JN0-636 Security Professional (JNCIP-SEC) Questions and Answers

According to the exhibit, which is a configuration snippet of the SRX Series device, the global mode for the device is set to switching mode. This means that the device is operating as a Layer 2 switch and does not apply any security policies to the traffic between hosts in the same broadcast domain1. Therefore, the traffic between two hosts in the same broadcast domain are not matching any security policies.

To solve this problem, the user should change the global mode to transparent bridge mode. This means that the device will operate as a Layer 2 transparent bridge and apply security policies to the traffic between hosts in the same broadcast domain2. This will allow the user to enforce security policies based on the source and destination IP addresses, ports, and protocols of the traffic.

To change the global mode to transparent bridge mode, the user should use the following command:

set protocols l2-learning global-mode transparent-bridge

This command will set the global mode for the SRX Series device as Layer 2 transparent bridge mode. After changing the mode, the user must reboot the device for the configuration to take effect2.

References: 1: global-mode (Protocols) 2: Configuring Layer 2 Transparent Mode

According to the Juniper documentation, filter-based forwarding (FBF) is a technique that allows the SRX Series device to forward packets based on firewall filter rules, rather than the default routing table1. FBF can be used to implement policy-based routing, load balancing, or traffic engineering2. To deploy FBF on the SRX Series device for incoming traffic sourced from the 10.10.100.0/24 network, the following steps are required:

• You must create a forwarding-type routing instance. A forwarding-type routing instance is a special type of routing instance that is used for FBF. It does not have any interfaces or routing protocols associated with it, but it has its own routing table that can be populated by static routes, RIB groups, or routing policies3. You can create a forwarding-type routing instance by using the following command:

set routing-instances instance-type forwarding

• You must create and apply a firewall filter that matches on the source address 10.10.100.0/24 and then sends this traffic to your routing instance. A firewall filter is a set of rules that can match on various packet attributes, such as source and destination addresses, ports, protocols, and so on. You can use the then routing-instance action to specify the routing instance that the packet should be forwarded to4. You can create and apply a firewall filter by using the following commands:

set firewall family inet filter term from source-address 10.10.100.0/24 set firewall family inet filter term then routing-instance  set interfaces unit family inet filter input

• You must create a RIB group that adds interface routes to your routing instance. A RIB group is a mechanism that allows you to import routes from one routing table to another. You can use a RIB group to add the interface routes of the ingress interface to the routing table of the forwarding-type routing instance. This will ensure that the SRX device can forward the packets to the correct next hop based on the destination address5. You can create a RIB group by using the following commands:

set routing-options rib-groups import-rib inet.0 set routing-options rib-groups import-rib .inet.0 set routing-instances routing-options instance-import

The following steps are not required or incorrect:

• You do not need to create a VRF-type routing instance. A VRF-type routing instance is a type of routing instance that is used for virtual routing and forwarding. It allows you to create multiple logical routers on the same physical device, each with its own interfaces, routing protocols, and routing tables. VRF-type routing instances are typically used for VPNs, MPLS, or network segmentation. However, they are not necessary for FBF, which can be achieved with a forwarding-type routing instance.
• You do not need to create and apply a firewall filter that matches on the destination address 10.10.100.0/24 and then sends this traffic to your routing instance. This would be redundant and unnecessary, as the destination address of the incoming traffic is already determined by the routing table of the forwarding-type routing instance. Moreover, this would create a loop, as the traffic would be sent back to the same routing instance that it came from.

