JN0-636 Practice Exam Questions with Answers Security, Professional (JNCIP-SEC) Certification

The purpose of the Switch Microservice of Policy Enforcer is to isolate infected hosts. The Switch Microservice is a component of Policy Enforcer that runs on EX Series and QFX Series switches. It communicates with Policy Enforcer and Juniper ATP Cloud to receive threat intelligence and quarantine commands. When an infected host is detected by Juniper ATP Cloud, Policy Enforcer sends a command to the Switch Microservice to isolate the host by applying an access control list (ACL) on the switch port where the host is connected. The ACL blocks all traffic from or to the host except for the traffic that is required for remediation. The Switch Microservice also tracks the MAC address of the infected host and updates Policy Enforcer if the host moves to a different switch port or a different switch. This way, the Switch Microservice ensures that the infected host is isolated until it is remediated and no longer poses a threat to the network. References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/concept/security-policy-enforcer-switch-microservice-overview.html

According to the output shown in the exhibit, which is a security flow session on an SRX Series device, the correct statement is that the local gateway address for the IPsec tunnel is 10.20.20.2. This is indicated by the line In: 10.20.20.2/2060 -> 10.20.20.1/3382, which shows that the source IP address of the incoming packet is 10.20.20.2, which is the local gateway address of the IPsec tunnel. The destination IP address of the incoming packet is 10.20.20.1, which is the remote gateway address of the IPsec tunnel.

The following statements are incorrect or not supported by the output:

• The remote gateway address for the IPsec tunnel is 10.20.20.2. This is false, as explained above. The remote gateway address for the IPsec tunnel is 10.20.20.1, not 10.20.20.2.
• The session information indicates that the IPsec tunnel has not been established. This is false, as the output shows that there are two active sessions with the communication tag IPSec VPN: vpn1, which indicates that the IPsec tunnel has been established and is named vpn11.
• NAT is being used to change the source address of outgoing packets. This is not supported by the output, as there is no indication of NAT being applied to the outgoing packets. The source IP address of the outgoing packet is 192.168.1.1, which is the same as the source IP address of the original packet. If NAT was being used, the source IP address of the outgoing packet would be different from the source IP address of the original packet.

References: 1: show security flow session - Technical Documentation - Support - Juniper Networks

The solution to this problem is to enable address persistence. This will ensure that the same external IP address is used for multiple sessions between an internal host and an external host. This will result in only one authentication being required, as the same external IP address will be used for all sessions.

According to the Juniper documentation, the infected host score is a global setting that determines the minimum threat level required for a host to be considered infected and blocked by Juniper ATP Cloud. The infected host score can be configured from 1 to 10, where 1 is the lowest and 10 is the highest. The default infected host score is 5, which means that any host with a threat level of 5 or higher will be automatically blocked by Juniper ATP Cloud. However, the infected host score can be changed to a higher value, such as 6 or 7, to reduce the number of false positives and allow more traffic to pass through. In the exhibit, the host has a threat level of 5, which indicates that it is infected with malware and has attempted to contact command-and-control servers. However, some of the events have not been automatically mitigated, which means that the host has not been blocked by Juniper ATP Cloud. A possible reason for this behavior is that the infected host score is globally set above a threat level of 5, such as 6 or 7, which means that the host does not meet the minimum threshold for blocking. Therefore, the correct answer is C. The infected host score is globally set above a threat level of 5. References: [Configuring the Infected Host Score] 1, [Compromised Hosts: More Information] 2

1: https://www.juniper.net/documentation/us/en/software/sky-atp/atp-cloud-user-guide/topics/task/sky-atp-infected-host-score.html  2: https://www.juniper.net/documentation/us/en/software/sky-atp/atp-cloud-user-guide/topics/concept/sky-atp-infected-host-overview.html

https://forums.juniper.net/t5/Ethernet-Switching/monitor-traffic- interface/td-p/462528

https://www.juniper.net/documentation/us/en/software/junos/multicast-l2/topics/ref/statement/family-ethernet-switching-edit-interfaces-qfx-series.html#statement-name-statement__d26608e73

