JN0-335 Exam Dumps - Security, Specialist (JNCIS-SEC)

 The policy rematch feature enables the device to reevaluate an active session when its associated security policy is modified. The session remains open if it still matches the policy that allowed the session initially. The session is closed if its associated policy is renamed, deactivated, or deleted1

When a policy change includes changing the policy’s action from permit to deny, all existing sessions are dropped. This is because the policy rematch feature does not allow a session to continue if it violates the new policy action1

When a policy change includes changing the policy’s source or destination address match condition, all existing sessions are reevaluated. This is because the policy rematch feature tries to find a suitable policy that can still permit the session based on the new address criteria. If no such policy exists, the session is dropped12

References: 1: policy-rematch | Junos OS | Juniper Networks 2: What is session rematch and how to use it to avoid traffic disruption during a policy update via NSM - Juniper Networks

AppQoS is a service that allows you to prioritize and manage the quality of service (QoS) for different types of applications on SRX Series devices. AppQoS uses application signatures to identify and classify the traffic, and then applies QoS policies to assign bandwidth, priority, and scheduling parameters to the traffic. AppQoS can help you optimize the performance of critical applications, such as VoIP, and ensure that they get the required bandwidth and latency in a congested network12. In this scenario, you can use AppQoS to prioritize the VoIP traffic over other traffic and guarantee its QoS on the SRX Series device at the branch office. References:

• Understanding Application Quality of Service
• Configuring Application Quality of Service

The Junos IPS feature is a security service that is integrated on SRX Series devices, which are high-performance network security platforms that offer firewall, VPN, IPS, application security, and unified threat management capabilities. The Junos IPS feature uses various methods to detect and prevent intrusions, such as signature-based detection, protocol anomaly detection, behavioral anomaly detection, and custom signatures. Signature-based detection compares network traffic against predefined patterns of known attacks and blocks traffic when a match is found. Protocol anomaly detection monitors network traffic for deviations from the expected or normal behavior of common protocols, such as HTTP, FTP, SMTP, and DNS, and blocks traffic when an anomaly is detected. Behavioral anomaly detection monitors network traffic forchanges in the baseline behavior of hosts, networks, or applications, and blocks traffic when a significant deviation is detected. Custom signatures allow administrators to create their own patterns of attacks based on specific criteria, such as IP addresses, ports, protocols, or payload content, and block traffic when a match is found. The Junos IPS feature does not use sandboxing to detect unknown attacks, as this is a function of the Juniper ATP Cloud service, which is a cloud-based service that provides advanced malware detection and prevention for the network. The Junos IPS feature is not a standalone platform, but rather a service that runs on SRX Series devices, which can be deployed as physical or virtual appliances. References:

• [Juniper Security, Professional (JNCIP-SEC) Reference Materials] 1
• [Juniper Security, Specialist (JNCIS-SEC) Reference Materials] 2
• [Junos OS Security Configuration Guide] 3
• [Junos OS Security Feature Guide] 4
• [Junos OS Security Feature Support Reference] 5

 The configuration shown in the exhibit is a pre-ID default policy, which is a security policy that applies to traffic that cannot be identified by the SRX Series device before the user authentication process is complete. The pre-ID default policy has the following characteristics1:

• It is applied to all traffic that matches the from-zone and to-zone parameters, regardless of the source and destination addresses or applications.
• It can only have the permit action, and it cannot be deleted or renamed.
• It can have optional parameters such as log, session-timeout, and session-class.

The session-timeout parameter specifies the maximum time that a session can remain idle before it is closed by the SRX Series device. The session-timeout parameter can have different values for different types of traffic, such as TCP, UDP, or others. The others parameter applies to traffic that is not TCP or UDP, such as ICMP or GRE. The value of the others parameter is in seconds, not milliseconds. Therefore, the others 300 parameter means unidentified traffic flows will be dropped in 300 seconds, not milliseconds2. This statement is correct, so option B is a valid answer.

The log parameter enables the SRX Series device to generate a log message for each session that matches the pre-ID default policy. The log parameter can have two values: session-init and session-close. The session-init value logs the session when it is created, and the session-close value logs the session when it is closed. The session-init value is useful for identifying the source and destination of the unidentified traffic, while the session-close value is useful for measuring the duration and volume of the traffic3. The configuration shown in the exhibit has the session-init value, which means every session that enters the SRX Series device will generate an event. This statement is correct, so option C is a valid answer.

