JN0-636 Security, Professional (JNCIP-SEC) Questions and Answers

Proxy ARP is a technique used by routers to answer ARP requests on one network segment on behalf of hosts on another network segment. This is useful in situations where a host on one network segment needs to communicate with a host on another network segment, but the two hosts are not directly connected. In this case, the router acts as a proxy, answering ARP requests on behalf of the other host. In the exhibit, the vSRX device is configured to use a pool of addresses that are in the same subnet as the external interface ge-0/0/0 for source NAT. This means that the vSRX device will translate the source IP address of the internal hosts to one of the addresses in the pool before sending the packets to the external network. However, the external hosts will not know how to reach the NATed addresses, since they are not directly connected to the vSRX device. They will send ARP requests for the NATed addresses, expecting to receive a MAC address from the vSRX device. If proxy ARP is not enabled on the vSRX device, it will not respond to these ARP requests, since it does not have the NATed addresses configured on its interface. The ARP requests will time out and the packets will be dropped by the external hosts or the service provider router. To solve this problem, proxy ARP must be enabled on the vSRX device for the NATed addresses. This will allow the vSRX device to respond to the ARP requests from the external hosts, providing its own MAC address as the destination. The external hosts will then send the packets to the vSRX device, which will reverse the NAT and forward the packets to the internal hosts. References:

• Configuring Proxy ARP (CLI Procedure)
• [SRX] When and how to configure Proxy ARP (https://supportportal.juniper.net/s/article/SRX-Dynamic-VPN-scenario-for-configuring-Proxy-ARP-on-SRX?language=en_US)

 You are connecting two remote sites to your corporate headquarters site. You must ensure that traffic passes through the corporate headquarters. In this scenario, the VPN that should be used is:

• D. Hub-and-spoke IPsec VPN with the corporate firewall acting as the hub device. A hub-and-spoke IPsec VPN is a type of VPN that connects multiple remote sites to a central site, or hub, over a public network. The hub site acts as a gateway for the remote sites and provides security and routing services. The remote sites, or spokes, communicate with each other through the hub site. The hub site and the spoke sites use IPsec tunnels to encrypt and authenticate the traffic between them. A hub-and-spoke IPsec VPN is suitable for connecting two remote sites to your corporate headquarters site, because it allows you to control the traffic flow and enforce security policies at the hub site. The corporate firewall can act as the hub device and provide IPsec VPN services to the remote sites1.

The other options are incorrect because:

• A. Full mesh IPsec VPNs with tunnels between all sites. A full mesh IPsec VPN is a type of VPN that connects every site to every other site over a public network. Each site has an IPsec tunnel with every other site, forming a mesh topology. A full mesh IPsec VPN provides direct and secure communication between any pair of sites, but it also requires a large number of IPsec tunnels and complex configuration. A full mesh IPsec VPN is not suitable for connecting two remote sites to your corporate headquarters site, because it does not ensure that traffic passes through the corporate headquarters site, and it may introduce unnecessary overhead and complexity2.
• B. A full mesh Layer 3 VPN with the BGP route reflector behind the corporate firewall device. A full mesh Layer 3 VPN is a type of VPN that uses MPLS and BGP to provide Layer 3 connectivity and routing between multiple sites over a service provider’s network. Each site has a BGP session with every other site, forming a full mesh topology. A BGP route reflector is a device that reduces the number of BGP sessions required in a full mesh topology by reflecting routes between its clients. A full mesh Layer 3 VPN with the BGP route reflector behind the corporate firewall device is not suitable for connecting two remote sites to your corporate headquarters site, because it does not ensure that traffic passes through the corporate firewall device, and it may require additional configuration and coordination with the service provider3.
• C. A Layer 3 VPN with the corporate firewall acting as the hub device. A Layer 3 VPN is a type of VPN that uses MPLS and BGP to provide Layer 3 connectivity and routing between multiple sites over a service provider’s network. A Layer 3 VPN can have different topologies, such as full mesh, hub-and-spoke, or partial mesh. A Layer 3 VPN with the corporate firewall acting as the hub device is not suitable for connecting two remote sites to your corporate headquarters site, because the corporate firewall may not support MPLS and BGP, and it may require additional configuration and coordination with the service provider3.

