JN0-636 Exam Dumps - Security Professional (JNCIP-SEC)

Certificate RenewalThe renewal of certificates is much the same as initial certificate enrollment except you are just replacing an old certificate(about to expire) on the VPN device with a new certificate. As with the initial certificate request, only manual renewal issupported. SCEP can be used to re-enroll local certificates automatically before they expire. Refer to Appendix D for moredetails.

To create a secure fabric in your company’s network, you need to know the following facts:

• A secure fabric is a collection of sites that contain network devices (switches, routers, firewalls, and other security devices) that are used in policy enforcement groups. A site is a grouping of network devices that contribute to threat prevention. When threat prevention policies are applied to policy enforcement groups, the system automatically discovers to which sites those groups belong. This is how threat prevention is aggregated across your secure fabric1.
• MX Series devices associated with tenants can belong to multiple sites. Tenants are logical partitions of the network that can have their own security policies and enforcement points. Sites that are associated with tenants do not need switches as enforcement points, because MX Series devices can perform tenant-based policy enforcement1.
• SRX Series devices can belong to only one site. SRX Series devices are firewalls that can act as perimeter enforcement points for the secure fabric. They can send potentially malicious objects and files to the Juniper ATP Cloud for analysis and receive threat intelligence from the Juniper ATP Cloud to block malicious traffic. SRX Series devices cannot belong to multiple sites, because they do not support tenant-based policy enforcement1.
• A switch must be assigned to the site to enforce an infected host policy within the network. An infected host policy is a policy that blocks or quarantines hosts that are identified as infected by the Juniper ATP Cloud. A switch can act as an internal enforcement point for the secure fabric by applying the infected host policy to the hosts that are connected to it. A switch must be assigned to the site where the infected hosts are located, because SRX Series devices cannot enforce infected host policies1.
• Switches and connectors cannot be added to the same site. Connectors are software agents that can be installed on Windows or Linux servers to enable them to act as enforcement points for the secure fabric. Connectors can apply infected host policies to the hosts that are connected to them. However, connectors cannot coexist with switches in the same site, because they use different methods of policy enforcement. Switches use VLANs and ACLs, while connectors use IPtables and WFP1.

Therefore, the correct answer is B, D, and E. The other options are incorrect because:

• A. MX Series devices associated with tenants can belong to multiple sites, not only one site1.
• C. SRX Series devices can belong to only one site, not multiple sites1.

References:

• Secure Fabric Overview

The two security intelligence feed types that are supported are:

• A. Infected host feed. An infected host feed is a security intelligence feed that contains the IP addresses of hosts that are infected by malware or compromised by attackers. The SRX Series device can download the infected host feed from the Juniper ATP Cloud or generate its own infected host feed based on the detection events from IDP. The SRX Series device can use the infected host feed to block or quarantine the traffic to or from the infected hosts based on the security policies1.
• B. Command and Control feed. A command and control feed is a security intelligence feed that contains the IP addresses of servers that are used by malware or attackers to communicate with infected hosts. The SRX Series device can download the command and control feed from the Juniper ATP Cloud or generate its own command and control feed based on the detection events from IDP. The SRX Series device can use the command and control feed to block or log the traffic to or from the command and control servers based on the security policies2.

The other options are incorrect because:

• C. Custom feeds. Custom feeds are not a security intelligence feed type, but a feature that allows you to create your own security intelligence feeds based on your own criteria and sources. You can configure custom feeds by using the Junos Space Security Director or the CLI. Custom feeds are not supported by the Juniper ATP Cloud or the IDP3.
• D. Malicious URL feed. Malicious URL feed is not a security intelligence feed type, but a feature that allows you to block or log the traffic to or from malicious URLs based on the security policies. The SRX Series device can download the malicious URL feed from the Juniper ATP Cloud or the Juniper Threat Labs. Malicious URL feed is not supported by the IDP4.

