Juniper JN0-336 Security, Specialist (JNCIS-SEC) Exam Practice Test

The correct answer is B. The node with the highest priority will become a primary node. In an SRX chassis cluster, redundancy groups determine which node is primary and which node is secondary. Juniper states that when priorities are assigned to nodes in a redundancy group, the node with the higher configured priority is initially designated as the primary, while the other node becomes secondary. This is the direct mechanism an administrator uses to influence primary-node selection for a redundancy group.

Option A is wrong because the burnt-in address is not the administrative method used to designate the primary node. BIA can be part of deterministic hardware identity behavior, but primary election is controlled through redundancy-group priority, preemption behavior, and failover state. Option C is the opposite of Juniper behavior; the lower-priority node does not win the election. Option D is also wrong because a priority of one is still a valid low priority. The ineligible value is 0, and Juniper specifically warns about failover behavior involving nodes with priority 0 because such nodes are not ready to accept traffic.

Reference topics: HA Clustering, redundancy groups, node priority, primary/secondary election, preemption, chassis cluster failover.

The correct answers are B and D. On SRX Series Firewalls, SSL proxy is configured by creating an SSL proxy profile and then applying that profile to the relevant security policy as an application service. Juniper’s SSL proxy configuration overview lists the required workflow: configure certificates and CA profile material, configure the SSL proxy profile, create a security policy matching the traffic to be inspected, and apply the SSL proxy profile to that security policy. Juniper further states that SSL proxy is enabled as an application service within a security policy, where the policy match criteria identify the traffic and the SSL proxy profile is applied to that traffic.

Option A is wrong because enabling the SSL ALG is not the required control point for SSL proxy. SSL proxy is a decryption/inspection service applied through policy, not simply an ALG toggle. Option C is wrong because creating a separate SSL application object is not the mandatory SSL proxy configuration action. The policy can match the desired traffic and then invoke SSL proxy through then permit application-services ssl-proxy profile-name. Juniper’s example explicitly shows applying the SSL proxy profile under the security policy action.

Reference topics: SSL Proxy, SSL forward proxy, SSL proxy profiles, security policy application-services, encrypted traffic inspection.

The correct answer is C. device policy rules. In Junos Space Security Director, policy scope matters. A rule intended for one specific SRX Series device must be placed in a device policy, because Juniper defines a device policy as a firewall policy created per device and used when you want to push a unique firewall policy configuration per device. Security Director also distinguishes this from group policies, which are shared with multiple devices, and from all-devices policy rules, which are global in scope rather than device-specific.

Option A is wrong because all-devices prerules are global rules evaluated before device-specific rules; they are not intended for a unique single-device exception. Option B is wrong because group policy prerules apply to devices within a group, not to one individually targeted SRX firewall. Option D is wrong because all-devices postrules are still globally scoped, even though they occur later in policy order. The clean Security Director design is to use device policy rules when the policy must apply only to one SRX device. Reference topics: Security Director, firewall policy hierarchy, device policy, group policy, all-devices prerules/postrules.

The correct answers are A and C. In an SRX chassis cluster, redundant Ethernet interfaces are configured as reth interfaces. Juniper defines a reth interface as a pseudointerface that includes at least one physical interface from each node in the cluster. Therefore, assigning a physical interface from node0 and a physical interface from node1 to the same reth interface is mandatory for redundant Ethernet operation. Juniper also states that before configuring chassis cluster redundant Ethernet interfaces, you must set the number of redundant Ethernet interfaces.

Option C maps to the required reth-count configuration under the chassis cluster hierarchy. Without defining the number of reth interfaces, Junos does not know how many redundant Ethernet pseudointerfaces are available for the cluster configuration. Option B is wrong because setting a retry interval is not a required step for creating a reth interface or redundancy group. Option D is wrong because heartbeat behavior belongs to cluster control-link monitoring and chassis-cluster node health, not to the required configuration steps for Ethernet reth membership. The required design steps are: define reth capacity, create/configure the reth interface, assign child physical links from both nodes, and associate the reth with the proper redundancy group. Reference topics: HA Clustering, redundant Ethernet interfaces, reth-count, reth child interfaces, redundancy groups.

