
Juniper JN0-636 Practice Test - Questions Answers, Page 11

You must find an infected host and where the attack came from using the Juniper ATP Cloud. Which two monitor workspaces will return the requested information? (Choose two.)

A. Hosts
B. File Scanning
C. Threat Sources
D. Encrypted Traffic

Suggested answer: A, C

Explanation:

To find an infected host and where the attack came from using the Juniper ATP Cloud, you need to use the Hosts and Threat Sources monitor workspaces. The other options are incorrect because:

B) The File Scanning monitor workspace shows the files that have been scanned by the Juniper ATP Cloud and their verdicts (clean, malicious, or unknown). It does not show the infected hosts or the attack sources [1].

D) The Encrypted Traffic monitor workspace shows the encrypted traffic that has been decrypted by the Juniper ATP Cloud and the certificates that have been used. It does not show the infected hosts or the attack sources [2].

Therefore, the correct answer is A and C. You need to use the Hosts and Threat Sources monitor workspaces to find an infected host and where the attack came from using the Juniper ATP Cloud. To do so, you need to perform the following steps:

For Hosts, you need to access the Hosts monitor workspace in the Juniper ATP Cloud WebUI by selecting Monitor > Hosts. You can see the list of hosts that have been detected by the Juniper ATP Cloud and their risk scores, infection levels, and threat categories. You can filter the hosts by various criteria, such as IP address, hostname, domain, or threat category. You can also drill down into each host to see the details of the files, applications, and incidents associated with the host. You can identify the infected host by looking for the host with the highest risk score, infection level, or threat category [3].

For Threat Sources, you need to access the Threat Sources monitor workspace in the Juniper ATP Cloud WebUI by selecting Monitor > Threat Sources. You can see the list of threat sources that have been detected by the Juniper ATP Cloud and their risk scores, threat categories, and geolocations. You can filter the threat sources by various criteria, such as IP address, domain, or threat category. You can also drill down into each threat source to see the details of the files, applications, and incidents associated with the threat source. You can identify the attack source by looking for the threat source with the highest risk score, threat category, or geolocation that matches the infected host.

Reference:

[1] File Scanning
[2] Encrypted Traffic
[3] Hosts
[4] Threat Sources

Exhibit:

Referring to the exhibit, the operator user is unable to save configuration files to a USB stick that is plugged into the SRX. What should you do to solve this problem?

A. Add the floppy permission flag to the operations class
B. Add the system-control permission flag to the operation class
C. Add the interface-control permission flag to the operation class
D. Add the system permission flag to the operation class

Suggested answer: B

Explanation:

To solve the problem of the operator user being unable to save configuration files to a USB stick that is plugged into SRX, you need to add the system-control permission flag to the operations class. The other options are incorrect because:

A) Adding the floppy permission flag to the operations class is not sufficient or necessary to save configuration files to a USB stick. The floppy permission flag allows the user to access the floppy drive, but not the USB drive. The USB drive is accessed by the system permission flag, which is already included in the operations class [1].

C) Adding the interface-control permission flag to the operations class is also not sufficient or necessary to save configuration files to a USB stick. The interface-control permission flag allows the user to configure and monitor interfaces, but not to save configuration files. The configuration permission flag, which is also already included in the operations class, allows the user to save configuration files [1].

D) Adding the system permission flag to the operations class is redundant and ineffective to save configuration files to a USB stick. The system permission flag allows the user to access the system directory, which includes the USB drive. However, the operations class already has the system permission flag by default [1]. The problem is not the lack of system permission, but the lack of system-control permission.

Therefore, the correct answer is B. You need to add the system-control permission flag to the operations class to solve the problem. The system-control permission flag allows the user to perform system-level operations, such as rebooting, halting, or snapshotting the device [1]. These operations are required to mount, unmount, and copy files to and from the USB drive [2]. To add the system-control permission flag to the operations class, you need to perform the following steps:

1. Enter the configuration mode:
   user@host> configure

2. Navigate to the system login class hierarchy:
   user@host# edit system login class operations

3. Add the system-control permission flag:
   user@host# set permissions system-control

4. Commit the changes:
   user@host# commit

Reference:

[1] login (System)
[2] How to mount a USB drive on EX/SRX/MX/QFX Series platforms to import/export files

You must create a secure fabric in your company's network.

In this scenario, which three statements are correct? (Choose three.)

