Which security policy type will be evaluated first?
- A . A zone policy with no dynamic application set
- B . A global policy with no dynamic application set
- C . A zone policy with a dynamic application set
- D . A global policy with a dynamic application set
Which Web filtering solution uses a direct Internet-based service for URL categorization?
- A . Juniper ATP Cloud
- B . Websense Redirect
- C . Juniper Enhanced Web Filtering
- D . local blocklist
C
Explanation:
Juniper Enhanced Web Filtering is a web filtering solution that uses a direct Internet-based service for URL categorization. This service allows Enhanced Web Filtering to quickly and accurately categorize URLs and other web content, providing real-time protection against malicious content. Additionally, Enhanced Web Filtering is able to provide detailed reporting on web usage, as well as the ability to define and enforce acceptable use policies.
References:
https://www.juniper.net/documentation/en_US/junos-space-security-director/topics/task/configuration/security-services-web-filtering-enhanced.html
https://www.juniper.net/documentation/en_US/junos-space-security-director/topics/task/configuration/security-services-web-filtering-enhanced-overview.html
What is the default value of the dead peer detection (DPD) interval for an IPsec VPN tunnel?
- A . 20 seconds
- B . 5 seconds
- C . 10 seconds
- D . 40 seconds
B
Explanation:
The default value of the dead peer detection (DPD) interval for an IPsec VPN tunnel is 5 seconds. DPD is a mechanism that enables the IPsec device to detect if the peer is still reachable or if the IPsec VPN tunnel is still active. The DPD interval determines how often the IPsec device sends DPD packets to the peer to check the status of the VPN tunnel. A value of 5 seconds is a common default, but the specific value can vary depending on the IPsec device and its configuration.
Reference:
Juniper Networks Technical Documentation: Configuring IPsec VPNs: https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/ipsec-vpn-overview-srx-series.html
Which three operating systems are supported for installing and running Juniper Secure Connect client software? (Choose three.)
- A . Windows 7
- B . Android
- C . Windows 10
- D . Linux
- E . macOS
A,C,E
Explanation:
Juniper Secure Connect client software is supported on the following three operating systems: Windows 7, Windows 10, and macOS. For more information, please refer to the Juniper Secure Connect Administrator Guide, which can be found on Juniper’s website. The guide states: "The Juniper Secure Connect client is supported on Windows 7, Windows 10, and macOS." It also provides detailed instructions on how to install and configure the software for each of these operating systems.
Which two statements are correct about the integrated user firewall feature? (Choose two.)
- A . It maps IP addresses to individual users.
- B . It supports IPv4 addresses.
- C . It allows tracking of non-Windows Active Directory users.
- D . It uses the LDAP protocol.
When creating a site-to-site VPN using the J-Web shown in the exhibit, which statement is correct?
- A . The remote gateway is configured automatically based on the local gateway settings.
- B . RIP, OSPF, and BGP are supported under Routing mode.
- C . The authentication method is pre-shared key or certificate based.
- D . Privately routable IP addresses are required.
You are installing a new SRX Series device and you are only provided one IP address from your ISP.
In this scenario, which NAT solution would you implement?
- A . pool-based NAT with PAT
- B . pool-based NAT with address shifting
- C . interface-based source NAT
- D . pool-based NAT without PAT
Which statement is correct about Web filtering?
- A . The Juniper Enhanced Web Filtering solution requires a locally managed server.
- B . The decision to permit or deny is based on the body content of an HTTP packet.
- C . The decision to permit or deny is based on the category to which a URL belongs.
- D . The client can receive an e-mail notification when traffic is blocked.
C
Explanation:
Web filtering is a feature that allows administrators to control access to websites by categorizing URLs into different categories such as gambling, social networking, or adult content. The decision to permit or deny access to a website is based on the category to which a URL belongs. This is done by comparing the URL against a database of categorized websites and making a decision based on the policy defined by the administrator.
