JN0-336 Security, Specialist (JNCIS-SEC) Questions and Answers

The correct answers are A and D. Juniper provides predefined IDP policy templates to simplify IDP deployment. These templates are supplied by Juniper Networks and include common templates such as client protection, server protection, DMZ services, DNS server, file server, web server, IDP default, and recommended policies. Juniper’s IDP documentation states that predefined templates are available from a secured Juniper Networks website, and the listed templates are explicitly described as being provided by Juniper Networks.

Option D is correct because these templates are not automatically present as usable policies in a factory-default SRX configuration. Juniper’s procedure says that to use predefined IDP policy templates, you download the policy templates and then install them. The CLI process includes request security idp security-package download policy-templates followed by request security idp security-package install policy-templates; committing then makes them available under the IDP policy hierarchy.

Option B is wrong because Juniper specifically says you should customize these templates for your network and recommends using a copied template so you can safely make changes. Option C is wrong because they must be downloaded and installed, so they are not simply available in the factory-default configuration. Reference topics: IDP, predefined IDP policy templates, security-package download, security-package install, active IDP policy.

The correct answers are B and D. In Junos SSL proxy terminology, client protection maps to SSL forward proxy. In a forward-proxy deployment, the SRX sits between internal clients and external SSL/TLS servers. The firewall intercepts the server certificate, generates a substitute certificate, signs it with the configured root CA, decrypts the SSL session for inspection, and then re-encrypts traffic toward the destination server. Juniper’s SSL proxy configuration table shows that a forward-proxy profile uses root-ca configured = Yes and server-certificate configured = No. It also states that configuring neither certificate type fails commit validation, while configuring both root-ca and server-certificate in the same profile is unsupported.

Option A is wrong because a server certificate is required for reverse proxy/server protection, not for client-protection forward proxy. Option C is wrong because without a trusted root CA, client browsers would not trust the certificates generated by the SRX during interception. Juniper separately notes that the root CA certificate is required for client browsers to trust certificates signed by the firewall. Reference topics: SSL Proxy, client protection, SSL forward proxy, root CA, server protection, SSL reverse proxy.

The correct answer is B. The node with the highest priority will become a primary node. In an SRX chassis cluster, redundancy groups determine which node is primary and which node is secondary. Juniper states that when priorities are assigned to nodes in a redundancy group, the node with the higher configured priority is initially designated as the primary, while the other node becomes secondary. This is the direct mechanism an administrator uses to influence primary-node selection for a redundancy group.

Option A is wrong because the burnt-in address is not the administrative method used to designate the primary node. BIA can be part of deterministic hardware identity behavior, but primary election is controlled through redundancy-group priority, preemption behavior, and failover state. Option C is the opposite of Juniper behavior; the lower-priority node does not win the election. Option D is also wrong because a priority of one is still a valid low priority. The ineligible value is 0, and Juniper specifically warns about failover behavior involving nodes with priority 0 because such nodes are not ready to accept traffic.

Reference topics: HA Clustering, redundancy groups, node priority, primary/secondary election, preemption, chassis cluster failover.

The correct answers are A and B. In SRX chassis clustering, the fabric link, represented by fab interfaces, is the data-plane connection between the two cluster nodes. Juniper describes the fabric as the back-to-back data connection used when traffic on one node must be processed on the other node or must exit through an interface on the other node; session-state information also passes over the fabric. This is especially visible in active/active clustering, where ingress and egress interfaces can reside on different nodes and transit traffic must cross the fabric link.

Option B is also correct because the fabric link still exists in active/passive clustering for cluster data-plane synchronization and inter-node state handling, even though active/passive designs minimize fabric transit traffic because only one node normally forwards traffic at a time. Juniper specifically states that active/passive mode minimizes traffic over the fabric link, not that the fabric link is unused.

Options C and D are not the intended answers. The cluster is identified by a configured cluster ID, and each chassis is identified by a node ID, but the fabric interface names themselves are not where the cluster ID is reflected. Reference topics: HA Clustering, fabric link, active/active clustering, active/passive clustering, session synchronization, inter-node traffic.

