JN0-335 Juniper Security, Specialist (JNCIS-SEC) Free Practice Exam Questions (2025 Updated)

SRX chassis clustering is a high availability feature that allows two SRX Series devices to operate as a single logical device. The two devices are connected by a control link and a fabric link, which are used to synchronize the configuration, state, and traffic between the nodes. The control plane is responsible for managing the cluster configuration, monitoring the health and status of the nodes, and performing failover operations. The data plane is responsible for processing and forwarding the traffic through the cluster. SRX chassis clustering supports two modes for the data plane: active/passive and active/active. In active/passive mode, only one node is active for each redundancy group, which is a logical grouping of interfaces and services. The active node handles all the traffic for the redundancy group, while the passive node acts as a backup. In active/active mode, both nodes are active for different redundancy groups, and they can share the traffic load for the cluster. SRX chassis clustering supports only one mode for the control plane: active/passive. In this mode, only one node is the primary node, which is the master of the cluster configuration and the source of truth for the cluster state. The primary node also initiates the failover process in case of a node or interface failure. The other node is the secondary node, which is the slave of the cluster configuration and the backup of the cluster state. The secondary node takes over the primary role if the primary node fails or is manually disabled. References: Chassis Cluster Overview, SRX Series Chassis Cluster Configuration Overview, Chassis Cluster Overview

 Juniper Secure Analytics (JSA) is a security information and event management (SIEM) system that consolidates, analyzes, and manages surveillance data from network devices, endpoints, and applications1

JSA uses two features to configure alerts based on certain criteria: building blocks and events2

Building blocks are reusable components that define common characteristics of network activity, such as IP addresses, ports, protocols, usernames, or threat categories. Building blocks can be used to create custom rules, searches, reports, and filters that can trigger alerts when certain conditions are met2

Events are records of network activity that are collected and normalized by JSA. Events can be classified into different categories, such as offenses, flows, logs, or anomalies. Events can also be correlated with other data sources, such as vulnerability scanners, threat intelligence feeds, or asset databases, to provide more context and insight. Events can trigger alerts when they match predefined or custom rules that specify the severity, frequency, or duration of the activity2

References: 1: JSA Series Secure Analytics - Juniper Networks 2: Juniper Secure Analytics Users Guide

SSL proxy uses application identification services to dynamically detect if a particular session is SSL encrypted.https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-ssl-proxy-unified-policies.html

Chassis clustering is a high availability feature that allows two SRX Series devices to operate as a single logical device. The two devices are connected by a control link and a fabric link, which are used to synchronize the configuration, state, and traffic between the nodes. The cluster nodes are identified in the following ways:

A cluster is identified by a cluster ID (cluster-id) specified as a number 1 through 151.

A cluster node is identified by a node ID (node) specified as a number from 0 to 11.

Therefore, the node ID is used to identify each device in the chassis cluster (option B), and the cluster ID is used to identify each device in the chassis cluster (option D). The node ID value does not range from 1 to 255 (option A), and a system reboot is notrequired to activate changes to the cluster (option C)2. References: Chassis Cluster Overview, Configuring Chassis Clustering on SRX Series Devices

The vSRX is a virtual firewall that offers the same features as the physical SRX Series firewalls, but in a virtualized form factor. It supports next-generation firewall (NGFW) capabilities, networking, and automated lifecycle management. It also integrates with cloud orchestration tools and software-defined networking (SDN) solutions1

The vSRX supports VMXNET3 vNICs, which are optimized for performance in virtualized environments. VMXNET3 vNICs offer enhanced networking features such as jumbo frames, hardware offloads, and multicast filtering2

The vSRX runs on Linux as the base OS, which provides a stable and secure platform for the Junos OS and the firewall functionality. Linux also enables the vSRX to leverage the native hypervisor drivers and APIs for better performance and compatibility3

References: 1: vSRX Virtual Firewall | Juniper Networks US 2: vSRX Virtual Firewall for VMware - TechLibrary - Juniper Networks 3: vSRX Overview - TechLibrary - Juniper Networks

