JN0-335 Juniper Practice Test Questions and Exam Dumps
Question No 1:
Regarding static attack object groups, which two statements are true? (Choose two.)
A. Matching attack objects are automatically added to a custom group.
B. Group membership automatically changes when Juniper updates the IPS signature database.
C. Group membership does not automatically change when Juniper updates the IPS signature database.
D. You must manually add matching attack objects to a custom group.
Answer: C, D
Explanation:
Static attack object groups in IPS (Intrusion Prevention Systems) provide the capability to organize attack objects for more efficient policy configuration and response. Let's go through each of the provided statements:
A. Matching attack objects are automatically added to a custom group.
This is incorrect. In static attack object groups, you must manually assign attack objects to the group. The grouping is not dynamic and does not automatically change when matching attack objects are detected. This allows the administrator to have precise control over the attack objects that belong to each custom group.
B. Group membership automatically changes when Juniper updates the IPS signature database.
This is incorrect. In static attack object groups, group membership does not automatically change when the IPS signature database is updated. The membership is manually managed by the administrator, and the system does not automatically modify group membership based on updates to the IPS signature database.
C. Group membership does not automatically change when Juniper updates the IPS signature database.
This is correct. As stated earlier, static attack object groups do not automatically adjust based on updates to the signature database. The group membership must be manually modified to reflect any changes in attack object classification or new attack objects.
D. You must manually add matching attack objects to a custom group.
This is correct. In static attack object groups, administrators must manually assign specific attack objects to custom groups. This is done to ensure that the correct set of attack objects is categorized based on the organization's needs and threat landscape.
In conclusion, the correct statements are C and D. Static attack object groups require manual management, and group membership does not automatically update based on signature database updates.
Question No 2:
You are asked to reduce the load that the JIMS server places on your corporate domain controller. Which action should you take in this situation?
A. Connect JIMS to the RADIUS server.
B. Connect JIMS to the domain Exchange server.
C. Connect JIMS to the domain SQL server.
D. Connect JIMS to another SRX Series device.
Correct Answer: A
Explanation:
In this scenario, the goal is to reduce the load placed on the corporate domain controller by the JIMS server. Let's explore each option to identify the best solution:
A. Connect JIMS to the RADIUS server.
This is the correct answer. The RADIUS server (Remote Authentication Dial-In User Service) is typically used for authentication and can offload some of the authentication duties from the domain controller. By connecting the JIMS server to the RADIUS server, you can reduce the load on the domain controller because the RADIUS server can handle authentication requests instead of the domain controller directly handling them. This is a common practice to improve performance and reduce resource consumption on the domain controller.
B. Connect JIMS to the domain Exchange server.
Connecting JIMS to the Exchange server would not reduce the load on the domain controller. The Exchange server primarily handles email services and would not have a direct impact on offloading authentication or other domain controller tasks. Therefore, this option is not relevant to the situation.
C. Connect JIMS to the domain SQL server.
Connecting JIMS to the domain SQL server would only help if JIMS is querying a database, but it would not address the issue of reducing the load on the domain controller. The SQL server is primarily responsible for database management, and it does not provide authentication or other domain services. Therefore, this is not the best solution for offloading load from the domain controller.
D. Connect JIMS to another SRX Series device.
The SRX Series devices are typically network security devices that provide firewall, VPN, and other security functions. Connecting JIMS to another SRX device would not reduce the load on the domain controller. This option does not address the core issue of load reduction related to domain services.
In conclusion, A (Connect JIMS to the RADIUS server) is the most appropriate action because it will offload authentication duties from the domain controller, thus reducing its load.
Question No 3:
Which two statements about unified security policies are correct? (Choose two.)
A. Unified security policies require an advanced feature license.
B. Unified security policies are evaluated after global security policies.
C. Traffic can initially match multiple unified security policies.
D. APPID results are used to determine the final security policy match.
Answer: B, D
Explanation:
Unified security policies are a feature in Junos OS that allow for the use of dynamic applications as match conditions in security policies. This enables more granular control over traffic based on Layer 7 application identification. Let's examine each statement:
A. Unified security policies require an advanced feature license.
This statement is incorrect. Unified security policies are a standard feature in Junos OS and do not require an advanced feature license. They are available for use on supported devices without the need for additional licensing.