The correct answers are A and B. In SRX chassis clustering, the fab interface is the fabric data-plane link between cluster nodes. Juniper explains that data-plane software synchronizes session state using runtime objects, or RTOs, across the fabric data link, and this fabric link also supports forwarding traffic between nodes when ingress and egress processing occur on different chassis members.

swfab is also a chassis-cluster data-plane-related interface used for Layer 2 switching fabric functionality. Juniper’s Ethernet switching on chassis cluster documentation describes swfab0 and swfab1 as pseudointerfaces created for Layer 2 fabric functionality, enabling switching across the nodes. Option C, fxp1, is wrong because fxp1 is the control link interface used for cluster control-plane communication, heartbeats, and synchronization signaling, not a data-plane fabric interface. Option D, fxp0, is wrong because fxp0 is the out-of-band management interface. The clean separation is: fxp0 = management, fxp1 = control link, fab = routed/data fabric, and swfab = Layer 2 switching fabric. Reference topics: HA Clustering, fab interfaces, swfab interfaces, control link, management interface, data-plane synchronization.

The correct answer is A. Manually configure and apply an SSL proxy profile. HTTPS traffic is encrypted, so ATP Cloud cannot extract and submit downloaded files for malware analysis unless the SRX can decrypt the SSL/TLS session first. Juniper’s ATP Cloud documentation states that to detect malware in HTTPS traffic, you must configure the SSL inspection CA used for SSL forward proxy, and the ATP Cloud policy workflow specifically includes configuring an SSL proxy profile to inspect HTTPS traffic. Juniper’s example shows the SSL proxy profile being created with a root CA and then applied so HTTPS sessions can be inspected before advanced anti-malware processing occurs.

Option B is wrong because lowering the threat score only changes the enforcement threshold after a file verdict is returned; it does not solve the inability to inspect encrypted payloads. Option C is wrong because changing the ATP device profile alone does not decrypt HTTPS traffic. The exhibit already shows a malware profile and HTTP file-download configuration, but HTTPS malware detection still requires SSL proxy. Option D is wrong because Junos ATP Cloud integration does not require redirecting encrypted traffic to a separate decryption appliance for this task. The SRX performs SSL forward proxy locally, then advanced anti-malware can inspect extracted content. Reference topics: ATP Cloud, HTTPS malware inspection, SSL forward proxy, SSL inspection CA, advanced anti-malware policy.

The correct answers are B and D. On SRX Series Firewalls, SSL proxy is configured by creating an SSL proxy profile and then applying that profile to the relevant security policy as an application service. Juniper’s SSL proxy configuration overview lists the required workflow: configure certificates and CA profile material, configure the SSL proxy profile, create a security policy matching the traffic to be inspected, and apply the SSL proxy profile to that security policy. Juniper further states that SSL proxy is enabled as an application service within a security policy, where the policy match criteria identify the traffic and the SSL proxy profile is applied to that traffic.

Option A is wrong because enabling the SSL ALG is not the required control point for SSL proxy. SSL proxy is a decryption/inspection service applied through policy, not simply an ALG toggle. Option C is wrong because creating a separate SSL application object is not the mandatory SSL proxy configuration action. The policy can match the desired traffic and then invoke SSL proxy through then permit application-services ssl-proxy profile-name. Juniper’s example explicitly shows applying the SSL proxy profile under the security policy action.

Reference topics: SSL Proxy, SSL forward proxy, SSL proxy profiles, security policy application-services, encrypted traffic inspection.

The correct answers are A and B. In an SRX chassis cluster, the cluster ID identifies the chassis cluster, and valid operational cluster IDs are nonzero values. Juniper’s chassis cluster command documentation states that the system uses the chassis cluster ID and node ID to apply the correct node-specific configuration, and the command writes the chassis cluster ID and node ID to EPROM. When the cluster ID is set to 0, clustering is disabled; therefore, the HA cluster configuration is effectively ignored because the device is no longer operating as a chassis-cluster member.

Option B is also correct because Juniper states that chassis cluster ID and node ID changes take effect only after the system is rebooted. That is why the operational command format includes the reboot behavior when setting cluster-id and node. Option C is wrong because node ID 0 is valid; it identifies node0 in the two-node cluster. Option D is wrong because SRX chassis clusters use node IDs 0 and 1 only; the 1–255 range applies to cluster IDs, not node IDs. Reference topics: HA Clustering, cluster ID, node ID, EPROM, chassis cluster enablement, node-specific configuration.

