JN0-336 Security, Specialist (JNCIS-SEC) Questions and Answers

The correct answer is B. ESP. In IPsec, the security protocol responsible for encrypting protected traffic is Encapsulating Security Payload (ESP). Juniper defines ESP as the IPsec protocol used for encrypting the IP packet and authenticating its contents. In practical SRX VPN design, ESP is the normal protocol selected when confidentiality is required because it can provide encryption, packet integrity, authentication, and anti-replay protection depending on the configured IPsec proposal.

Option A, SHA-1, is incorrect because SHA-1 is an authentication/hash algorithm, not an IPsec security protocol and not a payload encryption mechanism. Option C, AH, is incorrect because Authentication Header validates packet source and integrity but does not encrypt payload data. AH is therefore unsuitable when the requirement explicitly says payload data must be encrypted. Option D, PFS, is incorrect because Perfect Forward Secrecy is a key-exchange property used during Phase 2 rekeying; it strengthens key independence but does not itself encrypt packets. In Junos IPsec configuration logic, the security protocol decision is between ESP and AH, and encryption requires ESP. Reference topics: IPsec VPN, ESP, AH, IPsec security protocols, payload confidentiality, IPsec proposal design.

The correct answer is D. drop packet. In IDP terminology, a silent discard means the offending packet is discarded without sending reset packets or other connection-closing signals back to the endpoints. Juniper defines the Drop Packet IDP action as dropping a matching packet before it reaches its destination while not closing the connection. That is the closest and correct IDP action for “silent discard” in the listed choices.

Option A, no action, is wrong because it does not discard anything; Juniper describes No Action as taking no enforcement action, typically used when the administrator only wants logging. Option B, close client and server, is wrong because that action actively closes the session by sending TCP RST packets to both sides, which is explicitly not silent. Option C, ignore connection, is wrong because it stops further IDP scanning for the rest of the connection; it does not discard the packet. Juniper distinguishes these actions clearly: drop packet discards the offending packet, drop connection blocks the whole connection, and close actions send reset packets. Reference topics: IDP actions, drop packet, close client and server, ignore connection, silent discard behavior.

The correct answers are A and C. To log denied traffic on an SRX Series Firewall, the security policy must deny the traffic and must generate a log at session initiation. Juniper’s security policy monitoring documentation states that to view logs from denied connections, you enable logging on session-init. Juniper’s traffic-logging guidance also states that for a security policy with a deny action, traffic logs must be generated when a session starts.

Option C is required because the policy action must be deny; otherwise the traffic is not denied by that policy. Option A is required because denied traffic does not complete a normal permitted session lifecycle, so session-init is the correct logging stage for denied connection attempts. Option B, session-close, is used to log permitted sessions after teardown or conclusion; it is not the required parameter for denied traffic. Option D, count, increments policy counters but does not create traffic logs. The correct configuration concept is: match the unwanted traffic, apply then deny, and enable then log session-init. Reference topics: SRX security policies, deny action, session-init logging, traffic log generation, policy counters.

The correct answers are B and C. IDP false positives occur when legitimate traffic matches an attack signature or attack object incorrectly. One valid way to reduce false positives is to remove the problematic attack object from the IDP rule, especially when that object is not relevant to the protected application, server role, or traffic direction. Juniper defines attack objects as the items specified in IDP rules to identify malicious activity, so removing an irrelevant or noisy attack object directly reduces unwanted matches.

Option C is also correct because Juniper specifically recommends using an exempt rulebase when an IDP rule uses an attack object group containing attack objects that produce false positives or irrelevant log records. Exempt rules can exclude a specific source, destination, or source/destination pair from matching an IDP rule, preventing unnecessary alarms.

Option A is wrong because changing the action to a lower severity response does not reduce the false positive; it only changes what happens after the false match occurs. Option D is wrong because a terminal rule at the end of the rule base does not prevent earlier false-positive matches. Reference topics: IDP, attack objects, exempt rulebase, false-positive tuning, IDP rule matching.

The correct answer is B. count. In Junos security policy configuration, count is the policy parameter used for accounting and tabular operational visibility. Juniper’s security policy configuration rules state that accounting and auditing elements can be specified with count and log, while logging itself is enabled at either session-init or session-close.