Reference:
Juniper Networks SRX Series Services Gateway Web Filtering Configuration Guide: https://www.juniper.net/documentation/en_US/release-independent/junos/topics/topic-map/security-services-web-filtering.html
Which two non-configurable zones exist by default on an SRX Series device? (Choose two.)
- A . Junos-host
- B . functional
- C . null
- D . management
A,C
Explanation:
Junos-host and null are two non-configurable zones that exist by default on an SRX Series device. Junos-host is the default zone for all internal interfaces and services, such as management and other loopback interfaces. The null zone is used to accept all traffic that is not explicitly accepted by other security policies, and is the default zone for all unclassified traffic. Both zones cannot be modified or deleted.
References:
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-zones-overview.html
https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-zones-default-zone-configuration.html
Which two statements about the Junos OS CLI are correct? (Choose two.)
- A . The default configuration requires you to log in as the admin user.
- B . A factory-default login assigns the hostname Amnesiac to the device.
- C . Most Juniper devices identify the root login prompt using the % character.
- D . Most Juniper devices identify the root login prompt using the > character.
A,D
Explanation:
The two correct statements about the Junos OS CLI are that the default configuration requires you to log in as the admin user, and that most Juniper devices identify the root login prompt using the > character. The factory-default login assigns the hostname "juniper" to the device and the root login prompt is usually identified with the % character. More information about the Junos OS CLI can be found in the Juniper Networks technical documentation here: https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/cli-overview.html.
What is the default timeout value for TCP sessions on an SRX Series device?
- A . 30 seconds
- B . 60 minutes
- C . 60 seconds
- D . 30 minutes
D
Explanation:
By default, TCP has a 30-minute idle timeout, and UDP has a 60-second idle timeout. Additionally, known IP protocols have a 30-minute timeout, whereas unknown ones have a 60-second timeout. Setting the inactivity timeout is very useful, particularly if you are concerned about applications either timing out or remaining idle for too long and filling up the session table. According to the Juniper SRX Series Services Guide, this can be configured using the ‘timeout inactive’ statement for the security policy.
What is the number of concurrent Secure Connect user licenses that an SRX Series device has by default?
- A . 3
- B . 4
- C . 2
- D . 5
C
Explanation:
The number of concurrent Secure Connect user licenses that an SRX Series device has by default is 2. Secure Connect is a feature of Juniper SRX Series devices that allows you to securely connect to remote networks via IPsec VPN tunnels. Each SRX Series device comes with two concurrent Secure Connect user licenses by default, meaning that it can support up to two simultaneous IPsec VPN connections. For more information, please refer to the Juniper Networks SRX Series Services Gateways Security Configuration Guide, which can be found on Juniper’s website.
Which two statements are correct about IPsec security associations? (Choose two.)
- A . IPsec security associations are bidirectional.
- B . IPsec security associations are unidirectional.
- C . IPsec security associations are established during IKE Phase 1 negotiations.
- D . IPsec security associations are established during IKE Phase 2 negotiations.
A,D
Explanation:
The two statements that are correct about IPsec security associations are that they are bidirectional and that they are established during IKE Phase 2 negotiations. IPsec security associations are bidirectional, meaning that they provide security for both incoming and outgoing traffic. IPsec security associations are established during IKE Phase 2 negotiations, which negotiates the security parameters and establishes the security association between the two peers. For more information, please refer to the Juniper Networks IPsec VPN Configuration Guide, which can be found on Juniper’s website.
Which statement is correct about Junos security policies?
- A . Security policies enforce rules that should be applied to traffic transiting an SRX Series device.
- B . Security policies determine which users are allowed to access an SRX Series device.
- C . Security policies control the flow of internal traffic within an SRX Series device.
- D . Security policies identify groups of users that have access to different features on an SRX Series device.
