Pass the Juniper JNCIS-SEC JN0-335 Questions and answers with ValidTests

A stateful firewall in SRX Series devices keeps track of the state of network connections, distinguishing legitimate packets for different types of connections and allowing only packets that match a known active connection. Sessions are created when a TCP SYN packet is received and permitted by the security policy1.

A security policy is a set of rules that defines how traffic is processed by the SRX Series device. A security policy applies the security rules to the transit traffic within a context (from-zone to to-zone) and each policy is uniquely identified by its name. The traffic is classified by matching the source and destination zones, the source and destination addresses, and the application that the traffic carries in its protocol headers with the policy database in the data plane2.

A Layer 3 route is a path that a packet takes to reach its destination based on the destination IP address. The SRX Series device performs a longest-match Layer 3 route table lookup to determine the next hop for the packet3.

An Application Layer Gateway (ALG) is a software component that provides application-level awareness, security, and control for specific protocols. An ALG inspects the application-layer payload of a packet and modifies it if necessary to allow the application to traverse the SRX Series device. For example, an ALG can rewrite IP addresses and port numbers in the payload of FTP or SIP packets4.

The sequence that an SRX Series device uses when implementing stateful session security policies using Layer 3 routes is as follows3:

The SRX Series device receives a packet and conducts a longest-match Layer 3 route table lookup to determine the next hop for the packet.

The SRX Series device performs a security policy search to find a matching policy for the packet based on the source and destination zones, addresses, and application.

If a matching policy is found, the SRX Series device checks the action of the policy, which can be permit, deny, reject, or tunnel. If the action is permit, the SRX Series device allows the packet to pass through and creates a session for the packet. If the action is deny or reject, the SRX Series device drops the packet and sends an ICMP message to the sender. If the action is tunnel, the SRX Series device encapsulates the packet and forwards it to the tunnel destination.

If the packet requires an ALG, the SRX Series device applies the ALG to the packet and modifies the payload if necessary. The ALG also creates additional sessions for the packet if needed.

The SRX Series device forwards the packet to the next hop based on the routing information.

References:

1: Traffic Processing on SRX Series Firewalls Overview | Junos OS | Juniper Networks

2: Best Practices for Defining Policies on High-End SRX Series Devices - TechLibrary - Juniper Networks

3: [SRX] Example: Configuring TCP SYN Check options on a per-policy basis

4: Application Layer Gateways Overview | Junos OS | Juniper Networks

 The policy rematch feature enables the device to reevaluate an active session when its associated security policy is modified. The session remains open if it still matches the policy that allowed the session initially. The session is closed if its associated policy is renamed, deactivated, or deleted1

When a policy change includes changing the policy’s action from permit to deny, all existing sessions are dropped. This is because the policy rematch feature does not allow a session to continue if it violates the new policy action1

When a policy change includes changing the policy’s source or destination address match condition, all existing sessions are reevaluated. This is because the policy rematch feature tries to find a suitable policy that can still permit the session based on the new address criteria. If no such policy exists, the session is dropped12

References: 1: policy-rematch | Junos OS | Juniper Networks 2: What is session rematch and how to use it to avoid traffic disruption during a policy update via NSM - Juniper Networks

B: Chassis cluster member devices synchronize configuration using the control link. The control link is used to exchange control messages and configuration information between the two nodes of a chassis cluster1. The primary node pushes the configuration to the secondary node and ensures that both nodes have the same configuration2.

C: A control link failure causes the secondary cluster node to be disabled. If the control link fails, the primary node cannot communicate with the secondary node and assumes that the secondary node is down1. The primary node then disables the secondary node and takes over all the traffic processing2.

E: Heartbeat messages verify that the chassis cluster control link is working. The control link also carries heartbeat messages that are exchanged between the two nodes every 500 milliseconds by default1. The heartbeat messages indicate the status and health of the nodes and the control link2.

A: Chassis cluster control links must be configured using RFC 1918 IP addresses. This is a false statement. The control link can use any IP address range as long as it is not in conflict with other interfaces or routes on the cluster nodes1. RFC 1918 IP addresses are private addresses that are not routable on the Internet4.

D: Recovery from a control link failure requires that the secondary member device be rebooted. This is also a false statement. Recovery from a control link failure does not require rebooting the secondary node1. The secondary node can rejoin the cluster when the control link is restored and the configuration is synchronized2.

References:

1: Configuring Chassis Clustering on SRX Series Devices

2: Chassis Cluster User Guide for SRX Series Devices

3: Connecting SRX Series Firewalls to Create a Chassis Cluster

4: RFC 1918 - Address Allocation for Private Internets

https://supportportal.juniper.net/s/article/SRX-Secondary-node-of-a-Chassis-Cluster-is-in-Disabled-state-how-do-you-find-the-cause

The cSRX is a containerized version of the SRX Series firewall that provides advanced security services, including content security, AppSecure, and unified threat management (UTM) in the form of a container1. The cSRX supports easy, flexible, and highly scalable deployment options covering various customer use cases, including application protection, microsegmentation, or as an edge gateway for secure IoT deployments through a Docker container management solution2. The cSRX also supports SDN via Contrail Enterprise Multicloud, OpenContrail, and other third-party solutions2. The cSRX also integrates with other next-generation cloud orchestration tools such as Kubernetes3.