The operational result is visible through commands such as show security policies hit-count, which displays a table of policy hit counters, including fields such as index, from-zone, to-zone, policy name, policy count, and action. Juniper defines this command as displaying the number of times a security policy rule matches traffic, and the sample output is explicitly tabular. Option A, permit, is an action, not a counter or logging/accounting parameter. Option C, session-init, logs at the beginning of a session, and option D, session-close, logs at session teardown. Those two parameters generate logs, but they do not provide the tabular policy-count view being asked about. Reference topics: security policy accounting, count parameter, hit-count, operational-mode policy monitoring, session-init/session-close logging.

The correct answer is A. the action taken is defined in the IDP policy that includes this attack object. The exhibit defines a custom attack object named BGP-DEFEND under the security idp custom-attack hierarchy. The custom object includes metadata such as recommended-action drop, severity critical, and signature match conditions such as BGP update AS-path context and pattern 65501. However, an attack object by itself does not determine the final enforcement behavior. The attack object defines what to match; the IDP policy rule that references the object defines what action to take when that match occurs. Juniper describes attack objects as objects used inside IDP rules to identify malicious activity, while IDP rules include rule actions such as drop-packet, drop-connection, close-client, close-server, recommended, and others.

Option B is wrong because the firewall security policy enables IDP inspection by applying an IDP policy, but the IDP action is not selected directly by the normal security policy. Options C and D are too absolute. Even though the custom object shows recommended-action drop, that is only used if the IDP rule action invokes recommended behavior. Without seeing the IDP policy rule action, you cannot conclude reject or drop. Reference topics: IDP custom attack objects, IDP policy rule actions, recommended action, signature-based attack matching.

The correct answer is D. You have too many domain controllers. The exhibit shows 15 Active Directory domain controllers. Juniper’s integrated Active Directory identity-source configuration for SRX identity-aware firewall supports a limited number of domain controllers; Juniper documentation states that an SRX Series device can configure a maximum of 10 domain controllers for Active Directory identity-source integration. Because this environment has 15 domain controllers, the direct Active Directory identity-source method exceeds the supported scale and JIMS must be used instead.

Option A is wrong because SRX devices can use Active Directory directly as an identity source; JIMS is not the only possible method. Option B is wrong because 1,500 users does not exceed the relevant identity-source scale shown here; Juniper documentation also notes probe functionality support well above this number. Option C is wrong because the issue being tested is not the Windows Server version. JIMS is designed for larger identity-aware deployments and can centralize identity collection from Active Directory, domain controllers, Exchange servers, and syslog sources, then provide identity mappings to SRX firewalls. Juniper’s JIMS datasheet shows much higher scale, including up to 100 active directories, 25 domains, and 500,000 user entries. Reference topics: Identity-Aware Security Policies, Active Directory identity source limits, JIMS scalability, domain controller scale limitations.

The correct answers are A and D. Juniper provides predefined IDP policy templates to simplify IDP deployment. These templates are supplied by Juniper Networks and include common templates such as client protection, server protection, DMZ services, DNS server, file server, web server, IDP default, and recommended policies. Juniper’s IDP documentation states that predefined templates are available from a secured Juniper Networks website, and the listed templates are explicitly described as being provided by Juniper Networks.

Option D is correct because these templates are not automatically present as usable policies in a factory-default SRX configuration. Juniper’s procedure says that to use predefined IDP policy templates, you download the policy templates and then install them. The CLI process includes request security idp security-package download policy-templates followed by request security idp security-package install policy-templates; committing then makes them available under the IDP policy hierarchy.

Option B is wrong because Juniper specifically says you should customize these templates for your network and recommends using a copied template so you can safely make changes. Option C is wrong because they must be downloaded and installed, so they are not simply available in the factory-default configuration. Reference topics: IDP, predefined IDP policy templates, security-package download, security-package install, active IDP policy.

The correct answer is A. The same cluster ID was used on both clusters. In an SRX chassis cluster, a redundant Ethernet interface, or reth, uses a cluster-derived virtual MAC address. When two separate chassis clusters are placed in the same Layer 2 domain and use the same cluster ID, their corresponding reth interfaces can generate the same virtual MAC address. That is exactly why the network team sees the same MAC address for reth0 from both clusters on VLAN 1042. Juniper community guidance states bluntly that the reth interface MAC address is derived from the cluster ID and that two clusters using the same ID produce identical MAC addresses.

