JN0-636 Security, Professional (JNCIP-SEC) Questions and Answers

When enrolling your devices, you only need to enroll one node: The Juniper ATP Cloud automatically recognizes the HA configuration and applies the same license and configuration to both nodes of the cluster.

You must use the same license key on both cluster nodes: The HA cluster needs to share the same license key in order to be recognized as a single device by the Juniper ATP Cloud.

You must set up your HA cluster before enrolling your devices with Juniper ATP Cloud. And it is not necessary to use different license keys on both cluster nodes because the HA cluster shares the same license key.

The two statements that are correct in this scenario are:

When enrolling your devices, you only need to enroll one node. This is because the Juniper ATP Cloud service supports chassis cluster mode for SRX Series devices. When you enroll a chassis cluster, you only need to enroll the primary node of the cluster. The secondary node will be automatically enrolled and synchronized with the primary node. You do not need to enroll the secondary node separately or perform any additional configuration on it.

You must use the same license key on both cluster nodes. This is because the Juniper ATP Cloud service requires a license key to activate the service on the SRX Series devices. The license key is tied to the serial number of the device. When you enroll a chassis cluster, you must use the same license key on both nodes of the cluster. The license key must match the serial number of the primary node of the cluster. You cannot use different license keys on the cluster nodes.

References : Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-atp-cloud-enrolling-srx-series.html https://www.juniper.net/documentation/en_US/junos/topics/concept/security-atp-cloud-licensing-overview.html

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-auto-discovery-vpns.html

According to the Juniper documentation, Juniper ATP Cloud supports the following modes:

Layer 3 mode: In this mode, the SRX Series device acts as a Layer 3 gateway and routes traffic between different subnets. The SRX Series device performs NAT and security policy enforcement on the traffic and sends a copy of the traffic to Juniper ATP Cloud for analysis.  This mode is suitable for networks that have multiple subnets and require NAT and firewall functions 1

Transparent mode: In this mode, the SRX Series device acts as a Layer 2 bridge and forwards traffic between the same subnet. The SRX Series device does not perform NAT or security policy enforcement on the traffic, but sends a copy of the traffic to Juniper ATP Cloud for analysis.  This mode is suitable for networks that have a single subnet and do not require NAT or firewall functions 1

The other two modes, global mode and private mode, are not supported by Juniper ATP Cloud. Global mode is a configuration option for Juniper ATP Appliance, which is an on-premises solution that provides threat detection and prevention.  Private mode is a configuration option for Juniper ATP Private Cloud, which is a cloud-based solution that provides threat detection and prevention within a private network 2 3

References :

1 :  Juniper Advanced Threat Prevention Cloud | ATP Cloud | Juniper Networks   2 :  Juniper Advanced Threat Prevention Appliance | ATP Appliance | Juniper Networks   3 : [Juniper Advanced Threat Prevention Private Cloud | ATP Private Cloud | Juniper Networks]

According to the security flow trace shown in the exhibit, which is a snippet of a packet capture on an SRX Series device, the two statements that are correct are:

This packet arrived on interface ge-0/0/4.0.  This is indicated by the line  In: 10.0.1.129/22 - > 10.0.1.129/3382;1,0x0 , which shows that the ingress interface of the packet is ge-0/0/4.0, as the interface name is prefixed to the source and destination IP addresses and ports of the packet 1 .

An existing session is found in the table.  This is indicated by the line  Found: session id 0x12. sess tok 28685 , which shows that the packet matches an existing session in the session table with the session ID 0x12 and the session token 28685 2 .

The following statements are incorrect or not supported by the output:

Destination NAT occurs. This is not supported by the output, as there is no indication of destination NAT being applied to the packet. The destination IP address of the packet is 10.0.1.129, which is the same as the destination IP address of the original packet. If destination NAT was applied, the destination IP address of the packet would be different from the destination IP address of the original packet.

The capture is a packet from the source address 172.20.101.10 destined to 10.0.1.129. This is false, as the output shows that the source address of the packet is 10.0.1.129, not 172.20.101.10. The source IP address of the packet is prefixed to the ingress interface name ge-0/0/4.0.

