JN0-336 Security, Specialist (JNCIS-SEC) Question and Answers

The correct answer is A. fab. In SRX Series chassis clustering, the fabric interface, shown as fab0/fab1, is the data-plane HA link used between cluster nodes. Juniper states that SRX chassis clusters use the fabric interface for session synchronization and traffic forwarding, and that the fabric link synchronizes dynamic runtime state, including session-state objects created by NAT, ALG, authentication, and IPsec processing. This is what enables stateful failover and session continuity when traffic processing moves between nodes.

Option B, fxp0, is wrong because fxp0 is the out-of-band management interface, not the chassis-cluster synchronization path. Option C, fxp1, is tempting but wrong for this question: fxp1 is the control-link interface used for control-plane cluster functions such as heartbeats and cluster control communication, not the main session-state synchronization path. Option D, swfab, is not the standard SRX chassis-cluster fabric interface name used for this function. Juniper’s clustering configuration examples specifically define fab0 and fab1 as the interfaces used for the fabric connection and data-plane RTO/session synchronization.

The correct answers are C and D. Juniper Secure Connect is Juniper’s remote-access VPN client for SRX Series Firewalls. Juniper describes it as a flexible SSL VPN and IPsec application that gives remote workers secure access to corporate and cloud-protected resources. That directly supports option D, because SSL VPN provides a connection method that is useful when traditional IPsec ports are restricted or blocked. Juniper’s Secure Connect guide also states that enabling SSL VPN gives the client flexibility in connecting to SRX Series Firewalls and that SSL VPN is enabled by default.

Option C is also correct because Juniper Secure Connect supports external authentication, allowing users to authenticate with enterprise identity systems rather than relying only on local firewall credentials. Juniper’s external authentication procedure notes that this method lets users use the same username and password as their domain login and is recommended for authenticating users.

Option A is not the best answer because having a client application is not the specific connection/authentication flexibility being tested. Option B is wrong because Kerberos is not the stated Secure Connect authentication method in this context. Reference topics: Juniper Secure Connect, remote-access VPN, SSL VPN, IPsec, external authentication.

The correct answers are A and C. Juniper ATP Cloud uses a malware-analysis pipeline. When a file is submitted, the first step is a cache lookup based on the file hash. Juniper explains that if the file has already been analyzed, the stored verdict is returned to the SRX Series Firewall and there is no need to re-analyze the file. That directly supports C and eliminates B, because analysis does not continue when a cached verdict is found.

If the cache lookup does not return a verdict, the remaining ATP Cloud analysis techniques are used. Juniper describes the pipeline model in which each analysis technique creates a verdict number, and those verdicts are combined into a final verdict score from 0 to 10. That final threat score is what the SRX compares against ATP Cloud policy settings to permit or block the session.

Option D is wrong because ATP Cloud does not simply return the first score generated by any one feature. The expected behavior is cumulative/final scoring across the remaining analysis pipeline. Reference topics: Juniper ATP Cloud, malware analysis pipeline, cache lookup, verdict number, threat score, SRX enforcement.

The correct answer is B. ESP. In IPsec, the security protocol responsible for encrypting protected traffic is Encapsulating Security Payload (ESP). Juniper defines ESP as the IPsec protocol used for encrypting the IP packet and authenticating its contents. In practical SRX VPN design, ESP is the normal protocol selected when confidentiality is required because it can provide encryption, packet integrity, authentication, and anti-replay protection depending on the configured IPsec proposal.

Option A, SHA-1, is incorrect because SHA-1 is an authentication/hash algorithm, not an IPsec security protocol and not a payload encryption mechanism. Option C, AH, is incorrect because Authentication Header validates packet source and integrity but does not encrypt payload data. AH is therefore unsuitable when the requirement explicitly says payload data must be encrypted. Option D, PFS, is incorrect because Perfect Forward Secrecy is a key-exchange property used during Phase 2 rekeying; it strengthens key independence but does not itself encrypt packets. In Junos IPsec configuration logic, the security protocol decision is between ESP and AH, and encryption requires ESP. Reference topics: IPsec VPN, ESP, AH, IPsec security protocols, payload confidentiality, IPsec proposal design.