References:

• Infected Host Feed Overview
• Command and Control Feed Overview
• Custom Feed Overview
• Malicious URL Feed Overview

https://www.juniper.net/documentation/en_US/release-independent/jatp/topics/task/configuration/jatp-traffic-collectorsetting-ssh-honeypot-detection.html

The exhibit shows the output of the show security mka sessions summary command on an SRX Series device. This command displays the status of the MACsec Key Agreement (MKA) sessions on the device. In the output, we can see that there are two CAKs configured for the interface ge-0/0/1 - FFFF and EEEE. The CAK named FFFF has the type preceding and the status live. The CAK named EEEE has the type fallback and the status active.

The two statements that are true about the CAK status for the CAK named FFFF are:

• CAK is not used for encryption and decryption of the MACsec session. This is because the CAK is only used for authentication and key exchange between the MACsec peers. The CAK is not used for encrypting or decrypting the MACsec traffic. The encryption and decryption of the MACsec session is done by the Secure Association Key (SAK), which is derived from the CAK using the MKA protocol.
• SAK is not generated using this key. This is because the CAK named FFFF has the type preceding, which means that it is a legacy key that is used for backward compatibility with older MACsec devices. The preceding key is not used for generating the SAK, but only for authenticating the MACsec peers. The SAK is generated using the active key, which is the CAK named EEEE in this case.

References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-security-mka-sessions-summary.html https://www.juniper.net/documentation/en_US/junos/topics/concept/security-macsec-overview.html

In IPsec CoS-based VPNs, the number of IPsec Security Associations (SAs) associated with a peer is based on the number of forwarding classes configured for the VPN. The forwarding classes are used to classify and prioritize different types of traffic, such as voice and data traffic. Each forwarding class requires a separate IPsec SA to be established between the peers, in order to provide the appropriate level of security and quality of service for each type of traffic.

To find an infected host and where the attack came from using the Juniper ATP Cloud, you need to use the Hosts and Threat Sources monitor workspaces. The other options are incorrect because:

• B. The File Scanning monitor workspace shows the files that have been scanned by the Juniper ATP Cloud and their verdicts (clean, malicious, or unknown). It does not show the infected hosts or the attack sources1.
• D. The Encrypted Traffic monitor workspace shows the encrypted traffic that has been decrypted by the Juniper ATP Cloud and the certificates that have been used. It does not show the infected hosts or the attack sources2.

Therefore, the correct answer is A and C. You need to use the Hosts and Threat Sources monitor workspaces to find an infected host and where the attack came from using the Juniper ATP Cloud. To do so, you need to perform the following steps:

• For Hosts, you need to access the Hosts monitor workspace in the Juniper ATP Cloud WebUI by selecting Monitor > Hosts. You can see the list of hosts that have been detected by the Juniper ATP Cloud and their risk scores, infection levels, and threat categories. You can filter the hosts by various criteria, such as IP address, hostname, domain, or threat category. You can also drill down into each host to see the details of the files, applications, and incidents associated with the host. You can identify the infected host by looking for the host with the highest risk score, infection level, or threat category3.
• For Threat Sources, you need to access the Threat Sources monitor workspace in the Juniper ATP Cloud WebUI by selecting Monitor > Threat Sources. You can see the list of threat sources that have been detected by the Juniper ATP Cloud and their risk scores, threat categories, and geolocations. You can filter the threat sources by various criteria, such as IP address, domain, or threat category. You can also drill down into each threat source to see the details of the files, applications, and incidents associated with the threat source. You can identify the attack source by looking for the threat source with the highest risk score, threat category, or geolocation that matches the infected host.

References:

• File Scanning
• Encrypted Traffic
• Hosts
• [Threat Sources]

According to the output of the traceoptions file called radius, the source of the problem is that the RADIUS server IP address is unreachable. This is indicated by the line FAILURE: sendto: No route to host, which shows that the SRX device cannot send the authentication request to the RADIUS server. This could be due to a network issue, such as a misconfigured route, a firewall blocking the traffic, or a physical link failure.

To troubleshoot this issue, the user should check the following:

• The RADIUS server IP address and port are correctly configured on the SRX device. The user can verify this by using the command show configuration access radius-server1.
• The SRX device can ping the RADIUS server IP address. The user can use the command ping  to test the connectivity2.
• The SRX device has a valid route to the RADIUS server IP address. The user can use the command show route  to check the routing table3.
• The SRX device and the RADIUS server are using the same shared secret key. The user can verify this by using the command show configuration access radius-server secret1.
• The SRX device and the RADIUS server are using the same authentication protocol. The user can verify this by using the command show configuration access profile 4.
• The firewall policies on the SRX device and any intermediate devices are allowing the RADIUS traffic. The user can use the command show security policies from-zone to-zone  to check the firewall policies5.