Option B is wrong because split-brain would describe both nodes inside the same cluster thinking they are primary, not two separate chassis clusters producing the same reth MAC address. Option C is wrong because multiple SRX clusters can exist on the same VLAN if their cluster IDs are unique. Option D is wrong because LACP synchronization affects bundled link operation, not the generation of the reth virtual MAC address. The correction is to assign unique cluster IDs to clusters sharing the same Layer 2 segment. Reference topics: HA Clustering, chassis cluster ID, reth virtual MAC address, duplicate MAC prevention, Layer 2 cluster design.

The correct answers are A, B, and D. In Security Director, the Shared Objects workspace is used for reusable objects that can be referenced by policies across managed devices. Juniper documentation shows that address objects are created from Configure > Shared Objects > Addresses, and those address objects can be used across devices in firewall, NAT, IPS, and VPN services. This supports option B, because IP address/address objects are classic shared objects.

Option A is correct because Geo IP policies are created from Configure > Shared Objects > Geo IP. Juniper’s procedure explicitly places Geo IP under the Shared Objects path. Option D is also correct because policy enforcement groups are created from Configure > Shared Objects > Policy Enforcement Groups and are used to group endpoints such as IP addresses, subnets, or locations for policy-enforcement workflows.

Option C is wrong because audit logs are monitoring records, not reusable shared objects; Juniper places them under Monitor > Audit Logs, where they track login history and user-initiated tasks. Option E is wrong because policy rules are created and managed inside firewall, NAT, IPS, or threat policies, not as independent Shared Objects. Reference topics: Security Director, Shared Objects, address objects, Geo IP, policy enforcement groups.

The correct answer is C. fxp0 or fxp1 on either device has an existing configuration. The exhibit shows each node reporting itself in hold state and the peer as lost under redundancy group 0. Juniper’s chassis cluster troubleshooting documentation shows this same hold/lost symptom and states that when a node is in hold, it is not ready to operate in a chassis cluster. For branch SRX devices, when cluster mode is enabled, specific physical interfaces are automatically converted into fxp0 for out-of-band management and fxp1 for the HA control link. These interfaces cannot retain normal transit or standalone interface configuration. If the ports that become fxp0 or fxp1 already have configuration, the cluster can enter the hold/lost condition shown in the exhibit.

Option A is wrong because the output does not indicate a Junos version mismatch. Option B is wrong because hardware mismatch is not the symptom being shown. Option D is too specific: a factory-default configuration can cause this problem because it may include configuration on interfaces that become fxp0/fxp1, but the exhibit does not prove specifically that node1 alone is running factory-default configuration. The tested issue is the existing configuration on the interfaces reserved for chassis-cluster management/control. Reference topics: HA Clustering, chassis cluster hold/lost state, fxp0, fxp1, branch SRX cluster initialization.

The correct answer is B. The node with the highest priority will become a primary node. In an SRX chassis cluster, redundancy groups determine which node is primary and which node is secondary. Juniper states that when priorities are assigned to nodes in a redundancy group, the node with the higher configured priority is initially designated as the primary, while the other node becomes secondary. This is the direct mechanism an administrator uses to influence primary-node selection for a redundancy group.

Option A is wrong because the burnt-in address is not the administrative method used to designate the primary node. BIA can be part of deterministic hardware identity behavior, but primary election is controlled through redundancy-group priority, preemption behavior, and failover state. Option C is the opposite of Juniper behavior; the lower-priority node does not win the election. Option D is also wrong because a priority of one is still a valid low priority. The ineligible value is 0, and Juniper specifically warns about failover behavior involving nodes with priority 0 because such nodes are not ready to accept traffic.

Reference topics: HA Clustering, redundancy groups, node priority, primary/secondary election, preemption, chassis cluster failover.

The correct answers are B and D. A terminal rule is specifically designed to stop further rule evaluation. Juniper states that the IDP rule-matching algorithm normally checks traffic against all matching rules in the rulebase, but when a terminal rule matches the source, destination, zones, and application, IDP does not continue to check subsequent rules for that same traffic. Juniper also warns that traffic matching a terminal rule is not compared to later rules even if it does not match the attack object inside that terminal rule.