References: 1: Filter-Based Forwarding Overview 2: Configuring Filter-Based Forwarding 3: forwarding (Routing Instances) 4: routing-instance (Firewall Filter Action) 5: Configuring RIB Groups : [vrf (Routing Instances)]

Referring to the exhibit, your company’s infrastructure team implemented new printers. To make sure that the policy enforcer pushes the updated IP address list to the SRX, you need to perform the following actions:

• A. Configure the server feed URL as http://172.25.10.254/myprinters. The server feed URL is the address of the remote server that provides the custom feed data. You need to configure the server feed URL to match the location of the file that contains the IP addresses of the new printers. In this case, the file name is myprinters and the server IP address is 172.25.10.254, so the server feed URL should be http://172.25.10.254/myprinters1.
• B. Create a security policy that uses the dynamic address feed to allow access. A security policy is a rule that defines the action to be taken for the traffic that matches the specified criteria, such as source and destination addresses, zones, protocols, ports, and applications. You need to create a security policy that uses the dynamic address feed as the source or destination address to allow access to the new printers. A dynamic address feed is a custom feed that contains a group of IP addresses that can be entered manually or imported from external sources. The dynamic address feed can be used in security policies to either deny or allow traffic based on either source or destination IP criteria2.
• C. Configure Security Director to create a dynamic address feed. Security Director is a Junos Space application that enables you to create and manage security policies and objects. You need to configure Security Director to create a dynamic address feed that contains the IP addresses of the new printers. You can create a dynamic address feed by using the local file or the remote file server option. In this case, you should use the remote file server option and specify the server feed URL as http://172.25.10.254/myprinters3.

The other options are incorrect because:

• D. Configuring Security Director to create a C&C feed is not required to complete the requirement. A C&C feed is a security intelligence feed that contains the IP addresses of servers that are used by malware or attackers to communicate with infected hosts. The C&C feed is not related to the new printers or the dynamic address feed.
• E. Configuring the server feed URL as https://172.25.10.254/myprinters is not required to complete the requirement. The server feed URL can use either the HTTP or the HTTPS protocol, depending on the configuration of the remote server. In this case, the exhibit shows that the remote server is using the HTTP protocol, so the server feed URL should use the same protocol1.

References:

• Configuring the Server Feed URL
• Dynamic Address Overview
• Creating Custom Feeds
• [Command and Control Feed Overview]

Certificate RenewalThe renewal of certificates is much the same as initial certificate enrollment except you are just replacing an old certificate(about to expire) on the VPN device with a new certificate. As with the initial certificate request, only manual renewal issupported. SCEP can be used to re-enroll local certificates automatically before they expire. Refer to Appendix D for moredetails.

To control access to network resources based on the identity of an authenticated device on the SRX Series firewalls, you need to perform the following steps:

• A. Configure an end-user-profile that characterizes a device or set of devices. An end-user-profile is a device identity profile that contains a collection of attributes that are characteristics of a specific group of devices, or of a specific device, depending on the attributes configured in the profile. The end-user-profile must contain a domain name and at least one value in each attribute. The attributes include device-identity, device-category, device-vendor, device-type, device-os, and device-os-version1. You can configure an end-user-profile by using the Junos Space Security Director or the CLI2.
• C. Reference the end-user-profile in the security policy. A security policy is a rule that defines the action to be taken for the traffic that matches the specified criteria, such as source and destination addresses, zones, protocols, ports, and applications. You can reference the end-user-profile in the source-end-user-profile field of the security policy to identify the traffic source based on the device from which the traffic issued. The SRX Series device matches the IP address of the device to the end-user-profile and applies the security policy accordingly3. You can reference the end-user-profile in the security policy by using the Junos Space Security Director or the CLI4.
• E. Configure the authentication source to be used to authenticate the device. An authentication source is a system that provides the device identity information to the SRX Series device. The authentication source can be Microsoft Windows Active Directory or a third-party network access control (NAC) system. You need to configure the authentication source to be used to authenticate the device and to send the device identity information to the SRX Series device. The SRX Series device stores the device identity information in the device identity authentication table5. You can configure the authentication source by using the Junos Space Security Director or the CLI6.

The other options are incorrect because:

• B. Referencing the end-user-profile in the security zone is not a valid step to control access to network resources based on the identity of an authenticated device. A security zone is a logical grouping of interfaces that have similar security requirements. You can reference the user role in the security zone to identify the user who is accessing the network resources, but not the end-user-profile7.
• D. Applying the end-user-profile at the interface connecting the devices is also not a valid step to control access to network resources based on the identity of an authenticated device. You cannot apply the end-user-profile at the interface level, but only at the security policy level. The end-user-profile is not a firewall filter or a security policy, but a device identity profile that is referenced in the security policy1.

