JN0-335 Sample Questions Answers

 Juniper Secure Analytics (JSA) is a security information and event management (SIEM) system that consolidates, analyzes, and manages surveillance data from network devices, endpoints, and applications1

JSA uses two features to configure alerts based on certain criteria: building blocks and events2

Building blocks are reusable components that define common characteristics of network activity, such as IP addresses, ports, protocols, usernames, or threat categories. Building blocks can be used to create custom rules, searches, reports, and filters that can trigger alerts when certain conditions are met2

Events are records of network activity that are collected and normalized by JSA. Events can be classified into different categories, such as offenses, flows, logs, or anomalies. Events can also be correlated with other data sources, such as vulnerability scanners, threat intelligence feeds, or asset databases, to provide more context and insight. Events can trigger alerts when they match predefined or custom rules that specify the severity, frequency, or duration of the activity2

References: 1: JSA Series Secure Analytics - Juniper Networks 2: Juniper Secure Analytics Users Guide

• A: In the vSwitch security settings, accept promiscuous mode. This is a true statement. Promiscuous mode allows the vSwitch to forward all frames to the vSRX control interface, regardless of the destination MAC address1. This is necessary for the control link to function properly and exchange heartbeat messages between the cluster nodes2.
• C: In the vSwitch security settings, reject forged transmits. This is also a true statement. Forged transmits are frames that have a source MAC address that is different from the one that is assigned to the vNIC by the host operating system1. Rejecting forged transmits prevents spoofing attacks and ensures that the control link traffic is authentic2.
• B: In the vSwitch properties settings, set the VLAN ID to None. This is a false statement. The VLAN ID for the vSwitch can be any value as long as it matches the VLAN ID for the vSRX control interface1. The VLAN ID is used to tag the control link traffic and separate it from other traffic on the same vSwitch2.
• D: In the vSwitch security settings, reject MAC address changes. This is also a false statement. MAC address changes are allowed for the vSRX control interface, as the vSRX uses the MAC address of the control link to identify the cluster nodes1. Rejecting MAC address changes would prevent the cluster formation and synchronization2.

References:

• 1: vSRX Virtual Firewall Cluster Staging and Provisioning for VMware
• 2: Configuring Chassis Clustering on SRX Series Devices

The fab interface is the data link between the nodes of a chassis cluster and is used to forward traffic between the chassis and to synchronize the data plane software’s dynamic runtime state. Real-time objects (RTOs) are exchanged on the fab interface to maintain session synchronization for operations such as authentication, NAT, ALGs, and IPsec. In an active/active configuration, inter-chassis transit traffic is sent over the fab interface, as traffic arriving on a node that needs to be processed on the other or traffic processed on a node that needs to exit through an interface on the other is forwarded over the fabric. The fab interface does not enable configuration synchronization, as this is done by the control link. Heartbeat signals sent on the fab interface monitor the health of the data plane link, not the control plane link. References: Chassis Cluster Fabric Interfaces, HA Chassis cluster, difference between Swfab and Fab

 Juniper ATP Cloud is a cloud-based service that provides advanced malware detection and prevention for the network. It uses machine learning to find and block both known and unknown cyberthreats, analyzing files and network traffic looking for signs of malicious behavior. One of the methods that Juniper ATP Cloud uses to identify zero-day threats is dynamic analysis, which is the process of executing suspicious files or code in a sandbox environment and observing their behavior and network activity. Dynamic analysis can uncover zero-day malware threats and malicious connections, including botnets and command-and-control servers hiding in encrypted traffic, by detecting anomalous or malicious patterns. Dynamic analysis is complemented by other methods, such as static analysis, which examines the file structure and content without executing it, and machine learning, which uses artificial intelligence to classify and predict threats based on previous data and models. References:

• [Juniper Advanced Threat Prevention Products] 1
• [Juniper Advanced Threat Prevention Datasheet] 2
• [Juniper Advanced Threat Prevention | NetworkScreen.com] 3
• [Introduction to Juniper ATP Cloud | ATP Cloud | Juniper Networks] 4
• [JUNIPER ADVANCED THREAT PREVENTION CLOUD SERVICES DESCRIPTION] 5