The correct answers are A and B. In SRX chassis clustering, the fabric link, represented by fab interfaces, is the data-plane connection between the two cluster nodes. Juniper describes the fabric as the back-to-back data connection used when traffic on one node must be processed on the other node or must exit through an interface on the other node; session-state information also passes over the fabric. This is especially visible in active/active clustering, where ingress and egress interfaces can reside on different nodes and transit traffic must cross the fabric link.

Option B is also correct because the fabric link still exists in active/passive clustering for cluster data-plane synchronization and inter-node state handling, even though active/passive designs minimize fabric transit traffic because only one node normally forwards traffic at a time. Juniper specifically states that active/passive mode minimizes traffic over the fabric link, not that the fabric link is unused.

Options C and D are not the intended answers. The cluster is identified by a configured cluster ID, and each chassis is identified by a node ID, but the fabric interface names themselves are not where the cluster ID is reflected. Reference topics: HA Clustering, fabric link, active/active clustering, active/passive clustering, session synchronization, inter-node traffic.

The correct answers are A and D. Preparing Active Directory for JIMS requires creating limited-permission service accounts and assigning those accounts to the required Active Directory groups. Juniper’s JIMS deployment guidance states that you must create service accounts so JIMS can read from the defined directory services and identity producers; if PC probing is used, a service account is also required for that function. The same JIMS documentation includes a section named Configure Limited-Permission User Accounts, followed by Add Limited Permission User Accounts to Active Directory Groups.

Option A is correct because the JIMS preparation workflow commonly uses limited-permission accounts for event log access and PC probe access. Juniper identifies accounts such as JIMS-EventLogRemoteAccess and JIMS-PC-Probe in the Active Directory group-membership procedure. Option D is correct because those limited accounts must be added to the proper AD groups, including Event Log Readers and the groups required for remote management or PC probe operation.

Option B is wrong because the tested preparation requirement is not three limited-access accounts. Option C is wrong because JIMS should not be prepared by adding a broad full-access account; the course objective is least-privilege identity collection. Reference topics: JIMS, Active Directory preparation, limited-permission service accounts, Event Log Readers, PC probe account.

The correct answers are A and B. In SRX chassis clustering, the fab interface is the fabric data-plane link between cluster nodes. Juniper explains that data-plane software synchronizes session state using runtime objects, or RTOs, across the fabric data link, and this fabric link also supports forwarding traffic between nodes when ingress and egress processing occur on different chassis members.

swfab is also a chassis-cluster data-plane-related interface used for Layer 2 switching fabric functionality. Juniper’s Ethernet switching on chassis cluster documentation describes swfab0 and swfab1 as pseudointerfaces created for Layer 2 fabric functionality, enabling switching across the nodes. Option C, fxp1, is wrong because fxp1 is the control link interface used for cluster control-plane communication, heartbeats, and synchronization signaling, not a data-plane fabric interface. Option D, fxp0, is wrong because fxp0 is the out-of-band management interface. The clean separation is: fxp0 = management, fxp1 = control link, fab = routed/data fabric, and swfab = Layer 2 switching fabric. Reference topics: HA Clustering, fab interfaces, swfab interfaces, control link, management interface, data-plane synchronization.

The correct answers are B and C. To form an SRX chassis cluster, both devices must be assigned the same cluster ID and different node IDs. Juniper states that the cluster ID identifies the cluster, while the node ID identifies the individual node within that cluster. A valid two-node SRX chassis cluster uses node 0 on one chassis and node 1 on the other chassis. Juniper’s example shows the operational-mode commands as set chassis cluster cluster-id 1 node 0 reboot on the first device and set chassis cluster cluster-id 1 node 1 reboot on the second device.

Option A is wrong because cluster-id 0 disables clustering rather than forming a cluster. It also shows configuration-mode prompt #, while this chassis cluster node assignment is performed from operational mode. Option D is doubly wrong: cluster-id 0 disables clustering, and node 2 is invalid because SRX chassis cluster node IDs are limited to 0 and 1. The exam options omit the reboot keyword, but the only logically valid pair is still SRX1 as node 0 and SRX2 as node 1 under the same nonzero cluster ID. Reference topics: HA Clustering, chassis cluster ID, node ID, operational-mode cluster enablement.