The correct answers are B and D. The command output is from the SRX Series device: show services user-identification identity-management status. Under Primary server, the exhibit shows Address: 192.168.1.10, Port: 443, Connection method: HTTPS, and Connection status: Online. In Juniper Identity Management Service integration, the SRX is the client that connects to the configured primary JIMS server. Juniper’s configuration workflow specifically describes configuring “the IP address of the primary JIMS server” under services user-identification identity-management connection primary address, and the verification output shows that primary server address with its connection status.

Option A is wrong because 192.168.1.10 is listed under Primary server, not as the local SRX address. Option C is also wrong because this SRX command verifies the SRX-to-JIMS identity-management connection, not the backend JIMS-to-domain-controller connection. Domain controller reachability would be validated from JIMS or through JIMS-specific status/monitoring, not by this SRX-side output. The displayed Online state and OK (200) status confirm that the SRX successfully reached the JIMS HTTPS service and received a valid response. Juniper examples use the same status command to validate that the SRX identity-management connection to JIMS is online.

Reference topics: Identity-Aware Security Policies, Juniper Identity Management Service, SRX-to-JIMS connectivity, identity-management status verification.

The correct answer is A. It uses AppID services. Juniper SSL proxy does not rely only on TCP/443 or a static destination-port assumption. It uses Application Identification services to dynamically determine whether the session is SSL/TLS encrypted. Juniper states directly that SSL proxy uses application identification services to detect whether a session is SSL encrypted, and SSL proxy is allowed only when the session is identified as encrypted. If the application system cache marks the session as Encrypted=Yes, SSL proxy can transition into proxy processing; if the session is marked Encrypted=No, SSL proxy ignores it.

Option B is wrong because packet length does not reliably identify SSL/TLS encryption. Option C is a common trap: many SSL/TLS sessions use port 443, but SSL/TLS can run on nonstandard ports, and non-SSL applications can also use port 443. Junos uses AppID to avoid that weak assumption. Option D is wrong because a CA is used to sign or validate certificates during SSL forward or reverse proxy operations; it is not the mechanism used to detect whether a session is encrypted. Reference topics: SSL Proxy, AppID, encrypted session detection, application system cache, SSL/TLS inspection.

The correct answers are A and C. In an SRX chassis cluster, redundant Ethernet interfaces are configured as reth interfaces. Juniper defines a reth interface as a pseudointerface that includes at least one physical interface from each node in the cluster. Therefore, assigning a physical interface from node0 and a physical interface from node1 to the same reth interface is mandatory for redundant Ethernet operation. Juniper also states that before configuring chassis cluster redundant Ethernet interfaces, you must set the number of redundant Ethernet interfaces.

Option C maps to the required reth-count configuration under the chassis cluster hierarchy. Without defining the number of reth interfaces, Junos does not know how many redundant Ethernet pseudointerfaces are available for the cluster configuration. Option B is wrong because setting a retry interval is not a required step for creating a reth interface or redundancy group. Option D is wrong because heartbeat behavior belongs to cluster control-link monitoring and chassis-cluster node health, not to the required configuration steps for Ethernet reth membership. The required design steps are: define reth capacity, create/configure the reth interface, assign child physical links from both nodes, and associate the reth with the proper redundancy group. Reference topics: HA Clustering, redundant Ethernet interfaces, reth-count, reth child interfaces, redundancy groups.

The correct answers are B and C. Juniper ATP Cloud improves security by delivering cloud-based threat detection, malware analysis, and enforcement integration with SRX Series Firewalls. Juniper describes ATP Cloud as using shared cloud intelligence so customers benefit from new threat intelligence in near real time. It also provides zero-day threat protection, machine-learning-based malware detection, inline malware blocking, and policy actions that can stop malware, quarantine infected systems, prevent data exfiltration, and disrupt lateral movement.

Option C is also correct because Juniper ATP Cloud uses dynamic analysis, commonly called sandboxing. In this process, a suspicious file is executed in a secure environment while tools monitor its activity. Juniper further explains that ATP Cloud uses deception techniques to make the sandbox appear like a real user environment, including simulated mouse movement, keystrokes, common software packages, realistic network access, stored credentials, and vulnerable OS areas. This encourages evasive malware to execute and reveal malicious behavior.

Option A is weaker and not the best answer because logging alone is not the key ATP Cloud security-improvement mechanism being tested. Option D is wrong because ATP Cloud is a threat-prevention service, not a performance-acceleration technology. Reference topics: ATP Cloud, malware analysis, dynamic sandboxing, machine learning, threat intelligence, inline malware blocking.