The Juniper Networks solution that will accomplish the task of alerting if the wrong password is used more than three times on a single device within five minutes is Juniper Secure Analytics (JSA). JSA is a security intelligence platform that collects, analyzes, and correlates network data from various sources, such as firewalls, routers, switches, servers, and applications. JSA can detect and respond to threats, anomalies, and vulnerabilities in real time using rules, offenses, reports, and dashboards. JSA can also integrate with JIMS (Juniper Identity Management Service) to obtain user identity information from Active Directory domains or syslog sources. JSA can use this information to create custom rules that trigger offenses or alerts based on user behavior or activity, such as failed login attempts or password changes.

References := Juniper Secure Analytics Troubleshooting Guide, Juniper Identity Management Service User Guide

Static attack object groups are predefined groups of attack objects that are included in Juniper’s IPS signature database. These groups do not change automatically when Juniper updates the database. You must manually add matching attack objects to a custom group34 References:

• Attack Objects and Object Groups for IDP Policies | Junos OS
• Attack Objects and Object Groups for IDP Policies on NFX Devices
• Exam Name: Security, Specialist (JNCIS-SEC) Version: DEMO - exam
• Juniper - ExamsBoost

The DNS ALG is an application layer gateway that handles data associated with locating and translating domain names into IP addresses. The DNS ALG supports the following features:

• DDNS: The DNS ALG supports dynamic DNS (DDNS), which allows hosts to update their DNS records dynamically when their IP addresses change. The DNS ALG monitors the DDNS update messages and performs the necessary address transformations2
• DNS doctoring: The DNS ALG performs DNS doctoring, which is a process of modifying the DNS responses to match the NAT address translation. This is done to resolve the problems introduced by NAT, such as the mismatch between the internal and external IP addresses of a host. The DNS ALG performs the IPv4 and IPv6 address transformations for both DNS and DDNS responses2

The DNS ALG does not support VPN tunnels or NAT itself. The DNS ALG works with NAT, but does not perform NAT. The DNS ALG only supports UDP traffic, not TCP traffic2 References:

• 1: Juniper Security Specialist (JNCIS-SEC) (JN0-334) | Study Guide 3
• 2: Junos OS Security Configuration Guide | DNS ALG 1

• A stateful firewall in SRX Series devices keeps track of the state of network connections, distinguishing legitimate packets for different types of connections and allowing only packets that match a known active connection. Sessions are created when a TCP SYN packet is received and permitted by the security policy1.
• A security policy is a set of rules that defines how traffic is processed by the SRX Series device. A security policy applies the security rules to the transit traffic within a context (from-zone to to-zone) and each policy is uniquely identified by its name. The traffic is classified by matching the source and destination zones, the source and destination addresses, and the application that the traffic carries in its protocol headers with the policy database in the data plane2.
• A Layer 3 route is a path that a packet takes to reach its destination based on the destination IP address. The SRX Series device performs a longest-match Layer 3 route table lookup to determine the next hop for the packet3.
• An Application Layer Gateway (ALG) is a software component that provides application-level awareness, security, and control for specific protocols. An ALG inspects the application-layer payload of a packet and modifies it if necessary to allow the application to traverse the SRX Series device. For example, an ALG can rewrite IP addresses and port numbers in the payload of FTP or SIP packets4.
• The sequence that an SRX Series device uses when implementing stateful session security policies using Layer 3 routes is as follows3:

References:

• 1: Traffic Processing on SRX Series Firewalls Overview | Junos OS | Juniper Networks
• 2: Best Practices for Defining Policies on High-End SRX Series Devices - TechLibrary - Juniper Networks
• 3: [SRX] Example: Configuring TCP SYN Check options on a per-policy basis
• 4: Application Layer Gateways Overview | Junos OS | Juniper Networks

A policy scheduler is a feature that allows you to specify when a security policy is in effect. You can configure a policy scheduler to start at a specific date and time or start on a recurrent basis, such as daily, weekly, or monthly. A policy scheduler determines the time frame that a security policy is actively evaluated and enforced by the SRX Series device2