A. MX Series device associated with tenants can belong to only one site
B. A switch must be assigned to the site to enforce an infected host policy within the network
C. SRX Series devices can belong to multiple sites
D. SRX Series devices can belong to only one site
E. Switches and connectors cannot be added to the same site

Suggested answer: B, D, E

Explanation:

To create a secure fabric in your company's network, you need to know the following facts:

A secure fabric is a collection of sites that contain network devices (switches, routers, firewalls, and other security devices) that are used in policy enforcement groups. A site is a grouping of network devices that contribute to threat prevention. When threat prevention policies are applied to policy enforcement groups, the system automatically discovers to which sites those groups belong. This is how threat prevention is aggregated across your secure fabric [1].

MX Series devices associated with tenants can belong to multiple sites. Tenants are logical partitions of the network that can have their own security policies and enforcement points. Sites that are associated with tenants do not need switches as enforcement points, because MX Series devices can perform tenant-based policy enforcement [1].

SRX Series devices can belong to only one site. SRX Series devices are firewalls that can act as perimeter enforcement points for the secure fabric. They can send potentially malicious objects and files to the Juniper ATP Cloud for analysis and receive threat intelligence from the Juniper ATP Cloud to block malicious traffic. SRX Series devices cannot belong to multiple sites, because they do not support tenant-based policy enforcement [1].

A switch must be assigned to the site to enforce an infected host policy within the network. An infected host policy is a policy that blocks or quarantines hosts that are identified as infected by the Juniper ATP Cloud. A switch can act as an internal enforcement point for the secure fabric by applying the infected host policy to the hosts that are connected to it. A switch must be assigned to the site where the infected hosts are located, because SRX Series devices cannot enforce infected host policies [1].

Switches and connectors cannot be added to the same site. Connectors are software agents that can be installed on Windows or Linux servers to enable them to act as enforcement points for the secure fabric. Connectors can apply infected host policies to the hosts that are connected to them. However, connectors cannot coexist with switches in the same site, because they use different methods of policy enforcement. Switches use VLANs and ACLs, while connectors use iptables and WFP [1].

Therefore, the correct answer is B, D, and E. The other options are incorrect because:

A) MX Series devices associated with tenants can belong to multiple sites, not only one site [1].

C) SRX Series devices can belong to only one site, not multiple sites [1].

Reference:

[1] Secure Fabric Overview

Which two security intelligence feed types are supported?

A. infected host feed
B. Command and Control feed
C. custom feeds
D. malicious URL feed

Suggested answer: A, B

Explanation:

The two security intelligence feed types that are supported are:

A) Infected host feed. An infected host feed is a security intelligence feed that contains the IP addresses of hosts that are infected by malware or compromised by attackers. The SRX Series device can download the infected host feed from the Juniper ATP Cloud or generate its own infected host feed based on the detection events from IDP. The SRX Series device can use the infected host feed to block or quarantine the traffic to or from the infected hosts based on the security policies [1].

B) Command and Control feed. A command and control feed is a security intelligence feed that contains the IP addresses of servers that are used by malware or attackers to communicate with infected hosts. The SRX Series device can download the command and control feed from the Juniper ATP Cloud or generate its own command and control feed based on the detection events from IDP. The SRX Series device can use the command and control feed to block or log the traffic to or from the command and control servers based on the security policies [2].

The other options are incorrect because:

C) Custom feeds. Custom feeds are not a security intelligence feed type, but a feature that allows you to create your own security intelligence feeds based on your own criteria and sources. You can configure custom feeds by using the Junos Space Security Director or the CLI. Custom feeds are not supported by the Juniper ATP Cloud or the IDP [3].

D) Malicious URL feed. Malicious URL feed is not a security intelligence feed type, but a feature that allows you to block or log the traffic to or from malicious URLs based on the security policies. The SRX Series device can download the malicious URL feed from the Juniper ATP Cloud or the Juniper Threat Labs. Malicious URL feed is not supported by the IDP [4].

Reference:

[1] Infected Host Feed Overview
[2] Command and Control Feed Overview
[3] Custom Feed Overview
[4] Malicious URL Feed Overview

Which security feature bypasses routing or switching lookup?

A. transparent mode
B. secure wire
C. mixed mode
D. MACsec

Suggested answer: A

Explanation:

The security feature that bypasses routing or switching lookup is transparent mode. The other options are incorrect because:

B) Secure wire is a feature that allows you to connect two interfaces on the same device and forward traffic between them without any processing. Secure wire does not bypass routing or switching lookup, but rather eliminates them altogether [1].