References:   1 :  Understanding Security Flow Trace   2 :  show security flow session - Technical Documentation - Support - Juniper Networks

The exhibit shows a security policy configuration with a threshold of 1000 policy violations by a source network identifier and a threshold of 10 policy violations to an application within a specified period. If either of these thresholds are exceeded, an alarm will be generated. Therefore, the correct answer is A and D. The other options are incorrect because:

B. The ratio of policy violation traffic compared to accepted traffic is not a criterion for triggering an alarm. The security policy configuration does not specify any ratio or percentage of policy violation traffic that would cause an alarm.

C. The number of policy violation by a destination TCP port is also not a criterion for triggering an alarm. The security policy configuration does not specify any threshold or duration for policy violation by a destination TCP port.

References:

policy (Security Alarms)

Monitoring Security Policy Violations

The solution to this problem is to enable address persistence. This will ensure that the same external IP address is used for multiple sessions between an internal host and an external host. This will result in only one authentication being required, as the same external IP address will be used for all sessions.

The command that will allow traffic to bypass the SRX Series device flow daemon based on the source address is set firewall family inet filter bypass_flowd term t1 then packet-mode. This command configures a stateless firewall filter named bypass_flowd that has one term t1. The term t1 can match the traffic based on the source address or any other criteria. The term t1 then applies the action packet-mode, which means that the traffic will be forwarded using packet-based processing and will not be sent to the flow daemon for stateful inspection. This feature is known as selective stateless packet-based forwarding and it allows you to use both flow-based and packet-based forwarding on the same device for different types of traffic. You can apply the firewall filter to the input or output direction of an interface to enable selective stateless packet-based forwarding for the traffic passing through that interface.  References : Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-option-filter-based-forwarding-overview.html https://www.juniper.net/documentation/en_US/junos/topics/example/filter-based-forwarding-example.html

This is the port used for encrypted communication between the SRX series device and the Juniper ATP Appliance

In order to enroll an SRX Series device with Juniper ATP Appliance, the firewall device must have port 443 open. Port 443 is the default port used for HTTPS traffic, the communication between the SRX Series device and the ATP Appliance needs to be encrypted, that ' s why this port should be opened.

The three profiles that are configurable in a threat prevention policy are infected host profile, C & C profile, and malware profile. A threat prevention policy is a feature of Juniper ATP Cloud that provides protection and monitoring for selected threat profiles, including command and control servers, infected hosts, and malware. Using feeds from Juniper ATP Cloud and optional custom feeds that you configure, ingress and egress traffic is monitored for suspicious content and behavior. Based on a threat score, detected threats are evaluated and action may be taken once a verdict is reached. You can create a threat prevention policy by selecting one or more of the following profiles:

Infected host profile: This profile detects and blocks traffic from hosts that are infected with malware or compromised by attackers. You can configure the threat score thresholds and the actions for different levels of severity. You can also enable Geo IP filtering to block traffic from or to specific countries or regions.

C & C profile: This profile detects and blocks traffic to or from command and control servers that are used by attackers to control malware or botnets. You can configure the threat score thresholds and the actions for different levels of severity. You can also enable Geo IP filtering to block traffic from or to specific countries or regions.

Malware profile: This profile detects and blocks traffic that contains malware or malicious content. You can configure the threat score thresholds and the actions for different levels of severity. You can also enable protocol-specific settings for HTTP and SMTP traffic, such as file type filtering, file size filtering, and file name filtering.

The other two profiles, device profile and SSL proxy profile, are not configurable in a threat prevention policy. A device profile is a feature of Policy Enforcer that defines the device type, the device group, and the device settings for the SRX Series devices that are enrolled with Juniper ATP Cloud. An SSL proxy profile is a feature of SRX Series devices that enables SSL proxy to decrypt and inspect SSL/TLS traffic for threats and policy violations.

References : Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos-space23.1/policy-enforcer/topics/concept/threat-management-policy-overview.html https://www.juniper.net/documentation/en_US/junos-space23.1/policy-enforcer/topics/task/configuration/junos-space-policy-enforcer-threat-management-policy-configure.html https://www.juniper.net/documentation/en_US/junos/topics/concept/security-policy-enforcer-device-profile-overview.html https://www.juniper.net/documentation/en_US/junos/topics/concept/security-ssl-proxy-overview.html

You must set up a DDoS solution for your ISP. The solution must be agile and not block legitimate traffic. The two products that will accomplish this task are:

B. MX Series device. MX Series devices are high-performance routers that can provide DDoS protection at the network edge by integrating with Corero SmartWall Threat Defense Director (TDD) software. MX Series devices can leverage the packet processing capabilities of the MX-SPC3 Services Card to perform real-time DDoS detection and mitigation at line rate, scaling from 50 Gbps to 40 Tbps. MX Series devices can also use Juniper Networks Security Intelligence (SecIntel) to receive threat intelligence feeds from Juniper ATP Cloud or Juniper Threat Labs and apply them to the security policies.  MX Series devices can provide an agile and effective DDoS solution for your ISP without blocking legitimate traffic 1 2 .

