Juniper JN0-336 Security, Specialist (JNCIS-SEC) Exam Practice Test

The correct answer is D. drop packet. In IDP terminology, a silent discard means the offending packet is discarded without sending reset packets or other connection-closing signals back to the endpoints. Juniper defines the Drop Packet IDP action as dropping a matching packet before it reaches its destination while not closing the connection. That is the closest and correct IDP action for “silent discard” in the listed choices.

Option A, no action, is wrong because it does not discard anything; Juniper describes No Action as taking no enforcement action, typically used when the administrator only wants logging. Option B, close client and server, is wrong because that action actively closes the session by sending TCP RST packets to both sides, which is explicitly not silent. Option C, ignore connection, is wrong because it stops further IDP scanning for the rest of the connection; it does not discard the packet. Juniper distinguishes these actions clearly: drop packet discards the offending packet, drop connection blocks the whole connection, and close actions send reset packets. Reference topics: IDP actions, drop packet, close client and server, ignore connection, silent discard behavior.

The correct answers are C and D. Once the SSL proxy profile already exists, the SRX still needs a security policy that matches the SSL/TLS traffic and applies the SSL proxy profile as an application service. Juniper’s SSL proxy configuration procedure explicitly shows creating the security policy match criteria and then applying the SSL proxy profile with then permit application-services ssl-proxy profile-name. It also states that SSL forward and reverse proxy require the profile to be configured at the firewall rule level.

Option D is correct because SSL proxy is not an end goal by itself; it decrypts SSL/TLS traffic so Layer 7 security services can inspect it. Juniper states that decrypted SSL traffic is available for security services and provides examples where the SSL proxy profile and a Content Security/UTM policy are both attached to the same security policy. Option A is wrong because host-inbound-traffic HTTPS controls HTTPS access to the SRX itself, not transit SSL proxy inspection. Option B is wrong because SSL proxy profiles are not referenced under a security zone for this function; they are applied under the matching security policy. Reference topics: SSL Proxy, SSL proxy profile, security policy application-services, Layer 7 inspection, UTM/IDP/ATP integration.

The correct answers are A and B. In Security Director-managed environments, Security Director can download the signature database and then install the active signature database update on selected managed devices. Juniper’s Security Director workflow states that after the signature database is downloaded, you install the active database, select the target devices, and Security Director sends the full or incremental signature database update to those devices. That confirms that Security Director stores and manages the signature database package centrally for deployment.

Option B is also correct because the SRX Series device must have the application signature database installed locally for AppID/AppSecure features such as AppFW, AppTrack, AppQoS, and IDP application matching. Juniper’s AppID documentation states that the application package is installed in the application signature database on the device, and that AppID signature updates enable AppSecure features on the SRX.

Option C is wrong because Juniper provides and maintains the predefined AppID database through Juniper’s security download infrastructure, not a third-party host. Juniper explicitly describes the predefined application identification database as provided by Juniper Networks and updated through a subscription service. Option D is wrong because a local storage server can be used only as part of an offline/manual update workflow; it is not where the AppID database normally resides. Reference topics: Security Director, AppID database, application signatures, SRX AppSecure services, signature database installation.

The correct answers are B and C. The exhibit shows the command request security idp security-package install failing with: “Security package installation disabled temporarily due to invalid license.” In the IDP update workflow, the SRX must have a valid IDP/AppSecure-related license to install updated security packages. Juniper’s support guidance for an expired IDP license states that if the IDP license expires, attacks continue to be inspected, but IDP update installation is not allowed. That maps directly to this exhibit: the existing IDP engine and currently installed attack database can continue to inspect traffic, but the device cannot install the newer downloaded package until licensing is corrected.

Option A is wrong because expiration does not immediately stop all IDP inspection; it prevents installing new updates. Option D is not the best answer because the specific operational behavior shown is consistent with an invalid/expired license condition after attempting a package install, not proof that no license was ever installed. The practical remediation is to validate the installed license, renew or reinstall the correct IDP license, then retry the security-package installation. Reference topics: IDP licensing, security-package download/install, attack database updates, installed signature inspection behavior.