References:

• End User Profile Overview
• Creating an End User Profile
• source-end-user-profile
• Creating Firewall Policy Rules
• Understanding the Device Identity Authentication Table and Its Entries
• Configuring the Authentication Source for Device Identity
• user-role

The three profiles that are configurable in a threat prevention policy are infected host profile, C&C profile, and malware profile. A threat prevention policy is a feature of Juniper ATP Cloud that provides protection and monitoring for selected threat profiles, including command and control servers, infected hosts, and malware. Using feeds from Juniper ATP Cloud and optional custom feeds that you configure, ingress and egress traffic is monitored for suspicious content and behavior. Based on a threat score, detected threats are evaluated and action may be taken once a verdict is reached. You can create a threat prevention policy by selecting one or more of the following profiles:

• Infected host profile: This profile detects and blocks traffic from hosts that are infected with malware or compromised by attackers. You can configure the threat score thresholds and the actions for different levels of severity. You can also enable Geo IP filtering to block traffic from or to specific countries or regions.
• C&C profile: This profile detects and blocks traffic to or from command and control servers that are used by attackers to control malware or botnets. You can configure the threat score thresholds and the actions for different levels of severity. You can also enable Geo IP filtering to block traffic from or to specific countries or regions.
• Malware profile: This profile detects and blocks traffic that contains malware or malicious content. You can configure the threat score thresholds and the actions for different levels of severity. You can also enable protocol-specific settings for HTTP and SMTP traffic, such as file type filtering, file size filtering, and file name filtering.

The other two profiles, device profile and SSL proxy profile, are not configurable in a threat prevention policy. A device profile is a feature of Policy Enforcer that defines the device type, the device group, and the device settings for the SRX Series devices that are enrolled with Juniper ATP Cloud. An SSL proxy profile is a feature of SRX Series devices that enables SSL proxy to decrypt and inspect SSL/TLS traffic for threats and policy violations.

References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos-space23.1/policy-enforcer/topics/concept/threat-management-policy-overview.html https://www.juniper.net/documentation/en_US/junos-space23.1/policy-enforcer/topics/task/configuration/junos-space-policy-enforcer-threat-management-policy-configure.html https://www.juniper.net/documentation/en_US/junos/topics/concept/security-policy-enforcer-device-profile-overview.html https://www.juniper.net/documentation/en_US/junos/topics/concept/security-ssl-proxy-overview.html

 You are connecting two remote sites to your corporate headquarters site. You must ensure that traffic passes through the corporate headquarters. In this scenario, the VPN that should be used is:

• D. Hub-and-spoke IPsec VPN with the corporate firewall acting as the hub device. A hub-and-spoke IPsec VPN is a type of VPN that connects multiple remote sites to a central site, or hub, over a public network. The hub site acts as a gateway for the remote sites and provides security and routing services. The remote sites, or spokes, communicate with each other through the hub site. The hub site and the spoke sites use IPsec tunnels to encrypt and authenticate the traffic between them. A hub-and-spoke IPsec VPN is suitable for connecting two remote sites to your corporate headquarters site, because it allows you to control the traffic flow and enforce security policies at the hub site. The corporate firewall can act as the hub device and provide IPsec VPN services to the remote sites1.

The other options are incorrect because:

• A. Full mesh IPsec VPNs with tunnels between all sites. A full mesh IPsec VPN is a type of VPN that connects every site to every other site over a public network. Each site has an IPsec tunnel with every other site, forming a mesh topology. A full mesh IPsec VPN provides direct and secure communication between any pair of sites, but it also requires a large number of IPsec tunnels and complex configuration. A full mesh IPsec VPN is not suitable for connecting two remote sites to your corporate headquarters site, because it does not ensure that traffic passes through the corporate headquarters site, and it may introduce unnecessary overhead and complexity2.
• B. A full mesh Layer 3 VPN with the BGP route reflector behind the corporate firewall device. A full mesh Layer 3 VPN is a type of VPN that uses MPLS and BGP to provide Layer 3 connectivity and routing between multiple sites over a service provider’s network. Each site has a BGP session with every other site, forming a full mesh topology. A BGP route reflector is a device that reduces the number of BGP sessions required in a full mesh topology by reflecting routes between its clients. A full mesh Layer 3 VPN with the BGP route reflector behind the corporate firewall device is not suitable for connecting two remote sites to your corporate headquarters site, because it does not ensure that traffic passes through the corporate firewall device, and it may require additional configuration and coordination with the service provider3.
• C. A Layer 3 VPN with the corporate firewall acting as the hub device. A Layer 3 VPN is a type of VPN that uses MPLS and BGP to provide Layer 3 connectivity and routing between multiple sites over a service provider’s network. A Layer 3 VPN can have different topologies, such as full mesh, hub-and-spoke, or partial mesh. A Layer 3 VPN with the corporate firewall acting as the hub device is not suitable for connecting two remote sites to your corporate headquarters site, because the corporate firewall may not support MPLS and BGP, and it may require additional configuration and coordination with the service provider3.

References:

• Hub-and-Spoke VPNs Overview
• Full Mesh VPNs Overview
• Layer 3 VPNs Overview

The Juniper ATP Appliance platform collects, inspects and analyzes advanced and stealthy web, file, and email-based threats that exploit and infiltrate client browsers, operating systems, emails and applications. Juniper ATP Appliance’s detection of malicious attacks generates incident and event details that can be sent to connected SIEM platforms in CEF, LEEF or Syslog formats1. CEF (Common Event Format) is an open log management standard that improves the interoperability of security-related information from different vendors2. Juniper ATP Appliance supports CEF format for sending events and system audit notifications to SIEM servers. You can configure the CEF format in the Juniper ATP Appliance Central Manager WebUI Config > Notifications > SIEM Settings1. Therefore, the correct answer is C. CEF is a supported logging output format for Juniper ATP Appliance. The other options are incorrect because:

• A. WELF (WebTrends Enhanced Log Format) is a proprietary log format developed by WebTrends Corporation for web analytics3. Juniper ATP Appliance does not support WELF format for SIEM integration.
• B. JSON (JavaScript Object Notation) is a lightweight data-interchange format that is easy for humans and machines to read and write4. Juniper ATP Appliance supports JSON format for HTTP API results, but not for SIEM notifications1.
• D. Binary is a numeric system that uses only two digits: 0 and 1. Binary is not a logging output format for Juniper ATP Appliance or any SIEM platform.

References:

• SIEM Syslog, LEEF and CEF Logging
• Common Event Format Configuration Guide
• WebTrends Enhanced Log Format
• JSON

According to the Juniper documentation, a tenant system is a logical system that supports routing, services, and security features. A tenant system can be configured to log binary security events to a remote server using the pi security profile. The pi security profile specifies the tenant name, the server address, the server port, and the protocol for logging binary security events. In the exhibit, the pi security profile is configured with the server address 10.0.0.1, the server port 514, and the protocol UDP. However, the tenant name is missing from the configuration. To complete the configuration, the tenant name must be configured as local for the pi security profile. This is because the local tenant name is used to identify the tenant system that is sending the binary security events to the remote server. Therefore, the correct statement to complete the configuration is D. Configure the tenant as local for the pi security profile. References: [Tenant Systems Overview] 1, [Configuring Binary Security Event Logging for Tenant Systems] 2

1: https://www.juniper.net/documentation/us/en/software/junos/logical-system-security/topics/topic-map/tenant-systems-overview.html  2: https://www.juniper.net/documentation/us/en/software/junos/logical-system-security/topics/task/security-tenant-systems-binary-logging-configuring.html

According to the trace options output in the exhibit, the following statements are correct:

• This packet is part of an existing session. This is indicated by the line flow session id 0x00000000, hash 0x00000000, table 0x00000000, flow process exit, which shows that the packet matches an existing session entry in the flow table1.
• The SRX device is changing the destination address on this packet from 10.0.1.1 to 172.20.101.10. This is indicated by the line nat: translated 10.0.1.1->172.20.101.10, which shows that the packet undergoes destination NAT2.