C. Corero SmartWall TDD. Corero SmartWall TDD is a software solution that runs on MX Series devices and PTX Series devices to provide DDoS protection at the network edge. Corero SmartWall TDD uses behavioral analytics and detailed network visibility to detect and block DDoS attacks in seconds, without affecting the normal traffic. Corero SmartWall TDD can also provide advanced protection from “carpet bombing” attacks, 5G DDoS visibility, and multi-tenant portal for as-a-service offerings or views by department within an enterprise.  Corero SmartWall TDD can provide an agile and effective DDoS solution for your ISP without blocking legitimate traffic 3 4 .

The other options are incorrect because:

A. Contrail Insights. Contrail Insights is a software solution that provides network analytics and visibility for cloud and data center environments. Contrail Insights can help you monitor, troubleshoot, and optimize the performance and security of your network, but it does not provide DDoS protection by itself.  Contrail Insights can integrate with other Juniper products, such as Contrail Enterprise Multicloud, Contrail Service Orchestration, and AppFormix, to provide a comprehensive network management solution, but it is not a DDoS solution for your ISP 5 .

D. SRX Series device. SRX Series devices are high-performance firewalls that can provide DDoS protection at the network perimeter by integrating with Juniper ATP Cloud and Juniper Threat Labs. SRX Series devices can use SecIntel to receive threat intelligence feeds from Juniper ATP Cloud or Juniper Threat Labs and apply them to the security policies. SRX Series devices can also use IDP to detect and prevent application-level attacks, such as SQL injection, cross-site scripting, and buffer overflow. SRX Series devices can provide a robust and effective DDoS solution for your network, but they are not designed to handle high-volume DDoS attacks at the network edge, as MX Series devices and Corero SmartWall TDD are .

References:

Juniper and Corero Joint DDoS Protection Solution

MX-SPC3 Services Card Overview

Corero SmartWall Threat Defense Director (TDD)

Juniper Networks and Corero: A Modern Approach to DDoS Protection at Scale

Contrail Insights Overview

[SRX Series Services Gateways]

[Juniper Networks Security Intelligence (SecIntel)]

To enable inter-tenant communication with tenant system, you need to use an external router or a logical tunnel interface. The other options are incorrect because:

A. Interconnecting EVPN switch is not a valid solution for inter-tenant communication with tenant system. EVPN (Ethernet VPN) is a technology that provides layer 2 connectivity over an IP network. It can be used to connect different logical systems on the same device, but not tenant systems.  Tenant systems are isolated from each other and do not share the same layer 2 domain 1 .

B. Interconnecting VPLS switch is also not a valid solution for inter-tenant communication with tenant system. VPLS (Virtual Private LAN Service) is another technology that provides layer 2 connectivity over an IP network. It can also be used to connect different logical systems on the same device, but not tenant systems.  Tenant systems are isolated from each other and do not share the same layer 2 domain 1 .

Therefore, the correct answer is C and D. You need to use an external router or a logical tunnel interface to enable inter-tenant communication with tenant system. To do so, you need to perform the following steps:

For external router, you need to connect the external router to the interfaces of the tenant systems that you want to communicate with. You also need to configure the routing protocols and policies on the external router and the tenant systems to exchange routes and traffic.  The external router acts as a gateway between the tenant systems and provides layer 3 connectivity 2 .

For logical tunnel interface, you need to create a logical tunnel interface on the device and assign it to a tenant system. You also need to configure the IP address and routing protocols on the logical tunnel interface and the tenant systems that you want to communicate with.  The logical tunnel interface acts as a virtual link between the tenant systems and provides layer 3 connectivity 3 .

