JN0-335 Security, Specialist (JNCIS-SEC) Questions and Answers

SSL proxy uses application identification services to dynamically detect if a particular session is SSL encrypted. https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-ssl-proxy-unified-policies.html

 JSA supports high availability (HA) clusters, which are two JSA hosts that act as a single system. The primary host is the active host and the secondary host is the standby host.  If the primary host fails, the secondary host takes over and becomes the active host 1  To configure an HA cluster, you must ensure that the software versions on both primary and secondary hosts are the same, and that the cluster virtual IP address is an unused IP address on the same subnet as the primary and secondary hosts 1  The secondary host does not backup multiple JSA primary hosts, as each HA cluster consists of only one primary and one secondary host 1  The primary and secondary hosts do not need to be configured with the same storage devices, as long as they have enough disk space to store the same amount of data 2   References :

1 : HA Clusters | Junos OS | Juniper Networks

2 : JSA Virtual Appliance | Juniper Networks US

SSL proxy is a feature that allows SRX Series devices to act as an intermediary between the client and the server for SSL/TLS encrypted traffic. SRX Series devices support two types of SSL proxy: SSL forward proxy and SSL reverse proxy.  SSL forward proxy is also known as web proxy or client-protection, and SSL reverse proxy is also known as server-protection 1 .

SSL forward proxy enables the SRX Series device to decrypt the client-side traffic and apply security policies before re-encrypting and forwarding it to the server.  This allows the SRX Series device to inspect the application data and identify the applications and threats in the encrypted traffic 2 .

SSL reverse proxy enables the SRX Series device to decrypt the server-side traffic and apply security policies before re-encrypting and forwarding it to the client.  This allows the SRX Series device to protect the server from malicious clients and provide load balancing and high availability for the server 3 .

References :

Configuring SSL Proxy

SSL Forward Proxy Overview

SSL Reverse Proxy Overview

A reth LAG is a redundant Ethernet interface that includes one or more physical interfaces from each node of a chassis cluster. A reth LAG provides increased bandwidth and link availability for the cluster. To configure a reth LAG, you need to follow these steps:

Configure the physical interfaces on each node as aggregated Ethernet interfaces with the same speed and duplex settings. This is required to ensure that the links can form a LAG and pass traffic correctly. You can use different cable types (such as copper or fiber-optic) for the links, but the speed must be the same.

Configure the reth interface with the redundant-ether-options statement and specify the aggregated Ethernet interfaces as child links. You should have at least two interfaces (one from each node) in the reth LAG, but you can add more for redundancy and load balancing. You can also specify the minimum-links statement to set the minimum number of child links that must be up for the reth interface to be up. The default value is one, but you can change it to a higher value if needed.

Configure the reth interface with the appropriate IP address, security zone, and other settings as needed. You can also enable LACP on the reth interface to dynamically negotiate the LAG parameters with the peer devices.

References :

[Aggregated Ethernet Interfaces in a Chassis Cluster]  1

[Chassis Cluster Redundant Ethernet Interfaces]  2

[LACP / LAG on Chassis Cluster - Interface Monitoring?]  3

[URGENT (LAG - RETH Interconnect)]  4

 A chassis cluster is a pair of SRX Series devices that are connected and configured to operate as a single node, providing high availability and load balancing for traffic flows 1 . A chassis cluster consists of two nodes: one primary and one secondary.  Each node can host one or more redundancy groups, which are logical entities that group the interfaces and services that need to fail over together in case of a node failure 2 . Redundancy group 0 is a special group that monitors the control plane of the cluster, such as the routing engine and the control link.  Redundancy group 0 is always active on the primary node and standby on the secondary node 3 . Therefore, option A is false.  Each chassis cluster member requires a unique node ID value, which can be either 0 or 1, to identify itself within the cluster 4 . However, the cluster ID value is the same for both nodes, and it is used to identify the cluster as a whole. Therefore, option B is false. Each chassis cluster member device can host active redundancy groups, depending on the configuration and the status of the nodes. By default, the primary node hosts all the redundancy groups, but you can configure some groups to be preempted by the secondary node if it has a higher priority or load-sharing between the nodes if they have the same priority. Therefore, option C is true. Chassis cluster member devices must be the same model, because different models have different hardware and software specifications that may not be compatible with each other in a cluster. Therefore, option D is true.  References :

Chassis Cluster User Guide for SRX Series Devices

Understanding Chassis Cluster Redundancy Groups

Understanding Redundancy Group 0

Understanding Chassis Cluster Node IDs

[Understanding Chassis Cluster Cluster IDs]