The correct answers are A and D. Juniper provides predefined IDP policy templates to simplify IDP deployment. These templates are supplied by Juniper Networks and include common templates such as client protection, server protection, DMZ services, DNS server, file server, web server, IDP default, and recommended policies. Juniper’s IDP documentation states that predefined templates are available from a secured Juniper Networks website, and the listed templates are explicitly described as being provided by Juniper Networks.

Option D is correct because these templates are not automatically present as usable policies in a factory-default SRX configuration. Juniper’s procedure says that to use predefined IDP policy templates, you download the policy templates and then install them. The CLI process includes request security idp security-package download policy-templates followed by request security idp security-package install policy-templates; committing then makes them available under the IDP policy hierarchy.

Option B is wrong because Juniper specifically says you should customize these templates for your network and recommends using a copied template so you can safely make changes. Option C is wrong because they must be downloaded and installed, so they are not simply available in the factory-default configuration. Reference topics: IDP, predefined IDP policy templates, security-package download, security-package install, active IDP policy.

The correct answer is D. maintaining a centralized authentication table. Juniper Identity Management Service, or JIMS, is used with SRX Series Firewalls to collect user-identity information from identity sources such as Microsoft Active Directory, domain controllers, and Exchange servers, then provide that identity data to SRX enforcement points. Juniper describes JIMS as storing IP address, username, and group-relationship information in its cache and generating authentication entries used for user-based or group-based access control on SRX firewalls. Juniper’s Identity-Aware Firewall documentation also states that the authentication table contains the IP address, username, and group mapping information used as the authentication source.

Option A is wrong because JIMS is not an email-encryption service. Option B is wrong because malicious-code logging belongs to security inspection features such as antivirus, IDP, or ATP workflows, not JIMS. Option C is wrong because network data encryption is handled by technologies such as IPsec VPN or SSL/TLS, not identity management. JIMS exists to centralize identity-to-IP mapping so identity-aware security policies can match users and groups instead of relying only on source IP addresses. Reference topics: Identity-Aware Security Policies, JIMS, authentication table, user-to-IP mapping, group-based policy enforcement.

The correct answers are A and D. Juniper documentation describes domain PC probing as a supplement to event-log reading. When a user logs in to the domain, the domain controller event log normally provides the user-to-IP mapping. If that IP address-to-username mapping is not available from the event log, JIMS initiates a domain PC probe to the endpoint to obtain the active username and domain. JIMS can also use probes to determine a device’s status after the logged-in state expires, so the operational idea is not blind periodic probing; it is used to resolve or validate identity state when normal event-log information is missing or stale.

Option D is correct because the result of identity collection is reported back to SRX Series devices. JIMS generates reports containing IP address, username, and group relationship information, keeps a list of reports communicated to SRX devices, and sends those reports so SRX devices can create authentication-table entries for identity-aware policy enforcement. Options B and C are wrong because the tested PC-probe behavior is not “every 30 seconds” or “every 60 seconds.” Those values confuse PC probing with other timers or query intervals. Reference topics: JIMS, domain PC probing, event-log identity mapping, SRX authentication table, identity-aware security policies.

The correct answers are B and C. In Junos route-based IPsec VPNs, the default proxy ID is broad: local 0.0.0.0/0, remote 0.0.0.0/0, and service any. This default behavior allows routed traffic entering the secure tunnel interface to determine what is protected by the VPN rather than requiring a narrow policy-based encryption domain. Juniper’s IPsec VPN configuration guidance also states that proxy IDs are used in Phase 2 negotiations, and that a proxy ID mismatch is one of the common causes of Phase 2 failure. For interoperability with some third-party VPN peers, Juniper notes that proxy IDs may need to be manually configured to match the peer.

