Juniper JN0-335 - Security, Specialist (JNCIS-SEC)

The cSRX is a containerized version of the SRX Series firewall that provides advanced security services, including content security, AppSecure, and unified threat management (UTM) in the form of a container1. The cSRX supports easy, flexible, and highly scalable deployment options covering various customer use cases, including application protection, microsegmentation, or as an edge gateway for secure IoT deployments through a Docker container management solution2. The cSRX also supports SDN via Contrail Enterprise Multicloud, OpenContrail, and other third-party solutions2. The cSRX also integrates with other next-generation cloud orchestration tools such as Kubernetes3.

The cSRX supports firewall, NAT, IPS, and UTM services, so option A is incorrect1. The cSRX does not only support Layer 2 “bump-in-the-wire” deployments, but also Layer 3 deployments with routing protocols such as BGP, OSPF, and IS-IS, so option B is correct4. The cSRX supports BGP, OSPF, and IS-IS routing services, so option C is correct4. The cSRX does not have three default zones, but instead inherits the zones from the host SRX Series device, so option D is incorrect5. References:

1: cSRX Container Firewall | Juniper Networks US

2: cSRX Container Firewall Datasheet | Juniper Networks US

3: Understanding cSRX with Kubernetes - Juniper Networks

4: Extending Security to All Points of Connection: Containerized Security …

5: cSRX Container Firewall | Juniper Networks UK&I

= The vSRX is a virtual firewall that offers the same features as the physical SRX Series firewalls, but in a virtualized form factor for delivering security services that scale to match network demand. The vSRX supports Juniper Contrail Networking and third-party software-defined networking (SDN) solutions, which enable dynamic and automated network provisioning and management. The vSRX also integrates with cloud orchestration tools such as OpenStack, which allow for flexible deployment and configuration of virtual machines and networks. The vSRX provides granular security for the workloads that run within the virtual network on the public or private cloud. It supports next-generation firewall capabilities, such as application security, intrusion prevention, user identity, and role-based access control. It also supports advanced threat prevention features, such as malware sandboxing, threat intelligence feeds, and encrypted traffic inspection. The vSRX can protect the network from both internal and external threats, and enforce consistent security policies across the entire network. References:

vSRX Virtual Firewall | Juniper Networks US

vSRX Documentation | Juniper Networks

Understand vSRX Virtual Firewall with Microsoft Azure Cloud

AppTrack is a logging and reporting tool that provides statistics for analyzing bandwidth usage of your network. When enabled, AppTrack collects byte, packet, and duration statistics for application flows in the specified zone. AppTrack sends log messages through syslog, providing application activity update messages. AppTrack can be used to share information for application visibility with devices such as Security Threat Response Manager (STRM)12 References:

1: Application Tracking | Junos OS | Juniper Networks

2: application-tracking | Junos OS | Juniper Networks

References:

[SRX] Behavior of active sessions when modifying a security policy1

 A chassis cluster is a pair of SRX Series devices that are connected and configured to operate as a single node, providing high availability and load balancing for traffic flows1. A chassis cluster consists of two nodes: one primary and one secondary. Each node can host one or more redundancy groups, which are logical entities that group the interfaces and services that need to fail over together in case of a node failure2. Redundancy group 0 is a special group that monitors the control plane of the cluster, such as the routing engine and the control link. Redundancy group 0 is always active on the primary node and standby on the secondary node3. Therefore, option A is false. Each chassis cluster member requires a unique node ID value, which can be either 0 or 1, to identify itself within the cluster4. However, the cluster ID value is the same for both nodes, and it is used to identify the cluster as a whole. Therefore, option B is false. Each chassis cluster member device can host active redundancy groups, depending on the configuration and the status of the nodes. By default, the primary node hosts all the redundancy groups, but you can configure some groups to be preempted by the secondary node if it has a higher priority or load-sharing between the nodes if they have the same priority. Therefore, option C is true. Chassis cluster member devices must be the same model, because different models have different hardware and software specifications that may not be compatible with each other in a cluster. Therefore, option D is true. References:

Chassis Cluster User Guide for SRX Series Devices

Understanding Chassis Cluster Redundancy Groups

Understanding Redundancy Group 0

Understanding Chassis Cluster Node IDs

[Understanding Chassis Cluster Cluster IDs]

[Configuring Chassis Cluster Redundancy Group Settings]

[Chassis Cluster Feature Guide for SRX Series Devices]

 The policy rematch feature enables the device to reevaluate an active session when its associated security policy is modified. The session remains open if it still matches the policy that allowed the session initially. The session is closed if its associated policy is renamed, deactivated, or deleted1

When a policy change includes changing the policy’s action from permit to deny, all existing sessions are dropped. This is because the policy rematch feature does not allow a session to continue if it violates the new policy action1

When a policy change includes changing the policy’s source or destination address match condition, all existing sessions are reevaluated. This is because the policy rematch feature tries to find a suitable policy that can still permit the session based on the new address criteria. If no such policy exists, the session is dropped12

References: 1: policy-rematch | Junos OS | Juniper Networks 2: What is session rematch and how to use it to avoid traffic disruption during a policy update via NSM - Juniper Networks

The count logging parameter displays the number of packets that match the firewall filter term in a tabular format. The count parameter also creates a counter that you can view with the show firewall command. The other logging parameters (permit, session-init, and session-close) do not show tabular data, but rather log the packets that match the term to a system log file or a user-specified file. References:

Understanding Firewall Filter Counters

Configuring Firewall Filter Counters

show firewall

Referring to the SRX Series flow module diagram shown in the exhibit, application security is processed at the Services ALGs stage. Application Layer Gateways (ALGs) are software components that enable the SRX Series device to provide application-level security for specific protocols and applications1.

ALGs inspect the application layer payload of packets and perform various actions, such as modifying the payload, opening pinholes, creating sessions, applying security policies, and enforcing application-specific behavior12.

ALGs are required for protocols and applications that embed IP address information or port numbers in the application layer data, that open secondary connections, or that are dynamically assigned ports1. Some examples of protocols and applications that require ALGs are FTP, SIP, H.323, RTSP, PPTP, and DNS2.

ALGs are configured as part of the security policy and are applied to the traffic that matches the policy criteria. ALGs can also be enabled or disabled globally or per zone12.

References:

1: Application Layer Gateways Overview

2: Application Layer Gateways Feature Guide for Security Devices

JIMS server is a Windows service application that collects and maintains user, device, and group information from Active Directory domains or syslog sources. JIMS server uses the Windows event logs to obtain user login and logout information from the domain controllers and Exchange servers. Therefore, to enable JIMS server to view the event logs, you need to perform the following actions:

Enable remote event log management within Windows Firewall on the necessary domain controllers and Exchange servers. This allows JIMS server to access the event logs on these servers remotely. You can do this by using the Windows Firewall with Advanced Security snap-in or by using the netsh command. For example, to enable remote event log management on a domain controller, you can use the following command:

netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes

Enable remote event log management within Windows Firewall on the JIMS server. This allows JIMS server to receive the event logs from the domain controllers and Exchange servers. You can do this by using the same method as above. For example, to enable remote event log management on the JIMS server, you can use the following command:

netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes

Option C and Option D show the correct actions for solving this issue. Option A and Option B are incorrect because they are not related to the JIMS server’s ability to view the event logs. Host-inbound-traffic rules are used to control the traffic that is allowed to reach the SRX Series devices, not the JIMS server. Enabling remote event log management on the Exchange servers is not necessary if JIMS server does not need to collect user information from them.

References: Juniper Security, Specialist (JNCIS-SEC) Reference Materials and Juniper Security, Professional (JNCIP-SEC) Reference Materials