References:

Tenant Systems Overview

Example: Configuring Inter-Tenant Communication Using External Router

Example: Configuring Inter-Tenant Communication Using Logical Tunnel Interface

An IKE security association (SA) is a set of parameters that define how the Internet Key Exchange (IKE) protocol will authenticate and establish the secure channel between the IPsec VPN peers. When you configure an IPsec VPN, one IKE SA is created between the peers, regardless of how many CoS forwarding classes are used to separate the traffic. The SA will be used to negotiate the IPsec SA parameters, such as encryption algorithms and keys.

In this scenario, only 1 IKE security association is required between the IPsec peers, no matter how many CoS forwarding classes are used to separate the voice and data traffic.

According to the output of the command  show configuration services security-intelligence url , the SRX Series device is directly enrolled with Juniper ATP Cloud.  This is indicated by the URL  https://cloudfeeds.argon.junipersecurity.net/api/manifest.xml , which is the default URL for Juniper ATP Cloud 1 .  This means that the device is not enrolled with Policy Enforcer, which would use a different URL that includes the IP address of the Policy Enforcer server 2 . Therefore, the problem in this scenario is that the device is directly enrolled with Juniper ATP Cloud, which prevents it from being enrolled with Policy Enforcer.

To enroll the device with Policy Enforcer, the user needs to disenroll the device from Juniper ATP Cloud first. This can be done by using the following command:

delete services security-intelligence url

This command will remove the Juniper ATP Cloud URL from the device configuration and stop the device from receiving threat feeds from Juniper ATP Cloud 1 .  After that, the user can enroll the device with Policy Enforcer by using the Security Director GUI or the SLAX script 2 .

References:   1 :  Configuring Juniper ATP Cloud on SRX Series Devices   2 :  Enrolling SRX Series Devices with Policy Enforcer

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-user-auth-configure-jims.html

Referring to the exhibit, your company’s infrastructure team implemented new printers. To make sure that the policy enforcer pushes the updated IP address list to the SRX, you need to perform the following actions:

A. Configure the server feed URL as http://172.25.10.254/myprinters. The server feed URL is the address of the remote server that provides the custom feed data. You need to configure the server feed URL to match the location of the file that contains the IP addresses of the new printers.  In this case, the file name is myprinters and the server IP address is 172.25.10.254, so the server feed URL should be http://172.25.10.254/myprinters 1 .

B. Create a security policy that uses the dynamic address feed to allow access. A security policy is a rule that defines the action to be taken for the traffic that matches the specified criteria, such as source and destination addresses, zones, protocols, ports, and applications. You need to create a security policy that uses the dynamic address feed as the source or destination address to allow access to the new printers. A dynamic address feed is a custom feed that contains a group of IP addresses that can be entered manually or imported from external sources.  The dynamic address feed can be used in security policies to either deny or allow traffic based on either source or destination IP criteria 2 .

C. Configure Security Director to create a dynamic address feed. Security Director is a Junos Space application that enables you to create and manage security policies and objects. You need to configure Security Director to create a dynamic address feed that contains the IP addresses of the new printers. You can create a dynamic address feed by using the local file or the remote file server option.  In this case, you should use the remote file server option and specify the server feed URL as http://172.25.10.254/myprinters 3 .

The other options are incorrect because:

D. Configuring Security Director to create a C & C feed is not required to complete the requirement. A C & C feed is a security intelligence feed that contains the IP addresses of servers that are used by malware or attackers to communicate with infected hosts. The C & C feed is not related to the new printers or the dynamic address feed.

E. Configuring the server feed URL as https://172.25.10.254/myprinters is not required to complete the requirement. The server feed URL can use either the HTTP or the HTTPS protocol, depending on the configuration of the remote server.  In this case, the exhibit shows that the remote server is using the HTTP protocol, so the server feed URL should use the same protocol 1 .

References:

Configuring the Server Feed URL

Dynamic Address Overview

Creating Custom Feeds

[Command and Control Feed Overview]

Referring to the exhibit, the following statements are correct:

B. All of the entries are command and control entries. Command and control entries are dynamic addresses that represent the IP addresses of servers that are used by malware to communicate with infected hosts. The SRX Series device can block or log the traffic to or from these IP addresses based on the security policies.  The exhibit shows that all of the entries have the category DC/1, which stands for command and control 1 .

