JN0-636 Sample Questions Answers

An IKE security association (SA) is a set of parameters that define how the Internet Key Exchange (IKE) protocol will authenticate and establish the secure channel between the IPsec VPN peers. When you configure an IPsec VPN, one IKE SA is created between the peers, regardless of how many CoS forwarding classes are used to separate the traffic. The SA will be used to negotiate the IPsec SA parameters, such as encryption algorithms and keys.

In this scenario, only 1 IKE security association is required between the IPsec peers, no matter how many CoS forwarding classes are used to separate the voice and data traffic.

According to the output of the command show configuration services security-intelligence url, the SRX Series device is directly enrolled with Juniper ATP Cloud. This is indicated by the URL https://cloudfeeds.argon.junipersecurity.net/api/manifest.xml , which is the default URL for Juniper ATP Cloud1. This means that the device is not enrolled with Policy Enforcer, which would use a different URL that includes the IP address of the Policy Enforcer server2. Therefore, the problem in this scenario is that the device is directly enrolled with Juniper ATP Cloud, which prevents it from being enrolled with Policy Enforcer.

To enroll the device with Policy Enforcer, the user needs to disenroll the device from Juniper ATP Cloud first. This can be done by using the following command:

delete services security-intelligence url

This command will remove the Juniper ATP Cloud URL from the device configuration and stop the device from receiving threat feeds from Juniper ATP Cloud1. After that, the user can enroll the device with Policy Enforcer by using the Security Director GUI or the SLAX script2.

References: 1: Configuring Juniper ATP Cloud on SRX Series Devices 2: Enrolling SRX Series Devices with Policy Enforcer

Referring to the exhibit, your company’s infrastructure team implemented new printers. To make sure that the policy enforcer pushes the updated IP address list to the SRX, you need to perform the following actions:

• A. Configure the server feed URL as http://172.25.10.254/myprinters. The server feed URL is the address of the remote server that provides the custom feed data. You need to configure the server feed URL to match the location of the file that contains the IP addresses of the new printers. In this case, the file name is myprinters and the server IP address is 172.25.10.254, so the server feed URL should be http://172.25.10.254/myprinters1.
• B. Create a security policy that uses the dynamic address feed to allow access. A security policy is a rule that defines the action to be taken for the traffic that matches the specified criteria, such as source and destination addresses, zones, protocols, ports, and applications. You need to create a security policy that uses the dynamic address feed as the source or destination address to allow access to the new printers. A dynamic address feed is a custom feed that contains a group of IP addresses that can be entered manually or imported from external sources. The dynamic address feed can be used in security policies to either deny or allow traffic based on either source or destination IP criteria2.
• C. Configure Security Director to create a dynamic address feed. Security Director is a Junos Space application that enables you to create and manage security policies and objects. You need to configure Security Director to create a dynamic address feed that contains the IP addresses of the new printers. You can create a dynamic address feed by using the local file or the remote file server option. In this case, you should use the remote file server option and specify the server feed URL as http://172.25.10.254/myprinters3.

The other options are incorrect because:

• D. Configuring Security Director to create a C&C feed is not required to complete the requirement. A C&C feed is a security intelligence feed that contains the IP addresses of servers that are used by malware or attackers to communicate with infected hosts. The C&C feed is not related to the new printers or the dynamic address feed.
• E. Configuring the server feed URL as https://172.25.10.254/myprinters is not required to complete the requirement. The server feed URL can use either the HTTP or the HTTPS protocol, depending on the configuration of the remote server. In this case, the exhibit shows that the remote server is using the HTTP protocol, so the server feed URL should use the same protocol1.

References:

• Configuring the Server Feed URL
• Dynamic Address Overview
• Creating Custom Feeds
• [Command and Control Feed Overview]

The flow-session resource is needed in order to ensure adequate and secure communication between the two logical systems.

