JN0-335 Questions and Answers

SRX Series device chassis clusters are created by physically connecting two identical cluster-supported SRX Series devices using a pair of the same type of Ethernet connections. The connection is made for both a control link and a fabric (data) link between the two devices. The chassis cluster data plane is connected with revenue ports, which are the ports that carry user traffic. The chassis cluster can contain a maximum of two devices, as only two nodes can form a cluster. The chassis cluster data plane is not connected with SPC ports, which are the ports that provide services processing. The chassis cluster cannot contain more than two devices, as this would violate the cluster design. References: Chassis Cluster Overview, Connecting SRX Series Firewalls to Create a Chassis Cluster

The cSRX is a containerized version of the SRX Series device that runs on Linux platforms. The cSRX has the following benefits for deploying in a virtual environment:

• The cSRX supports Layer 2 and Layer 3 deployments, which means it can operate as a transparent or a routed firewall. The cSRX can also support multiple routing instances and virtual routers2
• The cSRX supports firewall, NAT, IPS, and UTM services, which means it can provide comprehensive security features for protecting the virtual network. The cSRX can also support application identification, user firewall, and VPN services2

The cSRX default configuration does not contain three default zones: trust, untrust, and management. The cSRX default configuration contains only one zone: junos-host. The cSRX does not have low memory requirements. The cSRX requires at least 2 GB of memory and 2 CPU cores to run2 References:

• 1: Juniper Security Specialist (JNCIS-SEC) (JN0-334) | Study Guide 3
• 2: Junos OS Security Configuration Guide | cSRX Overview 4

The fab interface is the data link between the nodes of a chassis cluster and is used to forward traffic between the chassis and to synchronize the data plane software’s dynamic runtime state. Real-time objects (RTOs) are exchanged on the fab interface to maintain session synchronization for operations such as authentication, NAT, ALGs, and IPsec. In an active/active configuration, inter-chassis transit traffic is sent over the fab interface, as traffic arriving on a node that needs to be processed on the other or traffic processed on a node that needs to exit through an interface on the other is forwarded over the fabric. The fab interface does not enable configuration synchronization, as this is done by the control link. Heartbeat signals sent on the fab interface monitor the health of the data plane link, not the control plane link. References: Chassis Cluster Fabric Interfaces, HA Chassis cluster, difference between Swfab and Fab

Juniper Secure Analytics (JSA) is a security information and event management (SIEM) system that consolidates, analyzes, and manages surveillance data from network devices, endpoints, and applications. JSA uses two types of data collectors: Event Collector and Flow Collector1

The Event Collector collects and parses logs from various log sources, such as firewalls, routers, servers, and intrusion detection or prevention systems. The Event Collector normalizes the log data into a common format and sends it to the JSA console for further analysis and correlation. The Event Collector supports different protocols for log collection, such as syslog, SNMP, JDBC, and SDEE12

The Flow Collector collects and processes network traffic data from various flow sources, such as Flowlog files, NetFlow, J-Flow, sFlow, and Packeteer. The Flow Collector enriches the flow data with additional information, such as application identification, geolocation, and threat intelligence. The Flow Collector sends the flow data to the JSA console for further analysis and correlation. The Flow Collector can use statistical sampling to reduce the amount of flow data that is collected and processed, which can improve the performance and scalability of the system12

The Event Collector does not collect information using BGP FlowSpec, which is a protocol that allows the distribution of traffic flow specification rules among BGP peers. BGP FlowSpec is not a supported flow source for JSA3

The Flow Collector does not parse logs, which are textual records of network activity generated by log sources. The Flow Collector only handles flow data, which are binary records of network traffic generated by flow sources12

References: 1: Data Collection | JSA 7.5.0 | Juniper Networks 2: Data Collection - TechLibrary - Juniper Networks 3: Understanding BGP FlowSpec - TechLibrary - Juniper Networks

• Referring to the SRX Series flow module diagram shown in the exhibit, application security is processed at the Services ALGs stage. Application Layer Gateways (ALGs) are software components that enable the SRX Series device to provide application-level security for specific protocols and applications1.
• ALGs inspect the application layer payload of packets and perform various actions, such as modifying the payload, opening pinholes, creating sessions, applying security policies, and enforcing application-specific behavior12.
• ALGs are required for protocols and applications that embed IP address information or port numbers in the application layer data, that open secondary connections, or that are dynamically assigned ports1. Some examples of protocols and applications that require ALGs are FTP, SIP, H.323, RTSP, PPTP, and DNS2.
• ALGs are configured as part of the security policy and are applied to the traffic that matches the policy criteria. ALGs can also be enabled or disabled globally or per zone12.