[Configuring Chassis Cluster Redundancy Group Settings]

[Chassis Cluster Feature Guide for SRX Series Devices]

Juniper ATP Cloud is the threat intelligence hub for Juniper customers, identifying indicators of compromise for users and devices across the network. It provides security intelligence feeds, such as command and control (C & C) and infected hosts, that can be used to block or log malicious traffic. When you configure the C & C category with Juniper ATP Cloud, you need to specify the authentication token, the URL, and the update interval for the feeds. After you commit the configuration, the feeds are downloaded automatically from the Juniper ATP Cloud server. This may take a few minutes, depending on the network latency and the size of the feeds. Therefore, no action is required from the user, and the feeds will have non-zero objects once the download is complete. You can verify the status of the feeds by using the show services security intelligence category summary command, as shown in the exhibit.  References :

Introduction to Juniper ATP Cloud

security-intelligence (services)

Juniper ATP Cloud CLI Reference Guide

Adaptive Threat Profiling is a feature that allows SRX Series Firewalls to generate, propagate, and consume threat feeds based on their own advanced detection and policy-match events. This feature enables you to configure security or IDP policies that, when matched, inject the source IP address, destination IP address, source identity, or destination identity into a threat feed, which can be leveraged by other devices as a dynamic-address-group (DAG). With adaptive threat profiling, the Juniper ATP Cloud service acts as a feed-aggregator and consolidates feeds from SRX across your enterprise and shares the deduplicated results back to all SRX Series Firewalls in the realm at regular intervals. SRX Series Firewalls can then use these feeds to perform further actions against the traffic.  This feature allows you to find systems running applications that increase the risks on your network and ensure these systems are processed through IPS and Juniper ATP Cloud for malware and virus protection 1 .  References :

Adaptive Threat Profiling Overview and Configuration

Adaptive Threat Profiling Overview

Juniper Launches Adaptive Threat Profiling, New VPN Features

Juniper Networks Answers Who and What is On the Network with Risk-Based Access Control Capabilities and New VPN Application

Adaptive Threat Profiling Overview | SD Cloud

 JIMS domain PC probes are a mechanism to obtain username to IP address mapping information from devices in a customer’s domain. JIMS initiates a domain PC probe when it receives a request from an SRX Series device for a username to IP address mapping that is not found in the domain security event log.  JIMS uses the administrative credentials configured for PC probes to access the device and query the Windows Management Instrumentation (WMI) service for the username to IP address mapping 1 2   References :

1 : Juniper Identity Management Service Feature Guide - TechLibrary - Juniper Networks

2 : Juniper Identity Management Service (JIMS) Documentation - Juniper Networks

JIMS uses eventlogs on Domain contollers or Exchange Servers to determine logon events. So to decrease the load on a Domain Controller you could use the Exchange Server to read logs.

References:

Juniper Identity Management Service (JIMS) Documentation

Juniper Identity Management Service User Guide

Overview | JIMS | Juniper Networks

Juniper - ExamsBoost

Juniper Identity Management Service Overview

Encrypted Traffic Insights is a feature of Juniper ATP Cloud and SRX Series firewalls that can detect malicious threats that are hidden in encrypted traffic without intercepting and decrypting the traffic.  It permits organizations greater visibility and policy control over encrypted traffic, without requiring resource-intensive SSL Decryption 1 .

Encrypted Traffic Insights assesses the threat of the traffic by using two methods:

It validates the certificates used by the external servers that the internal hosts are trying to connect to. It compares the certificate signatures with a blocklist of known malicious certificates and also checks the certificate validity, issuer, and subject.  If the certificate is invalid or matches a malicious signature, the connection is blocked or alerted 2 .

It reviews the timing and frequency of the connections to the external servers. It uses behavior analysis and machine learning to identify patterns and anomalies that indicate malicious activity, such as command and control (C & C) communications, botnet traffic, or data exfiltration.  It also uses threat intelligence feeds to enrich the analysis and provide additional context 2 .