• The flow-session resource must be defined in the security profile for the interconnect logical system because the interconnect logical system is responsible for forwarding traffic between other logical systems. The flow-session resource determines the maximum number of sessions that the interconnect logical system can create and maintain. If the flow-session resource is not allocated or is insufficient, the interconnect logical system might drop packets or fail to establish sessions1.
• The NAT resources are not needed to be allocated to the interconnect logical system because the interconnect logical system does not perform any NAT operations on the traffic. The NAT resources are only relevant for the logical systems that need to translate the source or destination IP addresses or ports of the traffic1.
• No resources are not needed to be allocated to the interconnect logical system is incorrect because the interconnect logical system still requires some resources to function properly, such as the flow-session resource. The interconnect logical system cannot operate without any resources allocated to it1.
• The resources must be calculated based on the amount of traffic that will flow between the logical systems is partially correct, but not the best answer. The resources must be calculated based on the amount of traffic and the type of traffic that will flow between the logical systems. For example, the flow-session resource depends on the number and duration of sessions, the security-log-stream-number resource depends on the number and size of logs, and the NAT resource depends on the number and type of NAT rules1.

References:

• Security Profiles for Logical Systems | Junos OS | Juniper Networks

The Juniper ATP Appliance platform collects, inspects and analyzes advanced and stealthy web, file, and email-based threats that exploit and infiltrate client browsers, operating systems, emails and applications. Juniper ATP Appliance’s detection of malicious attacks generates incident and event details that can be sent to connected SIEM platforms in CEF, LEEF or Syslog formats1. CEF (Common Event Format) is an open log management standard that improves the interoperability of security-related information from different vendors2. Juniper ATP Appliance supports CEF format for sending events and system audit notifications to SIEM servers. You can configure the CEF format in the Juniper ATP Appliance Central Manager WebUI Config > Notifications > SIEM Settings1. Therefore, the correct answer is C. CEF is a supported logging output format for Juniper ATP Appliance. The other options are incorrect because:

• A. WELF (WebTrends Enhanced Log Format) is a proprietary log format developed by WebTrends Corporation for web analytics3. Juniper ATP Appliance does not support WELF format for SIEM integration.
• B. JSON (JavaScript Object Notation) is a lightweight data-interchange format that is easy for humans and machines to read and write4. Juniper ATP Appliance supports JSON format for HTTP API results, but not for SIEM notifications1.
• D. Binary is a numeric system that uses only two digits: 0 and 1. Binary is not a logging output format for Juniper ATP Appliance or any SIEM platform.

References:

• SIEM Syslog, LEEF and CEF Logging
• Common Event Format Configuration Guide
• WebTrends Enhanced Log Format
• JSON

You want traffic to avoid the flow daemon for administrative tasks. In this scenario, the two stateless services that are available with selective stateless packet-based services are:

• A. Layer 2 switching. Layer 2 switching is a stateless service that forwards packets based on the MAC addresses of the source and destination hosts. Layer 2 switching does not require any routing or flow processing, and can be performed by the Packet Forwarding Engine (PFE) of the SRX Series device. You can use selective stateless packet-based services to enable Layer 2 switching for traffic that matches a stateless firewall filter. The firewall filter must have the packet-mode action modifier to bypass the flow daemon1.
• B. IPv4 routing. IPv4 routing is a stateless service that forwards packets based on the IP addresses of the source and destination hosts. IPv4 routing does not require any flow processing, and can be performed by the PFE of the SRX Series device. You can use selective stateless packet-based services to enable IPv4 routing for traffic that matches a stateless firewall filter. The firewall filter must have the packet-mode action modifier to bypass the flow daemon1.

The other options are incorrect because:

• C. IPsec. IPsec is a stateful service that provides security and encryption for IP packets. IPsec requires flow processing, and cannot be performed by the PFE of the SRX Series device. You cannot use selective stateless packet-based services to enable IPsec for traffic that matches a stateless firewall filter. The firewall filter cannot have the packet-mode action modifier to bypass the flow daemon2.
• D. IPv6 routing. IPv6 routing is a stateful service that forwards packets based on the IP addresses of the source and destination hosts. IPv6 routing requires flow processing, and cannot be performed by the PFE of the SRX Series device. You cannot use selective stateless packet-based services to enable IPv6 routing for traffic that matches a stateless firewall filter. The firewall filter cannot have the packet-mode action modifier to bypass the flow daemon3.