Option A is wrong because proxy IDs can override default route-based behavior when manually configured, especially when a peer requires specific local and remote protected subnets. Option D is wrong because proxy IDs are not created during IKE Phase 1. Phase 1 builds the secure IKE channel; proxy IDs belong to Phase 2/IPsec SA negotiation, where the peers agree on traffic selectors for encrypted traffic. Reference topics: IPsec VPN, route-based VPNs, proxy IDs, Phase 2 negotiation, traffic selectors, third-party VPN interoperability.

The correct answer is D. AppQoS. The requirement is not to block, permit, translate, or inspect SIP signaling; it is to prioritize VoIP traffic on a low-bandwidth branch link. Juniper Application QoS, or AppQoS, is designed exactly for this purpose. Juniper states that AppQoS provides the ability to prioritize and meter application traffic so business-critical or high-priority application traffic receives better service. It can classify traffic by application, assign forwarding classes, rewrite DSCP values, set loss priority, and apply rate limiters.

Option A, AppFW, is wrong because AppFW controls application access; it is used to permit, deny, reject, or log application traffic, not primarily to prioritize voice traffic. Option B, SIP ALG, is wrong because the SIP ALG helps inspect and handle SIP control traffic and related media pinholes, but it is not a QoS prioritization service. Option C, AppQoE, is not the correct SRX edge service being tested here. For cloud-based VoIP under a broad outbound permit rule, AppQoS is the correct service because it can identify the VoIP application and give it better treatment during congestion. Reference topics: AppQoS, application traffic control, VoIP prioritization, DSCP rewrite, forwarding class, rate limiting.

The correct answer is B. LDAP. In Juniper identity-aware firewall deployments, the SRX Series Firewall integrates with Microsoft Active Directory so that user and group information can be used in security policy decisions. Juniper’s Active Directory identity-source documentation states that the LDAP protocol helps identify the groups to which users belong, and that username and group information are queried from the LDAP service running on the Active Directory domain controller. It also explains that the device uses Lightweight Directory Access Protocol to obtain user and group information required for Active Directory identity-source operation.

Option A, SSH, is wrong because SSH is a device management protocol, not the protocol SRX uses to query Active Directory user/group membership. Option C, DNS, is wrong because DNS can resolve names but does not provide Active Directory group mapping to the firewall. Option D, NETCONF, is wrong because NETCONF is used for network device configuration and automation, not Windows domain-controller identity queries. In a complete identity-aware firewall workflow, SRX may also use WMI/DCOM-related mechanisms to read Windows event-log data, but among the available protocol choices, LDAP is the correct answer because it is the directory protocol used to query user and group information. Reference topics: Active Directory identity source, LDAP, domain controller communication, user and group mapping.

The correct answer is A. the action taken is defined in the IDP policy that includes this attack object. The exhibit defines a custom attack object named BGP-DEFEND under the security idp custom-attack hierarchy. The custom object includes metadata such as recommended-action drop, severity critical, and signature match conditions such as BGP update AS-path context and pattern 65501. However, an attack object by itself does not determine the final enforcement behavior. The attack object defines what to match; the IDP policy rule that references the object defines what action to take when that match occurs. Juniper describes attack objects as objects used inside IDP rules to identify malicious activity, while IDP rules include rule actions such as drop-packet, drop-connection, close-client, close-server, recommended, and others.

Option B is wrong because the firewall security policy enables IDP inspection by applying an IDP policy, but the IDP action is not selected directly by the normal security policy. Options C and D are too absolute. Even though the custom object shows recommended-action drop, that is only used if the IDP rule action invokes recommended behavior. Without seeing the IDP policy rule action, you cannot conclude reject or drop. Reference topics: IDP custom attack objects, IDP policy rule actions, recommended action, signature-based attack matching.

The correct answers are A, B, and D. In Security Director, the Shared Objects workspace is used for reusable objects that can be referenced by policies across managed devices. Juniper documentation shows that address objects are created from Configure > Shared Objects > Addresses, and those address objects can be used across devices in firewall, NAT, IPS, and VPN services. This supports option B, because IP address/address objects are classic shared objects.

