Juniper JN0-335 - Security, Specialist (JNCIS-SEC)

A stateful firewall in SRX Series devices keeps track of the state of network connections, distinguishing legitimate packets for different types of connections and allowing only packets that match a known active connection. Sessions are created when a TCP SYN packet is received and permitted by the security policy1.

A security policy is a set of rules that defines how traffic is processed by the SRX Series device. A security policy applies the security rules to the transit traffic within a context (from-zone to to-zone) and each policy is uniquely identified by its name. The traffic is classified by matching the source and destination zones, the source and destination addresses, and the application that the traffic carries in its protocol headers with the policy database in the data plane2.

A Layer 3 route is a path that a packet takes to reach its destination based on the destination IP address. The SRX Series device performs a longest-match Layer 3 route table lookup to determine the next hop for the packet3.

An Application Layer Gateway (ALG) is a software component that provides application-level awareness, security, and control for specific protocols. An ALG inspects the application-layer payload of a packet and modifies it if necessary to allow the application to traverse the SRX Series device. For example, an ALG can rewrite IP addresses and port numbers in the payload of FTP or SIP packets4.

The sequence that an SRX Series device uses when implementing stateful session security policies using Layer 3 routes is as follows3:

The SRX Series device receives a packet and conducts a longest-match Layer 3 route table lookup to determine the next hop for the packet.

The SRX Series device performs a security policy search to find a matching policy for the packet based on the source and destination zones, addresses, and application.

If a matching policy is found, the SRX Series device checks the action of the policy, which can be permit, deny, reject, or tunnel. If the action is permit, the SRX Series device allows the packet to pass through and creates a session for the packet. If the action is deny or reject, the SRX Series device drops the packet and sends an ICMP message to the sender. If the action is tunnel, the SRX Series device encapsulates the packet and forwards it to the tunnel destination.

If the packet requires an ALG, the SRX Series device applies the ALG to the packet and modifies the payload if necessary. The ALG also creates additional sessions for the packet if needed.

The SRX Series device forwards the packet to the next hop based on the routing information.

References:

1: Traffic Processing on SRX Series Firewalls Overview | Junos OS | Juniper Networks

2: Best Practices for Defining Policies on High-End SRX Series Devices - TechLibrary - Juniper Networks

3: [SRX] Example: Configuring TCP SYN Check options on a per-policy basis

4: Application Layer Gateways Overview | Junos OS | Juniper Networks

A vSRX is a virtualized security platform that runs on various hypervisors and cloud environments. It provides firewall and NAT services, as well as other security features, such as IPS, VPN, UTM, and AppSecure. A single vSRX can fulfill the minimum requirements for providing firewall and NAT services in a private cloud, as it can be deployed as a gateway or an edge device, and can scale up or down as needed. A vSRX can also interoperate with other Juniper and third-party products, such as Contrail Networking, Junos Space Security Director, and Sky ATP. A single vSRX is more cost-effective and simpler to manage than having separate vSRX instances for firewall and NAT services. A cSRX is a containerized version of vSRX that runs on Linux-based platforms. It provides similar security features as vSRX, but with a smaller footprint and faster deployment. However, a cSRX is not yet supported on all cloud environments, and it may have some limitations compared to vSRX, such as lower throughput and fewer interfaces. Therefore, a single cSRX may not be able to fulfill the minimum requirements for providing firewall and NAT services in a private cloud, depending on the specific cloud platform and the performance and scalability needs. A cSRX for firewall services and a separate cSRX for NAT services would also introduce more complexity and overhead than a single vSRX. References: vSRX Overview, cSRX Overview, JNCIP-SEC Certification

The fab interface is the data link between the nodes of a chassis cluster and is used to forward traffic between the chassis and to synchronize the data plane software’s dynamic runtime state. Real-time objects (RTOs) are exchanged on the fab interface to maintain session synchronization for operations such as authentication, NAT, ALGs, and IPsec. In an active/active configuration, inter-chassis transit traffic is sent over the fab interface, as traffic arriving on a node that needs to be processed on the other or traffic processed on a node that needs to exit through an interface on the other is forwarded over the fabric. The fab interface does not enable configuration synchronization, as this is done by the control link. Heartbeat signals sent on the fab interface monitor the health of the data plane link, not the control plane link. References: Chassis Cluster Fabric Interfaces, HA Chassis cluster, difference between Swfab and Fab

The fab interface is a physical connection between two nodes of a chassis cluster that is used to forward traffic and synchronize session state between the nodes. The fab interface can be any pair of Ethernet interfaces on the same LAN, but they must be the same media type. You need to specify the physical interfaces to be used for the fab link in the configuration, as the system does not determine them automatically. The Junos OS supports only one fab link per node, and it does not support traditional interface features such as IP addressing, routing protocols, or firewall filters. The fab interface is assigned an internally derived IP address by the system for packet transmission. Thefab link also does not support fragmentation, so the MTU size of the fab interface must be equal to or greater than the MTU size of the largest interface in the cluster. References:

Chassis Cluster Fabric Interfaces

HA Chassis cluster, difference between Swfab and Fab

AppQoS is a service that allows you to prioritize and manage the quality of service (QoS) for different types of applications on SRX Series devices. AppQoS uses application signatures to identify and classify the traffic, and then applies QoS policies to assign bandwidth, priority, and scheduling parameters to the traffic. AppQoS can help you optimize the performance of critical applications, such as VoIP, and ensure that they get the required bandwidth and latency in a congested network12. In this scenario, you can use AppQoS to prioritize the VoIP traffic over other traffic and guarantee its QoS on the SRX Series device at the branch office. References:

Understanding Application Quality of Service

Configuring Application Quality of Service

 Juniper ATP Cloud profiles let you define which files to send to the cloud for inspection. You can group types of files to be scanned together (such as.tar,.exe, and.java) under a common name and create multiple profiles based on the content you want scanned. Then enter the profile names on eligible SRX Series devices to apply them1. To update a custom profile, you can use the ATP Cloud Ul and navigate to Configure > File Inspection Management > Profiles. There you can edit the existing profile and change the scan limit for executable files to 30 MB, while keeping the scan limit for other files at 10 MB. This way, you can scan larger executable files without increasing the scan time for other file types. References: File Inspection Profiles Overview

Based on the information from the exhibit, node0 is the primary node for both redundancy group 0 (RG0) and redundancy group 1 (RG1). RG0 is responsible for the control plane, which includes the Routing Engine and the management interface. RG1 is responsible for the data plane, which includes the interfaces and services. Therefore, node0 is the active node for the data plane, and node1 is the active node for the control plane34 References:

Chassis Cluster Redundancy Groups | Junos OS | Juniper Networks

Troubleshooting a Redundancy Group that Does Not Fail Over in an SRX Chassis Cluster | Junos OS | Juniper Networks

Understanding Chassis Cluster Redundancy Group 0: Routing Engines | Junos OS | Juniper Networks

Understanding Chassis Cluster Redundancy Groups 1 Through 128 | Junos OS | Juniper Networks

The DNS ALG is an application layer gateway that handles data associated with locating and translating domain names into IP addresses. The DNS ALG supports the following features:

DDNS: The DNS ALG supports dynamic DNS (DDNS), which allows hosts to update their DNS records dynamically when their IP addresses change. The DNS ALG monitors the DDNS update messages and performs the necessary address transformations2

DNS doctoring: The DNS ALG performs DNS doctoring, which is a process of modifying the DNS responses to match the NAT address translation. This is done to resolve the problems introduced by NAT, such as the mismatch between the internal and external IP addresses of a host. The DNS ALG performs the IPv4 and IPv6 address transformations for both DNS and DDNS responses2

The DNS ALG does not support VPN tunnels or NAT itself. The DNS ALG works with NAT, but does not perform NAT. The DNS ALG only supports UDP traffic, not TCP traffic2 References:

1: Juniper Security Specialist (JNCIS-SEC) (JN0-334) | Study Guide 3

2: Junos OS Security Configuration Guide | DNS ALG 1

Cluster failovers occur when one node in a chassis cluster becomes inactive or unreachable, and the other node takes over the processing of traffic and services. To control when cluster failovers occur, you can configure two specific parameters on an SRX Series device: heartbeat-interval and heartbeat-threshold12.

Heartbeat-interval is the time interval, in milliseconds, between heartbeat messages sent by each node to the other node. The default value is 1000 ms. You can configure the heartbeat-interval value from 100 through 3000 ms1.

Heartbeat-threshold is the number of consecutive heartbeat messages that can be missed before a node is considered to be down. The default value is 3. You can configure the heartbeat-threshold value from 2 through 2551.

The combination of heartbeat-interval and heartbeat-threshold determines the failover time, which is the maximum time it takes for a node to detect the failure of the other node and initiate a failover. The failover time is calculated as follows: failover time = heartbeat-interval x heartbeat-threshold1.

For example, if the heartbeat-interval is 1000 ms and the heartbeat-threshold is 3, the failover time is 3000 ms. This means that if a node does not receive three consecutive heartbeat messages from the other node within 3000 ms, it will assume that the other node is down and initiate a failover1.

You can configure the heartbeat-interval and heartbeat-threshold parameters using the set chassis cluster redundancy-group group-id node node-id priority priority heartbeat-interval interval heartbeat-threshold threshold command1.

References:

1: Configuring Chassis Cluster Redundancy Group Properties | Junos OS | Juniper Networks

2: Example: Configuring an Active/Passive Cluster Deployment | Junos OS | Juniper Networks

References: SSL Proxy Overview Configuring Certificate Authority Profiles Configuring a Root CA Certificate