References: 1: Configuring RADIUS Server Parameters 2: ping - Technical Documentation - Support - Juniper Networks 3: show route - Technical Documentation - Support - Juniper Networks 4: Configuring Authentication Profiles 5: show security policies - Technical Documentation - Support - Juniper Networks

The exhibit shows the configuration of filter-based forwarding on an SRX Series device. Filter-based forwarding is a feature that allows the device to use firewall filters to direct traffic to different routing instances based on the match criteria. In this scenario, the device has two routing instances - ISP-1 and ISP-2 - and two firewall filters - FBF and FBF-ISP-1. The FBF filter is applied to the ge-0/0/1 interface as an input filter. The FBF filter has one term that matches the traffic from the 172.25.0.0/24 network and directs it to the ISP-1 routing instance. The ISP-1 routing instance has a static route to the next hop 172.20.0.2. The FBF-ISP-1 filter is applied to the ge-0/0/0 interface as an output filter. The FBF-ISP-1 filter has one term that matches the traffic to the 172.20.0.2 next hop and sets the forwarding class to expedited-forwarding.

The problem in this scenario is that the traffic from the other network (172.25.1.0/24) is not being forwarded to the upstream 172.21.0.2 neighbor. This is because the FBF filter does not have a term that accepts the traffic from the 172.25.1.0/24 network. The FBF filter only has one term that matches the traffic from the 172.25.0.0/24 network and directs it to the ISP-1 routing instance. The traffic from the 172.25.1.0/24 network does not match this term and is therefore discarded by the implicit deny action at the end of the filter. The traffic from the 172.25.1.0/24 network should be forwarded to the ISP-2 routing instance, which has a static default route to the next hop 172.21.0.2.

To solve this problem, you must add another term to the FBF filter to accept the traffic from the 172.25.1.0/24 network. This term should have the action accept, which means that the traffic will be forwarded according to the routing table of the master routing instance. The master routing instance has a static default route to the ISP-2 routing instance, which in turn has a static default route to the next hop 172.21.0.2. By adding this term, the traffic from the 172.25.1.0/24 network will be forwarded to the upstream 172.21.0.2 neighbor as expected.

The configuration of the new term in the FBF filter could look something like this:

[edit firewall family inet filter FBF] term 2 { from { source-address { 172.25.1.0/24; } } then { accept; } }

References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-option-filter-based-forwarding-overview.html https://www.juniper.net/documentation/en_US/junos/topics/example/filter-based-forwarding-example.html

According to the output of the command show configuration services security-intelligence url, the SRX Series device is directly enrolled with Juniper ATP Cloud. This is indicated by the URL https://cloudfeeds.argon.junipersecurity.net/api/manifest.xml , which is the default URL for Juniper ATP Cloud1. This means that the device is not enrolled with Policy Enforcer, which would use a different URL that includes the IP address of the Policy Enforcer server2. Therefore, the problem in this scenario is that the device is directly enrolled with Juniper ATP Cloud, which prevents it from being enrolled with Policy Enforcer.

To enroll the device with Policy Enforcer, the user needs to disenroll the device from Juniper ATP Cloud first. This can be done by using the following command:

delete services security-intelligence url

This command will remove the Juniper ATP Cloud URL from the device configuration and stop the device from receiving threat feeds from Juniper ATP Cloud1. After that, the user can enroll the device with Policy Enforcer by using the Security Director GUI or the SLAX script2.

References: 1: Configuring Juniper ATP Cloud on SRX Series Devices 2: Enrolling SRX Series Devices with Policy Enforcer

According to the security flow trace shown in the exhibit, which is a snippet of a packet capture on an SRX Series device, the two statements that are correct are:

• This packet arrived on interface ge-0/0/4.0. This is indicated by the line In: 10.0.1.129/22 -> 10.0.1.129/3382;1,0x0, which shows that the ingress interface of the packet is ge-0/0/4.0, as the interface name is prefixed to the source and destination IP addresses and ports of the packet1.
• An existing session is found in the table. This is indicated by the line Found: session id 0x12. sess tok 28685, which shows that the packet matches an existing session in the session table with the session ID 0x12 and the session token 286852.