Option A is correct because Geo IP policies are created from Configure > Shared Objects > Geo IP. Juniper’s procedure explicitly places Geo IP under the Shared Objects path. Option D is also correct because policy enforcement groups are created from Configure > Shared Objects > Policy Enforcement Groups and are used to group endpoints such as IP addresses, subnets, or locations for policy-enforcement workflows.

Option C is wrong because audit logs are monitoring records, not reusable shared objects; Juniper places them under Monitor > Audit Logs, where they track login history and user-initiated tasks. Option E is wrong because policy rules are created and managed inside firewall, NAT, IPS, or threat policies, not as independent Shared Objects. Reference topics: Security Director, Shared Objects, address objects, Geo IP, policy enforcement groups.

The correct answer is B. ip-notify. When administrators want visibility without enforcement impact, ip-notify is the correct IP action. Juniper Security Director documentation defines IP Notify as an IP action that does not take any action against future traffic but logs the event. That is exactly the requirement in the question: traffic matching the IDP condition must not be blocked, closed, or rate-limited until administrators have reviewed the events and decided whether enforcement is appropriate.

Option A, ip-block, is wrong because it blocks future packets matching the IP action rule. That would immediately impact traffic. Option C, ip-connection-rate-limit, is wrong because it limits the connection rate and therefore changes traffic behavior before administrators complete evaluation. Option D, ip-close, is also wrong because it closes matching future sessions by sending reset packets to the client and server, which is disruptive. In a safe evaluation or tuning phase, the proper approach is to log and observe first, then move to stronger actions such as block, close, or rate-limit only after the detected condition has been validated. Reference topics: IDP IP actions, ip-notify, event logging, non-disruptive evaluation mode, IDP policy tuning.

The correct answers are B and C. To form an SRX chassis cluster, both devices must be assigned the same cluster ID and different node IDs. Juniper states that the cluster ID identifies the cluster, while the node ID identifies the individual node within that cluster. A valid two-node SRX chassis cluster uses node 0 on one chassis and node 1 on the other chassis. Juniper’s example shows the operational-mode commands as set chassis cluster cluster-id 1 node 0 reboot on the first device and set chassis cluster cluster-id 1 node 1 reboot on the second device.

Option A is wrong because cluster-id 0 disables clustering rather than forming a cluster. It also shows configuration-mode prompt #, while this chassis cluster node assignment is performed from operational mode. Option D is doubly wrong: cluster-id 0 disables clustering, and node 2 is invalid because SRX chassis cluster node IDs are limited to 0 and 1. The exam options omit the reboot keyword, but the only logically valid pair is still SRX1 as node 0 and SRX2 as node 1 under the same nonzero cluster ID. Reference topics: HA Clustering, chassis cluster ID, node ID, operational-mode cluster enablement.

The correct answers are A and D. A mobile command center using a 5G ISP behind CGNAT is operating behind dynamic address translation. For IPsec to work reliably through NAT, the SRX must support NAT Traversal, which encapsulates IKE and ESP traffic in UDP/4500 after NAT is detected. Juniper states that NAT-T is used when NAT devices exist in the datapath and that NAT keepalives are required because NAT devices age out UDP translations. Juniper’s Security Director VPN workflow also specifically says to enable NAT-T when the dynamic endpoint is behind a NAT device.

DPD is also required because mobile and carrier-grade NAT connections can disappear, roam, or become stale without a clean tunnel teardown. Juniper defines Dead Peer Detection as the method used by IPsec peers to verify whether the remote peer is still present and responsive by sending encrypted IKE notification payloads and waiting for acknowledgements. Option B is not the best answer because IKEv1 aggressive mode is weaker and does not provide identity protection; Juniper also notes that aggressive mode applies only to IKEv1. Option C is invalid because IKEv2 aggressive mode does not exist. Reference topics: IPsec VPN, NAT-T, CGNAT, dynamic endpoints, DPD, IKE peer availability.

The correct answers are A and B. In SRX chassis clustering, the fabric link, represented by fab interfaces, is the data-plane connection between the two cluster nodes. Juniper describes the fabric as the back-to-back data connection used when traffic on one node must be processed on the other node or must exit through an interface on the other node; session-state information also passes over the fabric. This is especially visible in active/active clustering, where ingress and egress interfaces can reside on different nodes and transit traffic must cross the fabric link.

