Pass the Juniper JNCIS-SEC JN0-335 Questions and answers with CertsForce

 To implement IPS on your SRX Series device, you need to download and install the IPS signature database. The IPS signature database contains the attack signatures and predefined attack groups that are used to detect and prevent intrusions. You can download the IPS signature database from the Juniper Networks website or from a local server. You can install the IPS signature database manually or automatically. You do not need to enroll the SRX Series device with Juniper ATP Cloud or reboot the SRX Series device to implement IPS34 References:

Configuring the IPS Policy on SRX Series Devices Using NSM

Installing SRX 1400 with IPS activation ??? | SRX - Juniper Networks

Download an IPS Signature | J-Web for SRX Series 21.2 - Juniper Networks

IPS Configuration (CLI) | Junos OS | Juniper Networks

 To create a security policy that will automatically add infected hosts to the infected hosts feed and block further communication through the SRX Series device, you need to add a security intelligence policy to the permit portion of the security policy. A security intelligence policy is a set of rules that defines the actions to be taken for traffic thatmatches a specific category of threat feeds, such as infected hosts, command and control servers, or botnets. By adding a security intelligence policy to the permit portion of the security policy, you can enable the SRX Series device to dynamically update the infected hosts feed based on the advanced anti-malware policy results, and block the traffic from or to the infected hosts. Options B, C, and D are not correct because they do not enable the automatic addition of infected hosts to the feed or the blocking of their communication. References: The answer can be verified from Juniper’s official documentation on security intelligence and advanced anti-malware available on their website. Here are some relevant links:

Security Intelligence Feature Guide for Security Devices

Advanced Anti-Malware Feature Guide for Security Devices

Configuring Security Intelligence Policy on the SRX Series Device

[Configuring Advanced Anti-Malware Policy on the SRX Series Device]

AppFW and APPID are two application security features that can be used to block malicious applications regardless of the port number being used. AppFW provides policy-based enforcement and control on traffic based on application signatures. By using AppFW, you can block any application traffic not sanctioned by the enterprise. APPID identifies applications based on their behavior and characteristics, regardless of port, protocol, or encryption method. By using APPID, you can classify applications and apply appropriate security policies to them123 References:

AppSecure: Application Visibility and Control Solution Brief

Application Firewall | Junos OS | Juniper Networks

Security Policy Applications and Application Sets | Junos OS | Juniper Networks

 Logging for a security policy can be configured to generate log entries at session initialization, at session close, or both. Logging at session initialization records the initial packet that matches the policy and triggers the session creation. Logging at session close records the summary statistics of the session, such as bytes and packets transmitted and received, and the reason for session termination. Logging at session initialization and close provides the most complete information about the traffic that matches the policy. Logging at fixed intervals, such as every 10 minutes or every 60 seconds, is not supported by Junos OS security policies. References:

Security, Professional (JNCIP-SEC) Exam Objectives, Firewall Filters section

Junos OS Security Configuration Guide, Understanding Security Policy Logging section

Advanced Juniper Security (AJSEC) Course, Chapter 4: Advanced Logging and Reporting

B: Chassis cluster member devices synchronize configuration using the control link. The control link is used to exchange control messages and configuration information between the two nodes of a chassis cluster1. The primary node pushes the configuration to the secondary node and ensures that both nodes have the same configuration2.

C: A control link failure causes the secondary cluster node to be disabled. If the control link fails, the primary node cannot communicate with the secondary node and assumes that the secondary node is down1. The primary node then disables the secondary node and takes over all the traffic processing2.

E: Heartbeat messages verify that the chassis cluster control link is working. The control link also carries heartbeat messages that are exchanged between the two nodes every 500 milliseconds by default1. The heartbeat messages indicate the status and health of the nodes and the control link2.

A: Chassis cluster control links must be configured using RFC 1918 IP addresses. This is a false statement. The control link can use any IP address range as long as it is not in conflict with other interfaces or routes on the cluster nodes1. RFC 1918 IP addresses are private addresses that are not routable on the Internet4.