References:

• Selective Stateless Packet-Based Services Overview
• IPsec VPN Overview
• IPv6 Overview

The three profiles that are configurable in a threat prevention policy are infected host profile, C&C profile, and malware profile. A threat prevention policy is a feature of Juniper ATP Cloud that provides protection and monitoring for selected threat profiles, including command and control servers, infected hosts, and malware. Using feeds from Juniper ATP Cloud and optional custom feeds that you configure, ingress and egress traffic is monitored for suspicious content and behavior. Based on a threat score, detected threats are evaluated and action may be taken once a verdict is reached. You can create a threat prevention policy by selecting one or more of the following profiles:

• Infected host profile: This profile detects and blocks traffic from hosts that are infected with malware or compromised by attackers. You can configure the threat score thresholds and the actions for different levels of severity. You can also enable Geo IP filtering to block traffic from or to specific countries or regions.
• C&C profile: This profile detects and blocks traffic to or from command and control servers that are used by attackers to control malware or botnets. You can configure the threat score thresholds and the actions for different levels of severity. You can also enable Geo IP filtering to block traffic from or to specific countries or regions.
• Malware profile: This profile detects and blocks traffic that contains malware or malicious content. You can configure the threat score thresholds and the actions for different levels of severity. You can also enable protocol-specific settings for HTTP and SMTP traffic, such as file type filtering, file size filtering, and file name filtering.

The other two profiles, device profile and SSL proxy profile, are not configurable in a threat prevention policy. A device profile is a feature of Policy Enforcer that defines the device type, the device group, and the device settings for the SRX Series devices that are enrolled with Juniper ATP Cloud. An SSL proxy profile is a feature of SRX Series devices that enables SSL proxy to decrypt and inspect SSL/TLS traffic for threats and policy violations.

References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos-space23.1/policy-enforcer/topics/concept/threat-management-policy-overview.html https://www.juniper.net/documentation/en_US/junos-space23.1/policy-enforcer/topics/task/configuration/junos-space-policy-enforcer-threat-management-policy-configure.html https://www.juniper.net/documentation/en_US/junos/topics/concept/security-policy-enforcer-device-profile-overview.html https://www.juniper.net/documentation/en_US/junos/topics/concept/security-ssl-proxy-overview.html

DNS doctoring is a feature that allows the SRX Series firewall to modify the IP address in a DNS response based on a static NAT rule. This can be useful when the DNS server returns an IP address that is not reachable by the client, such as a private IP address or an IP address from a different network. To use DNS doctoring, the following requirements must be met:

• The DNS ALG must be enabled. The DNS ALG is responsible for parsing the DNS messages and performing the IP address translation. The DNS ALG can be enabled globally or per security policy. To enable the DNS ALG globally, use the command set security alg dns enable. To enable the DNS ALG per security policy, use the command set security policies from-zone zone1 to-zone zone2 policy policy1 then permit application-services application-firewall rule-set rule-set-name application junos-dns.
• Static NAT must be configured for the IP address that needs to be translated. Static NAT is a type of NAT that maps a fixed IP address to another fixed IP address. Static NAT can be configured using the command set security nat static rule-set rule-set-name rule rule-name match destination-address address and set security nat static rule-set rule-set-name rule rule-name then static-nat prefix prefix. References:
• DNS ALG and Doctoring Support
• Understanding DNS ALG and NAT Doctoring
• Disabling DNS ALG and NAT Doctoring
• SRX Getting Started - Configure DNS

The command "show security dynamic-address category-name DS hield" will show the IP addresses that are part of the DS hield category. By filtering the output of this command with the "match 203.0.113.5" command, you can determine if the IP address 203.0.113.5 is part of the DS hield feed. This command will check the feeds that are configured on SRX Series device and are associated to juniper ATP Cloud.

• The packet is processed as host inbound traffic because the traceoptions output shows that the destination IP address 10.10.10.1 belongs to the SRX device itself, which is configured with the ge-0/0/1.0 interface. The traceoptions output also shows the flag flow_host_inbound, which indicates that the packet is destined to the device.
• The packet matches the default security policy because the traceoptions output shows that the policy name is default-deny, which is the implicit system-default security policy that denies all packets. The traceoptions output also shows the flag flow_policy_deny, which indicates that the packet is denied by the policy.