A
Explanation:
The correct statement about Junos security policies is that they enforce rules that should be applied to traffic transiting an SRX Series device. Security policies control the flow of traffic between different zones on the SRX Series device, and dictate which traffic is allowed or denied. They can also specify which application and service requests are allowed or blocked. More information about Junos security policies can be found in the Juniper Networks technical documentation here: https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-policies-overview.html.
Which two statements are correct about global policies? (Choose two.)
- A . Global policies are evaluated after default policies.
- B . Global policies do not have to reference zone context.
- C . Global policies are evaluated before default policies.
- D . Global policies must reference zone contexts.
B,C
Explanation:
Global policies are used to define rules for traffic that is not associated with any particular zone. This type of policy is evaluated first, before any rules related to specific zones are evaluated.
For more detailed information about global policies, refer to the Juniper Networks Security Policy Overview guide, which can be found at https://www.juniper.net/documentation/en_US/junos/topics/reference/security-policy-overview.html. The guide provides an overview of the Juniper Networks security policy architecture, as well as detailed descriptions of the different types of policies and how they are evaluated.
What are two Juniper ATP Cloud feed analysis components? (Choose two.)
- A . IDP signature feed
- B . C&C cloud feed
- C . infected host cloud feed
- D . US CERT threat feed
A,B
Explanation:
The Juniper ATP Cloud feed analysis components are the IDP signature feed and the C&C cloud feed. The IDP signature feed provides a database of signatures from known malicious traffic, while the C&C cloud feed provides the IP addresses of known command and control servers. The infected host cloud feed and US CERT threat feed are not components of the Juniper ATP Cloud feed analysis.
To learn more about the Juniper ATP Cloud feed analysis components, refer to the Juniper Networks Security Automation and Orchestration (SAO) official documentation, which can be found at https://www.juniper.net/documentation/en_US/sao/topics/concept/security-automation-and-orchestration-overview.html. The documentation provides an overview of the SAO platform and an in-depth look at the various components of the Juniper ATP Cloud feed analysis.
Which two statements are true about Juniper ATP Cloud? (Choose two.)
- A . Juniper ATP Cloud is an on-premises ATP appliance.
- B . Juniper ATP Cloud can be used to block and allow IPs.
- C . Juniper ATP Cloud is a cloud-based ATP subscription.
- D . Juniper ATP Cloud delivers intrusion protection services.
C,D
Explanation:
Juniper ATP Cloud is a cloud-based ATP subscription that delivers advanced threat protection services, such as URL categorization, file reputation analysis, and malware analysis. It is able to quickly and accurately categorize URLs and other web content, and can also provide detailed reporting on web usage, as well as the ability to define and enforce acceptable use policies. Additionally, Juniper ATP Cloud is able to block and allow specific IPs, providing additional protection against malicious content.
References:
https://www.juniper.net/documentation/en_US/junos-space-security-director/topics/task/configuration/security-services-web-filtering-atp-cloud.html
https://www.juniper.net/documentation/en_US/junos-space-security-director/topics/task/configuration/security-services-web-filtering-atp-cloud-overview.html
An application firewall processes the first packet in a session for which the application has not yet been identified.
In this scenario, which action does the application firewall take on the packet?
- A . It allows the first packet.
- B . It denies the first packet and sends an error message to the user.
- C . It denies the first packet.
- D . It holds the first packet until the application is identified.
D
Explanation:
This is necessary to ensure that the application firewall can properly identify the application and the correct security policies can be applied before allowing any traffic to pass through.
If the first packet was allowed to pass without first being identified, then the application firewall would not know which security policies to apply – and this could potentially lead to security vulnerabilities or breaches. So it’s important that the first packet is held until the application is identified.
What are two logical properties of an interface? (Choose two.)
- A . link mode
- B . IP address
- C . VLAN ID
- D . link speed
B,C
Explanation:
https://www.juniper.net/documentation/us/en/software/junos/interfaces-security-devices/topics/topic-map/security-interface-logical.html
Which statement is correct about static NAT?
