Practice Free JN0-336 Security, Specialist (JNCIS-SEC) Exam Questions Answers With Explanation

The correct answers are A and D. A mobile command center using a 5G ISP behind CGNAT is operating behind dynamic address translation. For IPsec to work reliably through NAT, the SRX must support NAT Traversal, which encapsulates IKE and ESP traffic in UDP/4500 after NAT is detected. Juniper states that NAT-T is used when NAT devices exist in the datapath and that NAT keepalives are required because NAT devices age out UDP translations. Juniper’s Security Director VPN workflow also specifically says to enable NAT-T when the dynamic endpoint is behind a NAT device.

DPD is also required because mobile and carrier-grade NAT connections can disappear, roam, or become stale without a clean tunnel teardown. Juniper defines Dead Peer Detection as the method used by IPsec peers to verify whether the remote peer is still present and responsive by sending encrypted IKE notification payloads and waiting for acknowledgements. Option B is not the best answer because IKEv1 aggressive mode is weaker and does not provide identity protection; Juniper also notes that aggressive mode applies only to IKEv1. Option C is invalid because IKEv2 aggressive mode does not exist. Reference topics: IPsec VPN, NAT-T, CGNAT, dynamic endpoints, DPD, IKE peer availability.

The correct answer is D. exempt. In Junos IDP, the exempt rulebase is specifically used to prevent selected traffic from triggering known false-positive detections. Juniper’s IDP documentation explains that exempt rules can be configured when an IDP policy generates false positives for a particular attack object, source, destination, or traffic pattern. The exempt rulebase lets the administrator exclude matching traffic from attack detection while still allowing the rest of the IDP policy to inspect other traffic normally.

Option A, IPS, is wrong because the IPS rulebase is the main inspection rulebase used to detect and act on attacks. It is where attack objects and actions are commonly applied, but it is not the rulebase designed to eliminate false positives. Option B, monitor, is not the correct false-positive elimination mechanism. Monitoring can help observe behavior, but it does not exempt traffic from matching an attack object. Option C, signature, is wrong because signatures are attack-detection patterns, not a rulebase type used to suppress false positives. The operational correction for noisy or irrelevant matches is to create an exempt rule for the specific trusted source, destination, or attack object. Reference topics: IDP rulebases, exempt rulebase, false-positive tuning, attack objects, IPS inspection.

The correct answer is D. You have too many domain controllers. The exhibit shows 15 Active Directory domain controllers. Juniper’s integrated Active Directory identity-source configuration for SRX identity-aware firewall supports a limited number of domain controllers; Juniper documentation states that an SRX Series device can configure a maximum of 10 domain controllers for Active Directory identity-source integration. Because this environment has 15 domain controllers, the direct Active Directory identity-source method exceeds the supported scale and JIMS must be used instead.

Option A is wrong because SRX devices can use Active Directory directly as an identity source; JIMS is not the only possible method. Option B is wrong because 1,500 users does not exceed the relevant identity-source scale shown here; Juniper documentation also notes probe functionality support well above this number. Option C is wrong because the issue being tested is not the Windows Server version. JIMS is designed for larger identity-aware deployments and can centralize identity collection from Active Directory, domain controllers, Exchange servers, and syslog sources, then provide identity mappings to SRX firewalls. Juniper’s JIMS datasheet shows much higher scale, including up to 100 active directories, 25 domains, and 500,000 user entries. Reference topics: Identity-Aware Security Policies, Active Directory identity source limits, JIMS scalability, domain controller scale limitations.

The correct answer is C. device policy rules. In Junos Space Security Director, policy scope matters. A rule intended for one specific SRX Series device must be placed in a device policy, because Juniper defines a device policy as a firewall policy created per device and used when you want to push a unique firewall policy configuration per device. Security Director also distinguishes this from group policies, which are shared with multiple devices, and from all-devices policy rules, which are global in scope rather than device-specific.

Option A is wrong because all-devices prerules are global rules evaluated before device-specific rules; they are not intended for a unique single-device exception. Option B is wrong because group policy prerules apply to devices within a group, not to one individually targeted SRX firewall. Option D is wrong because all-devices postrules are still globally scoped, even though they occur later in policy order. The clean Security Director design is to use device policy rules when the policy must apply only to one SRX device. Reference topics: Security Director, firewall policy hierarchy, device policy, group policy, all-devices prerules/postrules.