The following statements are incorrect:

• The SRX device is changing the source address on this packet. There is no indication of source NAT in the trace options output2.
• This is the first packet in the session. The first packet in a session would have a different trace options output, which would include the line flow_first_inline_processing and show the creation of a new session entry in the flow table1.

References: 1: SRX Getting Started – Troubleshooting Traffic Flows and Session Establishment 2: SRX Getting Started - Configure NAT (Network Address Translation)

According to the security flow trace shown in the exhibit, which is a snippet of a packet capture on an SRX Series device, the two statements that are correct are:

• This packet arrived on interface ge-0/0/4.0. This is indicated by the line In: 10.0.1.129/22 -> 10.0.1.129/3382;1,0x0, which shows that the ingress interface of the packet is ge-0/0/4.0, as the interface name is prefixed to the source and destination IP addresses and ports of the packet1.
• An existing session is found in the table. This is indicated by the line Found: session id 0x12. sess tok 28685, which shows that the packet matches an existing session in the session table with the session ID 0x12 and the session token 286852.

The following statements are incorrect or not supported by the output:

• Destination NAT occurs. This is not supported by the output, as there is no indication of destination NAT being applied to the packet. The destination IP address of the packet is 10.0.1.129, which is the same as the destination IP address of the original packet. If destination NAT was applied, the destination IP address of the packet would be different from the destination IP address of the original packet.
• The capture is a packet from the source address 172.20.101.10 destined to 10.0.1.129. This is false, as the output shows that the source address of the packet is 10.0.1.129, not 172.20.101.10. The source IP address of the packet is prefixed to the ingress interface name ge-0/0/4.0.

References: 1: Understanding Security Flow Trace 2: show security flow session - Technical Documentation - Support - Juniper Networks

The two valid modes for the Juniper ATP Appliance are all-in-one and core. The all-in-one mode is a single appliance that performs both the collector and the core functions. The collector function collects traffic from the network and sends it to the core function for analysis and detection. The core function performs the threat detection, mitigation, and analytics. The all-in-one mode is suitable for small to medium-sized networks that do not require high scalability or performance. The core mode is a dedicated appliance that performs only the core function. The core mode is used in conjunction with one or more collector appliances that collect traffic from the network and send it to the core appliance for analysis and detection. The core mode is suitable for large-scale networks that require high scalability and performance. References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/concept/security-atp-appliance-overview.html

The exhibit shows a security policy configuration with a threshold of 1000 policy violations by a source network identifier and a threshold of 10 policy violations to an application within a specified period. If either of these thresholds are exceeded, an alarm will be generated. Therefore, the correct answer is A and D. The other options are incorrect because:

• B. The ratio of policy violation traffic compared to accepted traffic is not a criterion for triggering an alarm. The security policy configuration does not specify any ratio or percentage of policy violation traffic that would cause an alarm.
• C. The number of policy violation by a destination TCP port is also not a criterion for triggering an alarm. The security policy configuration does not specify any threshold or duration for policy violation by a destination TCP port.

References:

• policy (Security Alarms)
• Monitoring Security Policy Violations

An IKE security association (SA) is a set of parameters that define how the Internet Key Exchange (IKE) protocol will authenticate and establish the secure channel between the IPsec VPN peers. When you configure an IPsec VPN, one IKE SA is created between the peers, regardless of how many CoS forwarding classes are used to separate the traffic. The SA will be used to negotiate the IPsec SA parameters, such as encryption algorithms and keys.

In this scenario, only 1 IKE security association is required between the IPsec peers, no matter how many CoS forwarding classes are used to separate the voice and data traffic.