References:

• Hub-and-Spoke VPNs Overview
• Full Mesh VPNs Overview
• Layer 3 VPNs Overview

The exhibit shows the output of the show security mka sessions summary command on an SRX Series device. This command displays the status of the MACsec Key Agreement (MKA) sessions on the device. In the output, we can see that there are two CAKs configured for the interface ge-0/0/1 - FFFF and EEEE. The CAK named FFFF has the type preceding and the status live. The CAK named EEEE has the type fallback and the status active.

The two statements that are true about the CAK status for the CAK named FFFF are:

• CAK is not used for encryption and decryption of the MACsec session. This is because the CAK is only used for authentication and key exchange between the MACsec peers. The CAK is not used for encrypting or decrypting the MACsec traffic. The encryption and decryption of the MACsec session is done by the Secure Association Key (SAK), which is derived from the CAK using the MKA protocol.
• SAK is not generated using this key. This is because the CAK named FFFF has the type preceding, which means that it is a legacy key that is used for backward compatibility with older MACsec devices. The preceding key is not used for generating the SAK, but only for authenticating the MACsec peers. The SAK is generated using the active key, which is the CAK named EEEE in this case.

References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-security-mka-sessions-summary.html https://www.juniper.net/documentation/en_US/junos/topics/concept/security-macsec-overview.html

https://ww w.juniper.net/documentation/en_US/junos-space18.1/policy-enforcer/topics/task/configuration/junos-space-policyenforcer-custom-feeds-infected-host-configure.html

According to the Juniper documentation, the local identity for an IPsec VPN tunnel must match the remote identity of the peer device. The local identity can be configured as an IP address, a hostname, a distinguished name, or an advpn identifier. The advpn identifier is used for dynamic VPNs that support multiple remote endpoints. In the exhibit, the corporate device has the local identity configured as inet advpn, which means it expects the branch1 device to have the same remote identity. However, the branch1 device has the local identity configured as inet, which does not match the corporate device’s remote identity. Therefore, the IKE negotiation fails and the IPsec tunnel is not established. To solve this problem, the local identity on the branch1 device should be changed to inet advpn, so that it matches the corporate device’s remote identity. References: [Configuring an IKE Gateway] 1, [Configuring Local and Remote Identities] 2

1: https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/task/configuration/security-ike-gateway-configuring.html  2: https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-ipsec-vpn-identities.html

Juniper MX and SRX series devices support the integration of Seclntel feeds, which provide information about known command and control servers, for the purpose of blocking access to them. These devices can be configured to use the Seclntel feeds without the need for Security Director to manage the feeds.

EX series and QFX series devices are not capable of working in this situation, as they do not support the integration of Seclntel feeds.

According to the Juniper documentation, the two Juniper devices that work in this situation are MX Series devices and SRX Series devices. These devices can use the Juniper SecIntel feeds to block access to known command and control servers without using Security Director to manage the feeds. The Juniper SecIntel feeds are curated and verified threat intelligence data that are continuously collected from Juniper ATP Cloud, Juniper Threat Labs, and other sources. The SecIntel feeds include command and control IPs, URLs, certificate hashes, and domains that are used by attackers to control malware or maintain their connection to the network1.

The MX Series devices and the SRX Series devices can subscribe to the SecIntel feeds by using the following steps:

• Configure the SecIntel service on the device by specifying the SecIntel URL, the SecIntel policy, and the SecIntel license2.
• Configure the SecIntel policy on the device by specifying the SecIntel feeds, the SecIntel actions, and the SecIntel logging3.
• Apply the SecIntel policy to the security zones or the firewall policies on the device by using the secintel-policy option4.