The correct answers are B and D. In Junos SSL proxy terminology, client protection maps to SSL forward proxy. In a forward-proxy deployment, the SRX sits between internal clients and external SSL/TLS servers. The firewall intercepts the server certificate, generates a substitute certificate, signs it with the configured root CA, decrypts the SSL session for inspection, and then re-encrypts traffic toward the destination server. Juniper’s SSL proxy configuration table shows that a forward-proxy profile uses root-ca configured = Yes and server-certificate configured = No. It also states that configuring neither certificate type fails commit validation, while configuring both root-ca and server-certificate in the same profile is unsupported.

Option A is wrong because a server certificate is required for reverse proxy/server protection, not for client-protection forward proxy. Option C is wrong because without a trusted root CA, client browsers would not trust the certificates generated by the SRX during interception. Juniper separately notes that the root CA certificate is required for client browsers to trust certificates signed by the firewall. Reference topics: SSL Proxy, client protection, SSL forward proxy, root CA, server protection, SSL reverse proxy.

The correct answers are B and C. Adaptive Threat Profiling allows SRX Series Firewalls to act either as inline enforcement devices or as tap-based sensors. In an inline deployment, the SRX is directly in the traffic path and can enforce policy actions such as blocking, denying, or adding threat indicators to Security Intelligence feeds for real-time mitigation. In a tap deployment, the SRX observes copied traffic from a TAP/SPAN-style feed and contributes intelligence without being the active forwarding device. Juniper’s ATP Cloud documentation states that Adaptive Threat Profiling enables SRX devices to be deployed as sensors on Tap ports, identifying and sharing intelligence to inline devices for real-time enforcement. It also describes a “Tap-based SRX Series Firewall sensor” and contrasts it with an inline device.

Option A, bridge, is not the deployment mode being tested here. Bridge/transparent forwarding is a firewall deployment style, not the named Adaptive Threat Profiling mode. Option D, promiscuous, is also wrong; promiscuous mode is an interface behavior, not the ATP Adaptive Threat Profiling deployment model. Reference topics: ATP Cloud, Adaptive Threat Profiling, tap sensors, inline enforcement, Security Intelligence feeds.

The correct answer is A. Manually configure and apply an SSL proxy profile. HTTPS traffic is encrypted, so ATP Cloud cannot extract and submit downloaded files for malware analysis unless the SRX can decrypt the SSL/TLS session first. Juniper’s ATP Cloud documentation states that to detect malware in HTTPS traffic, you must configure the SSL inspection CA used for SSL forward proxy, and the ATP Cloud policy workflow specifically includes configuring an SSL proxy profile to inspect HTTPS traffic. Juniper’s example shows the SSL proxy profile being created with a root CA and then applied so HTTPS sessions can be inspected before advanced anti-malware processing occurs.

Option B is wrong because lowering the threat score only changes the enforcement threshold after a file verdict is returned; it does not solve the inability to inspect encrypted payloads. Option C is wrong because changing the ATP device profile alone does not decrypt HTTPS traffic. The exhibit already shows a malware profile and HTTP file-download configuration, but HTTPS malware detection still requires SSL proxy. Option D is wrong because Junos ATP Cloud integration does not require redirecting encrypted traffic to a separate decryption appliance for this task. The SRX performs SSL forward proxy locally, then advanced anti-malware can inspect extracted content. Reference topics: ATP Cloud, HTTPS malware inspection, SSL forward proxy, SSL inspection CA, advanced anti-malware policy.

The correct answers are A and D. Preparing Active Directory for JIMS requires creating limited-permission service accounts and assigning those accounts to the required Active Directory groups. Juniper’s JIMS deployment guidance states that you must create service accounts so JIMS can read from the defined directory services and identity producers; if PC probing is used, a service account is also required for that function. The same JIMS documentation includes a section named Configure Limited-Permission User Accounts, followed by Add Limited Permission User Accounts to Active Directory Groups.

Option A is correct because the JIMS preparation workflow commonly uses limited-permission accounts for event log access and PC probe access. Juniper identifies accounts such as JIMS-EventLogRemoteAccess and JIMS-PC-Probe in the Active Directory group-membership procedure. Option D is correct because those limited accounts must be added to the proper AD groups, including Event Log Readers and the groups required for remote management or PC probe operation.