D: Recovery from a control link failure requires that the secondary member device be rebooted. This is also a false statement. Recovery from a control link failure does not require rebooting the secondary node1. The secondary node can rejoin the cluster when the control link is restored and the configuration is synchronized2.

References:

1: Configuring Chassis Clustering on SRX Series Devices

2: Chassis Cluster User Guide for SRX Series Devices

3: Connecting SRX Series Firewalls to Create a Chassis Cluster

4: RFC 1918 - Address Allocation for Private Internets

https://supportportal.juniper.net/s/article/SRX-Secondary-node-of-a-Chassis-Cluster-is-in-Disabled-state-how-do-you-find-the-cause

AppTrack is a logging and reporting tool that provides statistics for analyzing bandwidth usage of your network. It can be enabled on any logical system on an SRX Series device1. AppTrack collects byte, packet, and duration statistics for application flows in the specified zone2. AppTrack sends log messages through syslog providing application activity update messages1.

AppTrack does not identify or block traffic flows that might be malicious. That is the function of AppSecure, which is a suite of application security tools that includes AppID, AppFW, AppQoS, and AppDoS3. AppTrack is a complementary tool that provides visibility into the types of applications traversing through the SRX Series gateway4.

AppTrack can be configured in any logical system on an SRX Series device, not just the main one1. This allows for more flexibility and granularity in monitoring application traffic across different logical systems.

References:

1: Application Tracking | Junos OS | Juniper Networks

2: application-tracking | Junos OS | Juniper Networks

3: Juniper Networks AppSecure | NetworkScreen.com

4: [SRX] AppTrack log messages continue to get generated even after disabling the feature - Juniper Networks

The Juniper Networks solution that will accomplish the task of alerting if the wrong password is used more than three times on a single device within five minutes is Juniper Secure Analytics (JSA). JSA is a security intelligence platform that collects, analyzes, and correlates network data from various sources, such as firewalls, routers, switches, servers, and applications. JSA can detect and respond to threats, anomalies, and vulnerabilities in real time using rules, offenses, reports, and dashboards. JSA can also integrate with JIMS (Juniper Identity Management Service) to obtain user identity information from Active Directory domains or syslog sources. JSA can use this information to create custom rules that trigger offenses or alerts based on user behavior or activity, such as failed login attempts or password changes.

References := Juniper Secure Analytics Troubleshooting Guide, Juniper Identity Management Service User Guide

SRX chassis clustering is a high availability feature that allows two SRX Series devices to operate as a single logical device. The two devices are connected by a control link and a fabric link, which are used to synchronize the configuration, state, and traffic between the nodes. The control plane is responsible for managing the cluster configuration, monitoring the health and status of the nodes, and performing failover operations. The data plane is responsible for processing and forwarding the traffic through the cluster. SRX chassis clustering supports two modes for the data plane: active/passive and active/active. In active/passive mode, only one node is active for each redundancy group, which is a logical grouping of interfaces and services. The active node handles all the traffic for the redundancy group, while the passive node acts as a backup. In active/active mode, both nodes are active for different redundancy groups, and they can share the traffic load for the cluster. SRX chassis clustering supports only one mode for the control plane: active/passive. In this mode, only one node is the primary node, which is the master of the cluster configuration and the source of truth for the cluster state. The primary node also initiates the failover process in case of a node or interface failure. The other node is the secondary node, which is the slave of the cluster configuration and the backup of the cluster state. The secondary node takes over the primary role if the primary node fails or is manually disabled. References: Chassis Cluster Overview, SRX Series Chassis Cluster Configuration Overview, Chassis Cluster Overview

You can create an exempt rule to skip detection of a set of attacks in certain traffic. You can specify the source and destination IP addresses as the match criteria for the exempt rule. This allows you to exclude traffic from specific hosts or networks from being examined by the IPS rulebase. You can also specify other parameters such as protocol, application, and attack objects for the exempt rule, but source and destination IP addresses are the most common ones. References: = Create IPS or Exempt Rules and rulebase-exempt