Option B is also correct because the fabric link still exists in active/passive clustering for cluster data-plane synchronization and inter-node state handling, even though active/passive designs minimize fabric transit traffic because only one node normally forwards traffic at a time. Juniper specifically states that active/passive mode minimizes traffic over the fabric link, not that the fabric link is unused.

Options C and D are not the intended answers. The cluster is identified by a configured cluster ID, and each chassis is identified by a node ID, but the fabric interface names themselves are not where the cluster ID is reflected. Reference topics: HA Clustering, fabric link, active/active clustering, active/passive clustering, session synchronization, inter-node traffic.

The correct answers are A and C. In SSL forward proxy, the SRX sits between internal clients and external SSL/TLS servers. Juniper’s SSL proxy configuration documentation shows that a forward proxy profile is created when root-ca is configured and server-certificate is not configured. This root CA is used by the SRX to generate substitute certificates for intercepted SSL sessions, so internal clients must trust the CA used by the firewall. Juniper’s procedure specifically includes generating or loading a local certificate and applying it as the root-ca in the SSL proxy profile.

Option C is also correct because forward proxy terminates the client-side SSL session and establishes a separate SSL session toward the destination server. Juniper states that the SSL proxy acts as an SSL server to the client and establishes a new SSL session to the server; from the server’s perspective, the SRX is the SSL client. Option B is wrong because forward proxy intercepts the server certificate and creates a substitute certificate; forwarding the actual server certificate unchanged is associated with reverse proxy behavior. Option D is wrong because Encrypted Traffic Insights is not the required forward-proxy mechanism here. Reference topics: SSL Proxy, SSL forward proxy, root CA, client protection, certificate interception.

The correct answer is A. It uses AppID services. Juniper SSL proxy does not rely only on TCP/443 or a static destination-port assumption. It uses Application Identification services to dynamically determine whether the session is SSL/TLS encrypted. Juniper states directly that SSL proxy uses application identification services to detect whether a session is SSL encrypted, and SSL proxy is allowed only when the session is identified as encrypted. If the application system cache marks the session as Encrypted=Yes, SSL proxy can transition into proxy processing; if the session is marked Encrypted=No, SSL proxy ignores it.

Option B is wrong because packet length does not reliably identify SSL/TLS encryption. Option C is a common trap: many SSL/TLS sessions use port 443, but SSL/TLS can run on nonstandard ports, and non-SSL applications can also use port 443. Junos uses AppID to avoid that weak assumption. Option D is wrong because a CA is used to sign or validate certificates during SSL forward or reverse proxy operations; it is not the mechanism used to detect whether a session is encrypted. Reference topics: SSL Proxy, AppID, encrypted session detection, application system cache, SSL/TLS inspection.

The correct answers are B, D, and E. Security Director device onboarding depends on management reachability and valid administrative access. Juniper’s device discovery documentation states that Junos Space discovers network devices using SSH, with optional ping and SNMP, and connects to the physical device to retrieve running configuration and status information. It also explains that device authentication uses administrator login credentials, SSH credentials, SNMP settings, or keys depending on the discovery method.

Option E is required because Security Director must target a reachable management IP address or hostname. Juniper’s discovery-profile workflow explicitly uses the target IP address, hostname, IP range, or subnet to locate devices. Option D is required because invalid username/password or insufficient privileges prevent discovery and management; Juniper’s device-management guidance identifies credentials as required input for discovering devices. Option B is required because onboarding uses SSH, so the correct SSH service and port must be reachable. Juniper’s device access procedure explicitly includes a Port field for the SSH connection.

Option A is wrong because chassis serial number is not the normal troubleshooting field for Security Director discovery. Option C is wrong because active security policies do not determine whether Security Director can initially discover and onboard the device. Reference topics: Security Director, device discovery, SSH access, management IP reachability, authentication credentials.