The session-class parameter is used to assign a priority to the sessions that match the pre-ID default policy. The session-class parameter can have four values: high, medium-high, medium-low, and low. The session-class parameter is useful for managing the resources allocated to the sessions and for applying quality of service (QoS) policies. The session-class parameter is not only used when troubleshooting, but also when optimizing the performance and security of the SRX Series device4. This statement is incorrect, so option A is not a valid answer.

Replacing the session-init parameter with session-lose will not log unidentified flows, but rather log the sessions that are closed due to session timeout or other reasons. This will not help in identifying the source and destination of the unidentified traffic, but rather provide information about the duration and volume of the traffic. This statement is incorrect, so option D is not a valid answer.

References:

• Pre-ID Default Policy Overview
• Configuring Session Timeout Values for Security Policies
• Configuring Logging for Security Policies
• Configuring Session Class for Security Policies

The fab interface is the data link between the nodes of a chassis cluster and is used to forward traffic between the chassis and to synchronize the data plane software’s dynamic runtime state. Real-time objects (RTOs) are exchanged on the fab interface to maintain session synchronization for operations such as authentication, NAT, ALGs, and IPsec. In an active/active configuration, inter-chassis transit traffic is sent over the fab interface, as traffic arriving on a node that needs to be processed on the other or traffic processed on a node that needs to exit through an interface on the other is forwarded over the fabric. The fab interface does not enable configuration synchronization, as this is done by the control link. Heartbeat signals sent on the fab interface monitor the health of the data plane link, not the control plane link. References: Chassis Cluster Fabric Interfaces, HA Chassis cluster, difference between Swfab and Fab

• B: Chassis cluster member devices synchronize configuration using the control link. The control link is used to exchange control messages and configuration information between the two nodes of a chassis cluster1. The primary node pushes the configuration to the secondary node and ensures that both nodes have the same configuration2.
• C: A control link failure causes the secondary cluster node to be disabled. If the control link fails, the primary node cannot communicate with the secondary node and assumes that the secondary node is down1. The primary node then disables the secondary node and takes over all the traffic processing2.
• E: Heartbeat messages verify that the chassis cluster control link is working. The control link also carries heartbeat messages that are exchanged between the two nodes every 500 milliseconds by default1. The heartbeat messages indicate the status and health of the nodes and the control link2.
• A: Chassis cluster control links must be configured using RFC 1918 IP addresses. This is a false statement. The control link can use any IP address range as long as it is not in conflict with other interfaces or routes on the cluster nodes1. RFC 1918 IP addresses are private addresses that are not routable on the Internet4.
• D: Recovery from a control link failure requires that the secondary member device be rebooted. This is also a false statement. Recovery from a control link failure does not require rebooting the secondary node1. The secondary node can rejoin the cluster when the control link is restored and the configuration is synchronized2.

References:

• 1: Configuring Chassis Clustering on SRX Series Devices
• 2: Chassis Cluster User Guide for SRX Series Devices
• 3: Connecting SRX Series Firewalls to Create a Chassis Cluster
• 4: RFC 1918 - Address Allocation for Private Internets

https://supportportal.juniper.net/s/article/SRX-Secondary-node-of-a-Chassis-Cluster-is-in-Disabled-state-how-do-you-find-the-cause

A policy scheduler is a feature that allows you to specify when a security policy is in effect. You can configure a policy scheduler to start at a specific date and time or start on a recurrent basis, such as daily, weekly, or monthly. A policy scheduler determines the time frame that a security policy is actively evaluated and enforced by the SRX Series device2

A policy scheduler can only be applied to security policies that have the action of permit or reject. A policy scheduler cannot be applied to security policies that have the action of deny. A policy scheduler is not related to the policy-rematch feature, which is used to reevaluate existing sessions when a security policy is modified. A policy scheduler cannot be dynamically activated based on traffic flow volumes2 References:

• 1: Juniper Security Specialist (JNCIS-SEC) (JN0-334) | Study Guide 3
• 2: Junos OS Security Configuration Guide | Configuring Policy Schedulers 4

The SRX Series device will drop packets from the infected hosts with a threat level of 8 and no log message will be generated. This is because the security intelligence profile “ATP_Infected-Hosts” has a rule “Rule-1” that matches packets with a threat level of 8 and the action is to block and drop them. There is no log option specified in the action, so no log message will be generated. Options A and B are not correct because the rule only matches packets with a threat level of 8, not 8 or above. Option C is not correct because the action is to drop, not permit, the packets. References: The answer can be verified from Juniper’s official documentation on security intelligence available on their website. Here are some relevant links:

• Security Intelligence Feature Guide for Security Devices
• security-intelligence | Junos OS
• Configure the Security Intelligence Policy on the SRX Series Device