The two types of source NAT translations that are supported in this scenario are translation of IPv4 hosts to IPv6 hosts with or without port address translation, and translation of one IPv6 subnet to another IPv6 subnet without port address translation. These are the types of source NAT translations that are supported by the Junos OS for IPv6 NAT. Translation of IPv4 hosts to IPv6 hosts allows IPv4-only hosts to communicate with IPv6-only hosts by changing the source IPv4 address to a corresponding IPv6 address. Port address translation can be optionally enabled to conserve IPv6 addresses by using different port numbers for different sessions. Translation of one IPv6 subnet to another IPv6 subnet allows IPv6 hosts to use a different IPv6 address range for outbound traffic, such as for security or policy reasons. Port address translation is not supported for this type of translation, as IPv6 addresses are abundant and do not need to be conserved. References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/concept/security-nat-ipv6-overview.html

The security trace options configuration shown in the exhibit is committed to your SRX series firewall. The following statements are correct in this scenario:

• B. Once the trace has generated 10 log files, older logs will be overwritten. The files option in the traceoptions statement specifies the maximum number of trace files to keep. When a trace file reaches its maximum size, it is renamed with a numeric suffix, such as kmd.0, kmd.1, and so on, until the maximum number of files is reached. Then the oldest trace file is overwritten by the newest one. In this case, the files option is set to 10, which means that the trace will generate 10 log files and then overwrite the older ones1.
• D. The file debugger will be readable only by the user who committed this configuration. The file option in the traceoptions statement specifies the name of the trace file and the permissions for the file. The permissions can be either world-readable or owner-readable. In this case, the file option is set to debugger owner-readable, which means that the trace file will be named debugger and will be readable only by the user who committed the configuration1.

The other statements are incorrect because:

• A. The file debugger will not be readable by all users, but only by the user who committed this configuration, as explained above.
• C. The trace will not halt after generating 10 log files, but will continue to overwrite the older ones, as explained above.

References:

• traceoptions (Security)

The two valid modes for the Juniper ATP Appliance are all-in-one and core. The all-in-one mode is a single appliance that performs both the collector and the core functions. The collector function collects traffic from the network and sends it to the core function for analysis and detection. The core function performs the threat detection, mitigation, and analytics. The all-in-one mode is suitable for small to medium-sized networks that do not require high scalability or performance. The core mode is a dedicated appliance that performs only the core function. The core mode is used in conjunction with one or more collector appliances that collect traffic from the network and send it to the core appliance for analysis and detection. The core mode is suitable for large-scale networks that require high scalability and performance. References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/concept/security-atp-appliance-overview.html

Juniper MX and SRX series devices support the integration of Seclntel feeds, which provide information about known command and control servers, for the purpose of blocking access to them. These devices can be configured to use the Seclntel feeds without the need for Security Director to manage the feeds.

EX series and QFX series devices are not capable of working in this situation, as they do not support the integration of Seclntel feeds.

According to the Juniper documentation, the two Juniper devices that work in this situation are MX Series devices and SRX Series devices. These devices can use the Juniper SecIntel feeds to block access to known command and control servers without using Security Director to manage the feeds. The Juniper SecIntel feeds are curated and verified threat intelligence data that are continuously collected from Juniper ATP Cloud, Juniper Threat Labs, and other sources. The SecIntel feeds include command and control IPs, URLs, certificate hashes, and domains that are used by attackers to control malware or maintain their connection to the network1.

The MX Series devices and the SRX Series devices can subscribe to the SecIntel feeds by using the following steps:

• Configure the SecIntel service on the device by specifying the SecIntel URL, the SecIntel policy, and the SecIntel license2.
• Configure the SecIntel policy on the device by specifying the SecIntel feeds, the SecIntel actions, and the SecIntel logging3.
• Apply the SecIntel policy to the security zones or the firewall policies on the device by using the secintel-policy option4.