References:

• traceoptions (Security NAT) | Junos OS | Juniper Networks
• [SRX] How to interpret Flow TraceOptions output for NAT troubleshooting
• Default Security Policies | Junos OS | Juniper Networks

To troubleshoot the traffic problem using the match criteria, you need to use the show security match-policies CLI command. The other options are incorrect because:

• A. The show security policy-report CLI command displays the policy report, which is a summary of the policy usage statistics, such as the number of sessions, bytes, and packets that match each policy. It does not show the match criteria or the reason why the traffic is not hitting the policy1.
• B. The show security application-tracking counters CLI command displays the application tracking counters, which are the statistics of the application usage, such as the number of sessions, bytes, and packets that match each application. It does not show the match criteria or the reason why the traffic is not hitting the policy2.
• D. The request security policies check CLI command checks the validity and consistency of the security policies, such as the syntax, the references, and the conflicts. It does not show the match criteria or the reason why the traffic is not hitting the policy3.

Therefore, the correct answer is C. You need to use the show security match-policies CLI command to troubleshoot the traffic problem using the match criteria. The show security match-policies CLI command displays the policies that match the specified criteria, such as the source and destination addresses, the zones, the protocols, and the ports. It also shows the action and the hit count of each matching policy. You can use this command to verify if the traffic is matching the expected policy or not, and if not, what policy is blocking or rejecting the traffic4

According to the Juniper documentation, Juniper ATP Cloud supports the following modes:

• Layer 3 mode: In this mode, the SRX Series device acts as a Layer 3 gateway and routes traffic between different subnets. The SRX Series device performs NAT and security policy enforcement on the traffic and sends a copy of the traffic to Juniper ATP Cloud for analysis. This mode is suitable for networks that have multiple subnets and require NAT and firewall functions1
• Transparent mode: In this mode, the SRX Series device acts as a Layer 2 bridge and forwards traffic between the same subnet. The SRX Series device does not perform NAT or security policy enforcement on the traffic, but sends a copy of the traffic to Juniper ATP Cloud for analysis. This mode is suitable for networks that have a single subnet and do not require NAT or firewall functions1

The other two modes, global mode and private mode, are not supported by Juniper ATP Cloud. Global mode is a configuration option for Juniper ATP Appliance, which is an on-premises solution that provides threat detection and prevention. Private mode is a configuration option for Juniper ATP Private Cloud, which is a cloud-based solution that provides threat detection and prevention within a private network23

References:

1: Juniper Advanced Threat Prevention Cloud | ATP Cloud | Juniper Networks 2: Juniper Advanced Threat Prevention Appliance | ATP Appliance | Juniper Networks 3: [Juniper Advanced Threat Prevention Private Cloud | ATP Private Cloud | Juniper Networks]

Referring to the exhibit, the following statements are correct:

• B. All of the entries are command and control entries. Command and control entries are dynamic addresses that represent the IP addresses of servers that are used by malware to communicate with infected hosts. The SRX Series device can block or log the traffic to or from these IP addresses based on the security policies. The exhibit shows that all of the entries have the category DC/1, which stands for command and control1.
• C. All of the entries are Dshield entries. Dshield is a feed source that provides a list of IP addresses that are associated with malicious activities, such as scanning, spamming, or attacking. The SRX Series device can download the Dshield feed and use it to populate the dynamic address entries. The exhibit shows that all of the entries have the feed dshield, which indicates that they are from the Dshield feed source2.

The other statements are incorrect because:

• A. All of the entries are not a threat level 8, but a threat level 10. The threat level is a numeric value that indicates the severity of the threat associated with a dynamic address entry. The higher the threat level, the more dangerous the threat. The SRX Series device can use the threat level to prioritize the actions for the dynamic address entries. The exhibit shows that all of the entries have the cc CN, which stands for country code China. According to the Juniper documentation, the country code China has a threat level of 10, which is the highest.
• D. All of the entries are not a threat level 10, but they are. See the explanation for option A.