C. All of the entries are Dshield entries. Dshield is a feed source that provides a list of IP addresses that are associated with malicious activities, such as scanning, spamming, or attacking. The SRX Series device can download the Dshield feed and use it to populate the dynamic address entries.  The exhibit shows that all of the entries have the feed dshield, which indicates that they are from the Dshield feed source 2 .

The other statements are incorrect because:

A. All of the entries are not a threat level 8, but a threat level 10. The threat level is a numeric value that indicates the severity of the threat associated with a dynamic address entry. The higher the threat level, the more dangerous the threat. The SRX Series device can use the threat level to prioritize the actions for the dynamic address entries. The exhibit shows that all of the entries have the cc CN, which stands for country code China. According to the Juniper documentation, the country code China has a threat level of 10, which is the highest.

D. All of the entries are not a threat level 10, but they are. See the explanation for option A.

References:

Understanding Dynamic Address Categories

Understanding Dynamic Address Feed Sources

[Understanding Dynamic Address Threat Levels]

According to the output shown in the exhibit, which is a security flow session on an SRX Series device, the correct statement is that the local gateway address for the IPsec tunnel is 10.20.20.2. This is indicated by the line  In: 10.20.20.2/2060 - > 10.20.20.1/3382 , which shows that the source IP address of the incoming packet is 10.20.20.2, which is the local gateway address of the IPsec tunnel. The destination IP address of the incoming packet is 10.20.20.1, which is the remote gateway address of the IPsec tunnel.

The following statements are incorrect or not supported by the output:

The remote gateway address for the IPsec tunnel is 10.20.20.2. This is false, as explained above. The remote gateway address for the IPsec tunnel is 10.20.20.1, not 10.20.20.2.

The session information indicates that the IPsec tunnel has not been established.  This is false, as the output shows that there are two active sessions with the communication tag  IPSec VPN: vpn1 , which indicates that the IPsec tunnel has been established and is named vpn1 1 .

NAT is being used to change the source address of outgoing packets. This is not supported by the output, as there is no indication of NAT being applied to the outgoing packets. The source IP address of the outgoing packet is 192.168.1.1, which is the same as the source IP address of the original packet. If NAT was being used, the source IP address of the outgoing packet would be different from the source IP address of the original packet.

References:   1 :  show security flow session - Technical Documentation - Support - Juniper Networks

Your company wants to take your Juniper ATP Appliance into private mode. You must give them a list of impacted features for this request. The two features that are impacted in this scenario are:

A. False Positive Reporting. False Positive Reporting is a feature that allows you to report false positive detections to Juniper Networks for analysis and improvement. False Positive Reporting requires an Internet connection to send the reports to Juniper Networks.  If you take your Juniper ATP Appliance into private mode, False Positive Reporting will be disabled and you will not be able to report false positives 1 .

C. GSS Telemetry. GSS Telemetry is a feature that allows you to send anonymized threat data to Juniper Networks for analysis and improvement. GSS Telemetry requires an Internet connection to send the data to Juniper Networks.  If you take your Juniper ATP Appliance into private mode, GSS Telemetry will be disabled and you will not be able to contribute to the threat intelligence community 2 .

The other options are incorrect because:

B. Threat Progression Monitoring. Threat Progression Monitoring is a feature that allows you to monitor the threat activity and progression across your network. Threat Progression Monitoring does not require an Internet connection and can be performed locally by the Juniper ATP Appliance.  If you take your Juniper ATP Appliance into private mode, Threat Progression Monitoring will not be impacted and you will still be able to monitor the threat activity and progression 3 .

D. Cyber Kill Chain mapping. Cyber Kill Chain mapping is a feature that allows you to map the threat activity and progression to the stages of the Cyber Kill Chain framework. Cyber Kill Chain mapping does not require an Internet connection and can be performed locally by the Juniper ATP Appliance.  If you take your Juniper ATP Appliance into private mode, Cyber Kill Chain mapping will not be impacted and you will still be able to map the threat activity and progression 4 .

References:

False Positive Reporting

GSS Telemetry

Threat Progression Monitoring

Cyber Kill Chain Mapping

To create a secure fabric in your company’s network, you need to know the following facts:

A secure fabric is a collection of sites that contain network devices (switches, routers, firewalls, and other security devices) that are used in policy enforcement groups. A site is a grouping of network devices that contribute to threat prevention. When threat prevention policies are applied to policy enforcement groups, the system automatically discovers to which sites those groups belong.  This is how threat prevention is aggregated across your secure fabric 1 .