The correct answer is C. Enable connectivity between the SRX Series device and Juniper ATP Cloud. Juniper ATP Cloud cannot inspect files, receive verdicts, or apply cloud-based malware intelligence until the SRX is enrolled and has a working secure connection to the ATP Cloud service. Juniper states that SRX enrollment establishes a secure connection between the SRX Series Firewall and the Juniper ATP Cloud server, downloads and installs certificate authorities, creates local certificates, enrolls them with the cloud server, and establishes the secure cloud connection.

Option A is not the first required configuration setting because the anti-malware service depends on successful cloud onboarding and connectivity. Option B is premature because firewall/security policies can reference malware inspection only after the device is properly connected and enrolled. Option D is also later in the workflow; anti-malware policies define how files are inspected and what action is taken, but those policies are useless if the SRX cannot communicate with ATP Cloud. Juniper also notes that ATP Cloud requires both the Routing Engine and Packet Forwarding Engine to reach the Internet, and DNS must resolve the cloud URL. Reference topics: ATP Cloud onboarding, SRX enrollment, advanced anti-malware connection, secure cloud connectivity, anti-malware policy deployment.

The correct answer is D. You have too many domain controllers. The exhibit shows 15 Active Directory domain controllers. Juniper’s integrated Active Directory identity-source configuration for SRX identity-aware firewall supports a limited number of domain controllers; Juniper documentation states that an SRX Series device can configure a maximum of 10 domain controllers for Active Directory identity-source integration. Because this environment has 15 domain controllers, the direct Active Directory identity-source method exceeds the supported scale and JIMS must be used instead.

Option A is wrong because SRX devices can use Active Directory directly as an identity source; JIMS is not the only possible method. Option B is wrong because 1,500 users does not exceed the relevant identity-source scale shown here; Juniper documentation also notes probe functionality support well above this number. Option C is wrong because the issue being tested is not the Windows Server version. JIMS is designed for larger identity-aware deployments and can centralize identity collection from Active Directory, domain controllers, Exchange servers, and syslog sources, then provide identity mappings to SRX firewalls. Juniper’s JIMS datasheet shows much higher scale, including up to 100 active directories, 25 domains, and 500,000 user entries. Reference topics: Identity-Aware Security Policies, Active Directory identity source limits, JIMS scalability, domain controller scale limitations.

The correct answers are A and C. In SSL forward proxy, the SRX sits between internal clients and external SSL/TLS servers. Juniper’s SSL proxy configuration documentation shows that a forward proxy profile is created when root-ca is configured and server-certificate is not configured. This root CA is used by the SRX to generate substitute certificates for intercepted SSL sessions, so internal clients must trust the CA used by the firewall. Juniper’s procedure specifically includes generating or loading a local certificate and applying it as the root-ca in the SSL proxy profile.

Option C is also correct because forward proxy terminates the client-side SSL session and establishes a separate SSL session toward the destination server. Juniper states that the SSL proxy acts as an SSL server to the client and establishes a new SSL session to the server; from the server’s perspective, the SRX is the SSL client. Option B is wrong because forward proxy intercepts the server certificate and creates a substitute certificate; forwarding the actual server certificate unchanged is associated with reverse proxy behavior. Option D is wrong because Encrypted Traffic Insights is not the required forward-proxy mechanism here. Reference topics: SSL Proxy, SSL forward proxy, root CA, client protection, certificate interception.

The correct answers are C and D. The exhibit shows ESP encrypted bytes = 0, ESP decrypted bytes = 0, encrypted packets = 0, and decrypted packets = 0. That means no traffic is successfully passing through the IPsec tunnel. Juniper’s show security ipsec statistics command displays ESP encrypted/decrypted packet and byte counters, so zero values on these counters indicate that the tunnel is not successfully carrying protected ESP traffic.

Option C is also correct because the output shows ESP authentication failures and ESP decryption failures. Since ESP is the IPsec protocol responsible for encrypted payload handling, failures in ESP authentication/decryption point to an ESP/IPsec Phase 2 mismatch or incorrect configuration, such as mismatched authentication algorithm, encryption algorithm, keys, proposal parameters, or incompatible negotiated SA settings. Juniper’s IPsec overview explains that Phase 2 negotiates the IPsec SA used to authenticate traffic flowing through the tunnel, so ESP-related failures belong to the IPsec/ESP configuration path rather than AH.

Option A is wrong because the AH counters and AH authentication failures are zero; the evidence is not pointing to AH. Option B is unsupported because the output does not show peer reboot behavior. Reference topics: IPsec VPN, ESP statistics, Phase 2/IPsec SA negotiation, ESP authentication failures, ESP decryption failures.