C) Mixed mode is a mode of operation for SRX Series devices that allows you to configure both transparent mode and switching mode on the same device. Mixed mode does not bypass routing or switching lookup, but rather uses them depending on the interface type [2].

D) MACsec (Media Access Control Security) is a feature that provides encryption and authentication for Layer 2 traffic. MACsec does not bypass routing or switching lookup, but rather operates at a lower layer [3].

Therefore, the correct answer is A. Transparent mode is a mode of operation for SRX Series devices that provides Layer 2 bridging capabilities with full security services. In transparent mode, the SRX Series device acts as a bridge between two network segments and inspects the packets without modifying the source or destination information in the IP packet header. The SRX Series device does not have an IP address in transparent mode, except for the management interface. Transparent mode bypasses routing or switching lookup, because the SRX Series device does not perform any routing or switching functions, but rather forwards the packets based on the MAC addresses [4].

Reference:

[1] Secure Wire Overview
[2] Mixed Mode Overview
[3] MACsec Overview
[4] Transparent Mode Overview

Exhibit:

Referring to the exhibit, your company's infrastructure team implemented new printers. To make sure that the policy enforcer pushes the updated IP address list to the SRX, which three actions are required to complete the requirement? (Choose three.)

A. Configure the server feed URL as http://172.25.10.254/myprinters
B. Create a security policy that uses the dynamic address feed to allow access
C. Configure Security Director to create a dynamic address feed
D. Configure Security Director to create a C&C feed.
E. Configure server feed URL as https://172.25.10.254/myprinters.

Suggested answer: A, B, C

Explanation:

Referring to the exhibit, your company's infrastructure team implemented new printers. To make sure that the policy enforcer pushes the updated IP address list to the SRX, you need to perform the following actions:

A) Configure the server feed URL as http://172.25.10.254/myprinters. The server feed URL is the address of the remote server that provides the custom feed data. You need to configure the server feed URL to match the location of the file that contains the IP addresses of the new printers. In this case, the file name is myprinters and the server IP address is 172.25.10.254, so the server feed URL should be http://172.25.10.254/myprinters [1].

B) Create a security policy that uses the dynamic address feed to allow access. A security policy is a rule that defines the action to be taken for the traffic that matches the specified criteria, such as source and destination addresses, zones, protocols, ports, and applications. You need to create a security policy that uses the dynamic address feed as the source or destination address to allow access to the new printers. A dynamic address feed is a custom feed that contains a group of IP addresses that can be entered manually or imported from external sources. The dynamic address feed can be used in security policies to either deny or allow traffic based on either source or destination IP criteria [2].

C) Configure Security Director to create a dynamic address feed. Security Director is a Junos Space application that enables you to create and manage security policies and objects. You need to configure Security Director to create a dynamic address feed that contains the IP addresses of the new printers. You can create a dynamic address feed by using the local file or the remote file server option. In this case, you should use the remote file server option and specify the server feed URL as http://172.25.10.254/myprinters [3].

The other options are incorrect because:

D) Configuring Security Director to create a C&C feed is not required to complete the requirement. A C&C feed is a security intelligence feed that contains the IP addresses of servers that are used by malware or attackers to communicate with infected hosts. The C&C feed is not related to the new printers or the dynamic address feed.

E) Configuring the server feed URL as https://172.25.10.254/myprinters is not required to complete the requirement. The server feed URL can use either the HTTP or the HTTPS protocol, depending on the configuration of the remote server. In this case, the exhibit shows that the remote server is using the HTTP protocol, so the server feed URL should use the same protocol [1].

Reference:

[1] Configuring the Server Feed URL
[2] Dynamic Address Overview
[3] Creating Custom Feeds
[4] Command and Control Feed Overview

Refer to the Exhibit:

Which two statements about the configuration shown in the exhibit are correct?

A. The remote IKE gateway IP address is 203.0.113.100.
B. The local peer is assigned a dynamic IP address.
C. The local IKE gateway IP address is 203.0.113.100.
D. The remote peer is assigned a dynamic IP address.

Suggested answer: A, D

Explanation:

The two correct statements about the configuration shown in the exhibit are:

A) The remote IKE gateway IP address is 203.0.113.100. The exhibit shows that the address option under the gateway statement is set to 203.0.113.100, which specifies the IP address of the primary IKE gateway. The address option is used to configure the IP address or the hostname of the remote peer that has a static IP address [1].