Once the SecIntel service is configured and applied, the MX Series devices and the SRX Series devices will receive the SecIntel feeds from Juniper ATP Cloud and use them to block the traffic from or to the command and control servers. The SecIntel service will also send the SecIntel logs to Juniper ATP Cloud or a third-party SIEM solution for further analysis and reporting.

The following devices are not suitable or incorrect for this situation:

• EX Series devices: EX Series devices are Ethernet switches that can integrate with SecIntel to block infected hosts at the switch port. However, they cannot use the SecIntel feeds to block command and control servers, as they do not support the SecIntel service or policy.
• QFX Series devices: QFX Series devices are Ethernet switches that can integrate with SecIntel to block infected hosts at the switch port. However, they cannot use the SecIntel feeds to block command and control servers, as they do not support the SecIntel service or policy.

References: 1: SecIntel Threat Intelligence 2: Configuring SecIntel Service 3: Configuring SecIntel Policy 4: Applying SecIntel Policy : [SecIntel Logging] : [SecIntel Integration with EX Series Switches] : [SecIntel Integration with QFX Series Switches]

The flow-session resource is needed in order to ensure adequate and secure communication between the two logical systems.

• The flow-session resource must be defined in the security profile for the interconnect logical system because the interconnect logical system is responsible for forwarding traffic between other logical systems. The flow-session resource determines the maximum number of sessions that the interconnect logical system can create and maintain. If the flow-session resource is not allocated or is insufficient, the interconnect logical system might drop packets or fail to establish sessions1.
• The NAT resources are not needed to be allocated to the interconnect logical system because the interconnect logical system does not perform any NAT operations on the traffic. The NAT resources are only relevant for the logical systems that need to translate the source or destination IP addresses or ports of the traffic1.
• No resources are not needed to be allocated to the interconnect logical system is incorrect because the interconnect logical system still requires some resources to function properly, such as the flow-session resource. The interconnect logical system cannot operate without any resources allocated to it1.
• The resources must be calculated based on the amount of traffic that will flow between the logical systems is partially correct, but not the best answer. The resources must be calculated based on the amount of traffic and the type of traffic that will flow between the logical systems. For example, the flow-session resource depends on the number and duration of sessions, the security-log-stream-number resource depends on the number and size of logs, and the NAT resource depends on the number and type of NAT rules1.

References:

• Security Profiles for Logical Systems | Junos OS | Juniper Networks

Juniper ATP Cloud provides zero-day malware protection for non-Juniper firewalls. It's a cloud-based service that analyzes files and network traffic to detect and prevent known and unknown (zero-day) threats. It uses a combination of static and dynamic analysis techniques, as well as machine learning, to detect and block malicious files, even if they are not known to traditional anti-virus software. It also provides real-time visibility and detailed forensics for incident response and remediation.

In transparent mode, all interfaces involved are configured with the bridge protocol family. This allows the SRX device to act as a bridge between the interfaces and forward traffic transparently without any modification. The bridge interfaces can be configured to forward traffic based on layer 2 headers, such as MAC addresses, without the need for routing or IP addressing.

According to the exhibit, which is a security flow trace on an SRX Series device, the following statements are true:

• The packet’s destination is to an interface on the SRX Series device. This is indicated by the line packet dropped for self but not interested, which means that the packet is destined to the SRX device itself, but the device does not have the corresponding service configured in the host-inbound-traffic stanza for the interface1.
• The packet originated within the Trust zone. This is indicated by the line zone name: Trust, which shows that the packet belongs to the Trust zone. The Trust zone is typically the zone where the internal network is connected to the SRX device2.
• The packet is dropped before making an SSH connection. This is indicated by the line flow_first_inline_processing: pak(0x4a9c0d0), which shows that the packet is the first packet in the session and is processed by the firewall. The packet is dropped because it does not match any security policy or host-inbound-traffic rule1. The packet is trying to make an SSH connection, which uses TCP port 22, as shown by the line source port: 22.

