Security, Specialist (JNCIS-SEC) Questions and Answers
Which two services would an SRX Series device use to connect to an LDAP server for identity-aware security policies? (Choose two.)
Options:
A. Active Directory
B. TACACS+
C. RADIUS
D. JIMS
Answer: A, D
Explanation:
The correct answers are A and D. For identity-aware security policies, Junos can obtain user identity information from supported identity sources such as Active Directory and Juniper Identity Management Service (JIMS). Active Directory is the direct identity-source option where the SRX integrates with Microsoft Windows Active Directory and uses directory information for user and group mapping. Juniper’s identity-aware firewall documentation states that the firewall obtains user information from identity sources including Active Directory and JIMS, and then uses that identity data in policy decisions.
JIMS is also correct because it centralizes identity collection and provides SRX enforcement points with user, device, IP address, and group-mapping information. Juniper describes JIMS as providing SRX firewalls with high-scale identity data so they can make user-firewall policy decisions. Option B, TACACS+, is wrong because TACACS+ is primarily an administrative authentication, authorization, and accounting protocol, not the LDAP identity-source service used for identity-aware firewall mappings. Option C, RADIUS, is also wrong in this context because RADIUS can authenticate users, but it is not the LDAP directory integration service being tested here. Reference topics: Identity-Aware Firewall, Active Directory identity source, JIMS, LDAP user/group mapping, SRX authentication table.
You are asked to configure a cluster between SRX1 and SRX2.
Which two commands must be used to accomplish this task? (Choose two.)
Options:
A. user@SRX2# set chassis cluster cluster-id 0 node 1
B. user@SRX1 > set chassis cluster cluster-id 1 node 0
C. user@SRX2 > set chassis cluster cluster-id 1 node 1
D. user@SRX1# set chassis cluster cluster-id 0 node 2
Answer: B, C
Explanation:
The correct answers are B and C. To form an SRX chassis cluster, both devices must be assigned the same cluster ID and different node IDs. Juniper states that the cluster ID identifies the cluster, while the node ID identifies the individual node within that cluster. A valid two-node SRX chassis cluster uses node 0 on one chassis and node 1 on the other chassis. Juniper’s example shows the operational-mode commands as set chassis cluster cluster-id 1 node 0 reboot on the first device and set chassis cluster cluster-id 1 node 1 reboot on the second device.
Option A is wrong because cluster-id 0 disables clustering rather than forming a cluster. It also shows configuration-mode prompt #, while this chassis cluster node assignment is performed from operational mode. Option D is doubly wrong: cluster-id 0 disables clustering, and node 2 is invalid because SRX chassis cluster node IDs are limited to 0 and 1. The exam options omit the reboot keyword, but the only logically valid pair is still SRX1 as node 0 and SRX2 as node 1 under the same nonzero cluster ID. Reference topics: HA Clustering, chassis cluster ID, node ID, operational-mode cluster enablement.
You want to configure the SSL proxy feature on your SRX Series Firewall.
Which two actions must you perform to accomplish this task? (Choose two.)
Options:
A. Enable the SSL ALG.
B. Create an SSL proxy profile.
C. Create an SSL application object.
D. Associate an SSL proxy profile with a security policy.
Answer: B, D
Explanation:
The correct answers are B and D. On SRX Series Firewalls, SSL proxy is configured by creating an SSL proxy profile and then applying that profile to the relevant security policy as an application service. Juniper’s SSL proxy configuration overview lists the required workflow: configure certificates and CA profile material, configure the SSL proxy profile, create a security policy matching the traffic to be inspected, and apply the SSL proxy profile to that security policy. Juniper further states that SSL proxy is enabled as an application service within a security policy, where the policy match criteria identify the traffic and the SSL proxy profile is applied to that traffic.
Option A is wrong because enabling the SSL ALG is not the required control point for SSL proxy. SSL proxy is a decryption/inspection service applied through policy, not simply an ALG toggle. Option C is wrong because creating a separate SSL application object is not the mandatory SSL proxy configuration action. The policy can match the desired traffic and then invoke SSL proxy through then permit application-services ssl-proxy profile-name. Juniper’s example explicitly shows applying the SSL proxy profile under the security policy action.
Reference topics: SSL Proxy, SSL forward proxy, SSL proxy profiles, security policy application-services, encrypted traffic inspection.
Your manager asks you to update your SRX Series device’s IDP security package. You perform the required steps; however, when you attempt to install the package, you receive an error.
Referring to the exhibit, which two statements are correct about this error? (Choose two.)