The appropriate mitigation actions for the selected incident are to block malware IP addresses (download server or CnC server) and to deploy IVP integration (if configured) to confirm if the endpoint has executed the malware and is infected. This is because the incident shows a progression level of “Download” in the kill chain, which means that the malware has been downloaded and is likely to be executed. Blocking the malware IP addresses can prevent further communication with the malicious server and stop the malware from receiving commands or exfiltrating data. Deploying IVP integration can help verify the infection status of the endpoint and provide additional information about the malware behavior and impact. IVP integration is an optional feature that allows the ATP Appliance to interact with third-party endpoint security solutions such as Carbon Black, Cylance, and CrowdStrike. References:

• Advanced Threat Prevention Appliance Solution Brief
• Advanced Threat Prevention Appliance Datasheet
• [Advanced Threat Prevention Appliance Mitigation Actions]
• [Advanced Threat Prevention Appliance IVP Integration]

• When enrolling your devices, you only need to enroll one node: The Juniper ATP Cloud automatically recognizes the HA configuration and applies the same license and configuration to both nodes of the cluster.
• You must use the same license key on both cluster nodes: The HA cluster needs to share the same license key in order to be recognized as a single device by the Juniper ATP Cloud.

You must set up your HA cluster before enrolling your devices with Juniper ATP Cloud. And it is not necessary to use different license keys on both cluster nodes because the HA cluster shares the same license key.

The two statements that are correct in this scenario are:

• When enrolling your devices, you only need to enroll one node. This is because the Juniper ATP Cloud service supports chassis cluster mode for SRX Series devices. When you enroll a chassis cluster, you only need to enroll the primary node of the cluster. The secondary node will be automatically enrolled and synchronized with the primary node. You do not need to enroll the secondary node separately or perform any additional configuration on it.
• You must use the same license key on both cluster nodes. This is because the Juniper ATP Cloud service requires a license key to activate the service on the SRX Series devices. The license key is tied to the serial number of the device. When you enroll a chassis cluster, you must use the same license key on both nodes of the cluster. The license key must match the serial number of the primary node of the cluster. You cannot use different license keys on the cluster nodes.

References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-atp-cloud-enrolling-srx-series.html https://www.juniper.net/documentation/en_US/junos/topics/concept/security-atp-cloud-licensing-overview.html

The SRX Series device will continue to send requests to authentication servers 192.168.30.190 and 192.168.30.191. This is because the exhibit shows the output of the show network-access aaa radius-servers command. This command displays the status of the RADIUS servers configured on the device. In the output, we can see that there are three RADIUS servers configured - 192.168.30.190, 192.168.30.191, and 2001:DB8:0:f101::2. However, the status of the third server is shown as “DOWN”. This means that the device is not able to communicate with this server. Therefore, the device will continue to send requests to the other two servers - 192.168.30.190 and 192.168.30.191. References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-network-access-aaa-radius-servers.html

https://kb.juniper.net/InfoCenter/index?page=content &id=KB30443&cat=SRX_SERIES&actp=LIST

According to the Juniper documentation, the infected host score is a global setting that determines the minimum threat level required for a host to be considered infected and blocked by Juniper ATP Cloud. The infected host score can be configured from 1 to 10, where 1 is the lowest and 10 is the highest. The default infected host score is 5, which means that any host with a threat level of 5 or higher will be automatically blocked by Juniper ATP Cloud. However, the infected host score can be changed to a higher value, such as 6 or 7, to reduce the number of false positives and allow more traffic to pass through. In the exhibit, the host has a threat level of 5, which indicates that it is infected with malware and has attempted to contact command-and-control servers. However, some of the events have not been automatically mitigated, which means that the host has not been blocked by Juniper ATP Cloud. A possible reason for this behavior is that the infected host score is globally set above a threat level of 5, such as 6 or 7, which means that the host does not meet the minimum threshold for blocking. Therefore, the correct answer is C. The infected host score is globally set above a threat level of 5. References: [Configuring the Infected Host Score] 1, [Compromised Hosts: More Information] 2

1: https://www.juniper.net/documentation/us/en/software/sky-atp/atp-cloud-user-guide/topics/task/sky-atp-infected-host-score.html  2: https://www.juniper.net/documentation/us/en/software/sky-atp/atp-cloud-user-guide/topics/concept/sky-atp-infected-host-overview.html

