JN0-336 Exam Dumps - Security, Specialist (JNCIS-SEC)

The correct answer is A. by granting access based on user roles or identities. Juniper identity-aware firewall moves enforcement beyond simple IP-address-based policy by associating traffic with authenticated users, groups, devices, and roles. Juniper states that identity parameters can be used to configure security policies so that policies provide the appropriate level of access to authenticated users. It further explains that identity helps secure access to resources based on username, roles, and groups, and that firewalls can create and enforce rules based on user identity rather than only an IP address.

This directly supports compliance because regulated environments usually require least-privilege access, auditable user-based control, and role-based authorization. Option B is wrong because identity-aware security might simplify policy operations in some cases, but network architecture simplification is not its compliance function. Option C is wrong because capacity expansion has no direct relationship to identity-based regulatory enforcement. Option D is too vague and not the mechanism being tested; confidentiality is a security goal, but identity-aware firewall enforces access decisions by mapping traffic to users and groups. Reference topics: Identity-Aware Security Policies, user identity, role-based access control, group-based policy enforcement, authentication table.

The correct answers are B and C. In an SRX chassis cluster, the fabric connection is represented by two logical fabric interfaces: fab0 and fab1. Juniper configuration examples show fab0 assigned to the node0-side fabric member interface and fab1 assigned to the node1-side fabric member interface; for example, Juniper shows fab0 using a node0 interface such as ge-0/0/1 and fab1 using a node1 interface such as ge-7/0/1. That eliminates option A, because fab0 and fab1 are not both independently located on both nodes; they represent the two node sides of the cluster fabric link.

Option C is also correct. Juniper states that only the same type of interfaces can be configured as fabric children, and for dual fabric links both child interface types should match, such as Gigabit Ethernet with Gigabit Ethernet or 10-Gigabit Ethernet with 10-Gigabit Ethernet. Option D is therefore wrong because mixed media types are not supported for the redundant fabric child interfaces. Reference topics: HA Clustering, chassis cluster fabric interfaces, fab0/fab1, redundant fabric links, fabric child interface requirements.

The correct answers are A and D. A mobile command center using a 5G ISP behind CGNAT is operating behind dynamic address translation. For IPsec to work reliably through NAT, the SRX must support NAT Traversal, which encapsulates IKE and ESP traffic in UDP/4500 after NAT is detected. Juniper states that NAT-T is used when NAT devices exist in the datapath and that NAT keepalives are required because NAT devices age out UDP translations. Juniper’s Security Director VPN workflow also specifically says to enable NAT-T when the dynamic endpoint is behind a NAT device.

DPD is also required because mobile and carrier-grade NAT connections can disappear, roam, or become stale without a clean tunnel teardown. Juniper defines Dead Peer Detection as the method used by IPsec peers to verify whether the remote peer is still present and responsive by sending encrypted IKE notification payloads and waiting for acknowledgements. Option B is not the best answer because IKEv1 aggressive mode is weaker and does not provide identity protection; Juniper also notes that aggressive mode applies only to IKEv1. Option C is invalid because IKEv2 aggressive mode does not exist. Reference topics: IPsec VPN, NAT-T, CGNAT, dynamic endpoints, DPD, IKE peer availability.

The correct answer is B. Add custom-attack Custom-FTP-Attack to the attacks section and change the action to drop-packet. In the exhibit, the IDP rule is built under rulebase-ips with a match block and a then block. Attack objects belong inside the match attacks hierarchy because they define what malicious pattern the IDP rule is trying to detect. Juniper’s IDP documentation states that attack objects are specified in rules to identify malicious activity and that the rule’s attack objects/groups are the attacks the device matches in monitored traffic.

The enforcement behavior belongs in the then action hierarchy. The current rule uses close-client; to meet the requirement, it must be changed to drop-packet. Juniper defines Drop Packet as an IDP action that drops a matching packet before it reaches its destination without closing the connection. Option A keeps the wrong action. Option C is structurally wrong because a custom attack object is not configured under the action section. Option D is also wrong because the notification section controls logging/alert behavior, not attack matching. Reference topics: IDP rulebase, custom attack objects, match attacks hierarchy, IDP actions, drop-packet behavior.