Option B is wrong because the tested preparation requirement is not three limited-access accounts. Option C is wrong because JIMS should not be prepared by adding a broad full-access account; the course objective is least-privilege identity collection. Reference topics: JIMS, Active Directory preparation, limited-permission service accounts, Event Log Readers, PC probe account.

The correct answers are B, D, and E. Security Director device onboarding depends on management reachability and valid administrative access. Juniper’s device discovery documentation states that Junos Space discovers network devices using SSH, with optional ping and SNMP, and connects to the physical device to retrieve running configuration and status information. It also explains that device authentication uses administrator login credentials, SSH credentials, SNMP settings, or keys depending on the discovery method.

Option E is required because Security Director must target a reachable management IP address or hostname. Juniper’s discovery-profile workflow explicitly uses the target IP address, hostname, IP range, or subnet to locate devices. Option D is required because invalid username/password or insufficient privileges prevent discovery and management; Juniper’s device-management guidance identifies credentials as required input for discovering devices. Option B is required because onboarding uses SSH, so the correct SSH service and port must be reachable. Juniper’s device access procedure explicitly includes a Port field for the SSH connection.

Option A is wrong because chassis serial number is not the normal troubleshooting field for Security Director discovery. Option C is wrong because active security policies do not determine whether Security Director can initially discover and onboard the device. Reference topics: Security Director, device discovery, SSH access, management IP reachability, authentication credentials.

The correct answers are A and D. For identity-aware security policies, Junos can obtain user identity information from supported identity sources such as Active Directory and Juniper Identity Management Service (JIMS). Active Directory is the direct identity-source option where the SRX integrates with Microsoft Windows Active Directory and uses directory information for user and group mapping. Juniper’s identity-aware firewall documentation states that the firewall obtains user information from identity sources including Active Directory and JIMS, and then uses that identity data in policy decisions.

JIMS is also correct because it centralizes identity collection and provides SRX enforcement points with user, device, IP address, and group-mapping information. Juniper describes JIMS as providing SRX firewalls with high-scale identity data so they can make user-firewall policy decisions. Option B, TACACS+, is wrong because TACACS+ is primarily an administrative authentication, authorization, and accounting protocol, not the LDAP identity-source service used for identity-aware firewall mappings. Option C, RADIUS, is also wrong in this context because RADIUS can authenticate users, but it is not the LDAP directory integration service being tested here. Reference topics: Identity-Aware Firewall, Active Directory identity source, JIMS, LDAP user/group mapping, SRX authentication table.

The correct answers are C and D. Static attack object groups are manually defined groups. Juniper states that custom attack groups are static in nature because the attacks are explicitly specified in the group; therefore, those attack groups do not change when the security database is updated. This is the key difference between static groups and dynamic groups. Dynamic groups use matching criteria and can automatically update membership when the signature database changes, but static groups do not behave that way.

Option C is correct because updating the IPS/IDP signature database does not automatically add or remove members from a static attack group. Option D is correct because the administrator must explicitly add the desired attack objects to the custom static group. Option A describes dynamic matching behavior, not static group behavior. Option B is also dynamic-group behavior; Juniper Security Director documentation says dynamic group membership is automatically updated during signature updates based on the group’s matching criteria. Static groups are intentionally deterministic: they include only the attacks manually selected by the administrator. Reference topics: IDP attack objects, static attack groups, custom attack groups, dynamic attack groups, IPS signature database updates.

The correct answers are B and D. A terminal rule is specifically designed to stop further rule evaluation. Juniper states that the IDP rule-matching algorithm normally checks traffic against all matching rules in the rulebase, but when a terminal rule matches the source, destination, zones, and application, IDP does not continue to check subsequent rules for that same traffic. Juniper also warns that traffic matching a terminal rule is not compared to later rules even if it does not match the attack object inside that terminal rule.

Option D is also correct because the Ignore Connection action stops scanning traffic for the rest of the connection if an attack match is found. Juniper defines Ignore Connection as disabling the rulebase for that specific connection after a match. Option A is wrong because a close action closes the connection by sending reset behavior, but it is not the rule-processing control mechanism being tested. Option C is a trap: the exempt rulebase is used to suppress known false positives after an IPS rule match, but the two direct mechanisms that end IDP rule processing are terminal rule matching and ignore connection. Reference topics: IDP rulebases, terminal rules, Ignore Connection action, rule-matching algorithm, false-positive exemption.