The correct answers are B and C. Adaptive Threat Profiling allows SRX Series Firewalls to act either as inline enforcement devices or as tap-based sensors. In an inline deployment, the SRX is directly in the traffic path and can enforce policy actions such as blocking, denying, or adding threat indicators to Security Intelligence feeds for real-time mitigation. In a tap deployment, the SRX observes copied traffic from a TAP/SPAN-style feed and contributes intelligence without being the active forwarding device. Juniper’s ATP Cloud documentation states that Adaptive Threat Profiling enables SRX devices to be deployed as sensors on Tap ports, identifying and sharing intelligence to inline devices for real-time enforcement. It also describes a “Tap-based SRX Series Firewall sensor” and contrasts it with an inline device.

Option A, bridge, is not the deployment mode being tested here. Bridge/transparent forwarding is a firewall deployment style, not the named Adaptive Threat Profiling mode. Option D, promiscuous, is also wrong; promiscuous mode is an interface behavior, not the ATP Adaptive Threat Profiling deployment model. Reference topics: ATP Cloud, Adaptive Threat Profiling, tap sensors, inline enforcement, Security Intelligence feeds.

The correct answer is B. count. In Junos security policy configuration, count is the policy parameter used for accounting and tabular operational visibility. Juniper’s security policy configuration rules state that accounting and auditing elements can be specified with count and log, while logging itself is enabled at either session-init or session-close.

The operational result is visible through commands such as show security policies hit-count, which displays a table of policy hit counters, including fields such as index, from-zone, to-zone, policy name, policy count, and action. Juniper defines this command as displaying the number of times a security policy rule matches traffic, and the sample output is explicitly tabular. Option A, permit, is an action, not a counter or logging/accounting parameter. Option C, session-init, logs at the beginning of a session, and option D, session-close, logs at session teardown. Those two parameters generate logs, but they do not provide the tabular policy-count view being asked about. Reference topics: security policy accounting, count parameter, hit-count, operational-mode policy monitoring, session-init/session-close logging.

The correct answer is C. device policy rules. In Junos Space Security Director, a firewall rule that must apply uniquely to one SRX Series device belongs in the device-specific policy layer, not in global or group-level policy. Juniper’s Security Director documentation states that a device can have a device-specific policy and can also be part of multiple group policies; the rule processing order places policies applied before device-specific policies first, then device-specific policies, then policies applied after device-specific policies. Juniper also explains that rules applied before device-specific policies take priority and cannot be overridden, while rules applied after device-specific policies can be overridden by adding a rule in the device-specific policy.

Option A is wrong because all-devices prerules are global mandatory rules applied before device-specific policy, not unique device exceptions. Option B is wrong because group policy prerules apply to a group of devices, not one specific SRX. Option D is wrong because all-devices postrules are still global policy rules, although they can be overridden. For a unique policy requirement on one SRX device, device policy rules are the precise Security Director construct. Reference topics: Security Director, firewall policies, device-specific policies, policy rule precedence, global/group/device rule hierarchy.

The correct answer is A. Manually configure and apply an SSL proxy profile. HTTPS traffic is encrypted, so ATP Cloud cannot extract and submit downloaded files for malware analysis unless the SRX can decrypt the SSL/TLS session first. Juniper’s ATP Cloud documentation states that to detect malware in HTTPS traffic, you must configure the SSL inspection CA used for SSL forward proxy, and the ATP Cloud policy workflow specifically includes configuring an SSL proxy profile to inspect HTTPS traffic. Juniper’s example shows the SSL proxy profile being created with a root CA and then applied so HTTPS sessions can be inspected before advanced anti-malware processing occurs.

Option B is wrong because lowering the threat score only changes the enforcement threshold after a file verdict is returned; it does not solve the inability to inspect encrypted payloads. Option C is wrong because changing the ATP device profile alone does not decrypt HTTPS traffic. The exhibit already shows a malware profile and HTTP file-download configuration, but HTTPS malware detection still requires SSL proxy. Option D is wrong because Junos ATP Cloud integration does not require redirecting encrypted traffic to a separate decryption appliance for this task. The SRX performs SSL forward proxy locally, then advanced anti-malware can inspect extracted content. Reference topics: ATP Cloud, HTTPS malware inspection, SSL forward proxy, SSL inspection CA, advanced anti-malware policy.

The correct answer is B. LDAP. In Juniper identity-aware firewall deployments, the SRX Series Firewall integrates with Microsoft Active Directory so that user and group information can be used in security policy decisions. Juniper’s Active Directory identity-source documentation states that the LDAP protocol helps identify the groups to which users belong, and that username and group information are queried from the LDAP service running on the Active Directory domain controller. It also explains that the device uses Lightweight Directory Access Protocol to obtain user and group information required for Active Directory identity-source operation.