A policy scheduler can only be applied to security policies that have the action of permit or reject. A policy scheduler cannot be applied to security policies that have the action of deny. A policy scheduler is not related to the policy-rematch feature, which is used to reevaluate existing sessions when a security policy is modified. A policy scheduler cannot be dynamically activated based on traffic flow volumes2 References:

• 1: Juniper Security Specialist (JNCIS-SEC) (JN0-334) | Study Guide 3
• 2: Junos OS Security Configuration Guide | Configuring Policy Schedulers 4

 The configuration shown in the exhibit is a pre-ID default policy, which is a security policy that applies to traffic that cannot be identified by the SRX Series device before the user authentication process is complete. The pre-ID default policy has the following characteristics1:

• It is applied to all traffic that matches the from-zone and to-zone parameters, regardless of the source and destination addresses or applications.
• It can only have the permit action, and it cannot be deleted or renamed.
• It can have optional parameters such as log, session-timeout, and session-class.

The session-timeout parameter specifies the maximum time that a session can remain idle before it is closed by the SRX Series device. The session-timeout parameter can have different values for different types of traffic, such as TCP, UDP, or others. The others parameter applies to traffic that is not TCP or UDP, such as ICMP or GRE. The value of the others parameter is in seconds, not milliseconds. Therefore, the others 300 parameter means unidentified traffic flows will be dropped in 300 seconds, not milliseconds2. This statement is correct, so option B is a valid answer.

The log parameter enables the SRX Series device to generate a log message for each session that matches the pre-ID default policy. The log parameter can have two values: session-init and session-close. The session-init value logs the session when it is created, and the session-close value logs the session when it is closed. The session-init value is useful for identifying the source and destination of the unidentified traffic, while the session-close value is useful for measuring the duration and volume of the traffic3. The configuration shown in the exhibit has the session-init value, which means every session that enters the SRX Series device will generate an event. This statement is correct, so option C is a valid answer.

The session-class parameter is used to assign a priority to the sessions that match the pre-ID default policy. The session-class parameter can have four values: high, medium-high, medium-low, and low. The session-class parameter is useful for managing the resources allocated to the sessions and for applying quality of service (QoS) policies. The session-class parameter is not only used when troubleshooting, but also when optimizing the performance and security of the SRX Series device4. This statement is incorrect, so option A is not a valid answer.

Replacing the session-init parameter with session-lose will not log unidentified flows, but rather log the sessions that are closed due to session timeout or other reasons. This will not help in identifying the source and destination of the unidentified traffic, but rather provide information about the duration and volume of the traffic. This statement is incorrect, so option D is not a valid answer.

References:

• Pre-ID Default Policy Overview
• Configuring Session Timeout Values for Security Policies
• Configuring Logging for Security Policies
• Configuring Session Class for Security Policies

A vSRX is a virtualized security platform that runs on various hypervisors and cloud environments. It provides firewall and NAT services, as well as other security features, such as IPS, VPN, UTM, and AppSecure. A single vSRX can fulfill the minimum requirements for providing firewall and NAT services in a private cloud, as it can be deployed as a gateway or an edge device, and can scale up or down as needed. A vSRX can also interoperate with other Juniper and third-party products, such as Contrail Networking, Junos Space Security Director, and Sky ATP. A single vSRX is more cost-effective and simpler to manage than having separate vSRX instances for firewall and NAT services. A cSRX is a containerized version of vSRX that runs on Linux-based platforms. It provides similar security features as vSRX, but with a smaller footprint and faster deployment. However, a cSRX is not yet supported on all cloud environments, and it may have some limitations compared to vSRX, such as lower throughput and fewer interfaces. Therefore, a single cSRX may not be able to fulfill the minimum requirements for providing firewall and NAT services in a private cloud, depending on the specific cloud platform and the performance and scalability needs. A cSRX for firewall services and a separate cSRX for NAT services would also introduce more complexity and overhead than a single vSRX. References: vSRX Overview, cSRX Overview, JNCIP-SEC Certification

