ExamGecko
Juniper JN0-636 Practice Test - Questions Answers, Page 5

You want to enforce IDP policies on HTTP traffic.

In this scenario, which two actions must be performed on your SRX Series device? (Choose two.)

A. Choose an attacks type in the predefined-attacks-group HTTP-All.
B. Disable screen options on the Untrust zone.
C. Specify an action of None.
D. Match on application junos-http.

Suggested answer: A, D

Explanation:

To enforce IDP policies on HTTP traffic on an SRX Series device, the following actions must be performed:

Choose an attacks type in the predefined-attacks-group HTTP-All: This allows the SRX Series device to match on specific types of attacks that can occur within HTTP traffic. For example, it can match on SQL injection or cross-site scripting (XSS) attacks.

Match on application junos-http: This allows the SRX Series device to match on HTTP traffic specifically, as opposed to other types of traffic. It is necessary to properly identify the traffic that needs to be protected.

Disabling screen options on the Untrust zone and specifying an action of None are not required to enforce IDP policies on HTTP traffic: screen options are a separate feature used to block certain types of attacks, and an action of None means that no action is taken when a rule matches.
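The two required pieces, as an added configuration example that is not part of the original page: an IDP policy matching the predefined HTTP - All attack group, attached to a security policy that matches application junos-http. The names IDP-HTTP, HTTP-ATTACKS and ALLOW-HTTP and the trust/untrust zones are assumed, and the application-services idp-policy form assumes a Junos release with unified policies (older releases attach IDP with application-services idp plus set security idp active-policy).

```junos
# Added example (not the page's or Juniper's own configuration).
# Assumed names: IDP-HTTP, HTTP-ATTACKS, ALLOW-HTTP, zones trust/untrust.

# 1. IDP policy: match only application junos-http and the predefined
#    "HTTP - All" attack group. Use a real action (drop-connection here);
#    an action of none would let a matching attack through.
set security idp idp-policy IDP-HTTP rulebase-ips rule HTTP-ATTACKS match application junos-http
set security idp idp-policy IDP-HTTP rulebase-ips rule HTTP-ATTACKS match attacks predefined-attack-groups "HTTP - All"
set security idp idp-policy IDP-HTTP rulebase-ips rule HTTP-ATTACKS then action drop-connection
set security idp idp-policy IDP-HTTP rulebase-ips rule HTTP-ATTACKS then notification log-attacks

# 2. Security policy: match junos-http so only HTTP flows are handed to IDP
set security policies from-zone trust to-zone untrust policy ALLOW-HTTP match source-address any
set security policies from-zone trust to-zone untrust policy ALLOW-HTTP match destination-address any
set security policies from-zone trust to-zone untrust policy ALLOW-HTTP match application junos-http
set security policies from-zone trust to-zone untrust policy ALLOW-HTTP then permit application-services idp-policy IDP-HTTP

# 3. Verification after commit: policy load status, then attacks seen
show security idp status
show security idp policy-commit-status
show security idp attack table
```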

Exhibit

Referring to the exhibit, which two statements are true about the CAK status for the CAK named "FFFF"? (Choose two.)

A. CAK is not used for encryption and decryption of the MACsec session.
B. SAK is successfully generated using this key.
C. CAK is used for encryption and decryption of the MACsec session.
D. SAK is not generated using this key.

Suggested answer: A, D

Explanation:

The exhibit shows the output of the show security mka sessions summary command on an SRX Series device. This command displays the status of the MACsec Key Agreement (MKA) sessions on the device. In the output, we can see that there are two CAKs configured for the interface ge-0/0/1 - FFFF and EEEE. The CAK named FFFF has the type preceding and the status live. The CAK named EEEE has the type fallback and the status active.

The two statements that are true about the CAK status for the CAK named FFFF are:

CAK is not used for encryption and decryption of the MACsec session. This is because the CAK is only used for authentication and key exchange between the MACsec peers. The CAK is not used for encrypting or decrypting the MACsec traffic. The encryption and decryption of the MACsec session is done by the Secure Association Key (SAK), which is derived from the CAK using the MKA protocol.

SAK is not generated using this key. This is because the CAK named FFFF has the type preceding, which means that it is a legacy key that is used for backward compatibility with older MACsec devices. The preceding key is not used for generating the SAK, but only for authenticating the MACsec peers. The SAK is generated using the active key, which is the CAK named EEEE in this case.

Reference: Juniper Security, Professional (JNCIP-SEC) reference materials and documents:

https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/showsecurity-mka-sessions-summary.html

https://www.juniper.net/documentation/en_US/junos/topics/concept/security-macsecoverview.html

Exhibit

Referring to the exhibit, a spoke member of an ADVPN is not functioning correctly.

Which two commands will solve this problem? (Choose two.)

Options A) through D) are shown in the exhibit.

A. Option A
B. Option B
C. Option C
D. Option D

Suggested answer: A, B

Exhibit

You are using ATP Cloud and notice a host with a high number of ETI and C&C hits sourced from the same investigation, and that some of the events have not been automatically mitigated.

Referring to the exhibit, what is a reason for this behavior?

A. The C&C events are false positives.
B. The infected host score is globally set below a threat level of 5.
C. The infected host score is globally set above a threat level of 5.
D. The ETI events are false positives.

Suggested answer: C

Explanation:

According to the Juniper documentation, the infected host score is a global setting that determines the minimum threat level required for a host to be considered infected and blocked by Juniper ATP Cloud. The infected host score can be configured from 1 to 10, where 1 is the lowest and 10 is the highest. The default infected host score is 5, which means that any host with a threat level of 5 or higher will be automatically blocked by Juniper ATP Cloud. However, the infected host score can be changed to a higher value, such as 6 or 7, to reduce the number of false positives and allow more traffic to pass through.

In the exhibit, the host has a threat level of 5, which indicates that it is infected with malware and has attempted to contact command-and-control servers. However, some of the events have not been automatically mitigated, which means that the host has not been blocked by Juniper ATP Cloud. A possible reason for this behavior is that the infected host score is globally set above a threat level of 5, such as 6 or 7, which means that the host does not meet the minimum threshold for blocking. Therefore, the correct answer is C: the infected host score is globally set above a threat level of 5.

Reference:

1: Configuring the Infected Host Score: https://www.juniper.net/documentation/us/en/software/sky-atp/atp-cloud-userguide/topics/task/sky-atp-infected-host-score.html

2: Compromised Hosts: More Information: https://www.juniper.net/documentation/us/en/software/sky-atp/atp-cloud-userguide/topics/concept/sky-atp-infected-host-overview.html

Which two features would be used for DNS doctoring on an SRX Series firewall? (Choose two.)

A. The DNS ALG must be enabled.
B. static NAT
C. The DNS ALG must be disabled.
D. source NAT

Suggested answer: A, B

Explanation:

DNS doctoring is a feature that allows the SRX Series firewall to modify the IP address in a DNS response based on a static NAT rule. This can be useful when the DNS server returns an IP address that is not reachable by the client, such as a private IP address or an IP address from a different network. To use DNS doctoring, the following requirements must be met:

The DNS ALG must be enabled. The DNS ALG is responsible for parsing the DNS messages and performing the IP address translation. The DNS ALG can be enabled globally or per security policy. To enable the DNS ALG globally, use the command set security alg dns enable. To enable the DNS ALG per security policy, use the command set security policies from-zone zone1 to-zone zone2 policy policy1 then permit application-services application-firewall rule-set rule-set-name application junos-dns.

Static NAT must be configured for the IP address that needs to be translated. Static NAT is a type of NAT that maps a fixed IP address to another fixed IP address. Static NAT can be configured using the command set security nat static rule-set rule-set-name rule rule-name match destination-address address and set security nat static rule-set rule-set-name rule rule-name then static-nat prefix prefix. Reference:

DNS ALG and Doctoring Support

Understanding DNS ALG and NAT Doctoring

Disabling DNS ALG and NAT Doctoring

SRX Getting Started - Configure DNS

Exhibit

You are not able to ping the default gateway of 192.168.100.1 for your network that is located on your SRX Series firewall.

Referring to the exhibit, which two commands would correct the configuration of your SRX Series device? (Choose two.)

Options A) through D) are shown in the exhibit.

A. Option A
B. Option B
C. Option C
D. Option D

Suggested answer: A, B

You configured a chassis cluster for high availability on an SRX Series device and enrolled this HA cluster with the Juniper ATP Cloud. Which two statements are correct in this scenario? (Choose two.)

A. You must use different license keys on both cluster nodes.
B. When enrolling your devices, you only need to enroll one node.
C. You must set up your HA cluster after enrolling your devices with Juniper ATP Cloud.
D. You must use the same license key on both cluster nodes.

Suggested answer: B, D

Explanation:

When enrolling your devices, you only need to enroll one node: The Juniper ATP Cloud automatically recognizes the HA configuration and applies the same license and configuration to both nodes of the cluster.

You must use the same license key on both cluster nodes: The HA cluster needs to share the same license key in order to be recognized as a single device by the Juniper ATP Cloud.

You must set up your HA cluster before, not after, enrolling your devices with Juniper ATP Cloud, and it is not necessary to use different license keys on the cluster nodes because the HA cluster shares the same license key.

The two statements that are correct in this scenario are:

When enrolling your devices, you only need to enroll one node. This is because the Juniper ATP Cloud service supports chassis cluster mode for SRX Series devices. When you enroll a chassis cluster, you only need to enroll the primary node of the cluster. The secondary node will be automatically enrolled and synchronized with the primary node. You do not need to enroll the secondary node separately or perform any additional configuration on it.

You must use the same license key on both cluster nodes. This is because the Juniper ATP Cloud service requires a license key to activate the service on the SRX Series devices. The license key is tied to the serial number of the device. When you enroll a chassis cluster, you must use the same license key on both nodes of the cluster. The license key must match the serial number of the primary node of the cluster. You cannot use different license keys on the cluster nodes.

Reference: Juniper Security, Professional (JNCIP-SEC) reference materials and documents:

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-atp-cloudenrolling-srx-series.html

https://www.juniper.net/documentation/en_US/junos/topics/concept/security-atp-cloud-licensingoverview.html

Exhibit

You are implementing filter-based forwarding to send traffic from the 172.25.0.0/24 network through ISP-1 while sending all other traffic through your connection to ISP-2. Your ge-0/0/1 interface connects to two networks, including the 172.25.0.0/24 network. You have implemented the configuration shown in the exhibit. The traffic from the 172.25.0.0/24 network is being forwarded as expected to 172.20.0.2; however, traffic from the other network (172.25.1.0/24) is not being forwarded to the upstream 172.21.0.2 neighbor.

In this scenario, which action will solve this problem?

A. You must specify that the 172.25.1.1/24 IP address is the primary address on the ge-0/0/1 interface.
B. You must apply the firewall filter to the lo0 interface when using filter-based forwarding.
C. You must add another term to the firewall filter to accept the traffic from the 172.25.1.0/24 network.
D. You must create the static default route to neighbor 172.21.0.2 under the ISP-1 routing instance hierarchy.

Suggested answer: C

Explanation:

The exhibit shows the configuration of filter-based forwarding on an SRX Series device. Filter-based forwarding is a feature that allows the device to use firewall filters to direct traffic to different routing instances based on the match criteria. In this scenario, the device has two routing instances - ISP-1 and ISP-2 - and two firewall filters - FBF and FBF-ISP-1. The FBF filter is applied to the ge-0/0/1 interface as an input filter. The FBF filter has one term that matches the traffic from the 172.25.0.0/24 network and directs it to the ISP-1 routing instance. The ISP-1 routing instance has a static route to the next hop 172.20.0.2. The FBF-ISP-1 filter is applied to the ge-0/0/0 interface as an output filter. The FBF-ISP-1 filter has one term that matches the traffic to the 172.20.0.2 next hop and sets the forwarding class to expedited-forwarding.

The problem in this scenario is that the traffic from the other network (172.25.1.0/24) is not being forwarded to the upstream 172.21.0.2 neighbor. This is because the FBF filter does not have a term that accepts the traffic from the 172.25.1.0/24 network. The FBF filter only has one term that matches the traffic from the 172.25.0.0/24 network and directs it to the ISP-1 routing instance. The traffic from the 172.25.1.0/24 network does not match this term and is therefore discarded by the implicit deny action at the end of the filter. The traffic from the 172.25.1.0/24 network should be forwarded to the ISP-2 routing instance, which has a static default route to the next hop 172.21.0.2.

To solve this problem, you must add another term to the FBF filter to accept the traffic from the 172.25.1.0/24 network. This term should have the action accept, which means that the traffic will be forwarded according to the routing table of the master routing instance. The master routing instance has a static default route to the ISP-2 routing instance, which in turn has a static default route to the next hop 172.21.0.2. By adding this term, the traffic from the 172.25.1.0/24 network will be forwarded to the upstream 172.21.0.2 neighbor as expected.

The configuration of the new term in the FBF filter could look something like this:

[edit firewall family inet filter FBF]
term 2 {
    from {
        source-address {
            172.25.1.0/24;
        }
    }
    then {
        accept;
    }
}
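The complete filter-based forwarding setup described in this explanation, with the missing accept term in place, as an added example that is not the exhibit's own configuration. The instance names ISP-1 and ISP-2, the next hops 172.20.0.2 and 172.21.0.2 and the two networks on ge-0/0/1 come from the question; the interface addresses 172.25.0.1/24 and 172.25.1.1/24, the rib-group name FBF-RG, the term names and the security zones are assumed, and the uplink interfaces to both ISPs are assumed to be configured already.

```junos
# Added example (not the exhibit's configuration). Assumed: interface
# addresses, rib-group name FBF-RG, term names, zones and uplink interfaces.

# Interface facing both LAN networks, with the FBF filter applied inbound
set interfaces ge-0/0/1 unit 0 family inet address 172.25.0.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.25.1.1/24
set interfaces ge-0/0/1 unit 0 family inet filter input FBF

# Term 1 steers 172.25.0.0/24 into the ISP-1 instance.
# Term 2 is the fix: accept everything else so it is looked up in inet.0
# instead of hitting the implicit discard at the end of the filter.
set firewall family inet filter FBF term 1 from source-address 172.25.0.0/24
set firewall family inet filter FBF term 1 then routing-instance ISP-1
set firewall family inet filter FBF term 2 then accept

# One forwarding instance per upstream, each with its own default route
set routing-instances ISP-1 instance-type forwarding
set routing-instances ISP-1 routing-options static route 0.0.0.0/0 next-hop 172.20.0.2
set routing-instances ISP-2 instance-type forwarding
set routing-instances ISP-2 routing-options static route 0.0.0.0/0 next-hop 172.21.0.2

# Master instance default route points at the ISP-2 table, so traffic
# accepted by term 2 (e.g. from 172.25.1.0/24) reaches 172.21.0.2
set routing-options static route 0.0.0.0/0 next-table ISP-2.inet.0

# Forwarding instances own no interfaces: share the interface routes from
# inet.0 so the next hops resolve and return traffic has a route back
set routing-options rib-groups FBF-RG import-rib [ inet.0 ISP-1.inet.0 ISP-2.inet.0 ]
set routing-options interface-routes rib-group inet FBF-RG

# Verification after commit: term counters, per-instance tables, default route
show firewall filter FBF
show route table ISP-1.inet.0
show route table ISP-2.inet.0
show route 0.0.0.0/0
```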

Reference: Juniper Security, Professional (JNCIP-SEC) reference materials and documents:

https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-option-filterbased-forwarding-overview.html

https://www.juniper.net/documentation/en_US/junos/topics/example/filter-based-forwardingexample.html

Exhibit

Which statement is true about the output shown in the exhibit?

A. The SRX Series device is configured with default security forwarding options.
B. The SRX Series device is configured with packet-based IPv6 forwarding options.
C. The SRX Series device is configured with flow-based IPv6 forwarding options.
D. The SRX Series device is configured to disable IPv6 packet forwarding.

Suggested answer: C

Explanation:

The output shown in the exhibit is from the command "show security flow session family inet6". This command displays the IPv6 flow sessions on the SRX Series device. The output shows that there are two total sessions, both of which are valid. This means that the SRX Series device is configured with flow-based IPv6 forwarding options. Flow-based IPv6 forwarding options enable the device to process IPv6 packets using the security policies, NAT, and other security features. To configure flow-based IPv6 forwarding options, use the command set security forwarding-options family inet6 mode flow-based and reboot the device. Reference:

show security flow session family inet6

Configuring Flow-Based IPv6 Forwarding Options

SRX Getting Started - Configure IPv6

You want to identify potential threats within SSL-encrypted sessions without requiring SSL proxy to decrypt the session contents. Which security feature achieves this objective?

A. infected host feeds
B. encrypted traffic insights
C. DNS security
D. Secure Web Proxy

Suggested answer: B

Explanation:

The security feature that achieves the objective of identifying potential threats within SSL-encrypted sessions without requiring SSL proxy to decrypt the session contents is encrypted traffic insights.

Encrypted traffic insights (ETI) is a feature of Juniper ATP Cloud that helps you to detect malicious threats that are hidden in encrypted traffic without intercepting and decrypting the traffic. ETI uses machine learning and behavioral analysis to identify anomalies and suspicious patterns in the encrypted traffic metadata, such as the SSL/TLS handshake, the certificate, the cipher suite, and the session duration. ETI can also leverage third-party feeds and threat intelligence from Juniper ATP Cloud to correlate the encrypted traffic with known indicators of compromise (IoCs). ETI can provide insights into the risk level, the threat category, the threat location, and the threat time of the encrypted traffic. ETI can also trigger mitigation actions, such as blocking, quarantining, or alerting, based on the threat severity and the policy configuration. ETI can help you to improve your security posture and visibility without compromising the privacy and performance of the encrypted traffic.

Reference: Juniper Security, Professional (JNCIP-SEC) reference materials and documents:

https://www.juniper.net/documentation/en_US/junos/topics/concept/security-atpcloud-encrypted-traffic-insights-overview.html