Once the SecIntel service is configured and applied, the MX Series devices and the SRX Series devices will receive the SecIntel feeds from Juniper ATP Cloud and use them to block the traffic from or to the command and control servers. The SecIntel service will also send the SecIntel logs to Juniper ATP Cloud or a third-party SIEM solution for further analysis and reporting.

The following devices are not suitable or incorrect for this situation:

• EX Series devices: EX Series devices are Ethernet switches that can integrate with SecIntel to block infected hosts at the switch port. However, they cannot use the SecIntel feeds to block command and control servers, as they do not support the SecIntel service or policy.
• QFX Series devices: QFX Series devices are Ethernet switches that can integrate with SecIntel to block infected hosts at the switch port. However, they cannot use the SecIntel feeds to block command and control servers, as they do not support the SecIntel service or policy.

References: 1: SecIntel Threat Intelligence 2: Configuring SecIntel Service 3: Configuring SecIntel Policy 4: Applying SecIntel Policy : [SecIntel Logging] : [SecIntel Integration with EX Series Switches] : [SecIntel Integration with QFX Series Switches]

https://www.juniper.net/us/en/products-services/security/advanced-threat-prevention/

The command "show security dynamic-address category-name DS hield" will show the IP addresses that are part of the DS hield category. By filtering the output of this command with the "match 203.0.113.5" command, you can determine if the IP address 203.0.113.5 is part of the DS hield feed. This command will check the feeds that are configured on SRX Series device and are associated to juniper ATP Cloud.

The appropriate mitigation actions for the selected incident are to block malware IP addresses (download server or CnC server) and to deploy IVP integration (if configured) to confirm if the endpoint has executed the malware and is infected. This is because the incident shows a progression level of “Download” in the kill chain, which means that the malware has been downloaded and is likely to be executed. Blocking the malware IP addresses can prevent further communication with the malicious server and stop the malware from receiving commands or exfiltrating data. Deploying IVP integration can help verify the infection status of the endpoint and provide additional information about the malware behavior and impact. IVP integration is an optional feature that allows the ATP Appliance to interact with third-party endpoint security solutions such as Carbon Black, Cylance, and CrowdStrike. References:

• Advanced Threat Prevention Appliance Solution Brief
• Advanced Threat Prevention Appliance Datasheet
• [Advanced Threat Prevention Appliance Mitigation Actions]
• [Advanced Threat Prevention Appliance IVP Integration]

The security feature that bypasses routing or switching lookup is transparent mode. The other options are incorrect because:

• B. Secure wire is a feature that allows you to connect two interfaces on the same device and forward traffic between them without any processing. Secure wire does not bypass routing or switching lookup, but rather eliminates them altogether1.
• C. Mixed mode is a mode of operation for SRX Series devices that allows you to configure both transparent mode and switching mode on the same device. Mixed mode does not bypass routing or switching lookup, but rather uses them depending on the interface type2.
• D. MACsec (Media Access Control Security) is a feature that provides encryption and authentication for Layer 2 traffic. MACsec does not bypass routing or switching lookup, but rather operates at a lower layer3.

Therefore, the correct answer is A. Transparent mode is a mode of operation for SRX Series devices that provides Layer 2 bridging capabilities with full security services. In transparent mode, the SRX Series device acts as a bridge between two network segments and inspects the packets without modifying the source or destination information in the IP packet header. The SRX Series device does not have an IP address in transparent mode, except for the management interface. Transparent mode bypasses routing or switching lookup, because the SRX Series device does not perform any routing or switching functions, but rather forwards the packets based on the MAC addresses4.

