Juniper JN0-335 Security, Specialist Exam Practice Test

Answer : C, D

Two benefits of using a cSRX in your virtual environment are:

The cSRX supports firewall, NAT, IPS, and UTM services: The cSRX is a containerized version of the SRX Series firewall that runs as a Docker container on Linux hosts. It provides the same features and functionality as the SRX Series physical firewalls, such as firewall, NAT, IPS, and UTM services. The cSRX can protect your virtual workloads and applications from various threats and attacks.

The cSRX has low memory requirements: The cSRX is designed to be lightweight and efficient, with low memory and CPU requirements. The cSRX can run on as little as 1 GB of RAM and 1 vCPU, making it suitable for resource-constrained environments.

Answer : B

The logging parameter that will provide the function of showing tabular data for operational mode commands is count. The count parameter displays the number of packets and bytes that match a security policy and the action taken by the policy. The count parameter can be used with the show security policies hit-count command to display the policy counters in a tabular format. The count parameter can also be used with the show security flow session command to display the session counters in a tabular format.Reference:=show security policies hit-count,show security flow session

Answer : C

The sequence that an SRX Series device uses when implementing stateful session security policies using Layer 3 routes is:

An SRX Series device will conduct a longest-match Layer 3 route table lookup before performing a security policy search: When an SRX Series device receives a packet, it first looks up the destination IP address in the routing table and finds the longest matching route to forward the packet. Then, it performs a security policy search based on the source zone, destination zone, source address, destination address, protocol, and application of the packet. If there is a matching policy that allows the packet, it creates or updates a session entry for the packet and applies any security services configured in the policy.

Answer : A, D

Application identification is a feature that enables SRX Series devices to identify and classify network traffic based on application signatures or custom rules. Application identification can enhance security, visibility, and control over network applications. Two statements that are true about application identification are:

Application identification can identify nested applications that are within Layer 7: Nested applications are applications that run within another application protocol, such as HTTP or SSL. For example, Facebook or YouTube are nested applications within HTTP. Application identification can identify nested applications by inspecting the application payload and matching it against predefined or custom signatures.

Application signatures are not the same as IDP signatures: Application signatures are patterns of bytes or strings that uniquely identify an application protocol or a nested application. IDP signatures are patterns of bytes or strings that indicate an attack or an exploit against a vulnerability. Application signatures are used for application identification and classification, while IDP signatures are used for intrusion detection and prevention.

Answer : A, B

The fab interface is a fabric link that connects the two nodes in a chassis cluster. A chassis cluster is a high-availability feature that groups two identical SRX Series devices into a cluster that acts as a single device. The fab interface has two functions:

Real-time objects (RTOs) are exchanged on the fab interface to maintain session synchronization: RTOs are data structures that store information about active sessions, such as source and destination IP addresses, ports, protocols, and security policies. RTOs are exchanged between the nodes on the fab interface to ensure that both nodes have the same session information and can take over the traffic in case of a failover.

In an active/active configuration, inter-chassis transit traffic is sent over the fab interface: In an active/active configuration, both nodes in a cluster can process traffic for different redundancy groups (RGs). RGs are collections of interfaces or services that fail over together from one node to another. If traffic needs to transit from one RG to another RG that is active on a different node, it is sent over the fab interface.

Answer : A, D

To control when cluster failovers occur, you need to configure two specific parameters on an SRX Series device: heartbeat-interval and heartbeat-threshold. These parameters determine how often the nodes in a cluster exchange heartbeat messages and how many consecutive heartbeats can be missed before a failover is triggered. The heartbeat-interval specifies the time interval in seconds between each heartbeat message. The default value is 1 second and the range is from 0.1 to 10 seconds. The heartbeat-threshold specifies the number of consecutive heartbeats that must be missed before a failover occurs. The default value is 3 and the range is from 2 to 255.Reference:=Configuring Chassis Clustering on SRX Series Devices,Chassis Cluster Redundancy Group Failover

Answer : C

The exhibit shows a configuration snippet for security intelligence on an SRX Series device. Security intelligence is a feature that allows you to block or monitor traffic from malicious sources based on threat intelligence feeds from Juniper ATP Cloud or other providers. The configuration defines a profile for ATP Infected-Hosts, which is a feed that contains IP addresses of hosts that are infected with malware and communicate with command-and-control servers. The configuration also defines a rule for threat level 8, which is a parameter that indicates the severity of the threat. Based on this configuration, the SRX Series device will do the following:

Packets from the infected hosts with a threat level of 8 or above will be dropped: The action block-and-drop under the rule means that the device will block any traffic from the infected hosts that have a threat level equal to or higher than 8. This will prevent the hosts from sending or receiving malicious commands or data.

No log message will be generated: The absence of any log option under the rule means that the device will not generate any log message for the blocked traffic. This may reduce the load on the device and the logging server, but it may also limit the visibility and analysis of the security events.