- A . Static NAT supports port translation.
- B . Static NAT rules are evaluated after source NAT rules.
- C . Static NAT implements unidirectional one-to-one mappings.
- D . Static NAT implements unidirectional one-to-many mappings.
C
Explanation:
Static NAT (Network Address Translation) is a type of NAT that maps a public IP address to a private IP address. With static NAT, a one-to-one mapping is created between a public IP address and a private IP address. This means that a single public IP address is mapped to a single private IP address, and all incoming traffic to the public IP address is forwarded to the private IP address.
Reference: https://www.juniper.net/documentation/en_US/junos/topics/concept/nat-overview.html
What does the number "2" indicate in interface ge-0/1/2?
- A . The interface logical number
- B . The physical interface card (PIC)
- C . The port number
- D . The flexible PIC concentrator (FPC)
Which two statements about user-defined security zones are correct? (Choose two.)
- A . Users cannot share security zones between routing instances.
- B . Users can configure multiple security zones.
- C . Users can share security zones between routing instances.
- D . User-defined security zones do not apply to transit traffic.
B,C
Explanation:
User-defined security zones allow users to configure multiple security zones and share them between routing instances. This allows users to easily manage multiple security zones and their associated policies. For example, a user can create a security zone for corporate traffic, a security zone for guest traffic, and a security zone for public traffic, and then configure policies to control the flow of traffic between each of these security zones. Transit traffic can also be managed using user-defined security zones, as the policies applied to these zones will be applied to the transit traffic as well.
References:
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-zones-overview-configuring.html
https://www.juniper.net/documentation/en_US/junos/topics/task/security/security-zones-configuring-shared.html
You have configured a UTM feature profile.
Which two additional configuration steps are required for your UTM feature profile to take effect? (Choose two.)
- A . Associate the UTM policy with an address book.
- B . Associate the UTM policy with a firewall filter.
- C . Associate the UTM policy with a security policy.
- D . Associate the UTM feature profile with a UTM policy.
C,D
Explanation:
For the UTM feature profile to take effect, it must be associated with a security policy and a UTM policy. The security policy defines the traffic flow and the actions that should be taken on the traffic, while the UTM policy defines the security features to be applied to the traffic, such as antivirus, intrusion prevention, and web filtering. The UTM feature profile provides the necessary configuration for the security features defined in the UTM policy.
Reference:
Juniper Networks SRX Series Services Gateway UTM Configuration Guide: https://www.juniper.net/documentation/en_US/release-independent/junos/topics/topic-map/security-services-utm.html
Which two statements are correct about the null zone on an SRX Series device? (Choose two.)
- A . The null zone is created by default.
- B . The null zone is a functional security zone.
- C . Traffic sent or received by an interface in the null zone is discarded.
- D . You must enable the null zone before you can place interfaces into it.
A,C
Explanation:
According to the Juniper SRX Series Services Guide, the null zone is a predefined security zone that is created on the SRX Series device when it is booted. Traffic that is sent to or received on an interface in the null zone is discarded. The null zone is not a functional security zone, so you cannot enable or disable it.
Which two addresses are valid address book entries? (Choose two.)
- A . 173.145.5.21/255.255.255.0
- B . 153.146.0.145/255.255.0.255
- C . 203.150.108.10/24
- D . 191.168.203.0/24
A,C
Explanation:
The correct address book entries are:
- 173.145.5.21/255.255.255.0
- 203.150.108.10/24
Both of these entries represent a valid IP address and subnet mask combination, which can be used as an address book entry in a Juniper device.
You want to verify the peer before IPsec tunnel establishment.
What would be used as a final check in this scenario?
- A . traffic selector
- B . perfect forward secrecy
- C . st0 interfaces
- D . proxy ID
D
Explanation:
The proxy ID is used as a final check to verify the peer before IPsec tunnel establishment. The proxy ID is a combination of local and remote subnet and protocol, and it is used to match the traffic that is to be encrypted. If the proxy IDs match between the two IPsec peers, the IPsec tunnel is established, and the traffic is encrypted.