MX Series devices associated with tenants can belong to multiple sites. Tenants are logical partitions of the network that can have their own security policies and enforcement points.  Sites that are associated with tenants do not need switches as enforcement points, because MX Series devices can perform tenant-based policy enforcement 1 .

SRX Series devices can belong to only one site. SRX Series devices are firewalls that can act as perimeter enforcement points for the secure fabric. They can send potentially malicious objects and files to the Juniper ATP Cloud for analysis and receive threat intelligence from the Juniper ATP Cloud to block malicious traffic.  SRX Series devices cannot belong to multiple sites, because they do not support tenant-based policy enforcement 1 .

A switch must be assigned to the site to enforce an infected host policy within the network. An infected host policy is a policy that blocks or quarantines hosts that are identified as infected by the Juniper ATP Cloud. A switch can act as an internal enforcement point for the secure fabric by applying the infected host policy to the hosts that are connected to it.  A switch must be assigned to the site where the infected hosts are located, because SRX Series devices cannot enforce infected host policies 1 .

Switches and connectors cannot be added to the same site. Connectors are software agents that can be installed on Windows or Linux servers to enable them to act as enforcement points for the secure fabric. Connectors can apply infected host policies to the hosts that are connected to them. However, connectors cannot coexist with switches in the same site, because they use different methods of policy enforcement.  Switches use VLANs and ACLs, while connectors use IPtables and WFP 1 .

Therefore, the correct answer is B, D, and E. The other options are incorrect because:

A.  MX Series devices associated with tenants can belong to multiple sites, not only one site 1 .

C.  SRX Series devices can belong to only one site, not multiple sites 1 .

References:

Secure Fabric Overview

https://forums.juniper.net/t5/Ethernet-Switching/monitor-traffic- interface/td-p/462528

The purpose of the Switch Microservice of Policy Enforcer is to isolate infected hosts. The Switch Microservice is a component of Policy Enforcer that runs on EX Series and QFX Series switches. It communicates with Policy Enforcer and Juniper ATP Cloud to receive threat intelligence and quarantine commands. When an infected host is detected by Juniper ATP Cloud, Policy Enforcer sends a command to the Switch Microservice to isolate the host by applying an access control list (ACL) on the switch port where the host is connected. The ACL blocks all traffic from or to the host except for the traffic that is required for remediation. The Switch Microservice also tracks the MAC address of the infected host and updates Policy Enforcer if the host moves to a different switch port or a different switch. This way, the Switch Microservice ensures that the infected host is isolated until it is remediated and no longer poses a threat to the network.  References : Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/concept/security-policy-enforcer-switch-microservice-overview.html

The packet is silently discarded because the traceoptions output shows that the packet is dropped with the flag flow_spu_drop, which indicates that the packet is dropped by the SPU without sending any response to the sender. The traceoptions output also shows the reason for the drop as “no session found, start first path.  in_tunnel - 0, from_cp_flag - 0” which means that the packet does not match any existing session and is not part of a tunnel or a control plane traffic 1 .

The packet is part of a new session because the traceoptions output shows that the packet is the first packet of a TCP connection with the flag flow_tcp_syn, which indicates that the packet has the SYN flag set.  The traceoptions output also shows that the packet is processed in the first path packet flow with the message “no session found, start first path” which means that the packet is initiating a new session 1 .

References :

traceoptions (Security Flow) | Junos OS | Juniper Networks

[SRX] How to interpret Flow TraceOptions output for NAT troubleshooting

To find an infected host and where the attack came from using the Juniper ATP Cloud, you need to use the Hosts and Threat Sources monitor workspaces. The other options are incorrect because:

B. The File Scanning monitor workspace shows the files that have been scanned by the Juniper ATP Cloud and their verdicts (clean, malicious, or unknown).  It does not show the infected hosts or the attack sources 1 .

D. The Encrypted Traffic monitor workspace shows the encrypted traffic that has been decrypted by the Juniper ATP Cloud and the certificates that have been used.  It does not show the infected hosts or the attack sources 2 .