Options:
A. IDP stops inspecting traffic.
B. The IDP license has expired.
C. IDP continues to inspect traffic only using the installed signatures.
D. The IDP license is missing/not installed.
Answer: B, C
Explanation:
The correct answers are B and C. The exhibit shows the command request security idp security-package install failing with: “Security package installation disabled temporarily due to invalid license.” In the IDP update workflow, the SRX must have a valid IDP/AppSecure-related license to install updated security packages. Juniper’s support guidance for an expired IDP license states that if the IDP license expires, attacks continue to be inspected, but IDP update installation is not allowed. That maps directly to this exhibit: the existing IDP engine and currently installed attack database can continue to inspect traffic, but the device cannot install the newer downloaded package until licensing is corrected.
Option A is wrong because expiration does not immediately stop all IDP inspection; it prevents installing new updates. Option D is not the best answer because the specific operational behavior shown is consistent with an invalid/expired license condition after attempting a package install, not proof that no license was ever installed. The practical remediation is to validate the installed license, renew or reinstall the correct IDP license, then retry the security-package installation. Reference topics: IDP licensing, security-package download/install, attack database updates, installed signature inspection behavior.
Which protocol does the SRX Series Firewall use to communicate with a Windows domain controller?
Options:
A. SSH
B. LDAP
C. DNS
D. NETCONF
Answer: B
Explanation:
The correct answer is B. LDAP. In Juniper identity-aware firewall deployments, the SRX Series Firewall integrates with Microsoft Active Directory so that user and group information can be used in security policy decisions. Juniper’s Active Directory identity-source documentation states that the LDAP protocol helps identify the groups to which users belong, and that username and group information are queried from the LDAP service running on the Active Directory domain controller. It also explains that the device uses Lightweight Directory Access Protocol to obtain user and group information required for Active Directory identity-source operation.
Option A, SSH, is wrong because SSH is a device management protocol, not the protocol SRX uses to query Active Directory user/group membership. Option C, DNS, is wrong because DNS can resolve names but does not provide Active Directory group mapping to the firewall. Option D, NETCONF, is wrong because NETCONF is used for network device configuration and automation, not Windows domain-controller identity queries. In a complete identity-aware firewall workflow, SRX may also use WMI/DCOM-related mechanisms to read Windows event-log data, but among the available protocol choices, LDAP is the correct answer because it is the directory protocol used to query user and group information. Reference topics: Active Directory identity source, LDAP, domain controller communication, user and group mapping.
You work on the security operations team that manages firewalls only. In your data center, there are two SRX chassis clusters. These clusters operate on VLAN 1042. The network team advises you that they see the same MAC address coming from both chassis clusters for reth0.
Why is this occurring?
Options:
A. The same cluster ID was used on both clusters.
B. RGO is active on both node0 and node1 due to split-brain.
C. Chassis clusters must be on separate VLANs.
D. Link Aggregation Control Protocol is not synchronized.
Answer: A
Explanation:
The correct answer is A. The same cluster ID was used on both clusters. In an SRX chassis cluster, a redundant Ethernet interface, or reth, uses a cluster-derived virtual MAC address. When two separate chassis clusters are placed in the same Layer 2 domain and use the same cluster ID, their corresponding reth interfaces can generate the same virtual MAC address. That is exactly why the network team sees the same MAC address for reth0 from both clusters on VLAN 1042. Juniper community guidance states bluntly that the reth interface MAC address is derived from the cluster ID and that two clusters using the same ID produce identical MAC addresses.
Option B is wrong because split-brain would describe both nodes inside the same cluster thinking they are primary, not two separate chassis clusters producing the same reth MAC address. Option C is wrong because multiple SRX clusters can exist on the same VLAN if their cluster IDs are unique. Option D is wrong because LACP synchronization affects bundled link operation, not the generation of the reth virtual MAC address. The correction is to assign unique cluster IDs to clusters sharing the same Layer 2 segment. Reference topics: HA Clustering, chassis cluster ID, reth virtual MAC address, duplicate MAC prevention, Layer 2 cluster design.
You have configured a new site-to-site VPN tunnel. The exhibit shows the security IPsec statistics output for the specific tunnel index from one of the tunnel-end devices.
Which two statements are correct in this scenario? (Choose two.)
Options:
A. AH is incorrectly configured.
B. The far-end tunnel device is rebooting.
C. The ESP configuration is not set up correctly.
D. No traffic passes through this tunnel.
Answer: C, D
Explanation:
The correct answers are C and D. The exhibit shows ESP encrypted bytes = 0, ESP decrypted bytes = 0, encrypted packets = 0, and decrypted packets = 0. That means no traffic is successfully passing through the IPsec tunnel. Juniper’s show security ipsec statistics command displays ESP encrypted/decrypted packet and byte counters, so zero values on these counters indicate that the tunnel is not successfully carrying protected ESP traffic.