Option A, SSH, is wrong because SSH is a device management protocol, not the protocol SRX uses to query Active Directory user/group membership. Option C, DNS, is wrong because DNS can resolve names but does not provide Active Directory group mapping to the firewall. Option D, NETCONF, is wrong because NETCONF is used for network device configuration and automation, not Windows domain-controller identity queries. In a complete identity-aware firewall workflow, SRX may also use WMI/DCOM-related mechanisms to read Windows event-log data, but among the available protocol choices, LDAP is the correct answer because it is the directory protocol used to query user and group information. Reference topics: Active Directory identity source, LDAP, domain controller communication, user and group mapping.

The correct answers are B and D. A terminal rule is specifically designed to stop further rule evaluation. Juniper states that the IDP rule-matching algorithm normally checks traffic against all matching rules in the rulebase, but when a terminal rule matches the source, destination, zones, and application, IDP does not continue to check subsequent rules for that same traffic. Juniper also warns that traffic matching a terminal rule is not compared to later rules even if it does not match the attack object inside that terminal rule.

Option D is also correct because the Ignore Connection action stops scanning traffic for the rest of the connection if an attack match is found. Juniper defines Ignore Connection as disabling the rulebase for that specific connection after a match. Option A is wrong because a close action closes the connection by sending reset behavior, but it is not the rule-processing control mechanism being tested. Option C is a trap: the exempt rulebase is used to suppress known false positives after an IPS rule match, but the two direct mechanisms that end IDP rule processing are terminal rule matching and ignore connection. Reference topics: IDP rulebases, terminal rules, Ignore Connection action, rule-matching algorithm, false-positive exemption.

The correct answers are A and B. In SRX chassis clustering, the fabric link, represented by fab interfaces, is the data-plane connection between the two cluster nodes. Juniper describes the fabric as the back-to-back data connection used when traffic on one node must be processed on the other node or must exit through an interface on the other node; session-state information also passes over the fabric. This is especially visible in active/active clustering, where ingress and egress interfaces can reside on different nodes and transit traffic must cross the fabric link.

Option B is also correct because the fabric link still exists in active/passive clustering for cluster data-plane synchronization and inter-node state handling, even though active/passive designs minimize fabric transit traffic because only one node normally forwards traffic at a time. Juniper specifically states that active/passive mode minimizes traffic over the fabric link, not that the fabric link is unused.

Options C and D are not the intended answers. The cluster is identified by a configured cluster ID, and each chassis is identified by a node ID, but the fabric interface names themselves are not where the cluster ID is reflected. Reference topics: HA Clustering, fabric link, active/active clustering, active/passive clustering, session synchronization, inter-node traffic.

The correct answers are A and B. In an SRX chassis cluster, the cluster ID identifies the chassis cluster, and valid operational cluster IDs are nonzero values. Juniper’s chassis cluster command documentation states that the system uses the chassis cluster ID and node ID to apply the correct node-specific configuration, and the command writes the chassis cluster ID and node ID to EPROM. When the cluster ID is set to 0, clustering is disabled; therefore, the HA cluster configuration is effectively ignored because the device is no longer operating as a chassis-cluster member.

Option B is also correct because Juniper states that chassis cluster ID and node ID changes take effect only after the system is rebooted. That is why the operational command format includes the reboot behavior when setting cluster-id and node. Option C is wrong because node ID 0 is valid; it identifies node0 in the two-node cluster. Option D is wrong because SRX chassis clusters use node IDs 0 and 1 only; the 1–255 range applies to cluster IDs, not node IDs. Reference topics: HA Clustering, cluster ID, node ID, EPROM, chassis cluster enablement, node-specific configuration.

The correct answer is B. ip-notify. When administrators want visibility without enforcement impact, ip-notify is the correct IP action. Juniper Security Director documentation defines IP Notify as an IP action that does not take any action against future traffic but logs the event. That is exactly the requirement in the question: traffic matching the IDP condition must not be blocked, closed, or rate-limited until administrators have reviewed the events and decided whether enforcement is appropriate.

Option A, ip-block, is wrong because it blocks future packets matching the IP action rule. That would immediately impact traffic. Option C, ip-connection-rate-limit, is wrong because it limits the connection rate and therefore changes traffic behavior before administrators complete evaluation. Option D, ip-close, is also wrong because it closes matching future sessions by sending reset packets to the client and server, which is disruptive. In a safe evaluation or tuning phase, the proper approach is to log and observe first, then move to stronger actions such as block, close, or rate-limit only after the detected condition has been validated. Reference topics: IDP IP actions, ip-notify, event logging, non-disruptive evaluation mode, IDP policy tuning.