Therefore, the correct answer is A and C. You need to use the Hosts and Threat Sources monitor workspaces to find an infected host and where the attack came from using the Juniper ATP Cloud. To do so, you need to perform the following steps:

For Hosts, you need to access the Hosts monitor workspace in the Juniper ATP Cloud WebUI by selecting Monitor > Hosts. You can see the list of hosts that have been detected by the Juniper ATP Cloud and their risk scores, infection levels, and threat categories. You can filter the hosts by various criteria, such as IP address, hostname, domain, or threat category. You can also drill down into each host to see the details of the files, applications, and incidents associated with the host.  You can identify the infected host by looking for the host with the highest risk score, infection level, or threat category 3 .

For Threat Sources, you need to access the Threat Sources monitor workspace in the Juniper ATP Cloud WebUI by selecting Monitor > Threat Sources. You can see the list of threat sources that have been detected by the Juniper ATP Cloud and their risk scores, threat categories, and geolocations. You can filter the threat sources by various criteria, such as IP address, domain, or threat category. You can also drill down into each threat source to see the details of the files, applications, and incidents associated with the threat source. You can identify the attack source by looking for the threat source with the highest risk score, threat category, or geolocation that matches the infected host.

References:

File Scanning

Encrypted Traffic

Hosts

[Threat Sources]

According to the Juniper documentation, the steps to detect domain generation algorithms (DGA) on an SRX Series firewall are as follows:

Define a security-metadata-streaming policy under [edit services]. A security-metadata-streaming policy is a configuration that enables the SRX Series firewall to collect and stream security metadata, such as DNS queries and responses, to Juniper ATP Cloud for analysis.  Juniper ATP Cloud uses machine learning models and known pre-computed DGA domain names to provide domain verdicts, which helps in-line blocking and sinkholing of DNS queries on SRX Series firewalls 1 . You can define a security-metadata-streaming policy by using the following command:

set services security-metadata-streaming policy < policy-name >

Attach the security-metadata-streaming policy to a security zone. A security zone is a logical grouping of interfaces that have similar security requirements. You can attach the security-metadata-streaming policy to a security zone by using the following command:

set security zones security-zone < zone-name > services security-metadata-streaming policy < policy-name >

The following steps are not required or incorrect:

Define an advanced-anti-malware policy under [edit services]. An advanced-anti-malware policy is a configuration that enables the SRX Series firewall to scan files for malware using Juniper ATP Cloud.  It is not related to DGA detection 2 .

Attach the advanced-anti-malware policy to a security policy. A security policy is a configuration that defines the rules for permitting or denying traffic between security zones.  It is not related to DGA detection 3 .

References:   1 :  Configuring Security Metadata Streaming   2 :  Configuring Advanced Anti-Malware Policies   3 :  Configuring Security Policies

The result of adding the count action to a security policy can be seen in the show security policies detail command output. The count action is a feature that allows you to enable statistics collection for sessions that enter the device for a given policy, and for the number of packets and bytes that pass through the device in both directions for a given policy. The count action can help you to monitor the traffic that matches a security policy and to troubleshoot security policy issues. The show security policies detail command displays the detailed information about the security policies configured on the device, including the count statistics. The output shows the number of packets and bytes that have been processed by the policy in both directions, as well as the number of sessions that have been created by the policy. You can use this command to verify that the count action is working as expected and to see the traffic volume and session count for each policy.  References : Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-security-policies-detail.html https://www.juniper.net/documentation/en_US/junos/topics/concept/security-policy-count-overview.html

According to the trace options output in the exhibit, the following statements are correct:

This packet is part of an existing session.  This is indicated by the line  flow session id 0x00000000, hash 0x00000000, table 0x00000000, flow process exit , which shows that the packet matches an existing session entry in the flow table 1 .

The SRX device is changing the destination address on this packet from 10.0.1.1 to 172.20.101.10.  This is indicated by the line  nat: translated 10.0.1.1- > 172.20.101.10 , which shows that the packet undergoes destination NAT 2 .

The following statements are incorrect:

The SRX device is changing the source address on this packet.  There is no indication of source NAT in the trace options output 2 .

This is the first packet in the session.  The first packet in a session would have a different trace options output, which would include the line  flow_first_inline_processing  and show the creation of a new session entry in the flow table 1 .

References:   1 :  SRX Getting Started – Troubleshooting Traffic Flows and Session Establishment   2 :  SRX Getting Started - Configure NAT (Network Address Translation)