The security feature that bypasses routing or switching lookup is transparent mode. The other options are incorrect because:

• B. Secure wire is a feature that allows you to connect two interfaces on the same device and forward traffic between them without any processing. Secure wire does not bypass routing or switching lookup, but rather eliminates them altogether1.
• C. Mixed mode is a mode of operation for SRX Series devices that allows you to configure both transparent mode and switching mode on the same device. Mixed mode does not bypass routing or switching lookup, but rather uses them depending on the interface type2.
• D. MACsec (Media Access Control Security) is a feature that provides encryption and authentication for Layer 2 traffic. MACsec does not bypass routing or switching lookup, but rather operates at a lower layer3.

Therefore, the correct answer is A. Transparent mode is a mode of operation for SRX Series devices that provides Layer 2 bridging capabilities with full security services. In transparent mode, the SRX Series device acts as a bridge between two network segments and inspects the packets without modifying the source or destination information in the IP packet header. The SRX Series device does not have an IP address in transparent mode, except for the management interface. Transparent mode bypasses routing or switching lookup, because the SRX Series device does not perform any routing or switching functions, but rather forwards the packets based on the MAC addresses4.

References:

• Secure Wire Overview
• Mixed Mode Overview
• MACsec Overview
• Transparent Mode Overview

The suspicious_Endpoints feed is a dynamic address group that is created by Juniper ATP Cloud based on the IoT device discovery and policy enforcement feature. This feature allows the SRX Series device to send IoT traffic to Juniper ATP Cloud for analysis and classification. Juniper ATP Cloud then creates a threat feed that contains the IP addresses of the suspicious IoT devices and sends it back to the SRX Series device. The SRX Series device can then use this feed to create and enforce security policies for the IoT traffic. The suspicious_Endpoints feed is usable by any SRX Series device that is a part of the same realm as SRX-1, because the feed is shared among the devices that belong to the same Juniper ATP Cloud realm. Juniper ATP Cloud automatically creates the suspicious_Endpoints feed after you commit the security policy that references the feed, because the feed is dynamically generated based on the IoT traffic analysis. You do not need to manually create the feed in the Juniper ATP Cloud interface. References:

• Example- Configure IoT Device Discovery and Policy Enforcement
• Juniper Advanced Threat Prevention Cloud Policy Overview

The command that will allow traffic to bypass the SRX Series device flow daemon based on the source address is set firewall family inet filter bypass_flowd term t1 then packet-mode. This command configures a stateless firewall filter named bypass_flowd that has one term t1. The term t1 can match the traffic based on the source address or any other criteria. The term t1 then applies the action packet-mode, which means that the traffic will be forwarded using packet-based processing and will not be sent to the flow daemon for stateful inspection. This feature is known as selective stateless packet-based forwarding and it allows you to use both flow-based and packet-based forwarding on the same device for different types of traffic. You can apply the firewall filter to the input or output direction of an interface to enable selective stateless packet-based forwarding for the traffic passing through that interface. References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-option-filter-based-forwarding-overview.html https://www.juniper.net/documentation/en_US/junos/topics/example/filter-based-forwarding-example.html

In Juniper ATP Cloud, a threat prevention policy allows you to define how the system should handle an infected host. Two of the available actions are:

• Close the connection: This action will close the connection between the infected host and the destination to which it is trying to connect. This will prevent the host from communicating with the destination and will stop any malicious activity.
• Quarantine the host: This action will isolate the infected host from the network by placing it in a quarantine VLAN. This will prevent the host from communicating with other devices on the network, which will prevent it from spreading malware or exfiltrating data.

Sending a custom message is used to notify the user and administrator of the action taken. Drop the connection silently is not an action available in Juniper ATP Cloud.

According to the Juniper documentation, the threat prevention policy in Juniper ATP Cloud is a configuration that defines the actions and notifications for different threat levels of the traffic. The threat levels are based on the verdicts returned by Juniper ATP Cloud after analyzing the files, URLs, and domains. The threat levels range from 1 to 10, where 1 is the lowest and 10 is the highest1.

