Juniper JN0-636 Practice Test - Questions Answers, Page 10
You want traffic to avoid the flow daemon for administrative tasks.

In this scenario, which two stateless services are available with selective stateless packet-based services? (Choose two.)

A. Layer 2 switching
B. IPv4 routing
C. IPsec
D. IPv6 routing
Suggested answer: A, B

Explanation:

You want traffic to avoid the flow daemon for administrative tasks. In this scenario, the two stateless services that are available with selective stateless packet-based services are:

A) Layer 2 switching. Layer 2 switching is a stateless service that forwards packets based on the MAC addresses of the source and destination hosts. Layer 2 switching does not require any routing or flow processing, and can be performed by the Packet Forwarding Engine (PFE) of the SRX Series device.

You can use selective stateless packet-based services to enable Layer 2 switching for traffic that matches a stateless firewall filter. The firewall filter must have the packet-mode action modifier to bypass the flow daemon [1].

B) IPv4 routing. IPv4 routing is a stateless service that forwards packets based on the IP addresses of the source and destination hosts. IPv4 routing does not require any flow processing, and can be performed by the PFE of the SRX Series device. You can use selective stateless packet-based services to enable IPv4 routing for traffic that matches a stateless firewall filter. The firewall filter must have the packet-mode action modifier to bypass the flow daemon [1].

The other options are incorrect because:

C) IPsec. IPsec is a stateful service that provides security and encryption for IP packets. IPsec requires flow processing, and cannot be performed by the PFE of the SRX Series device. You cannot use selective stateless packet-based services to enable IPsec for traffic that matches a stateless firewall filter. The firewall filter cannot have the packet-mode action modifier to bypass the flow daemon [2].

D) IPv6 routing. IPv6 routing is a stateful service that forwards packets based on the IP addresses of the source and destination hosts. IPv6 routing requires flow processing, and cannot be performed by the PFE of the SRX Series device. You cannot use selective stateless packet-based services to enable IPv6 routing for traffic that matches a stateless firewall filter. The firewall filter cannot have the packet-mode action modifier to bypass the flow daemon [3].

Reference:

Selective Stateless Packet-Based Services Overview

IPsec VPN Overview

IPv6 Overview
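As an added example (it is not from the original page or from Juniper's documentation), the following Junos configuration shows the setup the explanation describes: an IPv4 firewall filter whose term carries the packet-mode action modifier, so matching administrative traffic is forwarded by the PFE and bypasses the flow daemon, while all other traffic still goes through flow processing. The filter name, term names, interface names and the 192.0.2.0/24 management prefix are assumptions.

```junos
/* Assumed example: names and prefixes are placeholders, not a real deployment. */
firewall {
    family inet {
        filter bypass-flow-admin {
            /* Only traffic from the management prefix is handled statelessly.
               packet-mode is an action modifier: the packet is forwarded by the
               PFE (IPv4 routing here) and never enters flowd, so no session,
               screen, NAT or IPsec processing applies to it. */
            term admin-packet-mode {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                }
                then {
                    packet-mode;
                    accept;
                }
            }
            /* Everything else stays stateful: a plain accept hands the packet
               to flow processing instead of bypassing it. */
            term default-flow {
                then accept;
            }
        }
    }
}
interfaces {
    /* Apply the filter as an input filter on every interface where the
       administrative traffic enters, so both directions of an exchange
       bypass flowd; a flow-mode reply to a packet-mode request would be
       dropped because flowd has no session for it. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input bypass-flow-admin;
                }
                address 192.0.2.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input bypass-flow-admin;
                }
                address 198.51.100.1/24;
            }
        }
    }
}
```

Keep the packet-mode term as narrow as the source prefix allows: anything it matches is exempt from the stateful checks the SRX would otherwise apply.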

You are connecting two remote sites to your corporate headquarters site. You must ensure that traffic passes through the corporate headquarters.

In this scenario, which VPN should be used?

A. full mesh IPsec VPNs with tunnels between all sites
B. a full mesh Layer 3 VPN with the BGP route reflector behind the corporate firewall device
C. a Layer 3 VPN with the corporate firewall acting as the hub device
D. hub-and-spoke IPsec VPN with the corporate firewall acting as the hub device
Suggested answer: D

Explanation:

You are connecting two remote sites to your corporate headquarters site. You must ensure that traffic passes through the corporate headquarters. In this scenario, the VPN that should be used is:

D) Hub-and-spoke IPsec VPN with the corporate firewall acting as the hub device. A hub-and-spoke IPsec VPN is a type of VPN that connects multiple remote sites to a central site, or hub, over a public network. The hub site acts as a gateway for the remote sites and provides security and routing services. The remote sites, or spokes, communicate with each other through the hub site. The hub site and the spoke sites use IPsec tunnels to encrypt and authenticate the traffic between them. A hub-and-spoke IPsec VPN is suitable for connecting two remote sites to your corporate headquarters site, because it allows you to control the traffic flow and enforce security policies at the hub site. The corporate firewall can act as the hub device and provide IPsec VPN services to the remote sites [1].

The other options are incorrect because:

A) Full mesh IPsec VPNs with tunnels between all sites. A full mesh IPsec VPN is a type of VPN that connects every site to every other site over a public network. Each site has an IPsec tunnel with every other site, forming a mesh topology. A full mesh IPsec VPN provides direct and secure communication between any pair of sites, but it also requires a large number of IPsec tunnels and complex configuration. A full mesh IPsec VPN is not suitable for connecting two remote sites to your corporate headquarters site, because it does not ensure that traffic passes through the corporate headquarters site, and it may introduce unnecessary overhead and complexity [2].

B) A full mesh Layer 3 VPN with the BGP route reflector behind the corporate firewall device. A full mesh Layer 3 VPN is a type of VPN that uses MPLS and BGP to provide Layer 3 connectivity and routing between multiple sites over a service provider's network. Each site has a BGP session with every other site, forming a full mesh topology. A BGP route reflector is a device that reduces the number of BGP sessions required in a full mesh topology by reflecting routes between its clients. A full mesh Layer 3 VPN with the BGP route reflector behind the corporate firewall device is not suitable for connecting two remote sites to your corporate headquarters site, because it does not ensure that traffic passes through the corporate firewall device, and it may require additional configuration and coordination with the service provider [3].

C) A Layer 3 VPN with the corporate firewall acting as the hub device. A Layer 3 VPN is a type of VPN that uses MPLS and BGP to provide Layer 3 connectivity and routing between multiple sites over a service provider's network. A Layer 3 VPN can have different topologies, such as full mesh, hub-and-spoke, or partial mesh. A Layer 3 VPN with the corporate firewall acting as the hub device is not suitable for connecting two remote sites to your corporate headquarters site, because the corporate firewall may not support MPLS and BGP, and it may require additional configuration and coordination with the service provider [3].

Reference:

Hub-and-Spoke VPNs Overview

Full Mesh VPNs Overview

Layer 3 VPNs Overview

You must set up a DDoS solution for your ISP. The solution must be agile and not block legitimate traffic.

Which two products will accomplish this task? (Choose two.)

A. Contrail Insights
B. MX Series device
C. Corero SmartWall TDD
D. SRX Series device
Suggested answer: B, C

Explanation:

You must set up a DDoS solution for your ISP. The solution must be agile and not block legitimate traffic. The two products that will accomplish this task are:

B) MX Series device. MX Series devices are high-performance routers that can provide DDoS protection at the network edge by integrating with Corero SmartWall Threat Defense Director (TDD) software. MX Series devices can leverage the packet processing capabilities of the MX-SPC3 Services Card to perform real-time DDoS detection and mitigation at line rate, scaling from 50 Gbps to 40 Tbps. MX Series devices can also use Juniper Networks Security Intelligence (SecIntel) to receive threat intelligence feeds from Juniper ATP Cloud or Juniper Threat Labs and apply them to the security policies. MX Series devices can provide an agile and effective DDoS solution for your ISP without blocking legitimate traffic [1][2].

C) Corero SmartWall TDD. Corero SmartWall TDD is a software solution that runs on MX Series devices and PTX Series devices to provide DDoS protection at the network edge. Corero SmartWall TDD uses behavioral analytics and detailed network visibility to detect and block DDoS attacks in seconds, without affecting the normal traffic. Corero SmartWall TDD can also provide advanced protection from "carpet bombing" attacks, 5G DDoS visibility, and a multi-tenant portal for as-a-service offerings or views by department within an enterprise. Corero SmartWall TDD can provide an agile and effective DDoS solution for your ISP without blocking legitimate traffic [3][4].

The other options are incorrect because:

A) Contrail Insights. Contrail Insights is a software solution that provides network analytics and visibility for cloud and data center environments. Contrail Insights can help you monitor, troubleshoot, and optimize the performance and security of your network, but it does not provide DDoS protection by itself. Contrail Insights can integrate with other Juniper products, such as Contrail Enterprise Multicloud, Contrail Service Orchestration, and AppFormix, to provide a comprehensive network management solution, but it is not a DDoS solution for your ISP [5].

D) SRX Series device. SRX Series devices are high-performance firewalls that can provide DDoS protection at the network perimeter by integrating with Juniper ATP Cloud and Juniper Threat Labs. SRX Series devices can use SecIntel to receive threat intelligence feeds from Juniper ATP Cloud or Juniper Threat Labs and apply them to the security policies. SRX Series devices can also use IDP to detect and prevent application-level attacks, such as SQL injection, cross-site scripting, and buffer overflow. SRX Series devices can provide a robust and effective DDoS solution for your network, but they are not designed to handle high-volume DDoS attacks at the network edge, as MX Series devices and Corero SmartWall TDD are.

Reference:

Juniper and Corero Joint DDoS Protection Solution

MX-SPC3 Services Card Overview

Corero SmartWall Threat Defense Director (TDD)

Juniper Networks and Corero: A Modern Approach to DDoS Protection at Scale

Contrail Insights Overview

SRX Series Services Gateways

Juniper Networks Security Intelligence (SecIntel)

Your company wants to take your Juniper ATP Appliance into private mode. You must give them a list of impacted features for this request.

Which two features are impacted in this scenario? (Choose two.)

A. False Positive Reporting
B. Threat Progression Monitoring
C. GSS Telemetry
D. Cyber Kill Chain mapping
Suggested answer: A, C

Explanation:

Your company wants to take your Juniper ATP Appliance into private mode. You must give them a list of impacted features for this request. The two features that are impacted in this scenario are:

A) False Positive Reporting. False Positive Reporting is a feature that allows you to report false positive detections to Juniper Networks for analysis and improvement. False Positive Reporting requires an Internet connection to send the reports to Juniper Networks. If you take your Juniper ATP Appliance into private mode, False Positive Reporting will be disabled and you will not be able to report false positives [1].

C) GSS Telemetry. GSS Telemetry is a feature that allows you to send anonymized threat data to Juniper Networks for analysis and improvement. GSS Telemetry requires an Internet connection to send the data to Juniper Networks. If you take your Juniper ATP Appliance into private mode, GSS Telemetry will be disabled and you will not be able to contribute to the threat intelligence community [2].

The other options are incorrect because:

B) Threat Progression Monitoring. Threat Progression Monitoring is a feature that allows you to monitor the threat activity and progression across your network. Threat Progression Monitoring does not require an Internet connection and can be performed locally by the Juniper ATP Appliance. If you take your Juniper ATP Appliance into private mode, Threat Progression Monitoring will not be impacted and you will still be able to monitor the threat activity and progression [3].

D) Cyber Kill Chain mapping. Cyber Kill Chain mapping is a feature that allows you to map the threat activity and progression to the stages of the Cyber Kill Chain framework. Cyber Kill Chain mapping does not require an Internet connection and can be performed locally by the Juniper ATP Appliance. If you take your Juniper ATP Appliance into private mode, Cyber Kill Chain mapping will not be impacted and you will still be able to map the threat activity and progression [4].

Reference:

False Positive Reporting

GSS Telemetry

Threat Progression Monitoring

Cyber Kill Chain Mapping

A company wants to partition their physical SRX Series firewall into multiple logical units and assign each unit (tenant) to a department within the organization. You are the primary administrator of the firewall and a colleague is the administrator for one of the departments.

Which two statements are correct about your colleague? (Choose two.)

A. The colleague can configure the resources allocated and routing protocols.
B. The colleague can access and view the resources of the tenant system.
C. The colleague can create and assign logical interfaces to the tenant system.
D. The colleague can modify the number of allocated resources for the tenant system.
Suggested answer: B, C

Explanation:

A company wants to partition their physical SRX Series firewall into multiple logical units and assign each unit (tenant) to a department within the organization. You are the primary administrator of the firewall and a colleague is the administrator for one of the departments. The two statements that are correct about your colleague are:

B) The colleague can access and view the resources of the tenant system. A tenant system is a type of logical system that is created and managed by the primary administrator of the firewall. A tenant system has its own discrete administrative domain, logical interfaces, routing instances, security policies, and other features. The primary administrator can assign a tenant system to a department within the organization and delegate the administration of the tenant system to a colleague. The colleague can access and view the resources of the tenant system, such as the allocated CPU, memory, and bandwidth, and the configured interfaces, zones, and policies [1].

C) The colleague can create and assign logical interfaces to the tenant system. A logical interface is a software interface that represents a subset of the physical interface. A logical interface can have its own address, encapsulation, and routing parameters. The primary administrator can allocate a number of logical interfaces to a tenant system and allow the colleague to create and assign logical interfaces to the tenant system. The colleague can configure the logical interfaces with the appropriate address, encapsulation, and routing parameters for the tenant system [2].

The other statements are incorrect because:

A) The colleague cannot configure the resources allocated and routing protocols. The resources allocated and routing protocols are configured by the primary administrator of the firewall. The primary administrator can allocate a fixed amount of resources, such as CPU, memory, and bandwidth, to a tenant system and specify the routing protocols that are allowed for the tenant system. The colleague cannot modify the resources allocated or routing protocols for the tenant system [1].

D) The colleague cannot modify the number of allocated resources for the tenant system. The number of allocated resources for the tenant system is configured by the primary administrator of the firewall. The primary administrator can allocate a fixed amount of resources, such as CPU, memory, and bandwidth, to a tenant system and monitor the resource usage of the tenant system. The colleague cannot modify the number of allocated resources for the tenant system [1].

Reference:

Understanding Tenant Systems

Understanding Logical Interfaces

You are required to secure a network against malware. You must ensure that in the event that a compromised host is identified within the network, the host is isolated from the rest of the network.

In this scenario, after a threat has been identified, which two components are responsible for enforcing MAC-level infected host?

A. SRX Series device
B. Juniper ATP Appliance
C. Policy Enforcer
D. EX Series device
Suggested answer: C, D

Explanation:

You are required to secure a network against malware. You must ensure that in the event that a compromised host is identified within the network, the host is isolated from the rest of the network.

In this scenario, after a threat has been identified, the two components that are responsible for enforcing MAC-level infected host are:

C) Policy Enforcer. Policy Enforcer is a software solution that integrates with Juniper ATP Cloud and Juniper ATP Appliance to provide automated threat remediation across the network. Policy Enforcer can receive threat intelligence feeds from Juniper ATP Cloud or Juniper ATP Appliance and apply them to the security policies on the SRX Series devices and the EX Series devices. Policy Enforcer can also enforce MAC-level infected host, which is a feature that allows you to quarantine a compromised host by blocking its MAC address on the switch port. Policy Enforcer can communicate with the EX Series devices and instruct them to apply the MAC-level infected host policy to the infected host [1].

D) EX Series device. EX Series devices are Ethernet switches that can provide Layer 2 and Layer 3 switching capabilities and security features. EX Series devices can integrate with Policy Enforcer and Juniper ATP Cloud or Juniper ATP Appliance to provide automated threat remediation across the network. EX Series devices can support MAC-level infected host, which is a feature that allows them to quarantine a compromised host by blocking its MAC address on the switch port. EX Series devices can receive instructions from Policy Enforcer and apply the MAC-level infected host policy to the infected host [2].

The other options are incorrect because:

A) SRX Series device. SRX Series devices are high-performance firewalls that can provide Layer 3 and Layer 4 security features and integrate with Juniper ATP Cloud or Juniper ATP Appliance to provide advanced threat prevention. SRX Series devices can receive threat intelligence feeds from Juniper ATP Cloud or Juniper ATP Appliance and apply them to the security policies. However, SRX Series devices cannot enforce MAC-level infected host, which is a feature that requires Layer 2 switching capabilities and is supported by EX Series devices [3].

B) Juniper ATP Appliance. Juniper ATP Appliance is a hardware solution that provides advanced threat prevention by detecting and blocking malware, ransomware, and other cyberattacks. Juniper ATP Appliance can analyze the network traffic and identify the compromised hosts based on their behavior and communication patterns. Juniper ATP Appliance can also send threat intelligence feeds to Policy Enforcer and SRX Series devices to enable automated threat remediation across the network. However, Juniper ATP Appliance cannot enforce MAC-level infected host, which is a feature that requires Layer 2 switching capabilities and is supported by EX Series devices.

Reference:

Policy Enforcer Overview

EX Series Switches Overview

SRX Series Services Gateways Overview

Juniper ATP Appliance Overview


Exhibit:

You are troubleshooting a firewall filter shown in the exhibit that is intended to log all traffic and block only inbound telnet traffic on interface ge-0/0/3.

How should you modify the configuration to fulfill the requirements?

A. Modify the log-all term to add the next term action
B. Delete the log-all term
C. Add a term before the log-all term that blocks Telnet
D. Apply a firewall filter to the loopback interface that blocks Telnet traffic
Suggested answer: A

Explanation:

To modify the configuration to fulfill the requirements, you need to modify the log-all term to add the next term action. The other options are incorrect because:

B) Deleting the log-all term would prevent logging all traffic, which is one of the requirements. The log-all term matches all traffic from any source address and logs it to the system log file [1].

C) Adding a term before the log-all term that blocks Telnet would also prevent logging all traffic, because the log-all term would never be reached. The firewall filter evaluates the terms in sequential order and applies the first matching term. If a term before the log-all term blocks Telnet, then the log-all term would not match any traffic and no logging would occur [2].

D) Applying a firewall filter to the loopback interface that blocks Telnet traffic would not block inbound Telnet traffic on interface ge-0/0/3, which is another requirement. The loopback interface is a logical interface that is always up and reachable. It is used for routing and management purposes, not for filtering traffic on physical interfaces [3].

Therefore, the correct answer is A. You need to modify the log-all term to add the next term action.

The next term action instructs the firewall filter to continue evaluating the subsequent terms after matching the current term. This way, the log-all term would log all traffic and then proceed to the block-telnet term, which would block only inbound Telnet traffic on interface ge-0/0/3 [4]. To modify the log-all term to add the next term action, you need to perform the following steps:

Enter the configuration mode: user@host> configure

Navigate to the firewall filter hierarchy: user@host# edit firewall family inet filter block-telnet

Add the next term action to the log-all term: user@host# set term log-all then next term

Commit the changes: user@host# commit

Reference:

log (Firewall Filter Action)

Firewall Filter Configuration Overview

loopback (Interfaces)

next term (Firewall Filter Action)
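The exhibit itself is not included on this page, so the following is an added, assumed reconstruction of the filter as it should look after the four steps above (it is not the page's exhibit and not Juniper's own text). The filter name block-telnet and the term names log-all and block-telnet follow the explanation; the final allow-rest term is an assumption, added because a Junos firewall filter ends in an implicit discard and the requirement is to block only Telnet.

```junos
/* Assumed reconstruction of the filter after "set term log-all then next term". */
firewall {
    family inet {
        filter block-telnet {
            /* No from clause, so every packet matches. log records it, and
               next term hands the packet to the following term instead of
               ending evaluation here; without next term the packet would be
               accepted by this term and the Telnet block never reached. */
            term log-all {
                then {
                    log;
                    next term;
                }
            }
            /* Reached only because of next term: drops inbound Telnet. */
            term block-telnet {
                from {
                    protocol tcp;
                    destination-port telnet;
                }
                then {
                    discard;
                }
            }
            /* Assumed: an explicit accept, because the implicit discard at the
               end of the filter would otherwise drop all remaining traffic. */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/3 {
        unit 0 {
            family inet {
                filter {
                    /* input only: the requirement is inbound Telnet on ge-0/0/3 */
                    input block-telnet;
                }
            }
        }
    }
}
```

After the commit, the log action writes to the firewall log buffer that show firewall log displays; use syslog in the term instead if the records must reach the system log file.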

You configured a security policy permitting traffic from the trust zone to the untrust zone, but your traffic is not hitting the policy.

In this scenario, which CLI command allows you to troubleshoot the traffic problem using the match criteria?

A. show security policy-report
B. show security application-tracking counters
C. show security match-policies
D. request security policies check
Suggested answer: C

Explanation:

To troubleshoot the traffic problem using the match criteria, you need to use the show security match-policies CLI command. The other options are incorrect because:

A) The show security policy-report CLI command displays the policy report, which is a summary of the policy usage statistics, such as the number of sessions, bytes, and packets that match each policy. It does not show the match criteria or the reason why the traffic is not hitting the policy [1].

B) The show security application-tracking counters CLI command displays the application tracking counters, which are the statistics of the application usage, such as the number of sessions, bytes, and packets that match each application. It does not show the match criteria or the reason why the traffic is not hitting the policy [2].

D) The request security policies check CLI command checks the validity and consistency of the security policies, such as the syntax, the references, and the conflicts. It does not show the match criteria or the reason why the traffic is not hitting the policy [3].

Therefore, the correct answer is C. You need to use the show security match-policies CLI command to troubleshoot the traffic problem using the match criteria. The show security match-policies CLI command displays the policies that match the specified criteria, such as the source and destination addresses, the zones, the protocols, and the ports. It also shows the action and the hit count of each matching policy. You can use this command to verify if the traffic is matching the expected policy or not, and if not, what policy is blocking or rejecting the traffic [4].
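As an added example (not from the original page), this is the match-criteria lookup the explanation describes, run from operational mode: the command takes the full five-tuple plus the zone pair and reports which policy that flow would hit. The zone names trust and untrust come from the question; the addresses and ports are constructed sample values.

```junos
user@host> show security match-policies from-zone trust to-zone untrust source-ip 10.10.10.25 destination-ip 203.0.113.80 source-port 51000 destination-port 443 protocol tcp
user@host> show security match-policies from-zone trust to-zone untrust source-ip 10.10.10.25 destination-ip 203.0.113.80 source-port 51000 destination-port 443 protocol tcp result-count 3
```

If the first matching policy reported is not the one you configured, the flow is being consumed by an earlier policy in the same zone pair; result-count lists the next policies in order so you can see which one you expected to reach.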

In an effort to reduce client-server latency, transparent mode was enabled on an SRX Series device.

Which two types of traffic will be permitted in this scenario? (Choose two.)

A. ARP
B. Layer 2 non-IP multicast
C. BGP
D. IPsec
Suggested answer: A, B

Explanation:

To answer this question, you need to know what transparent mode is and what types of traffic it permits. Transparent mode is a mode of operation for SRX Series devices that provides Layer 2 bridging capabilities with full security services. In transparent mode, the SRX Series device acts as a bridge between two network segments and inspects the packets without modifying the source or destination information in the IP packet header. The SRX Series device does not have an IP address in transparent mode, except for the management interface [1]. Therefore, the types of traffic that will be permitted in transparent mode are:

A) ARP (Address Resolution Protocol) traffic. ARP is a protocol that maps IP addresses to MAC addresses. ARP traffic is a type of Layer 2 traffic that does not require an IP address on the SRX Series device. ARP traffic is permitted in transparent mode to allow the SRX Series device to learn the MAC addresses of the hosts on the bridged network segments [2].

B) Layer 2 non-IP multicast traffic. Layer 2 non-IP multicast traffic is a type of traffic that uses MAC addresses to send data to multiple destinations. Layer 2 non-IP multicast traffic does not require an IP address on the SRX Series device. Layer 2 non-IP multicast traffic is permitted in transparent mode to allow the SRX Series device to forward data to the appropriate destinations on the bridged network segments [3].

The other options are incorrect because:

C) BGP (Border Gateway Protocol) traffic. BGP is a protocol that exchanges routing information between autonomous systems. BGP traffic is a type of Layer 3 traffic that requires an IP address on the SRX Series device. BGP traffic is not permitted in transparent mode, because the SRX Series device does not have an IP address in transparent mode, except for the management interface [1].

D) IPsec (Internet Protocol Security) traffic. IPsec is a protocol that provides security and encryption for IP packets. IPsec traffic is a type of Layer 3 traffic that requires an IP address on the SRX Series device. IPsec traffic is not permitted in transparent mode, because the SRX Series device does not have an IP address in transparent mode, except for the management interface [1].

Reference:

Transparent Mode Overview

ARP Support in Transparent Mode

Layer 2 Non-IP Multicast Traffic Support in Transparent Mode

Refer to the exhibit.

Which two potential violations will generate an alarm? (Choose two.)

A. the number of policy violations by a source network identifier
B. the ratio of policy violation traffic compared to accepted traffic
C. the number of policy violations by a destination TCP port
D. the number of policy violations to an application within a specified period
Suggested answer: A, D

Explanation:

The exhibit shows a security policy configuration with a threshold of 1000 policy violations by a source network identifier and a threshold of 10 policy violations to an application within a specified period. If either of these thresholds is exceeded, an alarm will be generated. Therefore, the correct answer is A and D. The other options are incorrect because:

B) The ratio of policy violation traffic compared to accepted traffic is not a criterion for triggering an alarm. The security policy configuration does not specify any ratio or percentage of policy violation traffic that would cause an alarm.

C) The number of policy violations by a destination TCP port is also not a criterion for triggering an alarm. The security policy configuration does not specify any threshold or duration for policy violations by a destination TCP port.

Reference:

policy (Security Alarms)

Monitoring Security Policy Violations