Reference:
Juniper Networks SRX Series Services Gateway IPsec Configuration Guide:
https://www.juniper.net/documentation/en_US/release-independent/junos/topics/topic-map/security-ipsec-vpn-configuring.html
Which feature would you use to protect clients connected to an SRX Series device from a SYN flood attack?
- A . security policy
- B . host inbound traffic
- C . application layer gateway
- D . screen option
D
Explanation:
A screen option in the SRX Series device can be used to protect clients connected to the device from a SYN flood attack. Screens are security measures that you can use to protect your network from various types of attacks, including SYN floods. A screen option specifies a set of rules to match against incoming packets, and it can take specific actions such as discarding, logging, or allowing the packets based on the rules.
Reference:
Juniper Networks SRX Series Services Gateway Screen Configuration Guide: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-screen-configuring.html
What is the main purpose of using screens on an SRX Series device?
- A . to provide multiple ports for accessing security zones
- B . to provide an alternative interface into the CLI
- C . to provide protection against common DoS attacks
- D . to provide information about traffic patterns traversing the network
C
Explanation:
The main purpose of using screens on an SRX Series device is to provide protection against common Denial of Service (DoS) attacks. Screens help prevent network resources from being exhausted or unavailable by filtering or blocking network traffic based on predefined rules. The screens are implemented as part of the firewall function on the SRX Series device, and they help protect against various types of DoS attacks, such as TCP SYN floods, ICMP floods, and UDP floods.
Reference: https://www.juniper.net/documentation/en_US/junos/topics/concept/security-srx-series-firewall-screen-dos.html
You want to implement user-based enforcement of security policies without the requirement of certificates and supplicant software.
Which security feature should you implement in this scenario?
- A . integrated user firewall
- B . screens
- C . 802.1X
- D . Juniper ATP
D
Explanation:
In this scenario, you should implement Juniper ATP (Advanced Threat Prevention). Juniper ATP provides user-based enforcement of security policies without the requirement of certificates and supplicant software. It uses a combination of behavioral analytics, sandboxing, and threat intelligence to detect and respond to advanced threats in real time. Juniper ATP provides robust protection against targeted attacks, malicious insiders, and zero-day malware. For more information, please refer to the Juniper ATP product page on Juniper’s website.
You want to block executable files (.exe) from being downloaded onto your network.
Which UTM feature would you use in this scenario?
- A . IPS
- B . Web filtering
- C . content filtering
- D . antivirus
B
Explanation:
According to the Juniper Networks official JNCIA-SEC Exam Guide, web filtering is a feature used to control access to web content, including the ability to block specific types of files.
In the scenario mentioned, you want to block executable files from being downloaded, which can be accomplished by using web filtering. The feature allows administrators to configure policies that block specific file types, including "exe" files, from being downloaded.
Reference:
Juniper Networks JNCIA-SEC Exam Guide: https://www.juniper.net/training/certification/certification-exam-guides/jncia-sec-exam-guide/
Which statement about service objects is correct?
- A . All applications are predefined by Junos.
- B . All applications are custom defined by the administrator.
- C . All applications are either custom or Junos defined.
- D . All applications in service objects are not available on the vSRX Series device.
C
Explanation:
"Service objects represent applications and services that can be assigned to a security policy rule. Applications and services can either be predefined by Junos software or custom defined by the administrator."
Reference:
Juniper Networks JNCIA-SEC Exam Guide: https://www.juniper.net/training/certification/certification-exam-guides/jncia-sec-exam-guide/
You need to collect the serial number of an SRX Series device to replace it.
Which command will accomplish this task?
- A . show chassis hardware
- B . show system information
- C . show chassis firmware
- D . show chassis environment
A
Explanation:
The correct command to collect the serial number of an SRX Series device is the show chassis hardware command [1]. This command will return the serial number of the device, along with other information about the device such as the model number, part number, and version.