Option C is also correct because the output shows ESP authentication failures and ESP decryption failures. Since ESP is the IPsec protocol responsible for encrypted payload handling, failures in ESP authentication/decryption point to an ESP/IPsec Phase 2 mismatch or incorrect configuration, such as mismatched authentication algorithm, encryption algorithm, keys, proposal parameters, or incompatible negotiated SA settings. Juniper’s IPsec overview explains that Phase 2 negotiates the IPsec SA used to authenticate traffic flowing through the tunnel, so ESP-related failures belong to the IPsec/ESP configuration path rather than AH.
Option A is wrong because the AH counters and AH authentication failures are zero; the evidence is not pointing to AH. Option B is unsupported because the output does not show peer reboot behavior. Reference topics: IPsec VPN, ESP statistics, Phase 2/IPsec SA negotiation, ESP authentication failures, ESP decryption failures.
Which IDP action is also referred to as a silent discard?
Options:
A. no action
B. close client and server
C. ignore connection
D. drop packet
Answer: D
Explanation:
The correct answer is D. drop packet. In IDP terminology, a silent discard means the offending packet is discarded without sending reset packets or other connection-closing signals back to the endpoints. Juniper defines the Drop Packet IDP action as dropping a matching packet before it reaches its destination while not closing the connection. That is the closest and correct IDP action for “silent discard” in the listed choices.
Option A, no action, is wrong because it does not discard anything; Juniper describes No Action as taking no enforcement action, typically used when the administrator only wants logging. Option B, close client and server, is wrong because that action actively closes the session by sending TCP RST packets to both sides, which is explicitly not silent. Option C, ignore connection, is wrong because it stops further IDP scanning for the rest of the connection; it does not discard the packet. Juniper distinguishes these actions clearly: drop packet discards the offending packet, drop connection blocks the whole connection, and close actions send reset packets. Reference topics: IDP actions, drop packet, close client and server, ignore connection, silent discard behavior.
You want to include a custom attack object named Custom-FTP-Attack and set the action to drop the packet.
Referring to the exhibit, which modifications would you make?
Options:
A. Add custom-attack Custom-FTP-Attack to the attacks section and change the action to close-client.
B. Add custom-attack Custom-FTP-Attack to the attacks section and change the action to drop-packet.
C. Add custom-attack Custom-FTP-Attack to the action section and change the action to drop-packet.
D. Add custom-attack Custom-FTP-Attack to the notification section and change the action to drop-packet.
Answer: B
Explanation:
The correct answer is B. Add custom-attack Custom-FTP-Attack to the attacks section and change the action to drop-packet. In the exhibit, the IDP rule is built under rulebase-ips with a match block and a then block. Attack objects belong inside the match attacks hierarchy because they define what malicious pattern the IDP rule is trying to detect. Juniper’s IDP documentation states that attack objects are specified in rules to identify malicious activity and that the rule’s attack objects/groups are the attacks the device matches in monitored traffic.
The enforcement behavior belongs in the then action hierarchy. The current rule uses close-client; to meet the requirement, it must be changed to drop-packet. Juniper defines Drop Packet as an IDP action that drops a matching packet before it reaches its destination without closing the connection. Option A keeps the wrong action. Option C is structurally wrong because a custom attack object is not configured under the action section. Option D is also wrong because the notification section controls logging/alert behavior, not attack matching. Reference topics: IDP rulebase, custom attack objects, match attacks hierarchy, IDP actions, drop-packet behavior.
Which two statements about proxy IDs are correct? (Choose two.)
Options:
A. Proxy IDs cannot override default Junos behavior.
B. By default, for a route-based IPsec VPN, a Junos security device sets the proxy ID to 0.0.0.0/0.
C. Proxy IDs must match on both peers for a Phase 2 tunnel to establish.
D. Proxy IDs are created during IKE Phase 1.
Answer: B, C
Explanation:
The correct answers are B and C. In Junos route-based IPsec VPNs, the default proxy ID is broad: local 0.0.0.0/0, remote 0.0.0.0/0, and service any. This default behavior allows routed traffic entering the secure tunnel interface to determine what is protected by the VPN rather than requiring a narrow policy-based encryption domain. Juniper’s IPsec VPN configuration guidance also states that proxy IDs are used in Phase 2 negotiations, and that a proxy ID mismatch is one of the common causes of Phase 2 failure. For interoperability with some third-party VPN peers, Juniper notes that proxy IDs may need to be manually configured to match the peer.
Option A is wrong because proxy IDs can override default route-based behavior when manually configured, especially when a peer requires specific local and remote protected subnets. Option D is wrong because proxy IDs are not created during IKE Phase 1. Phase 1 builds the secure IKE channel; proxy IDs belong to Phase 2/IPsec SA negotiation, where the peers agree on traffic selectors for encrypted traffic. Reference topics: IPsec VPN, route-based VPNs, proxy IDs, Phase 2 negotiation, traffic selectors, third-party VPN interoperability.
