JN0-336 Exam Dumps - Juniper JNCIS-SEC Questions and Answers

The correct answer is B. Add custom-attack Custom-FTP-Attack to the attacks section and change the action to drop-packet. In the exhibit, the IDP rule is built under rulebase-ips with a match block and a then block. Attack objects belong inside the match attacks hierarchy because they define what malicious pattern the IDP rule is trying to detect. Juniper’s IDP documentation states that attack objects are specified in rules to identify malicious activity and that the rule’s attack objects/groups are the attacks the device matches in monitored traffic.

The enforcement behavior belongs in the then action hierarchy. The current rule uses close-client; to meet the requirement, it must be changed to drop-packet. Juniper defines Drop Packet as an IDP action that drops a matching packet before it reaches its destination without closing the connection. Option A keeps the wrong action. Option C is structurally wrong because a custom attack object is not configured under the action section. Option D is also wrong because the notification section controls logging/alert behavior, not attack matching. Reference topics: IDP rulebase, custom attack objects, match attacks hierarchy, IDP actions, drop-packet behavior.

The correct answer is C. Enable connectivity between the SRX Series device and Juniper ATP Cloud. Juniper ATP Cloud cannot inspect files, receive verdicts, or apply cloud-based malware intelligence until the SRX is enrolled and has a working secure connection to the ATP Cloud service. Juniper states that SRX enrollment establishes a secure connection between the SRX Series Firewall and the Juniper ATP Cloud server, downloads and installs certificate authorities, creates local certificates, enrolls them with the cloud server, and establishes the secure cloud connection.

Option A is not the first required configuration setting because the anti-malware service depends on successful cloud onboarding and connectivity. Option B is premature because firewall/security policies can reference malware inspection only after the device is properly connected and enrolled. Option D is also later in the workflow; anti-malware policies define how files are inspected and what action is taken, but those policies are useless if the SRX cannot communicate with ATP Cloud. Juniper also notes that ATP Cloud requires both the Routing Engine and Packet Forwarding Engine to reach the Internet, and DNS must resolve the cloud URL. Reference topics: ATP Cloud onboarding, SRX enrollment, advanced anti-malware connection, secure cloud connectivity, anti-malware policy deployment.

The correct answers are A, D, and E. In IPsec VPN terminology, DES, 3DES, and AES are encryption algorithms used to provide confidentiality for protected IP traffic. Juniper’s IPsec material identifies AES, DES, and Triple DES/3DES as IPsec encryption standards, while separating them from authentication hash algorithms such as MD5, SHA-1, and SHA-2. This distinction matters heavily in JNCIS-SEC because IPsec proposals contain different cryptographic functions: encryption protects packet confidentiality, while authentication/hash algorithms validate integrity and origin.

Option B, SHA-1, is incorrect because SHA-1 is a hashing/authentication algorithm, not an encryption algorithm. It produces a message digest used for integrity checking and authentication, commonly as an HMAC variant. Option C, MD5, is also incorrect for the same reason: MD5 is a message-digest algorithm used for authentication/integrity, not for encrypting payload data. AES is the modern preferred encryption family because it is cryptographically stronger than DES and 3DES at comparable key strengths, while DES and 3DES remain historically recognized IPsec encryption algorithms. Reference topics: IPsec VPN, IPsec proposals, encryption algorithms, authentication algorithms, DES, 3DES, AES, SHA, and MD5.

The correct answers are A and B. The exhibit shows show chassis cluster statistics. Under Control link statistics, Control link 0 has heartbeat packets sent and received, with heartbeat packet errors: 0. That is the clearest indication that the control link is operating normally. Juniper describes chassis-cluster control-plane verification as checking control-link heartbeat packets sent and received, along with heartbeat errors. If both send and receive counters are incrementing and errors are zero, the control link is functioning.

Option A is also correct because under Fabric link statistics, Child link 0 shows probes sent and probes received. Juniper uses fabric-link probe counters to verify fabric-link operation; nonzero sent and received probe counters indicate that the link is participating in fabric monitoring. Option C is not the safest conclusion from this exhibit alone. Child link 1 shows zero probes sent and received, but the output does not prove that a second fabric child link is configured and failing; it could simply be unused or not configured in this deployment. Option D is directly contradicted by the healthy heartbeat counters. Reference topics: HA Clustering, chassis cluster statistics, control-link heartbeat, fabric-link probes, cluster health verification.

The correct answers are C and D. The cSRX is Juniper’s containerized SRX firewall, intended for lightweight virtual and container environments where rapid deployment and high density matter. Juniper’s cSRX documentation lists supported security capabilities including basic firewall policy, NAT, Intrusion Detection and Prevention, content security/UTM functions, ATP Cloud, SSL Proxy, AppID, AppFW, and AppTrack. That supports option C, because cSRX provides SRX security services in a containerized footprint rather than requiring a full VM-based firewall appliance.

Option D is also correct because Juniper identifies the cSRX’s small footprint and minimum resource reservation requirements as key benefits; it is designed to scale more densely than VM-based firewall options. Juniper’s Day One cSRX guide specifically identifies faster deployment, a small footprint, and reduced resource consumption as major benefits. Option A is not the best answer for this exam item because the question asks for cSRX deployment benefits, not merely forwarding-mode support. Option B is wrong because the tested cSRX advantage is not a default three-zone configuration. Reference topics: cSRX container firewall, virtual SRX deployment, firewall/NAT/IPS/UTM services, lightweight resource footprint.