Encrypted Traffic Insights does not decrypt the file or the data in a sandbox or to validate the hash, as these methods would require breaking the encryption of the traffic, which would violate data privacy laws and introduce latency and performance issues 2 1 .  References :

3 :  SRX5400, SRX5600, SRX5800 Firewalls Datasheet - Juniper Networks

2 :  Encrypted Traffic Insights Overview and Benefits | ATP Cloud | Juniper …

1 :  Juniper Networks Expands Connected Security Portfolio with Encrypted …

The cSRX is a containerized version of the SRX Series device that runs on Linux platforms. The cSRX has the following benefits for deploying in a virtual environment:

The cSRX supports Layer 2 and Layer 3 deployments, which means it can operate as a transparent or a routed firewall.  The cSRX can also support multiple routing instances and virtual routers 2

The cSRX supports firewall, NAT, IPS, and UTM services, which means it can provide comprehensive security features for protecting the virtual network.  The cSRX can also support application identification, user firewall, and VPN services 2

The cSRX default configuration does not contain three default zones: trust, untrust, and management. The cSRX default configuration contains only one zone: junos-host. The cSRX does not have low memory requirements.  The cSRX requires at least 2 GB of memory and 2 CPU cores to run 2   References :

1 : Juniper Security Specialist (JNCIS-SEC) (JN0-334) | Study Guide  3

2 : Junos OS Security Configuration Guide | cSRX Overview  4

SRX Series device chassis clusters are created by physically connecting two identical cluster-supported SRX Series devices using a pair of the same type of Ethernet connections. The connection is made for both a control link and a fabric (data) link between the two devices. The chassis cluster data plane is connected with revenue ports, which are the ports that carry user traffic. The chassis cluster can contain a maximum of two devices, as only two nodes can form a cluster. The chassis cluster data plane is not connected with SPC ports, which are the ports that provide services processing. The chassis cluster cannot contain more than two devices, as this would violate the cluster design.  References :  Chassis Cluster Overview ,  Connecting SRX Series Firewalls to Create a Chassis Cluster

 This is because the error message indicates that the client device does not trust the certificate authority that issued the certificate for the external server. Therefore, you need to import the root CA certificate from the SRX Series device to the client device and add it to the trusted certificate store.  This will allow the client device to verify the identity of the SRX Series device and accept the certificates it generates for the external servers 3 .

The other options are not correct because:

A. Load a known good, but expired. CA certificate onto the SRX Series device . This will not solve the problem because the client device will still reject the certificates from the SRX Series device if they are signed by an expired CA certificate.  The expiration date of the CA certificate is one of the factors that the client device checks when validating the certificate 2 .

B. Install a new SRX Series device to act as the client proxy . This will not solve the problem because the new SRX Series device will still need to have a root CA certificate configured and imported to the client devices.  The problem is not with the SRX Series device itself, but with the trust relationship between the SRX Series device and the client devices 2 .

C. Reboot the SRX Series device . This will not solve the problem because rebooting the SRX Series device will not change the configuration or the certificates on the SRX Series device or the client devices.  The problem is not caused by a temporary glitch or a malfunction, but by a mismatch between the certificates on the SRX Series device and the client devices 2 .

I hope this helps you understand the problem and the solution better. If you want to learn more about SSL client protection proxy, you can check out the following references:

SSL Proxy Overview

Configuring SSL Forward Proxy

Configuring a Root CA Certificate

SSL Proxy - Client Protection

The fab interface is a physical connection between two nodes of a chassis cluster that is used to forward traffic and synchronize session state between the nodes. The fab interface can be any pair of Ethernet interfaces on the same LAN, but they must be the same media type. You need to specify the physical interfaces to be used for the fab link in the configuration, as the system does not determine them automatically. The Junos OS supports only one fab link per node, and it does not support traditional interface features such as IP addressing, routing protocols, or firewall filters. The fab interface is assigned an internally derived IP address by the system for packet transmission. The fab link also does not support fragmentation, so the MTU size of the fab interface must be equal to or greater than the MTU size of the largest interface in the cluster.  References :

Chassis Cluster Fabric Interfaces

HA Chassis cluster, difference between Swfab and Fab

 SSL proxy is a transparent proxy that performs SSL encryption and decryption between the client and the server. It allows inspection of encrypted traffic by terminating the SSL connection from either end and applying security policies to the clear text. SSL proxy can leverage pre-match or post-match results to determine whether to apply SSL proxy to a session. Pre-match results are based on the initial packet of the session, while post-match results are based on the application identification after the session is established. In the exhibit, the session shows that the application services identification is “ssl-proxy”, which means that SSL proxy is applied based on the pre-match results. The cache lookup status for application services is “on”, which means that the SRX Series device uses the application system cache to store the pre-match results for faster processing. Therefore, the correct answer is D. SSL proxy leverages pre-match result.  References : =  SSL Proxy ,  Configuring SSL Proxy , and  Application System Cache

 vSRX is a virtual firewall that runs on various cloud platforms, including AWS and OpenStack. AWS is a cloud service provider that offers infrastructure as a service (IaaS) solutions, such as compute, storage, and networking resources. OpenStack is an open source software platform that enables cloud orchestration, which is the automated management of cloud resources and services. vSRX supports both AWS and OpenStack as deployment options, and integrates with their features and tools. For example, vSRX can use cloud-init to automate the initialization of vSRX instances in AWS and OpenStack environments. vSRX can also leverage the security groups and elastic IP addresses of AWS, and the network and security services of OpenStack.  References :

vSRX Deployment Guide for AWS

vSRX Virtual Firewall

Use Cloud-Init in an OpenStack Environment to Automate the Initialization of vSRX Instances