Option D is also correct because the Ignore Connection action stops scanning traffic for the rest of the connection if an attack match is found. Juniper defines Ignore Connection as disabling the rulebase for that specific connection after a match. Option A is wrong because a close action closes the connection by sending reset behavior, but it is not the rule-processing control mechanism being tested. Option C is a trap: the exempt rulebase is used to suppress known false positives after an IPS rule match, but the two direct mechanisms that end IDP rule processing are terminal rule matching and ignore connection. Reference topics: IDP rulebases, terminal rules, Ignore Connection action, rule-matching algorithm, false-positive exemption.

The correct answers are B, D, and E. Security Director device onboarding depends on management reachability and valid administrative access. Juniper’s device discovery documentation states that Junos Space discovers network devices using SSH, with optional ping and SNMP, and connects to the physical device to retrieve running configuration and status information. It also explains that device authentication uses administrator login credentials, SSH credentials, SNMP settings, or keys depending on the discovery method.

Option E is required because Security Director must target a reachable management IP address or hostname. Juniper’s discovery-profile workflow explicitly uses the target IP address, hostname, IP range, or subnet to locate devices. Option D is required because invalid username/password or insufficient privileges prevent discovery and management; Juniper’s device-management guidance identifies credentials as required input for discovering devices. Option B is required because onboarding uses SSH, so the correct SSH service and port must be reachable. Juniper’s device access procedure explicitly includes a Port field for the SSH connection.

Option A is wrong because chassis serial number is not the normal troubleshooting field for Security Director discovery. Option C is wrong because active security policies do not determine whether Security Director can initially discover and onboard the device. Reference topics: Security Director, device discovery, SSH access, management IP reachability, authentication credentials.

The correct answers are C and D. The exhibit shows ESP encrypted bytes = 0, ESP decrypted bytes = 0, encrypted packets = 0, and decrypted packets = 0. That means no traffic is successfully passing through the IPsec tunnel. Juniper’s show security ipsec statistics command displays ESP encrypted/decrypted packet and byte counters, so zero values on these counters indicate that the tunnel is not successfully carrying protected ESP traffic.

Option C is also correct because the output shows ESP authentication failures and ESP decryption failures. Since ESP is the IPsec protocol responsible for encrypted payload handling, failures in ESP authentication/decryption point to an ESP/IPsec Phase 2 mismatch or incorrect configuration, such as mismatched authentication algorithm, encryption algorithm, keys, proposal parameters, or incompatible negotiated SA settings. Juniper’s IPsec overview explains that Phase 2 negotiates the IPsec SA used to authenticate traffic flowing through the tunnel, so ESP-related failures belong to the IPsec/ESP configuration path rather than AH.

Option A is wrong because the AH counters and AH authentication failures are zero; the evidence is not pointing to AH. Option B is unsupported because the output does not show peer reboot behavior. Reference topics: IPsec VPN, ESP statistics, Phase 2/IPsec SA negotiation, ESP authentication failures, ESP decryption failures.

The correct answers are B and C. To form an SRX chassis cluster, both devices must be assigned the same cluster ID and different node IDs. Juniper states that the cluster ID identifies the cluster, while the node ID identifies the individual node within that cluster. A valid two-node SRX chassis cluster uses node 0 on one chassis and node 1 on the other chassis. Juniper’s example shows the operational-mode commands as set chassis cluster cluster-id 1 node 0 reboot on the first device and set chassis cluster cluster-id 1 node 1 reboot on the second device.

Option A is wrong because cluster-id 0 disables clustering rather than forming a cluster. It also shows configuration-mode prompt #, while this chassis cluster node assignment is performed from operational mode. Option D is doubly wrong: cluster-id 0 disables clustering, and node 2 is invalid because SRX chassis cluster node IDs are limited to 0 and 1. The exam options omit the reboot keyword, but the only logically valid pair is still SRX1 as node 0 and SRX2 as node 1 under the same nonzero cluster ID. Reference topics: HA Clustering, chassis cluster ID, node ID, operational-mode cluster enablement.