References:

• Secure Wire Overview
• Mixed Mode Overview
• MACsec Overview
• Transparent Mode Overview

The output shown in the exhibit is from the command “show security flow session family inet6”. This command displays the IPv6 flow sessions on the SRX Series device. The output shows that there are two total sessions, both of which are valid. This means that the SRX Series device is configured with flow-based IPv6 forwarding options. Flow-based IPv6 forwarding options enable the device to process IPv6 packets using the security policies, NAT, and other security features. To configure flow-based IPv6 forwarding options, use the command set security forwarding-options family inet6 mode flow-based and reboot the device. References:

• show security flow session family inet6
• Configuring Flow-Based IPv6 Forwarding Options
• SRX Getting Started - Configure IPv6

DNS doctoring is a feature that allows the SRX Series firewall to modify the IP address in a DNS response based on a static NAT rule. This can be useful when the DNS server returns an IP address that is not reachable by the client, such as a private IP address or an IP address from a different network. To use DNS doctoring, the following requirements must be met:

• The DNS ALG must be enabled. The DNS ALG is responsible for parsing the DNS messages and performing the IP address translation. The DNS ALG can be enabled globally or per security policy. To enable the DNS ALG globally, use the command set security alg dns enable. To enable the DNS ALG per security policy, use the command set security policies from-zone zone1 to-zone zone2 policy policy1 then permit application-services application-firewall rule-set rule-set-name application junos-dns.
• Static NAT must be configured for the IP address that needs to be translated. Static NAT is a type of NAT that maps a fixed IP address to another fixed IP address. Static NAT can be configured using the command set security nat static rule-set rule-set-name rule rule-name match destination-address address and set security nat static rule-set rule-set-name rule rule-name then static-nat prefix prefix. References:
• DNS ALG and Doctoring Support
• Understanding DNS ALG and NAT Doctoring
• Disabling DNS ALG and NAT Doctoring
• SRX Getting Started - Configure DNS

Referring to the exhibit, the following statements are correct:

• B. All of the entries are command and control entries. Command and control entries are dynamic addresses that represent the IP addresses of servers that are used by malware to communicate with infected hosts. The SRX Series device can block or log the traffic to or from these IP addresses based on the security policies. The exhibit shows that all of the entries have the category DC/1, which stands for command and control1.
• C. All of the entries are Dshield entries. Dshield is a feed source that provides a list of IP addresses that are associated with malicious activities, such as scanning, spamming, or attacking. The SRX Series device can download the Dshield feed and use it to populate the dynamic address entries. The exhibit shows that all of the entries have the feed dshield, which indicates that they are from the Dshield feed source2.

The other statements are incorrect because:

• A. All of the entries are not a threat level 8, but a threat level 10. The threat level is a numeric value that indicates the severity of the threat associated with a dynamic address entry. The higher the threat level, the more dangerous the threat. The SRX Series device can use the threat level to prioritize the actions for the dynamic address entries. The exhibit shows that all of the entries have the cc CN, which stands for country code China. According to the Juniper documentation, the country code China has a threat level of 10, which is the highest.
• D. All of the entries are not a threat level 10, but they are. See the explanation for option A.

References:

• Understanding Dynamic Address Categories
• Understanding Dynamic Address Feed Sources
• [Understanding Dynamic Address Threat Levels]

The Juniper ATP Appliance platform collects, inspects and analyzes advanced and stealthy web, file, and email-based threats that exploit and infiltrate client browsers, operating systems, emails and applications. Juniper ATP Appliance’s detection of malicious attacks generates incident and event details that can be sent to connected SIEM platforms in CEF, LEEF or Syslog formats1. CEF (Common Event Format) is an open log management standard that improves the interoperability of security-related information from different vendors2. Juniper ATP Appliance supports CEF format for sending events and system audit notifications to SIEM servers. You can configure the CEF format in the Juniper ATP Appliance Central Manager WebUI Config > Notifications > SIEM Settings1. Therefore, the correct answer is C. CEF is a supported logging output format for Juniper ATP Appliance. The other options are incorrect because:

• A. WELF (WebTrends Enhanced Log Format) is a proprietary log format developed by WebTrends Corporation for web analytics3. Juniper ATP Appliance does not support WELF format for SIEM integration.
• B. JSON (JavaScript Object Notation) is a lightweight data-interchange format that is easy for humans and machines to read and write4. Juniper ATP Appliance supports JSON format for HTTP API results, but not for SIEM notifications1.
• D. Binary is a numeric system that uses only two digits: 0 and 1. Binary is not a logging output format for Juniper ATP Appliance or any SIEM platform.