References:

• Understanding Dynamic Address Categories
• Understanding Dynamic Address Feed Sources
• [Understanding Dynamic Address Threat Levels]

To enable inter-tenant communication with tenant system, you need to use an external router or a logical tunnel interface. The other options are incorrect because:

• A. Interconnecting EVPN switch is not a valid solution for inter-tenant communication with tenant system. EVPN (Ethernet VPN) is a technology that provides layer 2 connectivity over an IP network. It can be used to connect different logical systems on the same device, but not tenant systems. Tenant systems are isolated from each other and do not share the same layer 2 domain1.
• B. Interconnecting VPLS switch is also not a valid solution for inter-tenant communication with tenant system. VPLS (Virtual Private LAN Service) is another technology that provides layer 2 connectivity over an IP network. It can also be used to connect different logical systems on the same device, but not tenant systems. Tenant systems are isolated from each other and do not share the same layer 2 domain1.

Therefore, the correct answer is C and D. You need to use an external router or a logical tunnel interface to enable inter-tenant communication with tenant system. To do so, you need to perform the following steps:

• For external router, you need to connect the external router to the interfaces of the tenant systems that you want to communicate with. You also need to configure the routing protocols and policies on the external router and the tenant systems to exchange routes and traffic. The external router acts as a gateway between the tenant systems and provides layer 3 connectivity2.
• For logical tunnel interface, you need to create a logical tunnel interface on the device and assign it to a tenant system. You also need to configure the IP address and routing protocols on the logical tunnel interface and the tenant systems that you want to communicate with. The logical tunnel interface acts as a virtual link between the tenant systems and provides layer 3 connectivity3.

References:

• Tenant Systems Overview
• Example: Configuring Inter-Tenant Communication Using External Router
• Example: Configuring Inter-Tenant Communication Using Logical Tunnel Interface

The IPS signature database is one of the major components of the intrusion prevention system (IPS). It contains definitions of different objects, such as attack objects, application signature objects, and service objects, that are used in defining IDP policy rules. As a response to new vulnerabilities, Juniper Networks periodically provides a file containing attack database updates on the Juniper Networks website. You can download this file to protect your network from new threats. Note: IPS does not need a separate license to run as a service on the SRX Series Firewall; however, a license is required for IPS updates1.

When you configure a chassis cluster, the two nodes back up each other, with one node acting as the primary device and the other as the secondary device, ensuring stateful failover of processes and services in the event of system or hardware failure. If the primary device fails, the secondary device takes over processing of traffic2.

To download and install the IPS signature database to a device operating in chassis cluster mode, you must perform the following steps:

• Download the IPS signature package from the Juniper Networks website to the primary node of the chassis cluster. You can use the request security idp security-package download CLI command or the Security Director user interface to download the package. Note: You must have a valid license key installed on the device to download the package3.
• Install the IPS signature package on the primary node of the chassis cluster. You can use the request security idp security-package install CLI command or the Security Director user interface to install the package. Note: You must reboot the primary node after installing the package3.
• Synchronize the IPS signature package from the primary node to the backup node of the chassis cluster. You can use the request security idp security-package install-backup CLI command or the Security Director user interface to synchronize the package. Note: You do not need to reboot the backup node after synchronizing the package3.

Therefore, the correct answer is A. You must download and install the IPS signature package on the primary node. The other options are incorrect because:

• B. The first synchronization of the backup node and the primary node is performed automatically after you install the package on the primary node. You do not need to perform it manually3.
• C. The first time you synchronize the IPS signature package from the primary node to the backup node, the primary node does not need to be rebooted. You only need to reboot the primary node after installing the package3.
• D. The IPS signature package does not need to be downloaded and installed on the primary and backup nodes separately. You only need to download and install it on the primary node and then synchronize it to the backup node3.

