JN0-336 Juniper Security, Specialist (JNCIS-SEC) Free Practice Exam Questions (2026 Updated)

The correct answer is A. fab. In SRX Series chassis clustering, the fabric interface, shown as fab0/fab1, is the data-plane HA link used between cluster nodes. Juniper states that SRX chassis clusters use the fabric interface for session synchronization and traffic forwarding, and that the fabric link synchronizes dynamic runtime state, including session-state objects created by NAT, ALG, authentication, and IPsec processing. This is what enables stateful failover and session continuity when traffic processing moves between nodes.

Option B, fxp0, is wrong because fxp0 is the out-of-band management interface, not the chassis-cluster synchronization path. Option C, fxp1, is tempting but wrong for this question: fxp1 is the control-link interface used for control-plane cluster functions such as heartbeats and cluster control communication, not the main session-state synchronization path. Option D, swfab, is not the standard SRX chassis-cluster fabric interface name used for this function. Juniper’s clustering configuration examples specifically define fab0 and fab1 as the interfaces used for the fabric connection and data-plane RTO/session synchronization.

The correct answers are B and D. In VPN cryptography, hashing is used for authentication and integrity checking, not confidentiality. Juniper’s IPsec documentation describes MD5 as producing a 128-bit hash, also called a digital signature or message digest, from a message of arbitrary length. It also describes SHA as producing a 160-bit hash from a message of arbitrary length. That directly supports option B because a hash function takes variable-length input and produces a fixed-size digest.

Option D is also correct because Juniper states that the resulting hash is used like a fingerprint of the input to verify content and source authenticity and integrity. Juniper’s IPsec overview further explains that Junos compares the calculated message digest against the expected digest to verify that the message has not been tampered with.

Option A is wrong because hashing is not compression; it is one-way digest generation. Option C is wrong because encryption protects confidentiality, while hashing validates integrity and authenticity. In IPsec, algorithms such as AES, DES, and 3DES provide encryption, while MD5, SHA-1, and SHA-2 provide hashing/HMAC-based authentication. Reference topics: IPsec VPN, hashing, HMAC, MD5, SHA, message digest, data integrity.

The correct answers are A and D. Juniper provides predefined IDP policy templates to simplify IDP deployment. These templates are supplied by Juniper Networks and include common templates such as client protection, server protection, DMZ services, DNS server, file server, web server, IDP default, and recommended policies. Juniper’s IDP documentation states that predefined templates are available from a secured Juniper Networks website, and the listed templates are explicitly described as being provided by Juniper Networks.

Option D is correct because these templates are not automatically present as usable policies in a factory-default SRX configuration. Juniper’s procedure says that to use predefined IDP policy templates, you download the policy templates and then install them. The CLI process includes request security idp security-package download policy-templates followed by request security idp security-package install policy-templates; committing then makes them available under the IDP policy hierarchy.

Option B is wrong because Juniper specifically says you should customize these templates for your network and recommends using a copied template so you can safely make changes. Option C is wrong because they must be downloaded and installed, so they are not simply available in the factory-default configuration. Reference topics: IDP, predefined IDP policy templates, security-package download, security-package install, active IDP policy.

The correct answer is C. Enable connectivity between the SRX Series device and Juniper ATP Cloud. Juniper ATP Cloud cannot inspect files, receive verdicts, or apply cloud-based malware intelligence until the SRX is enrolled and has a working secure connection to the ATP Cloud service. Juniper states that SRX enrollment establishes a secure connection between the SRX Series Firewall and the Juniper ATP Cloud server, downloads and installs certificate authorities, creates local certificates, enrolls them with the cloud server, and establishes the secure cloud connection.

Option A is not the first required configuration setting because the anti-malware service depends on successful cloud onboarding and connectivity. Option B is premature because firewall/security policies can reference malware inspection only after the device is properly connected and enrolled. Option D is also later in the workflow; anti-malware policies define how files are inspected and what action is taken, but those policies are useless if the SRX cannot communicate with ATP Cloud. Juniper also notes that ATP Cloud requires both the Routing Engine and Packet Forwarding Engine to reach the Internet, and DNS must resolve the cloud URL. Reference topics: ATP Cloud onboarding, SRX enrollment, advanced anti-malware connection, secure cloud connectivity, anti-malware policy deployment.

The correct answer is B. LDAP. In Juniper identity-aware firewall deployments, the SRX Series Firewall integrates with Microsoft Active Directory so that user and group information can be used in security policy decisions. Juniper’s Active Directory identity-source documentation states that the LDAP protocol helps identify the groups to which users belong, and that username and group information are queried from the LDAP service running on the Active Directory domain controller. It also explains that the device uses Lightweight Directory Access Protocol to obtain user and group information required for Active Directory identity-source operation.