The correct answers are C and D. The exhibit shows ESP encrypted bytes = 0, ESP decrypted bytes = 0, encrypted packets = 0, and decrypted packets = 0. That means no traffic is successfully passing through the IPsec tunnel. Juniper’s show security ipsec statistics command displays ESP encrypted/decrypted packet and byte counters, so zero values on these counters indicate that the tunnel is not successfully carrying protected ESP traffic.

Option C is also correct because the output shows ESP authentication failures and ESP decryption failures. Since ESP is the IPsec protocol responsible for encrypted payload handling, failures in ESP authentication/decryption point to an ESP/IPsec Phase 2 mismatch or incorrect configuration, such as mismatched authentication algorithm, encryption algorithm, keys, proposal parameters, or incompatible negotiated SA settings. Juniper’s IPsec overview explains that Phase 2 negotiates the IPsec SA used to authenticate traffic flowing through the tunnel, so ESP-related failures belong to the IPsec/ESP configuration path rather than AH.

Option A is wrong because the AH counters and AH authentication failures are zero; the evidence is not pointing to AH. Option B is unsupported because the output does not show peer reboot behavior. Reference topics: IPsec VPN, ESP statistics, Phase 2/IPsec SA negotiation, ESP authentication failures, ESP decryption failures.

The correct answers are B, D, and E. Security Director device onboarding depends on management reachability and valid administrative access. Juniper’s device discovery documentation states that Junos Space discovers network devices using SSH, with optional ping and SNMP, and connects to the physical device to retrieve running configuration and status information. It also explains that device authentication uses administrator login credentials, SSH credentials, SNMP settings, or keys depending on the discovery method.

Option E is required because Security Director must target a reachable management IP address or hostname. Juniper’s discovery-profile workflow explicitly uses the target IP address, hostname, IP range, or subnet to locate devices. Option D is required because invalid username/password or insufficient privileges prevent discovery and management; Juniper’s device-management guidance identifies credentials as required input for discovering devices. Option B is required because onboarding uses SSH, so the correct SSH service and port must be reachable. Juniper’s device access procedure explicitly includes a Port field for the SSH connection.

Option A is wrong because chassis serial number is not the normal troubleshooting field for Security Director discovery. Option C is wrong because active security policies do not determine whether Security Director can initially discover and onboard the device. Reference topics: Security Director, device discovery, SSH access, management IP reachability, authentication credentials.

The correct answer is C. Enable connectivity between the SRX Series device and Juniper ATP Cloud. Juniper ATP Cloud cannot inspect files, receive verdicts, or apply cloud-based malware intelligence until the SRX is enrolled and has a working secure connection to the ATP Cloud service. Juniper states that SRX enrollment establishes a secure connection between the SRX Series Firewall and the Juniper ATP Cloud server, downloads and installs certificate authorities, creates local certificates, enrolls them with the cloud server, and establishes the secure cloud connection.

Option A is not the first required configuration setting because the anti-malware service depends on successful cloud onboarding and connectivity. Option B is premature because firewall/security policies can reference malware inspection only after the device is properly connected and enrolled. Option D is also later in the workflow; anti-malware policies define how files are inspected and what action is taken, but those policies are useless if the SRX cannot communicate with ATP Cloud. Juniper also notes that ATP Cloud requires both the Routing Engine and Packet Forwarding Engine to reach the Internet, and DNS must resolve the cloud URL. Reference topics: ATP Cloud onboarding, SRX enrollment, advanced anti-malware connection, secure cloud connectivity, anti-malware policy deployment.

The correct answers are C and D. The cSRX is Juniper’s containerized SRX firewall, intended for lightweight virtual and container environments where rapid deployment and high density matter. Juniper’s cSRX documentation lists supported security capabilities including basic firewall policy, NAT, Intrusion Detection and Prevention, content security/UTM functions, ATP Cloud, SSL Proxy, AppID, AppFW, and AppTrack. That supports option C, because cSRX provides SRX security services in a containerized footprint rather than requiring a full VM-based firewall appliance.