References:

• IDP Signature Database Overview
• Understanding IDP Signature Database for Migration
• Configuring Chassis Clustering on SRX Series Devices

To create a secure fabric in your company’s network, you need to know the following facts:

• A secure fabric is a collection of sites that contain network devices (switches, routers, firewalls, and other security devices) that are used in policy enforcement groups. A site is a grouping of network devices that contribute to threat prevention. When threat prevention policies are applied to policy enforcement groups, the system automatically discovers to which sites those groups belong. This is how threat prevention is aggregated across your secure fabric1.
• MX Series devices associated with tenants can belong to multiple sites. Tenants are logical partitions of the network that can have their own security policies and enforcement points. Sites that are associated with tenants do not need switches as enforcement points, because MX Series devices can perform tenant-based policy enforcement1.
• SRX Series devices can belong to only one site. SRX Series devices are firewalls that can act as perimeter enforcement points for the secure fabric. They can send potentially malicious objects and files to the Juniper ATP Cloud for analysis and receive threat intelligence from the Juniper ATP Cloud to block malicious traffic. SRX Series devices cannot belong to multiple sites, because they do not support tenant-based policy enforcement1.
• A switch must be assigned to the site to enforce an infected host policy within the network. An infected host policy is a policy that blocks or quarantines hosts that are identified as infected by the Juniper ATP Cloud. A switch can act as an internal enforcement point for the secure fabric by applying the infected host policy to the hosts that are connected to it. A switch must be assigned to the site where the infected hosts are located, because SRX Series devices cannot enforce infected host policies1.
• Switches and connectors cannot be added to the same site. Connectors are software agents that can be installed on Windows or Linux servers to enable them to act as enforcement points for the secure fabric. Connectors can apply infected host policies to the hosts that are connected to them. However, connectors cannot coexist with switches in the same site, because they use different methods of policy enforcement. Switches use VLANs and ACLs, while connectors use IPtables and WFP1.

Therefore, the correct answer is B, D, and E. The other options are incorrect because:

• A. MX Series devices associated with tenants can belong to multiple sites, not only one site1.
• C. SRX Series devices can belong to only one site, not multiple sites1.

References:

• Secure Fabric Overview

The two steps that will fulfill the requirement of deploying a security policy on an SRX Series device that blocks all known Tor network IP addresses are enrolling the devices with Juniper ATP Cloud and enabling a third-party Tor feed. Juniper ATP Cloud is a cloud-based service that provides advanced threat detection and mitigation capabilities for SRX Series devices. By enrolling the devices with Juniper ATP Cloud, the devices can leverage the cloud intelligence and analytics to identify and block malicious traffic, including Tor traffic. A third-party Tor feed is a source of information that provides a list of IP addresses that are associated with the Tor network. By enabling a third-party Tor feed on the SRX Series device, the device can use the feed to create a dynamic address object that contains all the known Tor IP addresses. The device can then apply a security policy that denies traffic from or to the dynamic address object, effectively blocking the Tor network IP addresses. References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/concept/security-atp-cloud-overview.html https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-intelligence-third-party-feed-configuring.html

https://kb.juniper.net/InfoCenter/index?page=content &id=KB30443&cat=SRX_SERIES&actp=LIST

According to the Juniper documentation, a tenant system is a logical system that supports routing, services, and security features. A tenant system can be configured to log binary security events to a remote server using the pi security profile. The pi security profile specifies the tenant name, the server address, the server port, and the protocol for logging binary security events. In the exhibit, the pi security profile is configured with the server address 10.0.0.1, the server port 514, and the protocol UDP. However, the tenant name is missing from the configuration. To complete the configuration, the tenant name must be configured as local for the pi security profile. This is because the local tenant name is used to identify the tenant system that is sending the binary security events to the remote server. Therefore, the correct statement to complete the configuration is D. Configure the tenant as local for the pi security profile. References: [Tenant Systems Overview] 1, [Configuring Binary Security Event Logging for Tenant Systems] 2

1: https://www.juniper.net/documentation/us/en/software/junos/logical-system-security/topics/topic-map/tenant-systems-overview.html  2: https://www.juniper.net/documentation/us/en/software/junos/logical-system-security/topics/task/security-tenant-systems-binary-logging-configuring.html

The command that will allow traffic to bypass the SRX Series device flow daemon based on the source address is set firewall family inet filter bypass_flowd term t1 then packet-mode. This command configures a stateless firewall filter named bypass_flowd that has one term t1. The term t1 can match the traffic based on the source address or any other criteria. The term t1 then applies the action packet-mode, which means that the traffic will be forwarded using packet-based processing and will not be sent to the flow daemon for stateful inspection. This feature is known as selective stateless packet-based forwarding and it allows you to use both flow-based and packet-based forwarding on the same device for different types of traffic. You can apply the firewall filter to the input or output direction of an interface to enable selective stateless packet-based forwarding for the traffic passing through that interface. References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-option-filter-based-forwarding-overview.html https://www.juniper.net/documentation/en_US/junos/topics/example/filter-based-forwarding-example.html