Option A, SSH, is wrong because SSH is a device management protocol, not the protocol SRX uses to query Active Directory user/group membership. Option C, DNS, is wrong because DNS can resolve names but does not provide Active Directory group mapping to the firewall. Option D, NETCONF, is wrong because NETCONF is used for network device configuration and automation, not Windows domain-controller identity queries. In a complete identity-aware firewall workflow, SRX may also use WMI/DCOM-related mechanisms to read Windows event-log data, but among the available protocol choices, LDAP is the correct answer because it is the directory protocol used to query user and group information. Reference topics: Active Directory identity source, LDAP, domain controller communication, user and group mapping.

The correct answers are C and D. The cSRX is Juniper’s containerized SRX firewall, intended for lightweight virtual and container environments where rapid deployment and high density matter. Juniper’s cSRX documentation lists supported security capabilities including basic firewall policy, NAT, Intrusion Detection and Prevention, content security/UTM functions, ATP Cloud, SSL Proxy, AppID, AppFW, and AppTrack. That supports option C, because cSRX provides SRX security services in a containerized footprint rather than requiring a full VM-based firewall appliance.

Option D is also correct because Juniper identifies the cSRX’s small footprint and minimum resource reservation requirements as key benefits; it is designed to scale more densely than VM-based firewall options. Juniper’s Day One cSRX guide specifically identifies faster deployment, a small footprint, and reduced resource consumption as major benefits. Option A is not the best answer for this exam item because the question asks for cSRX deployment benefits, not merely forwarding-mode support. Option B is wrong because the tested cSRX advantage is not a default three-zone configuration. Reference topics: cSRX container firewall, virtual SRX deployment, firewall/NAT/IPS/UTM services, lightweight resource footprint.

The correct answers are B and C. Juniper IDP uses attack objects as match conditions inside IDP policy rules. Juniper states that IDP attack objects represent known and unknown attacks and that the predefined attack object database is periodically updated by Juniper Networks. The main IDP attack object types include signature attack objects, protocol anomaly attack objects, and compound attack objects.

Option C is correct because signature attack objects detect known attacks using stateful attack signatures. Juniper defines a signature as a pattern that exists within a specific section of an attack and includes protocol, service, direction, flow, and context information to reduce false positives.

Option B is correct because protocol anomaly attack objects detect abnormal protocol behavior. Juniper explains that protocol anomaly objects identify unusual or ambiguous traffic that violates protocol specifications, RFCs, or common RFC extensions.

Option A is wrong because “statistic-based” is not one of the IDP attack object database types being tested here. Option D is wrong because “vector-based” is not a Juniper IDP attack object type. Reference topics: IDP, attack object database, signature-based attack objects, protocol anomaly attack objects, predefined attack objects.

The correct answer is C. device policy rules. In Junos Space Security Director, a firewall rule that must apply uniquely to one SRX Series device belongs in the device-specific policy layer, not in global or group-level policy. Juniper’s Security Director documentation states that a device can have a device-specific policy and can also be part of multiple group policies; the rule processing order places policies applied before device-specific policies first, then device-specific policies, then policies applied after device-specific policies. Juniper also explains that rules applied before device-specific policies take priority and cannot be overridden, while rules applied after device-specific policies can be overridden by adding a rule in the device-specific policy.

Option A is wrong because all-devices prerules are global mandatory rules applied before device-specific policy, not unique device exceptions. Option B is wrong because group policy prerules apply to a group of devices, not one specific SRX. Option D is wrong because all-devices postrules are still global policy rules, although they can be overridden. For a unique policy requirement on one SRX device, device policy rules are the precise Security Director construct. Reference topics: Security Director, firewall policies, device-specific policies, policy rule precedence, global/group/device rule hierarchy.

The correct answers are A, B, and D. In Security Director, the Shared Objects workspace is used for reusable objects that can be referenced by policies across managed devices. Juniper documentation shows that address objects are created from Configure > Shared Objects > Addresses, and those address objects can be used across devices in firewall, NAT, IPS, and VPN services. This supports option B, because IP address/address objects are classic shared objects.

Option A is correct because Geo IP policies are created from Configure > Shared Objects > Geo IP. Juniper’s procedure explicitly places Geo IP under the Shared Objects path. Option D is also correct because policy enforcement groups are created from Configure > Shared Objects > Policy Enforcement Groups and are used to group endpoints such as IP addresses, subnets, or locations for policy-enforcement workflows.

Option C is wrong because audit logs are monitoring records, not reusable shared objects; Juniper places them under Monitor > Audit Logs, where they track login history and user-initiated tasks. Option E is wrong because policy rules are created and managed inside firewall, NAT, IPS, or threat policies, not as independent Shared Objects. Reference topics: Security Director, Shared Objects, address objects, Geo IP, policy enforcement groups.