Option D is also correct because Juniper identifies the cSRX’s small footprint and minimum resource reservation requirements as key benefits; it is designed to scale more densely than VM-based firewall options. Juniper’s Day One cSRX guide specifically identifies faster deployment, a small footprint, and reduced resource consumption as major benefits. Option A is not the best answer for this exam item because the question asks for cSRX deployment benefits, not merely forwarding-mode support. Option B is wrong because the tested cSRX advantage is not a default three-zone configuration. Reference topics: cSRX container firewall, virtual SRX deployment, firewall/NAT/IPS/UTM services, lightweight resource footprint.

The correct answer is A. fab. In SRX Series chassis clustering, the fabric interface, shown as fab0/fab1, is the data-plane HA link used between cluster nodes. Juniper states that SRX chassis clusters use the fabric interface for session synchronization and traffic forwarding, and that the fabric link synchronizes dynamic runtime state, including session-state objects created by NAT, ALG, authentication, and IPsec processing. This is what enables stateful failover and session continuity when traffic processing moves between nodes.

Option B, fxp0, is wrong because fxp0 is the out-of-band management interface, not the chassis-cluster synchronization path. Option C, fxp1, is tempting but wrong for this question: fxp1 is the control-link interface used for control-plane cluster functions such as heartbeats and cluster control communication, not the main session-state synchronization path. Option D, swfab, is not the standard SRX chassis-cluster fabric interface name used for this function. Juniper’s clustering configuration examples specifically define fab0 and fab1 as the interfaces used for the fabric connection and data-plane RTO/session synchronization.

The correct answer is B. LDAP. In Juniper identity-aware firewall deployments, the SRX Series Firewall integrates with Microsoft Active Directory so that user and group information can be used in security policy decisions. Juniper’s Active Directory identity-source documentation states that the LDAP protocol helps identify the groups to which users belong, and that username and group information are queried from the LDAP service running on the Active Directory domain controller. It also explains that the device uses Lightweight Directory Access Protocol to obtain user and group information required for Active Directory identity-source operation.

Option A, SSH, is wrong because SSH is a device management protocol, not the protocol SRX uses to query Active Directory user/group membership. Option C, DNS, is wrong because DNS can resolve names but does not provide Active Directory group mapping to the firewall. Option D, NETCONF, is wrong because NETCONF is used for network device configuration and automation, not Windows domain-controller identity queries. In a complete identity-aware firewall workflow, SRX may also use WMI/DCOM-related mechanisms to read Windows event-log data, but among the available protocol choices, LDAP is the correct answer because it is the directory protocol used to query user and group information. Reference topics: Active Directory identity source, LDAP, domain controller communication, user and group mapping.

The correct answer is A. It uses AppID services. Juniper SSL proxy does not rely only on TCP/443 or a static destination-port assumption. It uses Application Identification services to dynamically determine whether the session is SSL/TLS encrypted. Juniper states directly that SSL proxy uses application identification services to detect whether a session is SSL encrypted, and SSL proxy is allowed only when the session is identified as encrypted. If the application system cache marks the session as Encrypted=Yes, SSL proxy can transition into proxy processing; if the session is marked Encrypted=No, SSL proxy ignores it.

Option B is wrong because packet length does not reliably identify SSL/TLS encryption. Option C is a common trap: many SSL/TLS sessions use port 443, but SSL/TLS can run on nonstandard ports, and non-SSL applications can also use port 443. Junos uses AppID to avoid that weak assumption. Option D is wrong because a CA is used to sign or validate certificates during SSL forward or reverse proxy operations; it is not the mechanism used to detect whether a session is encrypted. Reference topics: SSL Proxy, AppID, encrypted session detection, application system cache, SSL/TLS inspection.

The correct answers are B and C. IDP false positives occur when legitimate traffic matches an attack signature or attack object incorrectly. One valid way to reduce false positives is to remove the problematic attack object from the IDP rule, especially when that object is not relevant to the protected application, server role, or traffic direction. Juniper defines attack objects as the items specified in IDP rules to identify malicious activity, so removing an irrelevant or noisy attack object directly reduces unwanted matches.