The two types of source NAT translations that are supported in this scenario are translation of IPv4 hosts to IPv6 hosts with or without port address translation, and translation of one IPv6 subnet to another IPv6 subnet without port address translation. These are the types of source NAT translations that are supported by the Junos OS for IPv6 NAT. Translation of IPv4 hosts to IPv6 hosts allows IPv4-only hosts to communicate with IPv6-only hosts by changing the source IPv4 address to a corresponding IPv6 address. Port address translation can be optionally enabled to conserve IPv6 addresses by using different port numbers for different sessions. Translation of one IPv6 subnet to another IPv6 subnet allows IPv6 hosts to use a different IPv6 address range for outbound traffic, such as for security or policy reasons. Port address translation is not supported for this type of translation, as IPv6 addresses are abundant and do not need to be conserved. References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/concept/security-nat-ipv6-overview.html

The solution to this problem is to enable address persistence. This will ensure that the same external IP address is used for multiple sessions between an internal host and an external host. This will result in only one authentication being required, as the same external IP address will be used for all sessions.

Juniper ATP Cloud is a cloud-based service that provides advanced threat prevention and detection for SRX Series devices. To enroll an SRX Series device with Juniper ATP Cloud, you need to have a valid license and authorization code, and you need to run a Junos OS op script on the device. The op script performs the following tasks:

• Downloads and installs certificate authority (CA) licenses onto your SRX Series device.
• Creates local certificates and enrolls them with the cloud server.
• Performs basic Juniper ATP Cloud configuration on the SRX Series device.
• Establishes a secure connection to the cloud server.

You can run the op script either by copying the CLI command from the Juniper ATP Cloud Web Portal and running it on the device, or by using the enroll command on the device. The op script is the only way to enroll an SRX Series device with Juniper ATP Cloud. You cannot enroll the device manually or by using other methods.

The other statements in the question are incorrect for the following reasons:

• If a device is already enrolled in a realm and you enroll it in a new realm, none of the device data or configuration information is propagated to the new realm. This includes history, infected hosts feeds, logging, API tokens, and administrator accounts. You can view and change the realm association of a device from the Realm Management page in the Juniper ATP Cloud Web Portal.
• The only way to enroll an SRX Series device is not to interact with the Juniper ATP Cloud Web Portal. You can also use the enroll command on the device, which performs all the necessary enrollment steps without requiring you to access the Web Portal.
• When the license expires, the SRX Series device is not disenrolled from Juniper ATP Cloud without a grace period. The device enters a grace period of 30 days, during which it can still send files to the cloud for inspection and receive threat intelligence feeds. After the grace period, the device is disenrolled and stops communicating with the cloud.

References:

• How to Enroll Your SRX Series Firewalls in Juniper Advanced Threat Prevention (ATP) Cloud Using Policy Enforcer
• Enroll an SRX Series Firewall using Juniper ATP Cloud Web Portal
• ATP Cloud | Step 2: Up and Running
• Enroll an SRX Series Firewall Using the CLI

A logical system is a virtualization feature in SRX Series devices that allows you to create multiple, isolated virtual routers within a single physical device. Each logical system has its own routing table, firewall policies, and interfaces, and it can be managed and configured independently of the other logical systems. Logical systems are an effective way to isolate different administrative domains and to support a large number of virtualized instances.

According to the Juniper documentation, the solution that would best meet the requirements of deploying a virtualization solution with the security devices in the network is logical systems. Logical systems are a feature that allows the SRX Series device to be partitioned into multiple logical devices, each with its own discrete administrative domain, routing table, firewall policies, VPNs, and interfaces1. Each logical system can support up to 100 virtualized instances, depending on the SRX Series model and the available resources2.