The threat prevention policy allows the user to specify different actions for different threat levels. The actions can be applied to the traffic or to the infected host. The actions available for the traffic are:

• Permit: Allows the traffic to pass through the SRX Series device without any interruption.
• Block: Blocks the traffic and sends a reset packet to the client and the server.
• Drop: Drops the traffic silently without sending any reset packet.
• Redirect: Redirects the traffic to a specified URL, such as a warning page or a sinkhole server.

The actions available for the infected host are:

• None: Does not take any action on the infected host.
• Quarantine: Quarantines the infected host by applying a firewall filter that blocks all outbound traffic from the host, except for the traffic to Juniper ATP Cloud or the specified redirect URL.
• Custom: Executes a custom script on the SRX Series device to perform a user-defined action on the infected host, such as sending an email notification or triggering an external system.

Therefore, the two different actions available in a threat prevention policy to deal with an infected host are:

• Block: This action will block the traffic from or to the infected host and send a reset packet to the client and the server. This will prevent the infected host from communicating with the malicious server or spreading the malware to other hosts.
• Quarantine: This action will quarantine the infected host by blocking all outbound traffic from the host, except for the traffic to Juniper ATP Cloud or the redirect URL. This will isolate the infected host from the network and allow the user to remediate the infection.

The following actions are not available or incorrect:

• Send a custom message: This is not an action available in the threat prevention policy. However, the user can use the custom action to execute a script that can send a custom message to the infected host or the administrator.
• Drop the connection silently: This is an action available for the traffic, not for the infected host. It will drop the traffic without sending any reset packet, which may not be effective in stopping the infection or notifying the user.

References: 1: Configuring Threat Prevention Policies

The purpose of the Switch Microservice of Policy Enforcer is to isolate infected hosts. The Switch Microservice is a component of Policy Enforcer that runs on EX Series and QFX Series switches. It communicates with Policy Enforcer and Juniper ATP Cloud to receive threat intelligence and quarantine commands. When an infected host is detected by Juniper ATP Cloud, Policy Enforcer sends a command to the Switch Microservice to isolate the host by applying an access control list (ACL) on the switch port where the host is connected. The ACL blocks all traffic from or to the host except for the traffic that is required for remediation. The Switch Microservice also tracks the MAC address of the infected host and updates Policy Enforcer if the host moves to a different switch port or a different switch. This way, the Switch Microservice ensures that the infected host is isolated until it is remediated and no longer poses a threat to the network. References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/concept/security-policy-enforcer-switch-microservice-overview.html

https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/policy-based-vpn-using-j-series-srxseries-device-configuring.html

https://www.juniper.net/documentation/us/en/software/junos/multicast-l2/topics/ref/statement/family-ethernet-switching-edit-interfaces-qfx-series.html#statement-name-statement__d26608e73

The security feature that achieves the objective of identifying potential threats within SSL-encrypted sessions without requiring SSL proxy to decrypt the session contents is encrypted traffic insights. Encrypted traffic insights (ETI) is a feature of Juniper ATP Cloud that helps you to detect malicious threats that are hidden in encrypted traffic without intercepting and decrypting the traffic. ETI uses machine learning and behavioral analysis to identify anomalies and suspicious patterns in the encrypted traffic metadata, such as the SSL/TLS handshake, the certificate, the cipher suite, and the session duration. ETI can also leverage third-party feeds and threat intelligence from Juniper ATP Cloud to correlate the encrypted traffic with known indicators of compromise (IoCs). ETI can provide insights into the risk level, the threat category, the threat location, and the threat time of the encrypted traffic. ETI can also trigger mitigation actions, such as blocking, quarantining, or alerting, based on the threat severity and the policy configuration. ETI can help you to improve your security posture and visibility without compromising the privacy and performance of the encrypted traffic. References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/concept/security-atp-cloud-encrypted-traffic-insights-overview.html