The following statements are false:

• The packet’s destination is to a server in the DMZ zone. There is no indication of the DMZ zone in the trace output. The DMZ zone is typically the zone where the external servers are connected to the SRX device2.
• The packet is allowed to make an SSH connection. The packet is not allowed to make an SSH connection, as explained above.

References: 1: SRX Getting Started - Troubleshoot Security Policy 2: SRX Getting Started - Configure Security Zones

Certificate RenewalThe renewal of certificates is much the same as initial certificate enrollment except you are just replacing an old certificate(about to expire) on the VPN device with a new certificate. As with the initial certificate request, only manual renewal issupported. SCEP can be used to re-enroll local certificates automatically before they expire. Refer to Appendix D for moredetails.

https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/policy-based-vpn-using-j-series-srxseries-device-configuring.html

According to the exhibit, which is a configuration snippet of the SRX Series device, the global mode for the device is set to switching mode. This means that the device is operating as a Layer 2 switch and does not apply any security policies to the traffic between hosts in the same broadcast domain1. Therefore, the traffic between two hosts in the same broadcast domain are not matching any security policies.

To solve this problem, the user should change the global mode to transparent bridge mode. This means that the device will operate as a Layer 2 transparent bridge and apply security policies to the traffic between hosts in the same broadcast domain2. This will allow the user to enforce security policies based on the source and destination IP addresses, ports, and protocols of the traffic.

To change the global mode to transparent bridge mode, the user should use the following command:

set protocols l2-learning global-mode transparent-bridge

This command will set the global mode for the SRX Series device as Layer 2 transparent bridge mode. After changing the mode, the user must reboot the device for the configuration to take effect2.

References: 1: global-mode (Protocols) 2: Configuring Layer 2 Transparent Mode

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-pr ofile-logical-system.html

According to the Juniper documentation, Juniper ATP Cloud supports the following modes:

• Layer 3 mode: In this mode, the SRX Series device acts as a Layer 3 gateway and routes traffic between different subnets. The SRX Series device performs NAT and security policy enforcement on the traffic and sends a copy of the traffic to Juniper ATP Cloud for analysis. This mode is suitable for networks that have multiple subnets and require NAT and firewall functions1
• Transparent mode: In this mode, the SRX Series device acts as a Layer 2 bridge and forwards traffic between the same subnet. The SRX Series device does not perform NAT or security policy enforcement on the traffic, but sends a copy of the traffic to Juniper ATP Cloud for analysis. This mode is suitable for networks that have a single subnet and do not require NAT or firewall functions1

The other two modes, global mode and private mode, are not supported by Juniper ATP Cloud. Global mode is a configuration option for Juniper ATP Appliance, which is an on-premises solution that provides threat detection and prevention. Private mode is a configuration option for Juniper ATP Private Cloud, which is a cloud-based solution that provides threat detection and prevention within a private network23

References:

1: Juniper Advanced Threat Prevention Cloud | ATP Cloud | Juniper Networks 2: Juniper Advanced Threat Prevention Appliance | ATP Appliance | Juniper Networks 3: [Juniper Advanced Threat Prevention Private Cloud | ATP Private Cloud | Juniper Networks]

The exhibit shows the output of the "show interfaces ge-0/0/5.0 extensive" command on an SRX Series device. The output includes a section called "Security" that lists the protocols that are allowed on the ge-0/0/5.0 interface. The protocols that are allowed on the ge-0/0/5.0 interface are:

• OSPF
• DHCP
• NTP

It's important to notice that the output don't have IBGP, IPsec, so these protocols are not allowed on the ge-0/0/5.0 interface.

