What are two reasons for this problem?
You want to bypass IDP for traffic destined to social media sites using APBR, but it is not working and IDP is dropping the session.
What are two reasons for this problem? (Choose two.)
A . The session did not properly reclassify midstream to the correct APBR rule.
B . IDP disable is not configured on the APBR rule.
C . The application services bypass is not configured on the APBR rule.
D . The APBR rule does a match on the first packet.
Answer: AC
Explanation:
Explanation of Answer A (Session Reclassification):
APBR (Advanced Policy-Based Routing) requires the session to be classified based on the specified rule, which can change midstream as additional packets are processed. If the session was already established before the APBR rule took effect, the traffic may not be correctly reclassified to match the new APBR rule, leading to IDP (Intrusion Detection and Prevention) processing instead of being bypassed. This can occur especially when the session was already established before the rule change. Explanation of Answer C (Application Services Bypass):
For APBR to work and bypass the IDP service, the application services bypass must be explicitly configured. Without this configuration, the APBR rule may redirect the traffic, but the IDP service will still inspect and potentially drop the traffic. This is especially important for traffic destined for specific sites like social media platforms where bypassing IDP is desired. Example configuration for bypassing IDP services:
bash
set security forwarding-options advanced-policy-based-routing profile <profile-name> application-services-bypass
Step-by-Step Resolution:
Reclassify the Session Midstream:
If the traffic was already being processed before the APBR rule was applied, ensure that the session is
reclassified by terminating the current session or ensuring the APBR rule is applied from the start.
Command to clear the session:
bash
clear security flow session destination-prefix <ip-address>
Configure Application Services Bypass:
Ensure that the APBR rule includes the application services bypass configuration to properly bypass
IDP or any other security services for traffic that should not be inspected.
Example configuration:
bash
set security forwarding-options advanced-policy-based-routing profile <profile-name> application-services-bypass
Juniper Security
Reference: Session Reclassification in APBR: APBR requires reclassification of sessions in real-time to ensure midstream packets are processed by the correct rule. This is crucial when policies change dynamically or new rules are added.
Application Services Bypass in APBR: This feature ensures that security services such as IDP are bypassed for traffic that matches specific APBR rules. This is essential for applications where performance is a priority and security inspection is not necessary.
Latest JN0-637 Dumps Valid Version with 115 Q&As
Latest And Valid Q&A | Instant Download | Once Fail, Full Refund