D) The remote peer is assigned a dynamic IP address. The exhibit shows that the dynamic option under the gateway statement is configured with various attributes, such as general-ikeid, ike-usertype, and user-at-hostname. The dynamic option is used to configure the identifier for the remote gateway with a dynamic IP address. The dynamic option also enables the SRX Series device to accept multiple connections from remote peers that have the same identifier [2].

The other statements are incorrect because:

B) The local peer is not assigned a dynamic IP address, but a static IP address. The exhibit shows that the local-address option under the gateway statement is set to 192.0.2.100, which specifies the IP address of the local IKE gateway. The local-address option is used to configure the IP address of the local peer that has a static IP address [1].

C) The local IKE gateway IP address is not 203.0.113.100, but 192.0.2.100, as explained above.

Reference:

[1] gateway (Security IKE)
[2] dynamic (Security IKE)

You are asked to control access to network resources based on the identity of an authenticated device. Which three steps will accomplish this goal on the SRX Series firewalls? (Choose three.)

A. Configure an end-user-profile that characterizes a device or set of devices
B. Reference the end-user-profile in the security zone
C. Reference the end-user-profile in the security policy.
D. Apply the end-user-profile at the interface connecting the devices
E. Configure the authentication source to be used to authenticate the device

Suggested answer: A, C, E

Explanation:

To control access to network resources based on the identity of an authenticated device on the SRX Series firewalls, you need to perform the following steps:

A) Configure an end-user-profile that characterizes a device or set of devices. An end-user-profile is a device identity profile that contains a collection of attributes that are characteristics of a specific group of devices, or of a specific device, depending on the attributes configured in the profile. The end-user-profile must contain a domain name and at least one value in each attribute. The attributes include device-identity, device-category, device-vendor, device-type, device-os, and device-os-version [1]. You can configure an end-user-profile by using the Junos Space Security Director or the CLI [2].

C) Reference the end-user-profile in the security policy. A security policy is a rule that defines the action to be taken for the traffic that matches the specified criteria, such as source and destination addresses, zones, protocols, ports, and applications. You can reference the end-user-profile in the source-end-user-profile field of the security policy to identify the traffic source based on the device from which the traffic issued. The SRX Series device matches the IP address of the device to the end-user-profile and applies the security policy accordingly [3]. You can reference the end-user-profile in the security policy by using the Junos Space Security Director or the CLI [4].

E) Configure the authentication source to be used to authenticate the device. An authentication source is a system that provides the device identity information to the SRX Series device. The authentication source can be Microsoft Windows Active Directory or a third-party network access control (NAC) system. You need to configure the authentication source to be used to authenticate the device and to send the device identity information to the SRX Series device. The SRX Series device stores the device identity information in the device identity authentication table [5]. You can configure the authentication source by using the Junos Space Security Director or the CLI [6].

The other options are incorrect because:

B) Referencing the end-user-profile in the security zone is not a valid step to control access to network resources based on the identity of an authenticated device. A security zone is a logical grouping of interfaces that have similar security requirements. You can reference the user role in the security zone to identify the user who is accessing the network resources, but not the end-user-profile [7].

D) Applying the end-user-profile at the interface connecting the devices is also not a valid step to control access to network resources based on the identity of an authenticated device. You cannot apply the end-user-profile at the interface level, but only at the security policy level. The end-user-profile is not a firewall filter or a security policy, but a device identity profile that is referenced in the security policy [1].

Reference:

[1] End User Profile Overview
[2] Creating an End User Profile
[3] source-end-user-profile
[4] Creating Firewall Policy Rules
[5] Understanding the Device Identity Authentication Table and Its Entries
[6] Configuring the Authentication Source for Device Identity
[7] user-role

Which three types of peer devices are supported for CoS-based IPsec VPN?

A. High-end SRX Series device
B. cSRX
C. vSRX
D. Branch-end SRX Series devices

Suggested answer: A, C, D

What are two important functions of the Juniper Networks ATP appliance solution? (Choose two.)

A. Statistics
B. Analysis
C. Detection
D. Filtration

Suggested answer: B, C

Explanation:

https://www.juniper.net/us/en/products-services/security/advanced-threat-prevention/

Total 115 questions