Juniper Security, Professional JN0-636 JNCIP-SEC Exam Practice Test

Page: 1 / 14
Total 115 questions
Question 1

Click the Exhibit button.

Which type of NAT is shown in the exhibit?



Answer : B


Question 2

Regarding IPsec CoS-based VPNs, what is the number of IPsec SAs associated with a peer based upon?



Answer : D

In IPsec CoS-based VPNs, the number of IPsec Security Associations (SAs) associated with a peer is based on the number of forwarding classes configured for the VPN. The forwarding classes are used to classify and prioritize different types of traffic, such as voice and data traffic. Each forwarding class requires a separate IPsec SA to be established between the peers, in order to provide the appropriate level of security and quality of service for each type of traffic.


Question 3

To analyze and detect malware, Juniper ATP Cloud performs which two functions? (Choose two.)



Question 4

Exhibit.

Referring to the exhibit, a spoke member of an ADVPN is not functioning correctly.

Which two commands will solve this problem? (Choose two.)



Answer : B, D

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-auto-discovery-vpns.html


Question 5

You want to enable inter-tenant communication between tenant systems.

In this scenario, which two solutions will accomplish this task?



Answer : C, D

To enable inter-tenant communication between tenant systems, you need to use an external router or a logical tunnel interface. The other options are incorrect because:

A) An interconnecting EVPN switch is not a valid solution for inter-tenant communication between tenant systems. EVPN (Ethernet VPN) is a technology that provides layer 2 connectivity over an IP network. It can be used to connect different logical systems on the same device, but not tenant systems. Tenant systems are isolated from each other and do not share the same layer 2 domain [1].

B) An interconnecting VPLS switch is also not a valid solution for inter-tenant communication between tenant systems. VPLS (Virtual Private LAN Service) is another technology that provides layer 2 connectivity over an IP network. It can also be used to connect different logical systems on the same device, but not tenant systems. Tenant systems are isolated from each other and do not share the same layer 2 domain [1].

Therefore, the correct answer is C and D. You need to use an external router or a logical tunnel interface to enable inter-tenant communication between tenant systems. To do so, perform the following steps:

For an external router, connect the external router to the interfaces of the tenant systems that need to communicate with each other. You also need to configure the routing protocols and policies on the external router and on the tenant systems so that they exchange routes and traffic. The external router acts as a gateway between the tenant systems and provides layer 3 connectivity [2].

For a logical tunnel interface, create a logical tunnel interface on the device and assign it to a tenant system. You also need to configure the IP address and routing protocols on the logical tunnel interface and on the tenant systems that need to communicate with each other. The logical tunnel interface acts as a virtual link between the tenant systems and provides layer 3 connectivity [3].


Reference:

[1] Tenant Systems Overview

[2] Example: Configuring Inter-Tenant Communication Using External Router

[3] Example: Configuring Inter-Tenant Communication Using Logical Tunnel Interface

Question 6

You are asked to share threat intelligence from your environment with third-party tools so that those tools can identify and block lateral threat propagation from compromised hosts.

Which two steps accomplish this goal? (Choose two.)



Answer : B, C

To share threat intelligence from your environment with third-party tools, you need to enable Juniper ATP Cloud to share threat intelligence and configure application tokens in the Juniper ATP Cloud to limit who has access. The other options are incorrect because:

A) Configuring application tokens in the SRX Series firewalls is neither necessary nor sufficient to share threat intelligence with third-party tools. Application tokens are used to authenticate and authorize requests to the Juniper ATP Cloud API, which can be used to perform operations such as submitting files, querying C&C feeds, and managing allowlists and blocklists [1]. However, to share threat intelligence with third-party tools, you need to enable the TAXII service in the Juniper ATP Cloud, which is a different protocol for exchanging threat information [2].

D) Enabling SRX Series firewalls to share threat intelligence with third-party tools is not possible or supported. SRX Series firewalls can send potentially malicious objects and files to the Juniper ATP Cloud for analysis and receive threat intelligence from the Juniper ATP Cloud to block malicious traffic [3]. However, SRX Series firewalls cannot directly share threat intelligence with third-party tools; the Juniper ATP Cloud must act as the intermediary for threat intelligence sharing.

Therefore, the correct answer is B and C. You need to enable Juniper ATP Cloud to share threat intelligence and configure application tokens in the Juniper ATP Cloud to limit who has access. To do so, perform the following steps:

Enable and configure the TAXII service in the Juniper ATP Cloud. TAXII (Trusted Automated eXchange of Indicator Information) is a protocol for exchanging threat information between parties over HTTPS. STIX (Structured Threat Information eXpression) is a language used for reporting and sharing threat information using TAXII. Juniper ATP Cloud can contribute to STIX reports by sharing the threat intelligence it gathers from file scanning. Juniper ATP Cloud also uses threat information from STIX reports, as well as from other sources, for threat prevention [2]. To enable and configure the TAXII service, select Configure > Threat Intelligence Sharing in the Juniper ATP Cloud WebUI, move the knob to the right to Enable TAXII, and move the slide bar to designate a file sharing threshold [2].

Configure application tokens in the Juniper ATP Cloud. Application tokens are used to authenticate and authorize requests to the Juniper ATP Cloud API and the TAXII service. You can create and manage application tokens in the Juniper ATP Cloud WebUI by selecting Configure > Application Tokens. You can specify the name, description, expiration date, and permissions of each token, and revoke or delete tokens as needed. You can use the application tokens to limit who has access to your shared threat intelligence by granting or denying permissions to the TAXII service [1].


Reference:

[1] Threat Intelligence Open API Setup Guide

[2] Configure Threat Intelligence Sharing

[3] About Juniper Advanced Threat Prevention Cloud

Question 7

Exhibit

You configure Source NAT using a pool of addresses that are in the same subnet range as the external ge-0/0/0 interface on your vSRX device. Traffic that is exiting the internal network can reach external destinations, but the return traffic is being dropped by the service provider router.

Referring to the exhibit, what must be enabled on the vSRX device to solve this problem?



Answer : B

Proxy ARP is a technique used by routers to answer ARP requests on one network segment on behalf of hosts on another network segment. This is useful in situations where a host on one network segment needs to communicate with a host on another network segment, but the two hosts are not directly connected. In this case, the router acts as a proxy, answering ARP requests on behalf of the other host.

In the exhibit, the vSRX device is configured to use a pool of addresses that are in the same subnet as the external interface ge-0/0/0 for source NAT. This means that the vSRX device will translate the source IP address of the internal hosts to one of the addresses in the pool before sending the packets to the external network. However, the external hosts will not know how to reach the NATed addresses, since they are not directly connected to the vSRX device. They will send ARP requests for the NATed addresses, expecting to receive a MAC address from the vSRX device. If proxy ARP is not enabled on the vSRX device, it will not respond to these ARP requests, since it does not have the NATed addresses configured on its interface. The ARP requests will time out and the packets will be dropped by the external hosts or the service provider router.

To solve this problem, proxy ARP must be enabled on the vSRX device for the NATed addresses. This will allow the vSRX device to respond to the ARP requests from the external hosts, providing its own MAC address as the destination. The external hosts will then send the packets to the vSRX device, which will reverse the NAT and forward the packets to the internal hosts.

Reference:

Configuring Proxy ARP (CLI Procedure)

[SRX] When and how to configure Proxy ARP (https://supportportal.juniper.net/s/article/SRX-Dynamic-VPN-scenario-for-configuring-Proxy-ARP-on-SRX?language=en_US)