 To implement IPS on your SRX Series device, you need to download and install the IPS signature database. The IPS signature database contains the attack signatures and predefined attack groups that are used to detect and prevent intrusions. You can download the IPS signature database from the Juniper Networks website or from a local server. You can install the IPS signature database manually or automatically.  You do not need to enroll the SRX Series device with Juniper ATP Cloud or reboot the SRX Series device to implement IPS 3 4   References :

Configuring the IPS Policy on SRX Series Devices Using NSM

Installing SRX 1400 with IPS activation ??? | SRX - Juniper Networks

Download an IPS Signature | J-Web for SRX Series 21.2 - Juniper Networks

IPS Configuration (CLI) | Junos OS | Juniper Networks

SRX300 Series devices support an on-device antivirus scanning engine, Avira, that scans the data by accessing the virus pattern database. It provides a full file-based antivirus scanning function that is available through a separately licensed subscription service. However, there is a limit on the number of files that can be submitted for scanning per day, depending on the SRX platform size. If you exceed this limit, the files will not be scanned until the next day.  The limit for SRX300 Series devices is 1000 files per day 1 .  References :  SRX Series On-Device Antivirus Scan Engine Overview

AppQoS is a feature that enables you to identify and control access to specific applications and provides the granularity of the stateful firewall rule base to match and enforce quality of service (QoS) at the application layer.  AppQoS expands the capability of Junos OS class of service (CoS) to include the following capabilities 1 2 :

Re-write DSCP values  based on Layer-7 application types. DSCP values are used to convey the packet’s quality of service through both the forwarding class and a loss priority.

Assign a forwarding class  based on the application type. Forwarding classes are used to group packets with similar QoS requirements and map them to output queues on the egress interface.

Rate-limit traffic  based on the application type. Rate limiters are used to control the transmission speed and volume for the associated queues. You can configure rate limiters and profiles to specify the bandwidth, burst size, and action for each application type.

AppQoS does not have the capability to re-write the TTL or reserve bandwidth. Re-writing the TTL is not related to QoS and could cause routing loops or packet drops. Reserving bandwidth is a function of traffic engineering, not AppQoS.  References :

1 : Application QoS | Junos OS | Juniper Networks

2 : AppQoS for Tenant Systems | Junos OS | Juniper Networks

The session table is a limited resource for SRX Series devices. If the session table is full, any new sessions will be rejected by the device. The aggressive session-aging mechanism accelerates the session timeout process when the number of sessions in the session table exceeds the specified high-watermark threshold.  This mechanism minimizes the likelihood that the SRX Series devices will reject new sessions when the session table becomes full 1 .  To perform aggressive session aging, you need to configure the following parameters 1 :

early-ageout –During aggressive session aging, the sessions with an age-out time lower than the early-ageout threshold are marked as invalid. The early-ageout configuration specifies the timeout value, in seconds, that will be applied once the high-watermark value is met.  For example, if you set the early-ageout to 30 seconds, any session that has been inactive for at least 30 seconds will be aged out when the high-watermark is reached 2 .

high-watermark –The device performs aggressive session aging when the number of sessions in the session table exceeds the high-watermark threshold. The high-watermark configuration specifies the percentage of how much of the session table can be allocated before applying a more aggressive age-out timer.  For example, if you set the high-watermark to 90 percent, the device will start aging out sessions more aggressively when the session table reaches 90 percent of its capacity 3 .

Therefore, the correct statements are B and D.

References :  Understanding Aggressive Session Aging   high-watermark   early-ageout

After JSA receives external events and flows, the data goes through the following steps in the event and flow pipeline  1 :

Event and flow collection: JSA accepts event logs and flow records from various sources by using different protocols and methods. The data is parsed and normalized into a JSA-usable format.

Event and flow processing: JSA applies rules, custom properties, and anomaly detection to the data. The data is also coalesced, filtered, and forwarded as needed. The data is stored in an asset database and an Ariel database for further analysis and reporting.