References:

• 1: Application Layer Gateways Overview
• 2: Application Layer Gateways Feature Guide for Security Devices

• Cluster failovers occur when one node in a chassis cluster becomes inactive or unreachable, and the other node takes over the processing of traffic and services. To control when cluster failovers occur, you can configure two specific parameters on an SRX Series device: heartbeat-interval and heartbeat-threshold12.
• Heartbeat-interval is the time interval, in milliseconds, between heartbeat messages sent by each node to the other node. The default value is 1000 ms. You can configure the heartbeat-interval value from 100 through 3000 ms1.
• Heartbeat-threshold is the number of consecutive heartbeat messages that can be missed before a node is considered to be down. The default value is 3. You can configure the heartbeat-threshold value from 2 through 2551.
• The combination of heartbeat-interval and heartbeat-threshold determines the failover time, which is the maximum time it takes for a node to detect the failure of the other node and initiate a failover. The failover time is calculated as follows: failover time = heartbeat-interval x heartbeat-threshold1.
• For example, if the heartbeat-interval is 1000 ms and the heartbeat-threshold is 3, the failover time is 3000 ms. This means that if a node does not receive three consecutive heartbeat messages from the other node within 3000 ms, it will assume that the other node is down and initiate a failover1.
• You can configure the heartbeat-interval and heartbeat-threshold parameters using the set chassis cluster redundancy-group group-id node node-id priority priority heartbeat-interval interval heartbeat-threshold threshold command1.

References:

• 1: Configuring Chassis Cluster Redundancy Group Properties | Junos OS | Juniper Networks
• 2: Example: Configuring an Active/Passive Cluster Deployment | Junos OS | Juniper Networks

 The show security policies policy-name detail command shows policy counters for a configured policy. Policy counters display the number of packets and bytes that match the policy, as well as the number of sessions that are created, denied, or closed by the policy. Policy counters can help monitor and troubleshoot the traffic flow and security policy enforcement on the SRX firewall1.

The show security policies policy-name detail command does not display details about the default security policy, which is the implicit policy that is applied when no other policy matches the traffic. The default security policy can be viewed by using the show security policies default-policy command2.

The show security policies policy-name detail command does not identify the different custom policies enabled, which are the user-defined policies that specify the action and conditions for the traffic between zones. The custom policies can be viewed by using the show security policies command without any options1.

The show security policies policy-name detail command does not show the system log files for the local SRX Series device, which are the files that record the events and messages generated by the device. The system log files can be viewed by using the show log command with the name of the file3. References:

• 1: show security policies | Junos OS | Juniper Networks
• 2: Understanding Default Security Policies | Junos OS | Juniper Networks
• 3: show log | Junos OS | Juniper Networks

SSL proxy uses application identification services to dynamically detect if a particular session is SSL encrypted.https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-ssl-proxy-unified-policies.html

References:

• [Juniper Security, Professional (JNCIP-SEC) Reference Materials] 1
• [Juniper Security, Specialist (JNCIS-SEC) Reference Materials] 2
• [How to configure a custom signature to block specific URLs using application firewall (AppFW)] 3

The fab interface is a physical connection between two nodes of a chassis cluster that is used to forward traffic and synchronize session state between the nodes. The fab interface can be any pair of Ethernet interfaces on the same LAN, but they must be the same media type. You need to specify the physical interfaces to be used for the fab link in the configuration, as the system does not determine them automatically. The Junos OS supports only one fab link per node, and it does not support traditional interface features such as IP addressing, routing protocols, or firewall filters. The fab interface is assigned an internally derived IP address by the system for packet transmission. Thefab link also does not support fragmentation, so the MTU size of the fab interface must be equal to or greater than the MTU size of the largest interface in the cluster. References:

• Chassis Cluster Fabric Interfaces
• HA Chassis cluster, difference between Swfab and Fab

A vSRX is a virtualized security platform that runs on various hypervisors and cloud environments. It provides firewall and NAT services, as well as other security features, such as IPS, VPN, UTM, and AppSecure. A single vSRX can fulfill the minimum requirements for providing firewall and NAT services in a private cloud, as it can be deployed as a gateway or an edge device, and can scale up or down as needed. A vSRX can also interoperate with other Juniper and third-party products, such as Contrail Networking, Junos Space Security Director, and Sky ATP. A single vSRX is more cost-effective and simpler to manage than having separate vSRX instances for firewall and NAT services. A cSRX is a containerized version of vSRX that runs on Linux-based platforms. It provides similar security features as vSRX, but with a smaller footprint and faster deployment. However, a cSRX is not yet supported on all cloud environments, and it may have some limitations compared to vSRX, such as lower throughput and fewer interfaces. Therefore, a single cSRX may not be able to fulfill the minimum requirements for providing firewall and NAT services in a private cloud, depending on the specific cloud platform and the performance and scalability needs. A cSRX for firewall services and a separate cSRX for NAT services would also introduce more complexity and overhead than a single vSRX. References: vSRX Overview, cSRX Overview, JNCIP-SEC Certification

Adaptive Threat Profiling is a feature that allows SRX Series Firewalls to generate, propagate, and consume threat feeds based on their own advanced detection and policy-match events. This feature enables you to configure security or IDP policies that, when matched, inject the source IP address, destination IP address, source identity, or destination identity into a threat feed, which can be leveraged by other devices as a dynamic-address-group (DAG). With adaptive threat profiling, the Juniper ATP Cloud service acts as a feed-aggregator and consolidates feeds from SRX across your enterprise and shares the deduplicated results back to all SRX Series Firewalls in the realm at regular intervals. SRX Series Firewalls can then use these feeds to perform further actions against the traffic. This feature allows you to find systems running applications that increase the risks on your network and ensure these systems are processed through IPS and Juniper ATP Cloud for malware and virus protection1. References:

• Adaptive Threat Profiling Overview and Configuration
• Adaptive Threat Profiling Overview
• Juniper Launches Adaptive Threat Profiling, New VPN Features
• Juniper Networks Answers Who and What is On the Network with Risk-Based Access Control Capabilities and New VPN Application
• Adaptive Threat Profiling Overview | SD Cloud

 JIMS domain PC probes are a mechanism to obtain username to IP address mapping information from devices in a customer’s domain. JIMS initiates a domain PC probe when it receives a request from an SRX Series device for a username to IP address mapping that is not found in the domain security event log. JIMS uses the administrative credentials configured for PC probes to access the device and query the Windows Management Instrumentation (WMI) service for the username to IP address mapping12 References:

• 1: Juniper Identity Management Service Feature Guide - TechLibrary - Juniper Networks
• 2: Juniper Identity Management Service (JIMS) Documentation - Juniper Networks

References: SSL Proxy Overview Configuring Certificate Authority Profiles Configuring a Root CA Certificate

• vSRX is a virtual firewall that provides security and networking services at the perimeter or edge of virtualized environments1. vSRX can be deployed in various cloud environments, such as AWS, Azure, Google Cloud Platform, and VMware2.
• AWS is a cloud computing platform that offers a variety of services, such as compute, storage, networking, security, and analytics3. AWS enables customers to deploy vSRX instances in a virtual private cloud (VPC), which is a logically isolated section of the AWS cloud4.
• AWS satisfies the requirements for a vSRX deployment as follows:

References:

• 1: vSRX Overview | Junos OS | Juniper Networks
• 2: vSRX Deployment Guide | Junos OS | Juniper Networks
• 3: What is AWS? - Amazon Web Services
• 4: Configure an Amazon Virtual Private Cloud for vSRX Virtual Firewall | Junos OS | Juniper Networks
• 5: Juniper Networks vSRX - Amazon Web Services (AWS)
• [6]: Deploying Juniper Security in AWS and Azure Education Services
• [7]: Scaling vSRX Virtual Firewall Instances on AWS | Junos OS | Juniper Networks
• [8]: Load Balancing vSRX Virtual Firewall Instances on AWS | Junos OS | Juniper Networks
• [9]: Juniper Networks vSRX Pricing - Amazon Web Services (AWS)
• [10]: AWS Free Tier - Amazon Web Services (AWS)

Unified policies are security policies that enable you to use dynamic applications as match conditions along with the existing 5-tuple or 6-tuple (with user firewall) match conditions to detect application changes over time3 If the traffic matches the security policy rule, one or more actions defined in the policy are applied to the traffic3 During the initial policy lookup phase, which occurs prior to a dynamic application being identified, if there are multiple policies in the potential policy list, the SRX Series Firewall applies the default security policy until a more explicit match has occurred2 The policy that best matches the application is the final policy2 APPID results are used to determine the final security policy1 References:

• 1: Unified Security Policies | Junos OS | Juniper Networks
• 2: Unified Policies Support for Flow | Junos OS | Juniper Networks
• 3: Unified Policy Overview - TechLibrary - Juniper Networks

= The vSRX is a virtual firewall that offers the same features as the physical SRX Series firewalls, but in a virtualized form factor for delivering security services that scale to match network demand. The vSRX supports Juniper Contrail Networking and third-party software-defined networking (SDN) solutions, which enable dynamic and automated network provisioning and management. The vSRX also integrates with cloud orchestration tools such as OpenStack, which allow for flexible deployment and configuration of virtual machines and networks. The vSRX provides granular security for the workloads that run within the virtual network on the public or private cloud. It supports next-generation firewall capabilities, such as application security, intrusion prevention, user identity, and role-based access control. It also supports advanced threat prevention features, such as malware sandboxing, threat intelligence feeds, and encrypted traffic inspection. The vSRX can protect the network from both internal and external threats, and enforce consistent security policies across the entire network. References:

• vSRX Virtual Firewall | Juniper Networks US
• vSRX Documentation | Juniper Networks
• Understand vSRX Virtual Firewall with Microsoft Azure Cloud

Encrypted Traffic Insights is a feature of Juniper ATP Cloud and SRX Series firewalls that can detect malicious threats that are hidden in encrypted traffic without intercepting and decrypting the traffic. It permits organizations greater visibility and policy control over encrypted traffic, without requiring resource-intensive SSL Decryption1.

Encrypted Traffic Insights assesses the threat of the traffic by using two methods:

• It validates the certificates used by the external servers that the internal hosts are trying to connect to. It compares the certificate signatures with a blocklist of known malicious certificates and also checks the certificate validity, issuer, and subject. If the certificate is invalid or matches a malicious signature, the connection is blocked or alerted2.
• It reviews the timing and frequency of the connections to the external servers. It uses behavior analysis and machine learning to identify patterns and anomalies that indicate malicious activity, such as command and control (C&C) communications, botnet traffic, or data exfiltration. It also uses threat intelligence feeds to enrich the analysis and provide additional context2.

Encrypted Traffic Insights does not decrypt the file or the data in a sandbox or to validate the hash, as these methods would require breaking the encryption of the traffic, which would violate data privacy laws and introduce latency and performance issues21. References:

• 3: SRX5400, SRX5600, SRX5800 Firewalls Datasheet - Juniper Networks
• 2: Encrypted Traffic Insights Overview and Benefits | ATP Cloud | Juniper …
• 1: Juniper Networks Expands Connected Security Portfolio with Encrypted …

AppTrack: Tracks and reports applications passing through

the device.

• Intrusion Detection and Prevention (IDP): Applies

appropriate attack objects to applications running on

nonstandard ports. Application identification improves IDP

performance by narrowing the scope of attack signatures

for applications without decoders.

• AppFW: Implements an application firewall using

application-based rules.