References:

• SIEM Syslog, LEEF and CEF Logging
• Common Event Format Configuration Guide
• WebTrends Enhanced Log Format
• JSON

To modify the configuration to fulfill the requirements, you need to modify the log-all term to add the next term action. The other options are incorrect because:

• B. Deleting the log-all term would prevent logging all traffic, which is one of the requirements. The log-all term matches all traffic from any source address and logs it to the system log file1.
• C. Adding a term before the log-all term that blocks Telnet would also prevent logging all traffic, because the log-all term would never be reached. The firewall filter evaluates the terms in sequential order and applies the first matching term. If a term before the log-all term blocks Telnet, then the log-all term would not match any traffic and no logging would occur2.
• D. Applying a firewall filter to the loopback interface that blocks Telnet traffic would not block inbound Telnet traffic on interface ge-0/0/3, which is another requirement. The loopback interface is a logical interface that is always up and reachable. It is used for routing and management purposes, not for filtering traffic on physical interfaces3.

Therefore, the correct answer is A. You need to modify the log-all term to add the next term action. The next term action instructs the firewall filter to continue evaluating the subsequent terms after matching the current term. This way, the log-all term would log all traffic and then proceed to the block-telnet term, which would block only inbound Telnet traffic on interface ge-0/0/34. To modify the log-all term to add the next term action, you need to perform the following steps:

• Enter the configuration mode: user@host> configure
• Navigate to the firewall filter hierarchy: user@host# edit firewall family inet filter block-telnet
• Add the next term action to the log-all term: user@host# set term log-all then next term
• Commit the changes: user@host# commit

References:

• log (Firewall Filter Action)
• Firewall Filter Configuration Overview
• loopback (Interfaces)
• next term (Firewall Filter Action)

https://www.juniper.net/documentation/en_US/release-independent/jatp/topics/topic-map/jatp-custom-log-ingestion.html

According to the Juniper documentation, reflexive NAT is a type of source NAT that allows an internal host to communicate with an external host using a single public IP address and port. The reflexive NAT session is created when the internal host initiates the traffic to the external host, and the session is deleted when the traffic stops. The reflexive NAT session is bidirectional, meaning that the external host can send traffic back to the internal host using the same public IP address and port that the internal host used to reach the external host. However, the external host cannot initiate a new session to the internal host using the same public IP address and port, unless the internal host has already established a session with the external host. Therefore, only the Internet host that the internal host originally communicated with can initiate traffic to reach the internal host using the 203.0.113.1 address, a random source port, and destination port 54311. References: [Configuring Reflexive NAT]

• The source address is translated because the traceoptions output shows that the source IP address 192.168.5.2 is translated to 192.168.100.1 and the source port 0 is translated to 14777. The traceoptions output also shows the flag flow_first_src_xlate, which indicates that this is the first time that source NAT is applied to this session.
• The packet is an SSH packet because the traceoptions output shows that the application protocol is tcp/22, which is the default port for SSH. The traceoptions output also shows the flag flow_tcp_syn, which indicates that this is the first packet of a TCP connection.

References:

• traceoptions (Security NAT) | Junos OS | Juniper Networks
• [SRX] How to interpret Flow TraceOptions output for NAT troubleshooting

Juniper ATP Cloud is a cloud-based service that provides advanced threat prevention and detection for SRX Series devices. To enroll an SRX Series device with Juniper ATP Cloud, you need to have a valid license and authorization code, and you need to run a Junos OS op script on the device. The op script performs the following tasks:

• Downloads and installs certificate authority (CA) licenses onto your SRX Series device.
• Creates local certificates and enrolls them with the cloud server.
• Performs basic Juniper ATP Cloud configuration on the SRX Series device.
• Establishes a secure connection to the cloud server.