The correct answers are B and C. Juniper Secure Connect uses route-based VPN connectivity, not policy-based VPN connectivity. Juniper’s Secure Connect user guide contrasts Dynamic VPN and Juniper Secure Connect and identifies Juniper Secure Connect as using route-based VPN connectivity, with a tunnel interface selected or created to bind the VPN. This is why SRX configurations for Juniper Secure Connect use an st0 tunnel interface and routing/security policy logic, rather than policy-based encryption tied directly to individual firewall policies.

Option B is also correct because Juniper Secure Connect can use a self-signed certificate. Juniper’s certificate deployment guidance states that before deploying Juniper Secure Connect, the SRX should use an appropriate certificate, which can be a signed certificate, a self-signed certificate, or a Let’s Encrypt-signed certificate. The documentation also shows generating a self-signed certificate and binding it to the SRX for Secure Connect use.

Option A is wrong because policy-based VPN describes older Dynamic VPN behavior, not Juniper Secure Connect. Option D is directly contradicted by Juniper’s certificate guidance. Reference topics: Juniper Secure Connect, route-based VPN, st0 tunnel interface, certificate deployment, self-signed certificate support.

The correct answers are B and D. On SRX Series Firewalls, SSL proxy is configured by creating an SSL proxy profile and then applying that profile to the relevant security policy as an application service. Juniper’s SSL proxy configuration overview lists the required workflow: configure certificates and CA profile material, configure the SSL proxy profile, create a security policy matching the traffic to be inspected, and apply the SSL proxy profile to that security policy. Juniper further states that SSL proxy is enabled as an application service within a security policy, where the policy match criteria identify the traffic and the SSL proxy profile is applied to that traffic.

Option A is wrong because enabling the SSL ALG is not the required control point for SSL proxy. SSL proxy is a decryption/inspection service applied through policy, not simply an ALG toggle. Option C is wrong because creating a separate SSL application object is not the mandatory SSL proxy configuration action. The policy can match the desired traffic and then invoke SSL proxy through then permit application-services ssl-proxy profile-name. Juniper’s example explicitly shows applying the SSL proxy profile under the security policy action.

Reference topics: SSL Proxy, SSL forward proxy, SSL proxy profiles, security policy application-services, encrypted traffic inspection.

The correct answers are C and D. Juniper Secure Connect is Juniper’s remote-access VPN client for SRX Series Firewalls. Juniper describes it as a flexible SSL VPN and IPsec application that gives remote workers secure access to corporate and cloud-protected resources. That directly supports option D, because SSL VPN provides a connection method that is useful when traditional IPsec ports are restricted or blocked. Juniper’s Secure Connect guide also states that enabling SSL VPN gives the client flexibility in connecting to SRX Series Firewalls and that SSL VPN is enabled by default.

Option C is also correct because Juniper Secure Connect supports external authentication, allowing users to authenticate with enterprise identity systems rather than relying only on local firewall credentials. Juniper’s external authentication procedure notes that this method lets users use the same username and password as their domain login and is recommended for authenticating users.

Option A is not the best answer because having a client application is not the specific connection/authentication flexibility being tested. Option B is wrong because Kerberos is not the stated Secure Connect authentication method in this context. Reference topics: Juniper Secure Connect, remote-access VPN, SSL VPN, IPsec, external authentication.

The correct answers are A and C. To log denied traffic on an SRX Series Firewall, the security policy must deny the traffic and must generate a log at session initiation. Juniper’s security policy monitoring documentation states that to view logs from denied connections, you enable logging on session-init. Juniper’s traffic-logging guidance also states that for a security policy with a deny action, traffic logs must be generated when a session starts.

Option C is required because the policy action must be deny; otherwise the traffic is not denied by that policy. Option A is required because denied traffic does not complete a normal permitted session lifecycle, so session-init is the correct logging stage for denied connection attempts. Option B, session-close, is used to log permitted sessions after teardown or conclusion; it is not the required parameter for denied traffic. Option D, count, increments policy counters but does not create traffic logs. The correct configuration concept is: match the unwanted traffic, apply then deny, and enable then log session-init. Reference topics: SRX security policies, deny action, session-init logging, traffic log generation, policy counters.

The correct answer is D. AppQoS. The requirement is not to block, permit, translate, or inspect SIP signaling; it is to prioritize VoIP traffic on a low-bandwidth branch link. Juniper Application QoS, or AppQoS, is designed exactly for this purpose. Juniper states that AppQoS provides the ability to prioritize and meter application traffic so business-critical or high-priority application traffic receives better service. It can classify traffic by application, assign forwarding classes, rewrite DSCP values, set loss priority, and apply rate limiters.

Option A, AppFW, is wrong because AppFW controls application access; it is used to permit, deny, reject, or log application traffic, not primarily to prioritize voice traffic. Option B, SIP ALG, is wrong because the SIP ALG helps inspect and handle SIP control traffic and related media pinholes, but it is not a QoS prioritization service. Option C, AppQoE, is not the correct SRX edge service being tested here. For cloud-based VoIP under a broad outbound permit rule, AppQoS is the correct service because it can identify the VoIP application and give it better treatment during congestion. Reference topics: AppQoS, application traffic control, VoIP prioritization, DSCP rewrite, forwarding class, rate limiting.