JIMS server is a Windows service application that collects and maintains user, device, and group information from Active Directory domains or syslog sources. JIMS server uses the Windows event logs to obtain user login and logout information from the domain controllers and Exchange servers. Therefore, to enable JIMS server to view the event logs, you need to perform the following actions:

• Enable remote event log management within Windows Firewall on the necessary domain controllers and Exchange servers. This allows JIMS server to access the event logs on these servers remotely. You can do this by using the Windows Firewall with Advanced Security snap-in or by using the netsh command. For example, to enable remote event log management on a domain controller, you can use the following command:

netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes

• Enable remote event log management within Windows Firewall on the JIMS server. This allows JIMS server to receive the event logs from the domain controllers and Exchange servers. You can do this by using the same method as above. For example, to enable remote event log management on the JIMS server, you can use the following command:

netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes

Option C and Option D show the correct actions for solving this issue. Option A and Option B are incorrect because they are not related to the JIMS server’s ability to view the event logs. Host-inbound-traffic rules are used to control the traffic that is allowed to reach the SRX Series devices, not the JIMS server. Enabling remote event log management on the Exchange servers is not necessary if JIMS server does not need to collect user information from them.

References: Juniper Security, Specialist (JNCIS-SEC) Reference Materials and Juniper Security, Professional (JNCIP-SEC) Reference Materials

 A chassis cluster is a pair of SRX Series devices that are connected and configured to operate as a single node, providing high availability and load balancing for traffic flows1. A chassis cluster consists of two nodes: one primary and one secondary. Each node can host one or more redundancy groups, which are logical entities that group the interfaces and services that need to fail over together in case of a node failure2. Redundancy group 0 is a special group that monitors the control plane of the cluster, such as the routing engine and the control link. Redundancy group 0 is always active on the primary node and standby on the secondary node3. Therefore, option A is false. Each chassis cluster member requires a unique node ID value, which can be either 0 or 1, to identify itself within the cluster4. However, the cluster ID value is the same for both nodes, and it is used to identify the cluster as a whole. Therefore, option B is false. Each chassis cluster member device can host active redundancy groups, depending on the configuration and the status of the nodes. By default, the primary node hosts all the redundancy groups, but you can configure some groups to be preempted by the secondary node if it has a higher priority or load-sharing between the nodes if they have the same priority. Therefore, option C is true. Chassis cluster member devices must be the same model, because different models have different hardware and software specifications that may not be compatible with each other in a cluster. Therefore, option D is true. References:

• Chassis Cluster User Guide for SRX Series Devices
• Understanding Chassis Cluster Redundancy Groups
• Understanding Redundancy Group 0
• Understanding Chassis Cluster Node IDs
• [Understanding Chassis Cluster Cluster IDs]
• [Configuring Chassis Cluster Redundancy Group Settings]
• [Chassis Cluster Feature Guide for SRX Series Devices]

AppTrack is a logging and reporting tool that provides statistics for analyzing bandwidth usage of your network. When enabled, AppTrack collects byte, packet, and duration statistics for application flows in the specified zone. AppTrack sends log messages through syslog, providing application activity update messages. AppTrack can be used to share information for application visibility with devices such as Security Threat Response Manager (STRM)12 References:

• 1: Application Tracking | Junos OS | Juniper Networks
• 2: application-tracking | Junos OS | Juniper Networks

SSL proxy is a feature that allows SRX Series devices to act as an intermediary between the client and the server for SSL/TLS encrypted traffic. SRX Series devices support two types of SSL proxy: SSL forward proxy and SSL reverse proxy. SSL forward proxy is also known as web proxy or client-protection, and SSL reverse proxy is also known as server-protection1.

SSL forward proxy enables the SRX Series device to decrypt the client-side traffic and apply security policies before re-encrypting and forwarding it to the server. This allows the SRX Series device to inspect the application data and identify the applications and threats in the encrypted traffic2.

SSL reverse proxy enables the SRX Series device to decrypt the server-side traffic and apply security policies before re-encrypting and forwarding it to the client. This allows the SRX Series device to protect the server from malicious clients and provide load balancing and high availability for the server3.