The following statements are incorrect or not supported by the output:

• Destination NAT occurs. This is not supported by the output, as there is no indication of destination NAT being applied to the packet. The destination IP address of the packet is 10.0.1.129, which is the same as the destination IP address of the original packet. If destination NAT was applied, the destination IP address of the packet would be different from the destination IP address of the original packet.
• The capture is a packet from the source address 172.20.101.10 destined to 10.0.1.129. This is false, as the output shows that the source address of the packet is 10.0.1.129, not 172.20.101.10. The source IP address of the packet is prefixed to the ingress interface name ge-0/0/4.0.

References: 1: Understanding Security Flow Trace 2: show security flow session - Technical Documentation - Support - Juniper Networks

According to the Juniper documentation, a tenant system is a logical system that supports routing, services, and security features. A tenant system can be configured to log binary security events to a remote server using the pi security profile. The pi security profile specifies the tenant name, the server address, the server port, and the protocol for logging binary security events. In the exhibit, the pi security profile is configured with the server address 10.0.0.1, the server port 514, and the protocol UDP. However, the tenant name is missing from the configuration. To complete the configuration, the tenant name must be configured as local for the pi security profile. This is because the local tenant name is used to identify the tenant system that is sending the binary security events to the remote server. Therefore, the correct statement to complete the configuration is D. Configure the tenant as local for the pi security profile. References: [Tenant Systems Overview] 1, [Configuring Binary Security Event Logging for Tenant Systems] 2

1: https://www.juniper.net/documentation/us/en/software/junos/logical-system-security/topics/topic-map/tenant-systems-overview.html  2: https://www.juniper.net/documentation/us/en/software/junos/logical-system-security/topics/task/security-tenant-systems-binary-logging-configuring.html

To enable inter-tenant communication with tenant system, you need to use an external router or a logical tunnel interface. The other options are incorrect because:

• A. Interconnecting EVPN switch is not a valid solution for inter-tenant communication with tenant system. EVPN (Ethernet VPN) is a technology that provides layer 2 connectivity over an IP network. It can be used to connect different logical systems on the same device, but not tenant systems. Tenant systems are isolated from each other and do not share the same layer 2 domain1.
• B. Interconnecting VPLS switch is also not a valid solution for inter-tenant communication with tenant system. VPLS (Virtual Private LAN Service) is another technology that provides layer 2 connectivity over an IP network. It can also be used to connect different logical systems on the same device, but not tenant systems. Tenant systems are isolated from each other and do not share the same layer 2 domain1.

Therefore, the correct answer is C and D. You need to use an external router or a logical tunnel interface to enable inter-tenant communication with tenant system. To do so, you need to perform the following steps:

• For external router, you need to connect the external router to the interfaces of the tenant systems that you want to communicate with. You also need to configure the routing protocols and policies on the external router and the tenant systems to exchange routes and traffic. The external router acts as a gateway between the tenant systems and provides layer 3 connectivity2.
• For logical tunnel interface, you need to create a logical tunnel interface on the device and assign it to a tenant system. You also need to configure the IP address and routing protocols on the logical tunnel interface and the tenant systems that you want to communicate with. The logical tunnel interface acts as a virtual link between the tenant systems and provides layer 3 connectivity3.

References:

• Tenant Systems Overview
• Example: Configuring Inter-Tenant Communication Using External Router
• Example: Configuring Inter-Tenant Communication Using Logical Tunnel Interface

The suspicious_Endpoints feed is a dynamic address group that is created by Juniper ATP Cloud based on the IoT device discovery and policy enforcement feature. This feature allows the SRX Series device to send IoT traffic to Juniper ATP Cloud for analysis and classification. Juniper ATP Cloud then creates a threat feed that contains the IP addresses of the suspicious IoT devices and sends it back to the SRX Series device. The SRX Series device can then use this feed to create and enforce security policies for the IoT traffic. The suspicious_Endpoints feed is usable by any SRX Series device that is a part of the same realm as SRX-1, because the feed is shared among the devices that belong to the same Juniper ATP Cloud realm. Juniper ATP Cloud automatically creates the suspicious_Endpoints feed after you commit the security policy that references the feed, because the feed is dynamically generated based on the IoT traffic analysis. You do not need to manually create the feed in the Juniper ATP Cloud interface. References:

• Example- Configure IoT Device Discovery and Policy Enforcement
• Juniper Advanced Threat Prevention Cloud Policy Overview

The SRX Series device in transparent mode uses packet flooding to learn about unknown devices in a network. Packet flooding is a process wherein the device sends out packets to every device it knows about or suspects in the network. When the packets are returned, the device can identify and classify the unknown devices in the network.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-auto-discovery-vpns.html

https://www.juniper.net/us/en/local/pdf/app-notes/3500202-en.pdf

The two statements about the configuration shown in the exhibit are correct are:

• A. The remote IKE gateway IP address is 203.0.113.100. The exhibit shows that the address option under the gateway statement is set to 203.0.113.100, which specifies the IP address of the primary IKE gateway. The address option is used to configure the IP address or the hostname of the remote peer that has a static IP address1.
• D. The remote peer is assigned a dynamic IP address. The exhibit shows that the dynamic option under the gateway statement is configured with various attributes, such as general-ikeid, ike-user-type, and user-at-hostname. The dynamic option is used to configure the identifier for the remote gateway with a dynamic IP address. The dynamic option also enables the SRX Series device to accept multiple connections from remote peers that have the same identifier2.

The other statements are incorrect because:

• B. The local peer is not assigned a dynamic IP address, but a static IP address. The exhibit shows that the local-address option under the gateway statement is set to 192.0.2.100, which specifies the IP address of the local IKE gateway. The local-address option is used to configure the IP address of the local peer that has a static IP address1.
• C. The local IKE gateway IP address is not 203.0.113.100, but 192.0.2.100, as explained above.

References:

• gateway (Security IKE)
• dynamic (Security IKE)

An IKE security association (SA) is a set of parameters that define how the Internet Key Exchange (IKE) protocol will authenticate and establish the secure channel between the IPsec VPN peers. When you configure an IPsec VPN, one IKE SA is created between the peers, regardless of how many CoS forwarding classes are used to separate the traffic. The SA will be used to negotiate the IPsec SA parameters, such as encryption algorithms and keys.

In this scenario, only 1 IKE security association is required between the IPsec peers, no matter how many CoS forwarding classes are used to separate the voice and data traffic.

https://forums.juniper.net/t5/Ethernet-Switching/monitor-traffic- interface/td-p/462528

The SRX Series device will continue to send requests to authentication servers 192.168.30.190 and 192.168.30.191. This is because the exhibit shows the output of the show network-access aaa radius-servers command. This command displays the status of the RADIUS servers configured on the device. In the output, we can see that there are three RADIUS servers configured - 192.168.30.190, 192.168.30.191, and 2001:DB8:0:f101::2. However, the status of the third server is shown as “DOWN”. This means that the device is not able to communicate with this server. Therefore, the device will continue to send requests to the other two servers - 192.168.30.190 and 192.168.30.191. References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-network-access-aaa-radius-servers.html

The appropriate mitigation actions for the selected incident are to block malware IP addresses (download server or CnC server) and to deploy IVP integration (if configured) to confirm if the endpoint has executed the malware and is infected. This is because the incident shows a progression level of “Download” in the kill chain, which means that the malware has been downloaded and is likely to be executed. Blocking the malware IP addresses can prevent further communication with the malicious server and stop the malware from receiving commands or exfiltrating data. Deploying IVP integration can help verify the infection status of the endpoint and provide additional information about the malware behavior and impact. IVP integration is an optional feature that allows the ATP Appliance to interact with third-party endpoint security solutions such as Carbon Black, Cylance, and CrowdStrike. References:

• Advanced Threat Prevention Appliance Solution Brief
• Advanced Threat Prevention Appliance Datasheet
• [Advanced Threat Prevention Appliance Mitigation Actions]
• [Advanced Threat Prevention Appliance IVP Integration]

https://kb.juniper.net/InfoCenter/index?page=content &id=TN326&cat=&actp=LIST&showDraft=false