= SSL proxy server protection is a type of reverse proxy that enables the SRX Series device to act as an intermediary between external clients and internal servers that use SSL encryption. SSL proxy server protection provides benefits such as load balancing, caching, compression, encryption, authentication, and application firewalling. To enable SSL proxy server protection, you do not need to configure the servers to use the SSL proxy function on the SRX Series device. The SRX Series device will terminate the SSL connection from the client and initiate a new SSL connection to the server, without requiring any changes on the server side. However, you must load the server certificates on the SRX Series device, so that the SRX Series device can present the server certificate to the client and establish a secure connection. You must also import the root CA on the servers, so that the servers can trust the SRX Series device as a valid intermediary and accept the connection from the SRX Series device. References: SSL Proxy, Configuring SSL Proxy, JNCIP-SEC Certification

AppTrack: Tracks and reports applications passing through

the device.

• Intrusion Detection and Prevention (IDP): Applies

appropriate attack objects to applications running on

nonstandard ports. Application identification improves IDP

performance by narrowing the scope of attack signatures

for applications without decoders.

• AppFW: Implements an application firewall using

application-based rules.

• AppQoS: Provides quality-of-service (QoS) prioritization

based on application awareness

The AppSecure AppTrack service module is a logging and reporting tool used to share information about application visibility. Once AppID identifies an application, AppTrack notonly monitors and records its usage, it also sends regular application activity update messages. Since these messages are sent by syslog, they can be read by any compatible third-party device, including Juniper Networks JSA Series Secure Analytics Appliances and Contrail Service Orchestration.https://www.juniper.net/content/dam/www/assets/solution-briefs/us/en/appsecure-application-visibility-and-control.pdf

Referring to the exhibit, we can see that the output of the show chassis cluster status command on both nodes shows that they have the same cluster ID, node ID, priority, and status. The status for both nodes is primary, which means that they are both active and ready to process traffic for all redundancy groups1.

This situation can occur when the control link between the two nodes is down or not configured properly, and the heartbeat messages cannot be exchanged. Without the heartbeat messages, each node assumes that the other node is down and takes over the primary role for all redundancy groups12.

This is not a desirable state for the cluster, as it can cause traffic disruption, configuration inconsistency, and split-brain scenarios. To resolve this issue, the control link should be checked and fixed, and the cluster should be synchronized12.

References:

1: Troubleshooting an SRX Chassis Cluster with One Node in the Primary State and the Other Node in the Disabled State

2: SRX Series Chassis Cluster Configuration Overview

References:

[SRX] Behavior of active sessions when modifying a security policy1

 https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-application-identification-predefined-signatures.html

 vSRX is a virtual firewall that runs on various cloud platforms, including AWS and OpenStack. AWS is a cloud service provider that offers infrastructure as a service (IaaS) solutions, such as compute, storage, and networking resources. OpenStack is an open source software platform that enables cloud orchestration, which is the automated management of cloud resources and services. vSRX supports both AWS and OpenStack as deployment options, and integrates with their features and tools. For example, vSRX can use cloud-init to automate the initialization of vSRX instances in AWS and OpenStack environments. vSRX can also leverage the security groups and elastic IP addresses of AWS, and the network and security services of OpenStack. References:

vSRX Deployment Guide for AWS

vSRX Virtual Firewall

Use Cloud-Init in an OpenStack Environment to Automate the Initialization of vSRX Instances

 Logging for a security policy can be configured to generate log entries at session initialization, at session close, or both. Logging at session initialization records the initial packet that matches the policy and triggers the session creation. Logging at session close records the summary statistics of the session, such as bytes and packets transmitted and received, and the reason for session termination. Logging at session initialization and close provides the most complete information about the traffic that matches the policy. Logging at fixed intervals, such as every 10 minutes or every 60 seconds, is not supported by Junos OS security policies. References:

Security, Professional (JNCIP-SEC) Exam Objectives, Firewall Filters section

Junos OS Security Configuration Guide, Understanding Security Policy Logging section

Advanced Juniper Security (AJSEC) Course, Chapter 4: Advanced Logging and Reporting