The correct answer is D. AppQoS. The requirement is not to block, permit, translate, or inspect SIP signaling; it is to prioritize VoIP traffic on a low-bandwidth branch link. Juniper Application QoS, or AppQoS, is designed exactly for this purpose. Juniper states that AppQoS provides the ability to prioritize and meter application traffic so business-critical or high-priority application traffic receives better service. It can classify traffic by application, assign forwarding classes, rewrite DSCP values, set loss priority, and apply rate limiters.

Option A, AppFW, is wrong because AppFW controls application access; it is used to permit, deny, reject, or log application traffic, not primarily to prioritize voice traffic. Option B, SIP ALG, is wrong because the SIP ALG helps inspect and handle SIP control traffic and related media pinholes, but it is not a QoS prioritization service. Option C, AppQoE, is not the correct SRX edge service being tested here. For cloud-based VoIP under a broad outbound permit rule, AppQoS is the correct service because it can identify the VoIP application and give it better treatment during congestion. Reference topics: AppQoS, application traffic control, VoIP prioritization, DSCP rewrite, forwarding class, rate limiting.

The correct answers are A and D. Preparing Active Directory for JIMS requires creating limited-permission service accounts and assigning those accounts to the required Active Directory groups. Juniper’s JIMS deployment guidance states that you must create service accounts so JIMS can read from the defined directory services and identity producers; if PC probing is used, a service account is also required for that function. The same JIMS documentation includes a section named Configure Limited-Permission User Accounts, followed by Add Limited Permission User Accounts to Active Directory Groups.

Option A is correct because the JIMS preparation workflow commonly uses limited-permission accounts for event log access and PC probe access. Juniper identifies accounts such as JIMS-EventLogRemoteAccess and JIMS-PC-Probe in the Active Directory group-membership procedure. Option D is correct because those limited accounts must be added to the proper AD groups, including Event Log Readers and the groups required for remote management or PC probe operation.

Option B is wrong because the tested preparation requirement is not three limited-access accounts. Option C is wrong because JIMS should not be prepared by adding a broad full-access account; the course objective is least-privilege identity collection. Reference topics: JIMS, Active Directory preparation, limited-permission service accounts, Event Log Readers, PC probe account.

The correct answers are A and B. In SRX chassis clustering, the fabric link, represented by fab interfaces, is the data-plane connection between the two cluster nodes. Juniper describes the fabric as the back-to-back data connection used when traffic on one node must be processed on the other node or must exit through an interface on the other node; session-state information also passes over the fabric. This is especially visible in active/active clustering, where ingress and egress interfaces can reside on different nodes and transit traffic must cross the fabric link.

Option B is also correct because the fabric link still exists in active/passive clustering for cluster data-plane synchronization and inter-node state handling, even though active/passive designs minimize fabric transit traffic because only one node normally forwards traffic at a time. Juniper specifically states that active/passive mode minimizes traffic over the fabric link, not that the fabric link is unused.

Options C and D are not the intended answers. The cluster is identified by a configured cluster ID, and each chassis is identified by a node ID, but the fabric interface names themselves are not where the cluster ID is reflected. Reference topics: HA Clustering, fabric link, active/active clustering, active/passive clustering, session synchronization, inter-node traffic.

The correct answer is C. device policy rules. In Junos Space Security Director, policy scope matters. A rule intended for one specific SRX Series device must be placed in a device policy, because Juniper defines a device policy as a firewall policy created per device and used when you want to push a unique firewall policy configuration per device. Security Director also distinguishes this from group policies, which are shared with multiple devices, and from all-devices policy rules, which are global in scope rather than device-specific.

Option A is wrong because all-devices prerules are global rules evaluated before device-specific rules; they are not intended for a unique single-device exception. Option B is wrong because group policy prerules apply to devices within a group, not to one individually targeted SRX firewall. Option D is wrong because all-devices postrules are still globally scoped, even though they occur later in policy order. The clean Security Director design is to use device policy rules when the policy must apply only to one SRX device. Reference topics: Security Director, firewall policy hierarchy, device policy, group policy, all-devices prerules/postrules.