Event and flow correlation: JSA analyzes the data for patterns that indicate malicious activity or policy violations. JSA generates offenses, alerts, and notifications based on the correlation rules and building blocks.

Event and flow response: JSA responds to the offenses and alerts by taking active measures such as blocking IP addresses, quarantining hosts, or updating reference data. JSA also provides investigation and remediation tools for analysts to handle the incidents.  References :

1 : JSA Events and Flows | Junos OS | Juniper Networks

An Application Layer Gateway (ALG) is a software component that is designed to manage specific protocols such as Session Initiation Protocol (SIP) or FTP on Juniper Networks devices running Junos OS.  The ALG module is responsible for Application-Layer aware packet processing on switches 1 .  The ALG can perform various functions such as modifying the payload and header of packets, opening secondary connections, translating addresses and ports, and applying security policies 1 .  The ALG does not use software processes for permitting or disallowing specific IP address ranges, as this is the function of firewall filters or security zones 2 .  The ALG does not use software that is used by a single TCP session using the same port numbers as the application, as this is the definition of a stateful firewall 3 .  The ALG does not contain protocols that use one application session for each TCP session, as this is the characteristic of some application protocols such as HTTP or SMTP 4 .  References :

1 :  ALG Overview | Junos OS | Juniper Networks

2 :  Firewall Filters Overview | Junos OS | Juniper Networks

3 :  Stateful Firewall Overview | Junos OS | Juniper Networks

4 :  Application Layer Protocols | Junos OS | Juniper Networks

The vSRX is a virtual firewall that offers the same features as the physical SRX Series firewalls, but in a virtualized form factor. It supports next-generation firewall (NGFW) capabilities, networking, and automated lifecycle management.  It also integrates with cloud orchestration tools and software-defined networking (SDN) solutions 1

The vSRX supports VMXNET3 vNICs, which are optimized for performance in virtualized environments.  VMXNET3 vNICs offer enhanced networking features such as jumbo frames, hardware offloads, and multicast filtering 2

The vSRX runs on Linux as the base OS, which provides a stable and secure platform for the Junos OS and the firewall functionality.  Linux also enables the vSRX to leverage the native hypervisor drivers and APIs for better performance and compatibility 3

References :  1 : vSRX Virtual Firewall | Juniper Networks US  2 : vSRX Virtual Firewall for VMware - TechLibrary - Juniper Networks  3 : vSRX Overview - TechLibrary - Juniper Networks

In a Juniper Networks chassis clustering setup, when you enable chassis clustering on two devices and assign a cluster ID and a node ID to each device, the correct order for rebooting the devices is: C. Reboot the primary device, then the secondary device. Explanation: After assigning the cluster ID and node ID to each device, it is a good practice to reboot the primary device first. This ensures that the primary device comes online with the specified cluster and node IDs. Once the primary device is up and running, you can then reboot the secondary device. The secondary device will recognize the existing cluster and node IDs assigned to the primary device and join the cluster accordingly.

Based on the information from the exhibit, node0 is the primary node for both redundancy group 0 (RG0) and redundancy group 1 (RG1). RG0 is responsible for the control plane, which includes the Routing Engine and the management interface. RG1 is responsible for the data plane, which includes the interfaces and services.  Therefore, node0 is the active node for the data plane, and node1 is the active node for the control plane 3 4   References :

Chassis Cluster Redundancy Groups | Junos OS | Juniper Networks

Troubleshooting a Redundancy Group that Does Not Fail Over in an SRX Chassis Cluster | Junos OS | Juniper Networks

Understanding Chassis Cluster Redundancy Group 0: Routing Engines | Junos OS | Juniper Networks

Understanding Chassis Cluster Redundancy Groups 1 Through 128 | Junos OS | Juniper Networks

Referring to the exhibit, we can see that the output of the  show chassis cluster status  command on both nodes shows that they have the same cluster ID, node ID, priority, and status.  The status for both nodes is  primary , which means that they are both active and ready to process traffic for all redundancy groups 1 .

This situation can occur when the control link between the two nodes is down or not configured properly, and the heartbeat messages cannot be exchanged.  Without the heartbeat messages, each node assumes that the other node is down and takes over the primary role for all redundancy groups 1 2 .

This is not a desirable state for the cluster, as it can cause traffic disruption, configuration inconsistency, and split-brain scenarios.  To resolve this issue, the control link should be checked and fixed, and the cluster should be synchronized 1 2 .

References :

1 :  Troubleshooting an SRX Chassis Cluster with One Node in the Primary State and the Other Node in the Disabled State

2 :  SRX Series Chassis Cluster Configuration Overview