Option C is also correct because Juniper specifically recommends using an exempt rulebase when an IDP rule uses an attack object group containing attack objects that produce false positives or irrelevant log records. Exempt rules can exclude a specific source, destination, or source/destination pair from matching an IDP rule, preventing unnecessary alarms.

Option A is wrong because changing the action to a lower severity response does not reduce the false positive; it only changes what happens after the false match occurs. Option D is wrong because a terminal rule at the end of the rule base does not prevent earlier false-positive matches. Reference topics: IDP, attack objects, exempt rulebase, false-positive tuning, IDP rule matching.

The correct answers are B and D. The command output is from the SRX Series device: show services user-identification identity-management status. Under Primary server, the exhibit shows Address: 192.168.1.10, Port: 443, Connection method: HTTPS, and Connection status: Online. In Juniper Identity Management Service integration, the SRX is the client that connects to the configured primary JIMS server. Juniper’s configuration workflow specifically describes configuring “the IP address of the primary JIMS server” under services user-identification identity-management connection primary address, and the verification output shows that primary server address with its connection status.

Option A is wrong because 192.168.1.10 is listed under Primary server, not as the local SRX address. Option C is also wrong because this SRX command verifies the SRX-to-JIMS identity-management connection, not the backend JIMS-to-domain-controller connection. Domain controller reachability would be validated from JIMS or through JIMS-specific status/monitoring, not by this SRX-side output. The displayed Online state and OK (200) status confirm that the SRX successfully reached the JIMS HTTPS service and received a valid response. Juniper examples use the same status command to validate that the SRX identity-management connection to JIMS is online.

Reference topics: Identity-Aware Security Policies, Juniper Identity Management Service, SRX-to-JIMS connectivity, identity-management status verification.

The correct answer is A. It supports a maximum of two domains. Juniper’s Active Directory identity-source configuration guidance states that an SRX Series Firewall using the integrated user firewall/Active Directory identity source can be configured for a maximum of two domains. That is the exact limit relevant to this question. The same Juniper configuration page separately states that a maximum of 10 domain controllers can be configured, which directly eliminates option C because the supported figure is not 20 Active Directory servers per domain.

Option B is wrong because Active Directory identity source is not presented as a logical-systems feature in the JNCIS-SEC identity-aware firewall context. Option D is wrong because the primary Active Directory mechanism reads Windows domain controller event logs and uses WMI/DCOM plus LDAP to build IP-to-user and group mappings. Juniper describes the SRX as reading and monitoring the Windows event log on the domain controller, then using LDAP to obtain user/group information. Non-domain or non-Windows cases typically require alternate authentication behavior such as captive portal, not native Active Directory event-log tracking.

Reference topics: Identity-Aware Security Policies, Active Directory identity source, integrated user firewall, domain limits, domain controllers, WMIC, LDAP mapping.

The correct answers are B and C. Adaptive Threat Profiling allows SRX Series Firewalls to act either as inline enforcement devices or as tap-based sensors. In an inline deployment, the SRX is directly in the traffic path and can enforce policy actions such as blocking, denying, or adding threat indicators to Security Intelligence feeds for real-time mitigation. In a tap deployment, the SRX observes copied traffic from a TAP/SPAN-style feed and contributes intelligence without being the active forwarding device. Juniper’s ATP Cloud documentation states that Adaptive Threat Profiling enables SRX devices to be deployed as sensors on Tap ports, identifying and sharing intelligence to inline devices for real-time enforcement. It also describes a “Tap-based SRX Series Firewall sensor” and contrasts it with an inline device.

Option A, bridge, is not the deployment mode being tested here. Bridge/transparent forwarding is a firewall deployment style, not the named Adaptive Threat Profiling mode. Option D, promiscuous, is also wrong; promiscuous mode is an interface behavior, not the ATP Adaptive Threat Profiling deployment model. Reference topics: ATP Cloud, Adaptive Threat Profiling, tap sensors, inline enforcement, Security Intelligence feeds.