The correct answers are A and C. In SSL forward proxy, the SRX sits between internal clients and external SSL/TLS servers. Juniper’s SSL proxy configuration documentation shows that a forward proxy profile is created when root-ca is configured and server-certificate is not configured. This root CA is used by the SRX to generate substitute certificates for intercepted SSL sessions, so internal clients must trust the CA used by the firewall. Juniper’s procedure specifically includes generating or loading a local certificate and applying it as the root-ca in the SSL proxy profile.

Option C is also correct because forward proxy terminates the client-side SSL session and establishes a separate SSL session toward the destination server. Juniper states that the SSL proxy acts as an SSL server to the client and establishes a new SSL session to the server; from the server’s perspective, the SRX is the SSL client. Option B is wrong because forward proxy intercepts the server certificate and creates a substitute certificate; forwarding the actual server certificate unchanged is associated with reverse proxy behavior. Option D is wrong because Encrypted Traffic Insights is not the required forward-proxy mechanism here. Reference topics: SSL Proxy, SSL forward proxy, root CA, client protection, certificate interception.

The correct answer is A. It uses AppID services. Juniper SSL proxy does not rely only on TCP/443 or a static destination-port assumption. It uses Application Identification services to dynamically determine whether the session is SSL/TLS encrypted. Juniper states directly that SSL proxy uses application identification services to detect whether a session is SSL encrypted, and SSL proxy is allowed only when the session is identified as encrypted. If the application system cache marks the session as Encrypted=Yes, SSL proxy can transition into proxy processing; if the session is marked Encrypted=No, SSL proxy ignores it.

Option B is wrong because packet length does not reliably identify SSL/TLS encryption. Option C is a common trap: many SSL/TLS sessions use port 443, but SSL/TLS can run on nonstandard ports, and non-SSL applications can also use port 443. Junos uses AppID to avoid that weak assumption. Option D is wrong because a CA is used to sign or validate certificates during SSL forward or reverse proxy operations; it is not the mechanism used to detect whether a session is encrypted. Reference topics: SSL Proxy, AppID, encrypted session detection, application system cache, SSL/TLS inspection.

The correct answer is C. fxp0 or fxp1 on either device has an existing configuration. The exhibit shows each node reporting itself in hold state and the peer as lost under redundancy group 0. Juniper’s chassis cluster troubleshooting documentation shows this same hold/lost symptom and states that when a node is in hold, it is not ready to operate in a chassis cluster. For branch SRX devices, when cluster mode is enabled, specific physical interfaces are automatically converted into fxp0 for out-of-band management and fxp1 for the HA control link. These interfaces cannot retain normal transit or standalone interface configuration. If the ports that become fxp0 or fxp1 already have configuration, the cluster can enter the hold/lost condition shown in the exhibit.

Option A is wrong because the output does not indicate a Junos version mismatch. Option B is wrong because hardware mismatch is not the symptom being shown. Option D is too specific: a factory-default configuration can cause this problem because it may include configuration on interfaces that become fxp0/fxp1, but the exhibit does not prove specifically that node1 alone is running factory-default configuration. The tested issue is the existing configuration on the interfaces reserved for chassis-cluster management/control. Reference topics: HA Clustering, chassis cluster hold/lost state, fxp0, fxp1, branch SRX cluster initialization.

The correct answers are A and D. In IKEv1-based IPsec VPNs, there are two distinct negotiation phases. IKEv1 Phase 1 establishes the secure and authenticated IKE channel between peers. That means the IKE SA is built during Phase 1. Juniper describes Phase 1 as the negotiation of proposals for how to authenticate and secure the channel, including encryption algorithms, authentication algorithms, Diffie-Hellman group, and authentication method.

IKEv1 Phase 2 then uses that secure channel to negotiate the IPsec SAs that protect actual user traffic through the VPN. Juniper states that Phase 2 negotiates security associations to secure the data traversing the IPsec tunnel, and that the Phase 2 proposal includes the security protocol, such as ESP or AH, plus the selected encryption and authentication algorithms. Option B is wrong because IKEv1 SAs are not established in Phase 2; Phase 2 creates IPsec SAs. Option C is wrong because Phase 1 does not create the data-plane IPsec SA; it creates the secure IKE control channel used for Phase 2 negotiation. Reference topics: IPsec VPN, IKEv1 Phase 1, IKE SA, IKEv1 Phase 2, IPsec SA, ESP/AH proposals.

The correct answers are A and C. In an SRX chassis cluster, redundant Ethernet interfaces are configured as reth interfaces. Juniper defines a reth interface as a pseudointerface that includes at least one physical interface from each node in the cluster. Therefore, assigning a physical interface from node0 and a physical interface from node1 to the same reth interface is mandatory for redundant Ethernet operation. Juniper also states that before configuring chassis cluster redundant Ethernet interfaces, you must set the number of redundant Ethernet interfaces.