The correct answers are A, C, and E. During Security Director device discovery, Junos Space first finds and connects to the managed device, then synchronizes the device inventory and configuration into the Junos Space database. Juniper’s Security Director documentation states that discovery uses a discovery profile containing target information, authentication credentials, probes, and SSH fingerprints. During discovery, Junos Space connects to the physical device and retrieves the running configuration and status information. It also states that Junos Space uses SSH, with optional ping and SNMP, to discover network devices.

Option B is wrong because device discovery is not a reboot operation. Rebooting would be disruptive and is not part of onboarding a managed SRX into Security Director. Option D is wrong because discovery does not automatically inject a local superuser into the SRX configuration. Security Director authenticates using credentials supplied in the discovery profile; it does not create privileged local accounts as a discovery action. The tested workflow is management-plane discovery: connect, authenticate, retrieve inventory/status, and import configuration state. Reference topics: Security Director, device discovery, discovery profiles, SSH, running configuration import, device status synchronization.

The correct answers are A and B. The exhibit shows show chassis cluster statistics. Under Control link statistics, Control link 0 has heartbeat packets sent and received, with heartbeat packet errors: 0. That is the clearest indication that the control link is operating normally. Juniper describes chassis-cluster control-plane verification as checking control-link heartbeat packets sent and received, along with heartbeat errors. If both send and receive counters are incrementing and errors are zero, the control link is functioning.

Option A is also correct because under Fabric link statistics, Child link 0 shows probes sent and probes received. Juniper uses fabric-link probe counters to verify fabric-link operation; nonzero sent and received probe counters indicate that the link is participating in fabric monitoring. Option C is not the safest conclusion from this exhibit alone. Child link 1 shows zero probes sent and received, but the output does not prove that a second fabric child link is configured and failing; it could simply be unused or not configured in this deployment. Option D is directly contradicted by the healthy heartbeat counters. Reference topics: HA Clustering, chassis cluster statistics, control-link heartbeat, fabric-link probes, cluster health verification.

The correct answers are A and C. In an SRX chassis cluster, redundant Ethernet interfaces are configured as reth interfaces. Juniper defines a reth interface as a pseudointerface that includes at least one physical interface from each node in the cluster. Therefore, assigning a physical interface from node0 and a physical interface from node1 to the same reth interface is mandatory for redundant Ethernet operation. Juniper also states that before configuring chassis cluster redundant Ethernet interfaces, you must set the number of redundant Ethernet interfaces.

Option C maps to the required reth-count configuration under the chassis cluster hierarchy. Without defining the number of reth interfaces, Junos does not know how many redundant Ethernet pseudointerfaces are available for the cluster configuration. Option B is wrong because setting a retry interval is not a required step for creating a reth interface or redundancy group. Option D is wrong because heartbeat behavior belongs to cluster control-link monitoring and chassis-cluster node health, not to the required configuration steps for Ethernet reth membership. The required design steps are: define reth capacity, create/configure the reth interface, assign child physical links from both nodes, and associate the reth with the proper redundancy group. Reference topics: HA Clustering, redundant Ethernet interfaces, reth-count, reth child interfaces, redundancy groups.

The correct answers are B and D. IKE Phase 2 negotiates the IPsec security associations used to protect actual user data through the VPN tunnel. Juniper explains that after Phase 1 establishes a secure authenticated channel, Phase 2 negotiates SAs for the data transmitted through the IPsec tunnel. A Phase 2 proposal includes the IPsec security protocol, which is either ESP or AH, along with selected encryption and authentication algorithms. In the wording of this question, that maps to the tunnel/security protocol property.

Option D, Perfect Forward Secrecy, is also correct because Phase 2 proposals can specify a Diffie-Hellman group when PFS is desired. PFS forces a new DH key exchange for Phase 2 keys so that compromise of earlier keying material does not expose later IPsec encryption keys. Option A is wrong because routing protocols are not negotiated by IKE Phase 2; routing is handled separately over or toward the tunnel interface. Option C is wrong because aggressive mode is an IKEv1 Phase 1 exchange mode, not a Phase 2 property. Juniper specifically states that Phase 2 always uses quick mode in IKEv1. Reference topics: IKE Phase 2, IPsec SA negotiation, ESP/AH, Perfect Forward Secrecy, quick mode.