• AppQoS: Provides quality-of-service (QoS) prioritization

based on application awareness

The AppSecure AppTrack service module is a logging and reporting tool used to share information about application visibility. Once AppID identifies an application, AppTrack notonly monitors and records its usage, it also sends regular application activity update messages. Since these messages are sent by syslog, they can be read by any compatible third-party device, including Juniper Networks JSA Series Secure Analytics Appliances and Contrail Service Orchestration.https://www.juniper.net/content/dam/www/assets/solution-briefs/us/en/appsecure-application-visibility-and-control.pdf

 The policy rematch feature enables the device to reevaluate an active session when its associated security policy is modified. The session remains open if it still matches the policy that allowed the session initially. The session is closed if its associated policy is renamed, deactivated, or deleted1

When a policy change includes changing the policy’s action from permit to deny, all existing sessions are dropped. This is because the policy rematch feature does not allow a session to continue if it violates the new policy action1

When a policy change includes changing the policy’s source or destination address match condition, all existing sessions are reevaluated. This is because the policy rematch feature tries to find a suitable policy that can still permit the session based on the new address criteria. If no such policy exists, the session is dropped12

References: 1: policy-rematch | Junos OS | Juniper Networks 2: What is session rematch and how to use it to avoid traffic disruption during a policy update via NSM - Juniper Networks

To manually failover the primary Routing Engine in an SRX Series high availability cluster pair, you need to issue the request chassis cluster failover redundancy-group group-id node node-id command on the primary node, where group-id is the redundancy group number and node-id is the node number of the secondary node. This command initiates a graceful failover of the specified redundancy group to the secondary node, making it the new primary node. The other options are not necessary or correct for this task. Option A would disable the chassis cluster and reboot the primary node, which is not a graceful failover. Option B is not relevant, as the control link recovery solution is used to restore the control link connectivity between the nodes, not to initiate a failover. Option D would not trigger a failover, as the priority of the secondary node would only take effect after a reboot or a control link failure. References:

• Chassis Cluster Redundancy Group Manual Failover
• Initiating a Chassis Cluster Manual Redundancy Group Failover
• SRX Getting Started - Troubleshoot High Availability (HA)

A policy scheduler is a feature that allows you to specify when a security policy is in effect. You can configure a policy scheduler to start at a specific date and time or start on a recurrent basis, such as daily, weekly, or monthly. A policy scheduler determines the time frame that a security policy is actively evaluated and enforced by the SRX Series device2

A policy scheduler can only be applied to security policies that have the action of permit or reject. A policy scheduler cannot be applied to security policies that have the action of deny. A policy scheduler is not related to the policy-rematch feature, which is used to reevaluate existing sessions when a security policy is modified. A policy scheduler cannot be dynamically activated based on traffic flow volumes2 References:

• 1: Juniper Security Specialist (JNCIS-SEC) (JN0-334) | Study Guide 3
• 2: Junos OS Security Configuration Guide | Configuring Policy Schedulers 4

You can create an exempt rule to skip detection of a set of attacks in certain traffic. You can specify the source and destination IP addresses as the match criteria for the exempt rule. This allows you to exclude traffic from specific hosts or networks from being examined by the IPS rulebase. You can also specify other parameters such as protocol, application, and attack objects for the exempt rule, but source and destination IP addresses are the most common ones. References: = Create IPS or Exempt Rules and rulebase-exempt

Based on the information from the exhibit, node0 is the primary node for both redundancy group 0 (RG0) and redundancy group 1 (RG1). RG0 is responsible for the control plane, which includes the Routing Engine and the management interface. RG1 is responsible for the data plane, which includes the interfaces and services. Therefore, node0 is the active node for the data plane, and node1 is the active node for the control plane34 References:

• Chassis Cluster Redundancy Groups | Junos OS | Juniper Networks
• Troubleshooting a Redundancy Group that Does Not Fail Over in an SRX Chassis Cluster | Junos OS | Juniper Networks
• Understanding Chassis Cluster Redundancy Group 0: Routing Engines | Junos OS | Juniper Networks
• Understanding Chassis Cluster Redundancy Groups 1 Through 128 | Junos OS | Juniper Networks