Option C maps to the required reth-count configuration under the chassis cluster hierarchy. Without defining the number of reth interfaces, Junos does not know how many redundant Ethernet pseudointerfaces are available for the cluster configuration. Option B is wrong because setting a retry interval is not a required step for creating a reth interface or redundancy group. Option D is wrong because heartbeat behavior belongs to cluster control-link monitoring and chassis-cluster node health, not to the required configuration steps for Ethernet reth membership. The required design steps are: define reth capacity, create/configure the reth interface, assign child physical links from both nodes, and associate the reth with the proper redundancy group. Reference topics: HA Clustering, redundant Ethernet interfaces, reth-count, reth child interfaces, redundancy groups.

The correct answer is D. drop packet. In IDP terminology, a silent discard means the offending packet is discarded without sending reset packets or other connection-closing signals back to the endpoints. Juniper defines the Drop Packet IDP action as dropping a matching packet before it reaches its destination while not closing the connection. That is the closest and correct IDP action for “silent discard” in the listed choices.

Option A, no action, is wrong because it does not discard anything; Juniper describes No Action as taking no enforcement action, typically used when the administrator only wants logging. Option B, close client and server, is wrong because that action actively closes the session by sending TCP RST packets to both sides, which is explicitly not silent. Option C, ignore connection, is wrong because it stops further IDP scanning for the rest of the connection; it does not discard the packet. Juniper distinguishes these actions clearly: drop packet discards the offending packet, drop connection blocks the whole connection, and close actions send reset packets. Reference topics: IDP actions, drop packet, close client and server, ignore connection, silent discard behavior.

The correct answers are B and C. Juniper Secure Connect uses route-based VPN connectivity, not policy-based VPN connectivity. Juniper’s Secure Connect user guide contrasts Dynamic VPN and Juniper Secure Connect and identifies Juniper Secure Connect as using route-based VPN connectivity, with a tunnel interface selected or created to bind the VPN. This is why SRX configurations for Juniper Secure Connect use an st0 tunnel interface and routing/security policy logic, rather than policy-based encryption tied directly to individual firewall policies.

Option B is also correct because Juniper Secure Connect can use a self-signed certificate. Juniper’s certificate deployment guidance states that before deploying Juniper Secure Connect, the SRX should use an appropriate certificate, which can be a signed certificate, a self-signed certificate, or a Let’s Encrypt-signed certificate. The documentation also shows generating a self-signed certificate and binding it to the SRX for Secure Connect use.

Option A is wrong because policy-based VPN describes older Dynamic VPN behavior, not Juniper Secure Connect. Option D is directly contradicted by Juniper’s certificate guidance. Reference topics: Juniper Secure Connect, route-based VPN, st0 tunnel interface, certificate deployment, self-signed certificate support.

The correct answers are A and C. To log denied traffic on an SRX Series Firewall, the security policy must deny the traffic and must generate a log at session initiation. Juniper’s security policy monitoring documentation states that to view logs from denied connections, you enable logging on session-init. Juniper’s traffic-logging guidance also states that for a security policy with a deny action, traffic logs must be generated when a session starts.

Option C is required because the policy action must be deny; otherwise the traffic is not denied by that policy. Option A is required because denied traffic does not complete a normal permitted session lifecycle, so session-init is the correct logging stage for denied connection attempts. Option B, session-close, is used to log permitted sessions after teardown or conclusion; it is not the required parameter for denied traffic. Option D, count, increments policy counters but does not create traffic logs. The correct configuration concept is: match the unwanted traffic, apply then deny, and enable then log session-init. Reference topics: SRX security policies, deny action, session-init logging, traffic log generation, policy counters.

The correct answer is B. Add custom-attack Custom-FTP-Attack to the attacks section and change the action to drop-packet. In the exhibit, the IDP rule is built under rulebase-ips with a match block and a then block. Attack objects belong inside the match attacks hierarchy because they define what malicious pattern the IDP rule is trying to detect. Juniper’s IDP documentation states that attack objects are specified in rules to identify malicious activity and that the rule’s attack objects/groups are the attacks the device matches in monitored traffic.

The enforcement behavior belongs in the then action hierarchy. The current rule uses close-client; to meet the requirement, it must be changed to drop-packet. Juniper defines Drop Packet as an IDP action that drops a matching packet before it reaches its destination without closing the connection. Option A keeps the wrong action. Option C is structurally wrong because a custom attack object is not configured under the action section. Option D is also wrong because the notification section controls logging/alert behavior, not attack matching. Reference topics: IDP rulebase, custom attack objects, match attacks hierarchy, IDP actions, drop-packet behavior.