The following solutions are not suitable or incorrect for this scenario:

• VRF instances: VRF instances are a type of routing instance that allows the SRX Series device to maintain multiple routing tables for different VPNs or customers. However, VRF instances do not provide separate administrative domains, firewall policies, or interfaces for each instance3.
• Virtual router instances: Virtual router instances are a type of routing instance that allows the SRX Series device to create multiple logical routers, each with its own routing table and interfaces. However, virtual router instances do not provide separate administrative domains or firewall policies for each instance.
• Tenant systems: Tenant systems are a feature that allows the SRX Series device to create multiple logical devices, each with its own discrete administrative domain, routing table, firewall policies, VPNs, and interfaces. However, tenant systems are only supported on the SRX1500, SRX4100, and SRX4200 devices, and each tenant system can only support up to 10 virtualized instances.

References: 1: Understanding Logical Systems 2: SRX Series Logical Systems Feature Guide 3: vrf (Routing Instances) : [virtual-router (Routing Instances)] : [Understanding Tenant Systems]

• The SRX Series device is performing both source and destination NAT on this session because the traceoptions output shows that both source and destination IP addresses and ports are translated. The source IP address 192.168.5.2 is translated to 192.168.100.1 and the destination IP address 1.1.1.1 is translated to 192.168.5.1. The source port 0 is translated to 14777 and the destination port 80 is translated to 80. The traceoptions output also shows the rule and pool IDs for both source and destination NAT: 2/32770 and 1/1 respectively.
• This is the first packet in the session because the traceoptions output shows the flag flow_first_packet, which indicates that this is the first packet of a new session. The traceoptions output also shows the flag flow_first_src_xlate and flow_first_rule_dst_xlate, which indicate that this is the first time that source and destination NAT are applied to this session.

References:

• traceoptions (Security NAT) | Junos OS | Juniper Networks
• [SRX] How to interpret Flow TraceOptions output for NAT troubleshooting

Juniper MX and SRX series devices support the integration of Seclntel feeds, which provide information about known command and control servers, for the purpose of blocking access to them. These devices can be configured to use the Seclntel feeds without the need for Security Director to manage the feeds.

EX series and QFX series devices are not capable of working in this situation, as they do not support the integration of Seclntel feeds.

According to the Juniper documentation, the two Juniper devices that work in this situation are MX Series devices and SRX Series devices. These devices can use the Juniper SecIntel feeds to block access to known command and control servers without using Security Director to manage the feeds. The Juniper SecIntel feeds are curated and verified threat intelligence data that are continuously collected from Juniper ATP Cloud, Juniper Threat Labs, and other sources. The SecIntel feeds include command and control IPs, URLs, certificate hashes, and domains that are used by attackers to control malware or maintain their connection to the network1.

The MX Series devices and the SRX Series devices can subscribe to the SecIntel feeds by using the following steps:

• Configure the SecIntel service on the device by specifying the SecIntel URL, the SecIntel policy, and the SecIntel license2.
• Configure the SecIntel policy on the device by specifying the SecIntel feeds, the SecIntel actions, and the SecIntel logging3.
• Apply the SecIntel policy to the security zones or the firewall policies on the device by using the secintel-policy option4.

Once the SecIntel service is configured and applied, the MX Series devices and the SRX Series devices will receive the SecIntel feeds from Juniper ATP Cloud and use them to block the traffic from or to the command and control servers. The SecIntel service will also send the SecIntel logs to Juniper ATP Cloud or a third-party SIEM solution for further analysis and reporting.

The following devices are not suitable or incorrect for this situation:

• EX Series devices: EX Series devices are Ethernet switches that can integrate with SecIntel to block infected hosts at the switch port. However, they cannot use the SecIntel feeds to block command and control servers, as they do not support the SecIntel service or policy.
• QFX Series devices: QFX Series devices are Ethernet switches that can integrate with SecIntel to block infected hosts at the switch port. However, they cannot use the SecIntel feeds to block command and control servers, as they do not support the SecIntel service or policy.

References: 1: SecIntel Threat Intelligence 2: Configuring SecIntel Service 3: Configuring SecIntel Policy 4: Applying SecIntel Policy : [SecIntel Logging] : [SecIntel Integration with EX Series Switches] : [SecIntel Integration with QFX Series Switches]