Juniper Security, Professional JN0-636 JNCIP-SEC Exam Practice Test

Answer : A, C

https://www.juniper.net/documentation/en_US/junos-space18.1/policy-enforcer/topics/task/configuration/junos-space-policyenforcer-custom-feeds-infected-host-configure.html

Answer : B, D, E

The exhibit shows the output of the 'show interfaces ge-0/0/5.0 extensive' command on an SRX Series device. The output includes a section called 'Security' that lists the protocols that are allowed on the ge-0/0/5.0 interface. The protocols that are allowed on the ge-0/0/5.0 interface are:

OSPF

DHCP

NTP

It's important to notice that the output don't have IBGP, IPsec, so these protocols are not allowed on the ge-0/0/5.0 interface.

Answer : B

This is the port used for encrypted communication between the SRX series device and the Juniper ATP Appliance

In order to enroll an SRX Series device with Juniper ATP Appliance, the firewall device must have port 443 open. Port 443 is the default port used for HTTPS traffic, the communication between the SRX Series device and the ATP Appliance needs to be encrypted, that's why this port should be opened.

Answer : C

According to the Juniper documentation, the local identity for an IPsec VPN tunnel must match the remote identity of the peer device. The local identity can be configured as an IP address, a hostname, a distinguished name, or an advpn identifier. The advpn identifier is used for dynamic VPNs that support multiple remote endpoints. In the exhibit, the corporate device has the local identity configured as inet advpn, which means it expects the branch1 device to have the same remote identity. However, the branch1 device has the local identity configured as inet, which does not match the corporate device's remote identity. Therefore, the IKE negotiation fails and the IPsec tunnel is not established.To solve this problem, the local identity on the branch1 device should be changed to inet advpn, so that it matches the corporate device's remote identity.Reference: [Configuring an IKE Gateway]1, [Configuring Local and Remote Identities]2

1: https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/task/configuration/security-ike-gateway-configuring.html2: https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-ipsec-vpn-identities.html

Answer : B

According to the Juniper documentation, reflexive NAT is a type of source NAT that allows an internal host to communicate with an external host using a single public IP address and port. The reflexive NAT session is created when the internal host initiates the traffic to the external host, and the session is deleted when the traffic stops. The reflexive NAT session is bidirectional, meaning that the external host can send traffic back to the internal host using the same public IP address and port that the internal host used to reach the external host. However, the external host cannot initiate a new session to the internal host using the same public IP address and port, unless the internal host has already established a session with the external host. Therefore, only the Internet host that the internal host originally communicated with can initiate traffic to reach the internal host using the 203.0.113.1 address, a random source port, and destination port 54311.Reference: [Configuring Reflexive NAT]

Answer : D

Juniper ATP Cloud is a cloud-based service that provides advanced threat prevention and detection for SRX Series devices. To enroll an SRX Series device with Juniper ATP Cloud, you need to have a valid license and authorization code, and you need to run a Junos OS op script on the device. The op script performs the following tasks:

Downloads and installs certificate authority (CA) licenses onto your SRX Series device.

Creates local certificates and enrolls them with the cloud server.

Performs basic Juniper ATP Cloud configuration on the SRX Series device.

Establishes a secure connection to the cloud server.

You can run the op script either by copying the CLI command from the Juniper ATP Cloud Web Portal and running it on the device, or by using theenrollcommand on the device. The op script is the only way to enroll an SRX Series device with Juniper ATP Cloud. You cannot enroll the device manually or by using other methods.

The other statements in the question are incorrect for the following reasons:

If a device is already enrolled in a realm and you enroll it in a new realm, none of the device data or configuration information is propagated to the new realm. This includes history, infected hosts feeds, logging, API tokens, and administrator accounts. You can view and change the realm association of a device from the Realm Management page in the Juniper ATP Cloud Web Portal.

The only way to enroll an SRX Series device is not to interact with the Juniper ATP Cloud Web Portal. You can also use theenrollcommand on the device, which performs all the necessary enrollment steps without requiring you to access the Web Portal.

When the license expires, the SRX Series device is not disenrolled from Juniper ATP Cloud without a grace period. The device enters a grace period of 30 days, during which it can still send files to the cloud for inspection and receive threat intelligence feeds. After the grace period, the device is disenrolled and stops communicating with the cloud.

How to Enroll Your SRX Series Firewalls in Juniper Advanced Threat Prevention (ATP) Cloud Using Policy Enforcer

Enroll an SRX Series Firewall using Juniper ATP Cloud Web Portal

ATP Cloud | Step 2: Up and Running

Enroll an SRX Series Firewall Using the CLI

Answer : C, D, E

The three profiles that are configurable in a threat prevention policy are infected host profile, C&C profile, and malware profile. A threat prevention policy is a feature of Juniper ATP Cloud that provides protection and monitoring for selected threat profiles, including command and control servers, infected hosts, and malware. Using feeds from Juniper ATP Cloud and optional custom feeds that you configure, ingress and egress traffic is monitored for suspicious content and behavior. Based on a threat score, detected threats are evaluated and action may be taken once a verdict is reached. You can create a threat prevention policy by selecting one or more of the following profiles:

Infected host profile: This profile detects and blocks traffic from hosts that are infected with malware or compromised by attackers. You can configure the threat score thresholds and the actions for different levels of severity. You can also enable Geo IP filtering to block traffic from or to specific countries or regions.

C&C profile: This profile detects and blocks traffic to or from command and control servers that are used by attackers to control malware or botnets. You can configure the threat score thresholds and the actions for different levels of severity. You can also enable Geo IP filtering to block traffic from or to specific countries or regions.

Malware profile: This profile detects and blocks traffic that contains malware or malicious content. You can configure the threat score thresholds and the actions for different levels of severity. You can also enable protocol-specific settings for HTTP and SMTP traffic, such as file type filtering, file size filtering, and file name filtering.

The other two profiles, device profile and SSL proxy profile, are not configurable in a threat prevention policy. A device profile is a feature of Policy Enforcer that defines the device type, the device group, and the device settings for the SRX Series devices that are enrolled with Juniper ATP Cloud. An SSL proxy profile is a feature of SRX Series devices that enables SSL proxy to decrypt and inspect SSL/TLS traffic for threats and policy violations.