You can run the op script either by copying the CLI command from the Juniper ATP Cloud Web Portal and running it on the device, or by using the enroll command on the device. The op script is the only way to enroll an SRX Series device with Juniper ATP Cloud. You cannot enroll the device manually or by using other methods.

The other statements in the question are incorrect for the following reasons:

• If a device is already enrolled in a realm and you enroll it in a new realm, none of the device data or configuration information is propagated to the new realm. This includes history, infected hosts feeds, logging, API tokens, and administrator accounts. You can view and change the realm association of a device from the Realm Management page in the Juniper ATP Cloud Web Portal.
• The only way to enroll an SRX Series device is not to interact with the Juniper ATP Cloud Web Portal. You can also use the enroll command on the device, which performs all the necessary enrollment steps without requiring you to access the Web Portal.
• When the license expires, the SRX Series device is not disenrolled from Juniper ATP Cloud without a grace period. The device enters a grace period of 30 days, during which it can still send files to the cloud for inspection and receive threat intelligence feeds. After the grace period, the device is disenrolled and stops communicating with the cloud.

References:

• How to Enroll Your SRX Series Firewalls in Juniper Advanced Threat Prevention (ATP) Cloud Using Policy Enforcer
• Enroll an SRX Series Firewall using Juniper ATP Cloud Web Portal
• ATP Cloud | Step 2: Up and Running
• Enroll an SRX Series Firewall Using the CLI

https://forums.juniper.net/t5/Ethernet-Switching/monitor-traffic- interface/td-p/462528

According to the exhibit, which is a configuration snippet of the SRX Series device, the global mode for the device is set to switching mode. This means that the device is operating as a Layer 2 switch and does not apply any security policies to the traffic between hosts in the same broadcast domain1. Therefore, the traffic between two hosts in the same broadcast domain are not matching any security policies.

To solve this problem, the user should change the global mode to transparent bridge mode. This means that the device will operate as a Layer 2 transparent bridge and apply security policies to the traffic between hosts in the same broadcast domain2. This will allow the user to enforce security policies based on the source and destination IP addresses, ports, and protocols of the traffic.

To change the global mode to transparent bridge mode, the user should use the following command:

set protocols l2-learning global-mode transparent-bridge

This command will set the global mode for the SRX Series device as Layer 2 transparent bridge mode. After changing the mode, the user must reboot the device for the configuration to take effect2.

References: 1: global-mode (Protocols) 2: Configuring Layer 2 Transparent Mode

The two security intelligence feed types that are supported are:

• A. Infected host feed. An infected host feed is a security intelligence feed that contains the IP addresses of hosts that are infected by malware or compromised by attackers. The SRX Series device can download the infected host feed from the Juniper ATP Cloud or generate its own infected host feed based on the detection events from IDP. The SRX Series device can use the infected host feed to block or quarantine the traffic to or from the infected hosts based on the security policies1.
• B. Command and Control feed. A command and control feed is a security intelligence feed that contains the IP addresses of servers that are used by malware or attackers to communicate with infected hosts. The SRX Series device can download the command and control feed from the Juniper ATP Cloud or generate its own command and control feed based on the detection events from IDP. The SRX Series device can use the command and control feed to block or log the traffic to or from the command and control servers based on the security policies2.

The other options are incorrect because:

• C. Custom feeds. Custom feeds are not a security intelligence feed type, but a feature that allows you to create your own security intelligence feeds based on your own criteria and sources. You can configure custom feeds by using the Junos Space Security Director or the CLI. Custom feeds are not supported by the Juniper ATP Cloud or the IDP3.
• D. Malicious URL feed. Malicious URL feed is not a security intelligence feed type, but a feature that allows you to block or log the traffic to or from malicious URLs based on the security policies. The SRX Series device can download the malicious URL feed from the Juniper ATP Cloud or the Juniper Threat Labs. Malicious URL feed is not supported by the IDP4.

References:

• Infected Host Feed Overview
• Command and Control Feed Overview
• Custom Feed Overview
• Malicious URL Feed Overview