Referring to the exhibit, your company’s infrastructure team implemented new printers. To make sure that the policy enforcer pushes the updated IP address list to the SRX, you need to perform the following actions:

• A. Configure the server feed URL as http://172.25.10.254/myprinters. The server feed URL is the address of the remote server that provides the custom feed data. You need to configure the server feed URL to match the location of the file that contains the IP addresses of the new printers. In this case, the file name is myprinters and the server IP address is 172.25.10.254, so the server feed URL should be http://172.25.10.254/myprinters1.
• B. Create a security policy that uses the dynamic address feed to allow access. A security policy is a rule that defines the action to be taken for the traffic that matches the specified criteria, such as source and destination addresses, zones, protocols, ports, and applications. You need to create a security policy that uses the dynamic address feed as the source or destination address to allow access to the new printers. A dynamic address feed is a custom feed that contains a group of IP addresses that can be entered manually or imported from external sources. The dynamic address feed can be used in security policies to either deny or allow traffic based on either source or destination IP criteria2.
• C. Configure Security Director to create a dynamic address feed. Security Director is a Junos Space application that enables you to create and manage security policies and objects. You need to configure Security Director to create a dynamic address feed that contains the IP addresses of the new printers. You can create a dynamic address feed by using the local file or the remote file server option. In this case, you should use the remote file server option and specify the server feed URL as http://172.25.10.254/myprinters3.

The other options are incorrect because:

• D. Configuring Security Director to create a C&C feed is not required to complete the requirement. A C&C feed is a security intelligence feed that contains the IP addresses of servers that are used by malware or attackers to communicate with infected hosts. The C&C feed is not related to the new printers or the dynamic address feed.
• E. Configuring the server feed URL as https://172.25.10.254/myprinters is not required to complete the requirement. The server feed URL can use either the HTTP or the HTTPS protocol, depending on the configuration of the remote server. In this case, the exhibit shows that the remote server is using the HTTP protocol, so the server feed URL should use the same protocol1.

References:

• Configuring the Server Feed URL
• Dynamic Address Overview
• Creating Custom Feeds
• [Command and Control Feed Overview]

The three profiles that are configurable in a threat prevention policy are infected host profile, C&C profile, and malware profile. A threat prevention policy is a feature of Juniper ATP Cloud that provides protection and monitoring for selected threat profiles, including command and control servers, infected hosts, and malware. Using feeds from Juniper ATP Cloud and optional custom feeds that you configure, ingress and egress traffic is monitored for suspicious content and behavior. Based on a threat score, detected threats are evaluated and action may be taken once a verdict is reached. You can create a threat prevention policy by selecting one or more of the following profiles:

• Infected host profile: This profile detects and blocks traffic from hosts that are infected with malware or compromised by attackers. You can configure the threat score thresholds and the actions for different levels of severity. You can also enable Geo IP filtering to block traffic from or to specific countries or regions.
• C&C profile: This profile detects and blocks traffic to or from command and control servers that are used by attackers to control malware or botnets. You can configure the threat score thresholds and the actions for different levels of severity. You can also enable Geo IP filtering to block traffic from or to specific countries or regions.
• Malware profile: This profile detects and blocks traffic that contains malware or malicious content. You can configure the threat score thresholds and the actions for different levels of severity. You can also enable protocol-specific settings for HTTP and SMTP traffic, such as file type filtering, file size filtering, and file name filtering.

The other two profiles, device profile and SSL proxy profile, are not configurable in a threat prevention policy. A device profile is a feature of Policy Enforcer that defines the device type, the device group, and the device settings for the SRX Series devices that are enrolled with Juniper ATP Cloud. An SSL proxy profile is a feature of SRX Series devices that enables SSL proxy to decrypt and inspect SSL/TLS traffic for threats and policy violations.

References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos-space23.1/policy-enforcer/topics/concept/threat-management-policy-overview.html https://www.juniper.net/documentation/en_US/junos-space23.1/policy-enforcer/topics/task/configuration/junos-space-policy-enforcer-threat-management-policy-configure.html https://www.juniper.net/documentation/en_US/junos/topics/concept/security-policy-enforcer-device-profile-overview.html https://www.juniper.net/documentation/en_US/junos/topics/concept/security-ssl-proxy-overview.html

https://kb.juniper.net/InfoCenter/index?page=content &id=TN326&cat=&actp=LIST&showDraft=false

According to the output of the traceoptions file called radius, the source of the problem is that the RADIUS server IP address is unreachable. This is indicated by the line FAILURE: sendto: No route to host, which shows that the SRX device cannot send the authentication request to the RADIUS server. This could be due to a network issue, such as a misconfigured route, a firewall blocking the traffic, or a physical link failure.