References:

• Configuring SSL Proxy
• SSL Forward Proxy Overview
• SSL Reverse Proxy Overview

The infected host cloud feed is a list of IP addresses that have been identified as compromised or infected by malware. The feed is updated by Juniper ATP Cloud based on the detection of malicious activity from the hosts, such as contacting known command-and-control servers. When a host on the network reaches the configured threat level threshold, its IP address is automatically added to the infected host cloud feed and blocked from communicating with any other hosts on the Internet. The other feeds are not relevant for this situation. The command-and-control cloud feed is a list of IP addresses that are known to be used by malware for remote control and communication. The allowlist and blocklist feed is a user-defined list of IP addresses that are either allowed or denied by the SRX Series device. The custom cloud feed is a user-defined list of IP addresses that are associated with a specific category or threat level. References:

• Infected Hosts: More Information
• Juniper’s Attacker IP feed bolsters threat protection with SecIntel
• ATP Appliance and SRX Series Threat Level Comparison Chart

SRX Series device chassis clusters are created by physically connecting two identical cluster-supported SRX Series devices using a pair of the same type of Ethernet connections. The connection is made for both a control link and a fabric (data) link between the two devices. The chassis cluster data plane is connected with revenue ports, which are the ports that carry user traffic. The chassis cluster can contain a maximum of two devices, as only two nodes can form a cluster. The chassis cluster data plane is not connected with SPC ports, which are the ports that provide services processing. The chassis cluster cannot contain more than two devices, as this would violate the cluster design. References: Chassis Cluster Overview, Connecting SRX Series Firewalls to Create a Chassis Cluster

Unified policies are security policies that enable you to use dynamic applications as match conditions along with the existing 5-tuple or 6-tuple (with user firewall) match conditions to detect application changes over time3 If the traffic matches the security policy rule, one or more actions defined in the policy are applied to the traffic3 During the initial policy lookup phase, which occurs prior to a dynamic application being identified, if there are multiple policies in the potential policy list, the SRX Series Firewall applies the default security policy until a more explicit match has occurred2 The policy that best matches the application is the final policy2 APPID results are used to determine the final security policy1 References:

• 1: Unified Security Policies | Junos OS | Juniper Networks
• 2: Unified Policies Support for Flow | Junos OS | Juniper Networks
• 3: Unified Policy Overview - TechLibrary - Juniper Networks

• Referring to the SRX Series flow module diagram shown in the exhibit, application security is processed at the Services ALGs stage. Application Layer Gateways (ALGs) are software components that enable the SRX Series device to provide application-level security for specific protocols and applications1.
• ALGs inspect the application layer payload of packets and perform various actions, such as modifying the payload, opening pinholes, creating sessions, applying security policies, and enforcing application-specific behavior12.
• ALGs are required for protocols and applications that embed IP address information or port numbers in the application layer data, that open secondary connections, or that are dynamically assigned ports1. Some examples of protocols and applications that require ALGs are FTP, SIP, H.323, RTSP, PPTP, and DNS2.
• ALGs are configured as part of the security policy and are applied to the traffic that matches the policy criteria. ALGs can also be enabled or disabled globally or per zone12.

References:

• 1: Application Layer Gateways Overview
• 2: Application Layer Gateways Feature Guide for Security Devices

References:

• 2: Junos OS Security Configuration Guide | Understanding Security Policies

Encrypted Traffic Insights is a feature of Juniper ATP Cloud and SRX Series firewalls that can detect malicious threats that are hidden in encrypted traffic without intercepting and decrypting the traffic. It permits organizations greater visibility and policy control over encrypted traffic, without requiring resource-intensive SSL Decryption1.

Encrypted Traffic Insights assesses the threat of the traffic by using two methods:

• It validates the certificates used by the external servers that the internal hosts are trying to connect to. It compares the certificate signatures with a blocklist of known malicious certificates and also checks the certificate validity, issuer, and subject. If the certificate is invalid or matches a malicious signature, the connection is blocked or alerted2.
• It reviews the timing and frequency of the connections to the external servers. It uses behavior analysis and machine learning to identify patterns and anomalies that indicate malicious activity, such as command and control (C&C) communications, botnet traffic, or data exfiltration. It also uses threat intelligence feeds to enrich the analysis and provide additional context2.