B. Unified security policies are evaluated after global security policies.
This statement is correct. In Junos OS, security policies are evaluated in a specific order. Global security policies are evaluated first, and if a match is found, the corresponding action is taken. If no global policy matches, the system proceeds to evaluate the unified security policies. This layered approach allows for broad security controls to be applied first, with more specific controls provided by the unified policies.
C. Traffic can initially match multiple unified security policies.
This statement is incorrect. When evaluating unified security policies, traffic is matched against the policies in a top-down manner. Once a match is found, the corresponding action is applied, and no further policies are evaluated. Therefore, traffic cannot match multiple unified security policies; only the first matching policy is applied.
D. APPID results are used to determine the final security policy match.
This statement is correct. Application identification (APPID) is a key component in unified security policies. The APPID results are used to determine the final match in the security policy evaluation process. By identifying the application layer protocols, unified policies can provide more precise control over traffic, allowing for actions based on the specific applications being used.
In summary, the correct answers are B and D, as they accurately describe the evaluation order of security policies and the role of APPID in determining policy matches.
Question No 4:
You have deployed an SRX300 Series device and determined that files have stopped being scanned. In this scenario, what is a reason for this problem? (Choose one.)
A. The software license is a free model and only scans executable type files.
B. The infected host communicated with a command-and-control server, but it did not download malware.
C. The file is too small to have a virus.
D. You have exceeded the maximum file submission for your SRX platform size.
Correct answer: D
Explanation:
When using an SRX300 Series device for security scanning, particularly for file scanning, various factors can lead to the system ceasing to scan files. Each of the options suggests different possible causes for this behavior.
A. The software license is a free model and only scans executable type files.
This option is incorrect because even in free models or limited licensing scenarios, the SRX300 Series can scan a wide range of file types, not just executable files. The license type may limit certain features, but it does not typically restrict scanning to only executable files.
B. The infected host communicated with a command-and-control server, but it did not download malware.
This option is incorrect. If a host communicates with a command-and-control server but does not download malware, this does not directly impact the scanning functionality of the SRX300 Series device. The device would still be capable of scanning files unless there is an issue with file submission or platform capacity, which this option does not address.
C. The file is too small to have a virus.
This option is incorrect. Files that are too small to have a virus are generally rare and unlikely to be the cause of scanning failures. The SRX300 Series would still attempt to scan such files, but file size alone is not typically a reason for files to stop being scanned altogether.
D. You have exceeded the maximum file submission for your SRX platform size.
This option is correct. The SRX300 Series has a limit to how many files it can process and scan at a given time, depending on the platform's configuration and licensing. If this limit is exceeded, the system may stop scanning additional files, leading to the situation described. The system would be unable to process more files beyond its capacity, thus halting scanning until the issue is resolved, either by reducing the number of files being submitted or upgrading the device to handle a larger volume of traffic.
The correct reason for files stopping being scanned in this scenario is D, as exceeding the maximum file submission capacity of the SRX platform can cause scanning to halt.
Question No 5:
Which three statements about SRX Series device chassis clusters are true? (Choose three.)
A. Chassis cluster control links must be configured using RFC 1918 IP addresses.
B. Chassis cluster member devices synchronize configuration using the control link.
C. A control link failure causes the secondary cluster node to be disabled.
D. Recovery from a control link failure requires that the secondary member device be rebooted.
E. Heartbeat messages verify that the chassis cluster control link is working.
Answer: B, C, E
Explanation:
SRX Series device chassis clusters provide high availability by using two physical devices in a clustered configuration to provide failover capabilities. The cluster architecture involves specific control and heartbeat links that ensure the two devices are synchronized and can maintain operational continuity. Let's break down each of the options:
A. Chassis cluster control links must be configured using RFC 1918 IP addresses.
This is incorrect. The control links in a chassis cluster do not specifically require RFC 1918 (private) IP addresses. While private IP addresses can be used, it is not a strict requirement for the control link configuration. The primary requirement is that the control link should be reliable and have low latency for proper synchronization.
B. Chassis cluster member devices synchronize configuration using the control link.
This is correct. The control link between the chassis cluster member devices facilitates the synchronization of configuration data. This ensures that both devices in the cluster maintain consistent configurations, which is crucial for high availability and seamless failover.
C. A control link failure causes the secondary cluster node to be disabled.
This is correct. In a chassis cluster, if the control link fails, the secondary node is disabled because it can no longer communicate with the primary node to synchronize state and configuration. The secondary node needs to rely on the control link for critical updates and communication to maintain consistency and failover readiness.