This command is available in Junos OS. More information about the show chassis hardware command can be found in the Juniper Networks technical documentation here [1]: https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-chassis-hardware.html.
In J-Web, the management and loopback address configuration option allows you to configure which area?
- A . the IP address of the primary Gigabit Ethernet port
- B . the IP address of the Network Time Protocol server
- C . the CIDR address
- D . the IP address of the device management port
D
Explanation:
J-Web is a web-based interface for configuring and managing Juniper devices. The management and loopback address configuration option in J-Web allows you to configure the IP address of the device management port, which is used to remotely access and manage the device.
Your company is adding IP cameras to your facility to increase physical security. You are asked to help protect these IoT devices from becoming zombies in a DDoS attack.
Which Juniper ATP feature should you configure to accomplish this task?
- A . IPsec
- B . static NAT
- C . allowlists
- D . C&C feeds
D
Explanation:
Juniper ATP should be configured with C&C feeds that contain lists of malicious domains and IP addresses in order to prevent IP cameras from becoming zombies in a DDoS attack.
This is an important step to ensure that the IP cameras are protected from malicious requests – and thus, they will not be able to be used in any DDoS attacks against the facility.
You want to provide remote access to an internal development environment for 10 remote developers.
Which two components are required to implement Juniper Secure Connect to satisfy this requirement? (Choose two.)
- A . an additional license for an SRX Series device
- B . Juniper Secure Connect client software
- C . an SRX Series device with an SPC3 services card
- D . Marvis virtual network assistant
What are two functions of Juniper ATP Cloud? (Choose two.)
- A . malware inspection
- B . Web content filtering
- C . DDoS protection
- D . Geo IP feeds
A,D
Explanation:
Juniper Advanced Threat Prevention (ATP) Cloud is a security service that helps organizations protect against advanced threats by providing real-time threat intelligence and automated response capabilities. It combines a cloud-based threat intelligence platform with the security capabilities of Juniper Networks security devices to provide comprehensive protection against advanced threats. The two functions of Juniper ATP Cloud include malware inspection and Geo IP feeds. The malware inspection component provides real-time protection against known and unknown threats by analyzing suspicious files and determining if they are malicious. The Geo IP feeds provide a global view of IP addresses and their associated countries, allowing organizations to identify and block traffic from known malicious countries.
You must monitor security policies on SRX Series devices dispersed throughout locations in your organization using a ‘single pane of glass’ cloud-based solution.
Which solution satisfies the requirement?
- A . Juniper Sky Enterprise
- B . J-Web
- C . Junos Secure Connect
- D . Junos Space
D
Explanation:
Junos Space is a management platform that provides a single pane of glass view of SRX Series devices dispersed throughout locations in your organization. It provides visibility into the security policies of the devices, allowing you to quickly identify and respond to security threats. Additionally, it provides the ability to manage multiple devices remotely and in real-time, enabling you to quickly deploy and update security policies on all devices. For more information, please refer to the Juniper Networks Junos Space Network Director User Guide, which can be found on Juniper’s website.
You are asked to configure your SRX Series device to block all traffic from certain countries. The solution must be automatically updated as IP prefixes become allocated to those certain countries.
Which Juniper ATP solution will accomplish this task?
- A . Geo IP
- B . unified security policies
- C . IDP
- D . C&C feed
What is the order of the first path packet processing when a packet enters a device?
- A . security policies -> screens -> zones
- B . screens -> security policies -> zones
- C . screens -> zones -> security policies
- D . security policies -> zones -> screens
You are asked to verify that a license for AppSecure is installed on an SRX Series device.
In this scenario, which command will provide you with the required information?
- A . user@srx> show system license
- B . user@srx> show services accounting
- C . user@srx> show configuration system
- D . user@srx> show chassis firmware