To troubleshoot this issue, the user should check the following:

• The RADIUS server IP address and port are correctly configured on the SRX device. The user can verify this by using the command show configuration access radius-server1.
• The SRX device can ping the RADIUS server IP address. The user can use the command ping  to test the connectivity2.
• The SRX device has a valid route to the RADIUS server IP address. The user can use the command show route  to check the routing table3.
• The SRX device and the RADIUS server are using the same shared secret key. The user can verify this by using the command show configuration access radius-server secret1.
• The SRX device and the RADIUS server are using the same authentication protocol. The user can verify this by using the command show configuration access profile 4.
• The firewall policies on the SRX device and any intermediate devices are allowing the RADIUS traffic. The user can use the command show security policies from-zone to-zone  to check the firewall policies5.

References: 1: Configuring RADIUS Server Parameters 2: ping - Technical Documentation - Support - Juniper Networks 3: show route - Technical Documentation - Support - Juniper Networks 4: Configuring Authentication Profiles 5: show security policies - Technical Documentation - Support - Juniper Networks

According to the Juniper documentation, filter-based forwarding (FBF) is a technique that allows the SRX Series device to forward packets based on firewall filter rules, rather than the default routing table1. FBF can be used to implement policy-based routing, load balancing, or traffic engineering2. To deploy FBF on the SRX Series device for incoming traffic sourced from the 10.10.100.0/24 network, the following steps are required:

• You must create a forwarding-type routing instance. A forwarding-type routing instance is a special type of routing instance that is used for FBF. It does not have any interfaces or routing protocols associated with it, but it has its own routing table that can be populated by static routes, RIB groups, or routing policies3. You can create a forwarding-type routing instance by using the following command:

set routing-instances instance-type forwarding

• You must create and apply a firewall filter that matches on the source address 10.10.100.0/24 and then sends this traffic to your routing instance. A firewall filter is a set of rules that can match on various packet attributes, such as source and destination addresses, ports, protocols, and so on. You can use the then routing-instance action to specify the routing instance that the packet should be forwarded to4. You can create and apply a firewall filter by using the following commands:

set firewall family inet filter <filter-name> term from source-address 10.10.100.0/24 set firewall family inet filter <filter-name> term then routing-instance  set interfaces unit family inet filter input <filter-name>

• You must create a RIB group that adds interface routes to your routing instance. A RIB group is a mechanism that allows you to import routes from one routing table to another. You can use a RIB group to add the interface routes of the ingress interface to the routing table of the forwarding-type routing instance. This will ensure that the SRX device can forward the packets to the correct next hop based on the destination address5. You can create a RIB group by using the following commands:

set routing-options rib-groups import-rib inet.0 set routing-options rib-groups import-rib .inet.0 set routing-instances routing-options instance-import

The following steps are not required or incorrect:

• You do not need to create a VRF-type routing instance. A VRF-type routing instance is a type of routing instance that is used for virtual routing and forwarding. It allows you to create multiple logical routers on the same physical device, each with its own interfaces, routing protocols, and routing tables. VRF-type routing instances are typically used for VPNs, MPLS, or network segmentation. However, they are not necessary for FBF, which can be achieved with a forwarding-type routing instance.
• You do not need to create and apply a firewall filter that matches on the destination address 10.10.100.0/24 and then sends this traffic to your routing instance. This would be redundant and unnecessary, as the destination address of the incoming traffic is already determined by the routing table of the forwarding-type routing instance. Moreover, this would create a loop, as the traffic would be sent back to the same routing instance that it came from.

References: 1: Filter-Based Forwarding Overview 2: Configuring Filter-Based Forwarding 3: forwarding (Routing Instances) 4: routing-instance (Firewall Filter Action) 5: Configuring RIB Groups : [vrf (Routing Instances)]