D. Recovery from a control link failure requires that the secondary member device be rebooted.
This is incorrect. Recovery from a control link failure does not require a reboot of the secondary member device. Typically, when the control link is restored, the secondary node will re-establish synchronization with the primary node without needing to be rebooted. The failover mechanisms should allow for recovery without full device reboots in most cases.
E. Heartbeat messages verify that the chassis cluster control link is working.
This is correct. Heartbeat messages are exchanged between the chassis cluster nodes over the control link. These messages are crucial for verifying that the control link is functioning properly and that both nodes can communicate with each other. If these heartbeat messages stop, it indicates a failure in communication or the control link itself.
In conclusion, the correct statements are B, C, and E. These describe how chassis cluster synchronization works, the role of the control link, and how heartbeat messages ensure the system's reliability.
Question No 6:
Which two statements are correct about security policy changes when using the policy rematch feature?
A. When a policy change includes changing the policy's action from permit to deny, all existing sessions are maintained.
B. When a policy change includes changing the policy's source or destination address match condition, all existing sessions are dropped.
C. When a policy change includes changing the policy's action from permit to deny, all existing sessions are dropped.
D. When a policy change includes changing the policy's source or destination address match condition, all existing sessions are reevaluated.
Answer: C, D
Explanation:
The policy rematch feature in Juniper SRX Series devices allows for the reevaluation of active sessions when associated security policies are modified. This feature is particularly useful for ensuring that changes in security policies are applied to existing sessions without requiring a complete session teardown and re-establishment.
Policy Rematch Behavior:
Changing Policy Action (Permit to Deny):
When the action of a policy is changed from permit to deny, the policy rematch feature ensures that all active sessions associated with that policy are dropped. This is because the traffic that was previously permitted is now denied, and continuing the session would violate the new policy. Therefore, all existing sessions are dropped to enforce the new policy action.
Changing Match Conditions (Source or Destination Address):
Modifying the source or destination address match conditions of a policy triggers the policy rematch feature to reevaluate all active sessions. This reevaluation ensures that sessions are still valid under the new match conditions. If a session no longer matches the modified policy, it will be dropped. Conversely, if a session now matches the modified policy, it will be allowed to continue. This dynamic adjustment helps maintain security and session integrity without manual intervention.
Default Behavior Without Policy Rematch:
By default, Juniper SRX devices do not reevaluate active sessions when policies are modified. This means that changes to policy actions or match conditions do not affect existing sessions unless they are explicitly dropped and re-established. The policy rematch feature overrides this default behavior, providing more granular control over session management in response to policy changes.
The correct statements are:
C: When a policy change includes changing the policy's action from permit to deny, all existing sessions are dropped.
D: When a policy change includes changing the policy's source or destination address match condition, all existing sessions are reevaluated.
These behaviors ensure that security policies are consistently enforced across all sessions, enhancing the overall security posture of the network.
Question No 7:
You are asked to block malicious applications regardless of the port number being used. In this scenario, which two application security features should be used? (Choose two.)
A. AppFW
B. AppQoE
C. APPID
D. AppTrack
Correct Answer: A, C
Explanation:
In this scenario, the objective is to block malicious applications regardless of the port number they are using. Let's go over each of the options to determine which features are best suited for this purpose:
A. AppFW
AppFW (Application Firewall) is a security feature designed to protect applications by filtering and blocking malicious traffic based on application layer data. It operates independently of the port numbers used, focusing on identifying and blocking malicious traffic based on the specific characteristics and behavior of the application itself. This makes it an essential feature for blocking malicious applications regardless of the port they use. Therefore, AppFW is a correct choice.
B. AppQoE
AppQoE (Application Quality of Experience) is primarily used to monitor and manage the quality of application traffic, ensuring that applications run efficiently and with high performance. It is not specifically focused on blocking malicious applications or traffic. Instead, it ensures the optimal functioning of applications. Thus, AppQoE is not the correct choice for blocking malicious applications.
C. APPID
APPID (Application Identification) is a feature used in firewalls and security devices to identify and classify network traffic based on the applications that generate it, irrespective of the port numbers being used. APPID enables the system to recognize and block specific applications (including malicious ones) by analyzing their signatures and behaviors. Since it can identify applications even if they are using non-standard ports, APPID is a vital tool for blocking malicious applications in this scenario.