Encrypted Traffic Insights does not decrypt the file or the data in a sandbox or to validate the hash, as these methods would require breaking the encryption of the traffic, which would violate data privacy laws and introduce latency and performance issues21. References:

• 3: SRX5400, SRX5600, SRX5800 Firewalls Datasheet - Juniper Networks
• 2: Encrypted Traffic Insights Overview and Benefits | ATP Cloud | Juniper …
• 1: Juniper Networks Expands Connected Security Portfolio with Encrypted …

The vSRX is a virtual firewall that offers the same features as the physical SRX Series firewalls, but in a virtualized form factor. It supports next-generation firewall (NGFW) capabilities, networking, and automated lifecycle management. It also integrates with cloud orchestration tools and software-defined networking (SDN) solutions1

The vSRX supports VMXNET3 vNICs, which are optimized for performance in virtualized environments. VMXNET3 vNICs offer enhanced networking features such as jumbo frames, hardware offloads, and multicast filtering2

The vSRX runs on Linux as the base OS, which provides a stable and secure platform for the Junos OS and the firewall functionality. Linux also enables the vSRX to leverage the native hypervisor drivers and APIs for better performance and compatibility3

References: 1: vSRX Virtual Firewall | Juniper Networks US 2: vSRX Virtual Firewall for VMware - TechLibrary - Juniper Networks 3: vSRX Overview - TechLibrary - Juniper Networks

 To track BitTorrent traffic on your network, you need to use the Security Intelligence feature, which allows you to apply actions to traffic based on predefined or custom feeds. The High_Risk_Workstations and BitTorrent_Servers are examples of custom feeds that you can create and populate with IP addresses of devices that match certain criteria. To automatically add the workstations and servers to the respective feeds, you need to use the administration-feed option under the application-services security-intelligence hierarchy. This option specifies the feed name and the action to be taken for the traffic that matches the feed. For example, to add the workstations to the High_Risk_Workstations feed and drop the traffic, you would use:

set security policies from-zone untrust policy FindThreat then permit application-services security-intelligence administration-feed High_Risk_Workstations drop

To add the servers to the BitTorrent_Servers feed and log the traffic, you would use:

set security policies from-zone untrust policy FindThreat then permit application-services security-intelligence administration-feed BitTorrent_Servers log

Option B and Option C show the correct commands for these scenarios. Option A and Option D are incorrect because they use the wrong syntax for the administration-feed option. They also use the wrong feed names, as the feeds are case-sensitive and must match the ones defined under the security-intelligence hierarchy. References: Juniper Security, Specialist (JNCIS-SEC) Reference Materials and Juniper Security, Professional (JNCIP-SEC) Reference Materials

You can create an exempt rule to skip detection of a set of attacks in certain traffic. You can specify the source and destination IP addresses as the match criteria for the exempt rule. This allows you to exclude traffic from specific hosts or networks from being examined by the IPS rulebase. You can also specify other parameters such as protocol, application, and attack objects for the exempt rule, but source and destination IP addresses are the most common ones. References: = Create IPS or Exempt Rules and rulebase-exempt

After JSA receives external events and flows, the data goes through the following steps in the event and flow pipeline 1:

• Event and flow collection: JSA accepts event logs and flow records from various sources by using different protocols and methods. The data is parsed and normalized into a JSA-usable format.
• Event and flow processing: JSA applies rules, custom properties, and anomaly detection to the data. The data is also coalesced, filtered, and forwarded as needed. The data is stored in an asset database and an Ariel database for further analysis and reporting.
• Event and flow correlation: JSA analyzes the data for patterns that indicate malicious activity or policy violations. JSA generates offenses, alerts, and notifications based on the correlation rules and building blocks.
• Event and flow response: JSA responds to the offenses and alerts by taking active measures such as blocking IP addresses, quarantining hosts, or updating reference data. JSA also provides investigation and remediation tools for analysts to handle the incidents. References:
• 1: JSA Events and Flows | Junos OS | Juniper Networks