The cSRX supports firewall, NAT, IPS, and UTM services, so option A is incorrect1. The cSRX does not only support Layer 2 “bump-in-the-wire” deployments, but also Layer 3 deployments with routing protocols such as BGP, OSPF, and IS-IS, so option B is correct4. The cSRX supports BGP, OSPF, and IS-IS routing services, so option C is correct4. The cSRX does not have three default zones, but instead inherits the zones from the host SRX Series device, so option D is incorrect5. References:

1: cSRX Container Firewall | Juniper Networks US

2: cSRX Container Firewall Datasheet | Juniper Networks US

3: Understanding cSRX with Kubernetes - Juniper Networks

4: Extending Security to All Points of Connection: Containerized Security …

5: cSRX Container Firewall | Juniper Networks UK&I

Chassis clustering is a high availability feature that allows two SRX Series devices to operate as a single logical device. The two devices are connected by a control link and a fabric link, which are used to synchronize the configuration, state, and traffic between the nodes. The cluster nodes are identified in the following ways:

A cluster is identified by a cluster ID (cluster-id) specified as a number 1 through 151.

A cluster node is identified by a node ID (node) specified as a number from 0 to 11.

Therefore, the node ID is used to identify each device in the chassis cluster (option B), and the cluster ID is used to identify each device in the chassis cluster (option D). The node ID value does not range from 1 to 255 (option A), and a system reboot is notrequired to activate changes to the cluster (option C)2. References: Chassis Cluster Overview, Configuring Chassis Clustering on SRX Series Devices

vSRX is a virtual firewall that provides security and networking services at the perimeter or edge of virtualized environments1. vSRX can be deployed in various cloud environments, such as AWS, Azure, Google Cloud Platform, and VMware2.

AWS is a cloud computing platform that offers a variety of services, such as compute, storage, networking, security, and analytics3. AWS enables customers to deploy vSRX instances in a virtual private cloud (VPC), which is a logically isolated section of the AWS cloud4.

AWS satisfies the requirements for a vSRX deployment as follows:

Globally distributed: AWS has a global infrastructure that spans 25 geographic regions and 81 availability zones3. Customers can deploy vSRX instances in any region or zone that meets their needs and preferences4.

Rapid provisioning: AWS allows customers to launch vSRX instances in minutes using the AWS Marketplace, which is an online store that offers software products and solutions5. Customers can also use automation tools, such as CloudFormation, Terraform, and Ansible, to provision vSRX instances in a consistent and scalable manner.

Scale based on demand: AWS supports horizontal and vertical scaling of vSRX instances based on the changing traffic and performance demands. Customers can use AWS Auto Scaling, which is a service that automatically adjusts the number of vSRX instances, or AWS Elastic Load Balancing, which is a service that distributes the traffic across multiple vSRX instances.

Low CapEx: AWS operates on a pay-as-you-go model, which means that customers only pay for the resources they use, such as the vSRX instance type, the storage volume, the data transfer, and the license. Customers can also benefit from the AWS Free Tier, which offers a limited amount of free resources for 12 months.

References:

1: vSRX Overview | Junos OS | Juniper Networks

2: vSRX Deployment Guide | Junos OS | Juniper Networks

3: What is AWS? - Amazon Web Services

4: Configure an Amazon Virtual Private Cloud for vSRX Virtual Firewall | Junos OS | Juniper Networks

5: Juniper Networks vSRX - Amazon Web Services (AWS)

[6]: Deploying Juniper Security in AWS and Azure Education Services

[7]: Scaling vSRX Virtual Firewall Instances on AWS | Junos OS | Juniper Networks

[8]: Load Balancing vSRX Virtual Firewall Instances on AWS | Junos OS | Juniper Networks

[9]: Juniper Networks vSRX Pricing - Amazon Web Services (AWS)

[10]: AWS Free Tier - Amazon Web Services (AWS)

Static attack object groups are predefined groups of attack objects that are included in Juniper’s IPS signature database. These groups do not change automatically when Juniper updates the database. You must manually add matching attack objects to a custom group34 References:

Attack Objects and Object Groups for IDP Policies | Junos OS

Attack Objects and Object Groups for IDP Policies on NFX Devices

Exam Name: Security, Specialist (JNCIS-SEC) Version: DEMO - Lead2Pass

Juniper - ExamsBoost

Security policy schedulers are a feature that allows you to activate or deactivate a policy for a specified time period. You can create schedulers for a single or recurrent time slot, and apply them to one or more policies. A policy can only have one scheduler associated with it, but a scheduler can have multiple policies associated with it. When a scheduler is active, the policy is available for policy lookup. When a scheduler is inactive, the policy is unavailable for policy lookup. A policy without a defined scheduler will always be active, unless it is explicitly disabled. References:

Scheduling Security Policies

schedulers (Security Policies)

Security Policy Schedulers

scheduler (Security Policies)