D. AppTrack
AppTrack is a feature used to monitor and track the usage of specific applications within a network, providing visibility into application traffic. However, AppTrack is more about monitoring and reporting rather than actively blocking malicious applications. It does not offer the same level of protection as AppFW or APPID when it comes to blocking malicious traffic. Therefore, AppTrack is not the correct choice.
Conclusion: To block malicious applications regardless of the port number, the most effective features are A (AppFW) and C (APPID), as both are designed to identify and block traffic based on the application itself, not the port.
Question No 8:
Which feed will the client's IP address be automatically added to when it attempts communication with a known command-and-control server and reaches the configured threat level threshold?
A. the command-and-control cloud feed
B. the allowlist and blocklist feed
C. the custom cloud feed
D. the infected host cloud feed
Answer: D
Explanation:
When a client attempts communication with a known command-and-control (C&C) server and the interaction meets or exceeds the configured threat level threshold, the client's IP address is automatically added to the infected host cloud feed. This action is part of Juniper's Advanced Threat Prevention (ATP) Cloud service, which integrates with SRX Series Firewalls to enhance security measures.
How It Works:
Threat Detection: The SRX Series Firewall detects the client's attempt to communicate with a known C&C server.
Threat Level Evaluation: The interaction is evaluated against predefined threat levels. If the threat level threshold is reached, indicating a significant risk, the client's IP address is flagged.
Automatic Addition to Infected Hosts Feed: Upon reaching the threshold, the client's IP address is automatically added to the infected host cloud feed. This feed is used to identify and block compromised hosts within the network.
Other Options Explained:
A. the command-and-control cloud feed: This feed contains information about known C&C servers. While it is crucial for identifying malicious destinations, the client's IP address would not be added here based on the described scenario.
B. the allowlist and blocklist feed: This feed is used to manage trusted and untrusted IP addresses. Automatic addition to this feed is not the default behavior for clients interacting with known C&C servers.
C. the custom cloud feed: This feed allows for the inclusion of custom threat intelligence. The automatic addition of a client's IP address would typically not occur here unless specifically configured.
In summary, the correct feed for automatically adding a client's IP address after it communicates with a known C&C server and meets the threat level threshold is the infected host cloud feed.
Question No 9:
A client has attempted communication with a known command-and-control server, and it has reached the configured threat level threshold.
Which feed will the client's IP address be automatically added to in this situation? (Choose one.)
A. the command-and-control cloud feed
B. the allowlist and blocklist feed
C. the custom cloud feed
D. the infected host cloud feed
Correct answer: A
Explanation:
In the scenario where a client has communicated with a known command-and-control server and reached the configured threat level threshold, the system needs to respond by marking the client’s IP address as a potential threat to prevent further malicious activity. The feeds involved in this process are specifically designed to handle different types of threats and address how different types of communications are managed.
A. the command-and-control cloud feed
This option is correct. When a client attempts communication with a known command-and-control server, the system automatically adds the client's IP address to the command-and-control cloud feed. This feed is specifically designed to track IP addresses that are communicating with command-and-control servers, which are used to remotely control malware or other malicious software. Once an IP address exceeds the configured threat level threshold, it is flagged and automatically added to this feed to prevent further malicious activities associated with command-and-control communication.
B. the allowlist and blocklist feed
This option is incorrect. The allowlist and blocklist feed is used for managing IP addresses or domains that are either trusted (allowlist) or blocked (blocklist). While this feed could be relevant for handling threats, it does not specifically address the scenario involving communication with a command-and-control server. IPs involved in such activities are generally added to more specialized feeds like the command-and-control cloud feed.
C. the custom cloud feed
This option is incorrect. The custom cloud feed allows users to create their own customized threat feeds based on specific needs or criteria. However, it is not automatically triggered by actions such as communication with a command-and-control server. The system does not automatically place IP addresses in this feed based on the scenario described.
D. the infected host cloud feed
This option is incorrect. The infected host cloud feed typically tracks IP addresses of machines that have been identified as infected with malware or other threats. While this is relevant for identifying compromised hosts, it is not the correct feed for tracking interactions with command-and-control servers. The specific feed for that purpose is the command-and-control cloud feed, which targets those connections directly.
In this scenario, the client's IP address will be automatically added to the command-and-control cloud feed (Option A) due to the communication with a known command-and-control server that has triggered the configured threat level threshold. This helps in preventing future communication with the malicious server.