 Juniper ATP Cloud profiles let you define which files to send to the cloud for inspection. You can group types of files to be scanned together (such as.tar,.exe, and.java) under a common name and create multiple profiles based on the content you want scanned. Then enter the profile names on eligible SRX Series devices to apply them1. To update a custom profile, you can use the ATP Cloud Ul and navigate to Configure > File Inspection Management > Profiles. There you can edit the existing profile and change the scan limit for executable files to 30 MB, while keeping the scan limit for other files at 10 MB. This way, you can scan larger executable files without increasing the scan time for other file types. References: File Inspection Profiles Overview

References: IDP Policy Rules and IDP Rule Bases, rulebase-ips, Exam Name: Security, Specialist (JNCIS-SEC) Version: DEMO - Lead2Pass

Juniper ATP Cloud is the threat intelligence hub for Juniper customers, identifying indicators of compromise for users and devices across the network. It provides security intelligence feeds, such as command and control (C&C) and infected hosts, that can be used to block or log malicious traffic. When you configure the C&C category with Juniper ATP Cloud, you need to specify the authentication token, the URL, and the update interval for the feeds. After you commit the configuration, the feeds are downloaded automatically from the Juniper ATP Cloud server. This may take a few minutes, depending on the network latency and the size of the feeds. Therefore, no action is required from the user, and the feeds will have non-zero objects once the download is complete. You can verify the status of the feeds by using the show services security intelligence category summary command, as shown in the exhibit. References:

Introduction to Juniper ATP Cloud

security-intelligence (services)

Juniper ATP Cloud CLI Reference Guide

References:

[Juniper Security, Professional (JNCIP-SEC) Reference Materials] 1

[Juniper Security, Specialist (JNCIS-SEC) Reference Materials] 2

[How to configure a custom signature to block specific URLs using application firewall (AppFW)] 3

The SRX Series device will drop packets from the infected hosts with a threat level of 8 and no log message will be generated. This is because the security intelligence profile “ATP_Infected-Hosts” has a rule “Rule-1” that matches packets with a threat level of 8 and the action is to block and drop them. There is no log option specified in the action, so no log message will be generated. Options A and B are not correct because the rule only matches packets with a threat level of 8, not 8 or above. Option C is not correct because the action is to drop, not permit, the packets. References: The answer can be verified from Juniper’s official documentation on security intelligence available on their website. Here are some relevant links:

Security Intelligence Feature Guide for Security Devices

security-intelligence | Junos OS

Configure the Security Intelligence Policy on the SRX Series Device

The infected host cloud feed is a list of IP addresses that have been identified as compromised or infected by malware. The feed is updated by Juniper ATP Cloud based on the detection of malicious activity from the hosts, such as contacting known command-and-control servers. When a host on the network reaches the configured threat level threshold, its IP address is automatically added to the infected host cloud feed and blocked from communicating with any other hosts on the Internet. The other feeds are not relevant for this situation. The command-and-control cloud feed is a list of IP addresses that are known to be used by malware for remote control and communication. The allowlist and blocklist feed is a user-defined list of IP addresses that are either allowed or denied by the SRX Series device. The custom cloud feed is a user-defined list of IP addresses that are associated with a specific category or threat level. References:

Infected Hosts: More Information

Juniper’s Attacker IP feed bolsters threat protection with SecIntel

ATP Appliance and SRX Series Threat Level Comparison Chart

= The vSRX is a virtual firewall that offers the same features as the physical SRX Series firewalls, but in a virtualized form factor for delivering security services that scale to match network demand. The vSRX supports Juniper Contrail Networking and third-party software-defined networking (SDN) solutions, which enable dynamic and automated network provisioning and management. The vSRX also integrates with cloud orchestration tools such as OpenStack, which allow for flexible deployment and configuration of virtual machines and networks. The vSRX provides granular security for the workloads that run within the virtual network on the public or private cloud. It supports next-generation firewall capabilities, such as application security, intrusion prevention, user identity, and role-based access control. It also supports advanced threat prevention features, such as malware sandboxing, threat intelligence feeds, and encrypted traffic inspection. The vSRX can protect the network from both internal and external threats, and enforce consistent security policies across the entire network. References:

vSRX Virtual Firewall | Juniper Networks US

vSRX Documentation | Juniper Networks

Understand vSRX Virtual Firewall with Microsoft Azure Cloud