According to the Juniper documentation, a custom block list feed is a user-defined list of IP addresses or URLs that are considered malicious or unwanted. A custom block list feed can be configured to override the default Juniper Seclntel block list feed, which is a cloud-based service that provides a list of known malicious IP addresses and URLs. To override the Juniper Seclntel block list feed, the custom block list feed must have a higher priority value than the Juniper Seclntel block list feed. In the exhibit, the custom block list feed has a priority value of 10, which is higher than the default priority value of 5 for the Juniper Seclntel block list feed. Therefore, this custom block list feed will be used instead of the Juniper Seclntel block list feed. References: : [Configuring Custom Block List Feeds]

Referring to the exhibit, the following statements are correct:

• B. All of the entries are command and control entries. Command and control entries are dynamic addresses that represent the IP addresses of servers that are used by malware to communicate with infected hosts. The SRX Series device can block or log the traffic to or from these IP addresses based on the security policies. The exhibit shows that all of the entries have the category DC/1, which stands for command and control1.
• C. All of the entries are Dshield entries. Dshield is a feed source that provides a list of IP addresses that are associated with malicious activities, such as scanning, spamming, or attacking. The SRX Series device can download the Dshield feed and use it to populate the dynamic address entries. The exhibit shows that all of the entries have the feed dshield, which indicates that they are from the Dshield feed source2.

The other statements are incorrect because:

• A. All of the entries are not a threat level 8, but a threat level 10. The threat level is a numeric value that indicates the severity of the threat associated with a dynamic address entry. The higher the threat level, the more dangerous the threat. The SRX Series device can use the threat level to prioritize the actions for the dynamic address entries. The exhibit shows that all of the entries have the cc CN, which stands for country code China. According to the Juniper documentation, the country code China has a threat level of 10, which is the highest.
• D. All of the entries are not a threat level 10, but they are. See the explanation for option A.

References:

• Understanding Dynamic Address Categories
• Understanding Dynamic Address Feed Sources
• [Understanding Dynamic Address Threat Levels]

According to the security flow trace in the exhibit, the packets are dropped for self but not interested. This means that the SRX device is receiving packets destined to itself, but it does not have the corresponding service configured in the host-inbound-traffic stanza for the interface1. In this case, the service is BGP, which uses TCP port 179. Therefore, the correct action to solve the problem on the SRX device is to add BGP to the allowed host-inbound-traffic for the interface. This can be done by using the following command:

set security zones security-zone interfaces host-inbound-traffic system-services bgp

This command will allow the SRX device to accept BGP packets on the specified interface and zone. Alternatively, the command can be applied to all interfaces in a zone by using the all-interfaces option2.

References: 1: SRX Getting Started - Troubleshoot Security Policy 2: Configuring System Services Allowed for Host Inbound Traffic

According to the Juniper documentation, the infected host score is a global setting that determines the minimum threat level required for a host to be considered infected and blocked by Juniper ATP Cloud. The infected host score can be configured from 1 to 10, where 1 is the lowest and 10 is the highest. The default infected host score is 5, which means that any host with a threat level of 5 or higher will be automatically blocked by Juniper ATP Cloud. However, the infected host score can be changed to a higher value, such as 6 or 7, to reduce the number of false positives and allow more traffic to pass through. In the exhibit, the host has a threat level of 5, which indicates that it is infected with malware and has attempted to contact command-and-control servers. However, some of the events have not been automatically mitigated, which means that the host has not been blocked by Juniper ATP Cloud. A possible reason for this behavior is that the infected host score is globally set above a threat level of 5, such as 6 or 7, which means that the host does not meet the minimum threshold for blocking. Therefore, the correct answer is C. The infected host score is globally set above a threat level of 5. References: [Configuring the Infected Host Score] 1, [Compromised Hosts: More Information] 2

1: https://www.juniper.net/documentation/us/en/software/sky-atp/atp-cloud-user-guide/topics/task/sky-atp-infected-host-score.html  2: https://www.juniper.net/documentation/us/en/software/sky-atp/atp-cloud-user-guide/topics/concept/sky-atp-infected-host-overview.html