Question 65 - JN0-636 discussion

The IPS signature database is one of the major components of the intrusion prevention system (IPS).

It contains definitions of different objects, such as attack objects, application signature objects, and service objects, that are used in defining IDP policy rules. As a response to new vulnerabilities, Juniper Networks periodically provides a file containing attack database updates on the Juniper Networks website. You can download this file to protect your network from new threats. Note: IPS does not need a separate license to run as a service on the SRX Series Firewall; however, a license is required for IPS updates1.

When you configure a chassis cluster, the two nodes back up each other, with one node acting as the primary device and the other as the secondary device, ensuring stateful failover of processes and services in the event of system or hardware failure. If the primary device fails, the secondary device takes over processing of traffic2.

To download and install the IPS signature database to a device operating in chassis cluster mode, you must perform the following steps:

Download the IPS signature package from the Juniper Networks website to the primary node of the chassis cluster. You can use the request security idp security-package download CLI command or the Security Director user interface to download the package. Note: You must have a valid license key installed on the device to download the package3.

Install the IPS signature package on the primary node of the chassis cluster. You can use the request security idp security-package install CLI command or the Security Director user interface to install the package. Note: You must reboot the primary node after installing the package3.

Synchronize the IPS signature package from the primary node to the backup node of the chassis cluster. You can use the request security idp security-package install-backup CLI command or the Security Director user interface to synchronize the package. Note: You do not need to reboot the backup node after synchronizing the package3.

Therefore, the correct answer is A. You must download and install the IPS signature package on the primary node. The other options are incorrect because:

B) The first synchronization of the backup node and the primary node is performed automatically after you install the package on the primary node. You do not need to perform it manually3.

C) The first time you synchronize the IPS signature package from the primary node to the backup node, the primary node does not need to be rebooted. You only need to reboot the primary node after installing the package3.

D) The IPS signature package does not need to be downloaded and installed on the primary and backup nodes separately. You only need to download and install it on the primary node and then synchronize it to the backup node3.

Reference:

IDP Signature Database Overview

Understanding IDP Signature Database for Migration

Configuring Chassis Clustering on SRX Series Devices