You are asked to onboard an SRX Series device to Junos Space Security Director, but it is not working.
In this scenario, what are three areas that should be reviewed? (Choose three.)
Options:
A. chassis serial number
B. SSH port number
C. active security policies
D. authentication credentials
E. IP address
Answer: B, D, E
Explanation:
The correct answers are B, D, and E. Security Director device onboarding depends on management reachability and valid administrative access. Juniper’s device discovery documentation states that Junos Space discovers network devices using SSH, with optional ping and SNMP, and connects to the physical device to retrieve running configuration and status information. It also explains that device authentication uses administrator login credentials, SSH credentials, SNMP settings, or keys depending on the discovery method.
Option E is required because Security Director must target a reachable management IP address or hostname. Juniper’s discovery-profile workflow explicitly uses the target IP address, hostname, IP range, or subnet to locate devices. Option D is required because invalid username/password or insufficient privileges prevent discovery and management; Juniper’s device-management guidance identifies credentials as required input for discovering devices. Option B is required because onboarding uses SSH, so the correct SSH service and port must be reachable. Juniper’s device access procedure explicitly includes a Port field for the SSH connection.
Option A is wrong because chassis serial number is not the normal troubleshooting field for Security Director discovery. Option C is wrong because active security policies do not determine whether Security Director can initially discover and onboard the device. Reference topics: Security Director, device discovery, SSH access, management IP reachability, authentication credentials.
Referring to the exhibit, what should you do to ensure that Juniper ATP Cloud detects malware in HTTPS traffic?
Options:
A. Manually configure and apply an SSL proxy profile.
B. Lower the threat score.
C. Configure a new device profile that includes encrypted traffic.
D. Change the action to redirect the encrypted traffic to a decryption device.
Answer: A
Explanation:
The correct answer is A. Manually configure and apply an SSL proxy profile. HTTPS traffic is encrypted, so ATP Cloud cannot extract and submit downloaded files for malware analysis unless the SRX can decrypt the SSL/TLS session first. Juniper’s ATP Cloud documentation states that to detect malware in HTTPS traffic, you must configure the SSL inspection CA used for SSL forward proxy, and the ATP Cloud policy workflow specifically includes configuring an SSL proxy profile to inspect HTTPS traffic. Juniper’s example shows the SSL proxy profile being created with a root CA and then applied so HTTPS sessions can be inspected before advanced anti-malware processing occurs.
Option B is wrong because lowering the threat score only changes the enforcement threshold after a file verdict is returned; it does not solve the inability to inspect encrypted payloads. Option C is wrong because changing the ATP device profile alone does not decrypt HTTPS traffic. The exhibit already shows a malware profile and HTTP file-download configuration, but HTTPS malware detection still requires SSL proxy. Option D is wrong because Junos ATP Cloud integration does not require redirecting encrypted traffic to a separate decryption appliance for this task. The SRX performs SSL forward proxy locally, then advanced anti-malware can inspect extracted content. Reference topics: ATP Cloud, HTTPS malware inspection, SSL forward proxy, SSL inspection CA, advanced anti-malware policy.
Which two statements are correct about IDP policy templates? (Choose two.)
Options:
A. They are provided by Juniper Networks.
B. They are not customizable.
C. They are available on a “factory-default config.”
D. They must be installed.
Answer: A, D
Explanation:
The correct answers are A and D. Juniper provides predefined IDP policy templates to simplify IDP deployment. These templates are supplied by Juniper Networks and include common templates such as client protection, server protection, DMZ services, DNS server, file server, web server, IDP default, and recommended policies. Juniper’s IDP documentation states that predefined templates are available from a secured Juniper Networks website, and the listed templates are explicitly described as being provided by Juniper Networks.
Option D is correct because these templates are not automatically present as usable policies in a factory-default SRX configuration. Juniper’s procedure says that to use predefined IDP policy templates, you download the policy templates and then install them. The CLI process includes request security idp security-package download policy-templates followed by request security idp security-package install policy-templates; committing then makes them available under the IDP policy hierarchy.
Option B is wrong because Juniper specifically says you should customize these templates for your network and recommends using a copied template so you can safely make changes. Option C is wrong because they must be downloaded and installed, so they are not simply available in the factory-default configuration. Reference topics: IDP, predefined IDP policy templates, security-package download, security-package install, active IDP policy.
Which two statements are correct about cluster components? (Choose two.)
Options:
A. Cluster ID values range from 1 through 255.
B. Node ID values are either 0 or 1.
C. Cluster ID values are either 0 or 1.
D. Node ID values range from 1 through 255.
Answer: A, B
Explanation:
The correct answers are A and B. In an SRX chassis cluster, the cluster ID identifies the chassis cluster itself, while the node ID identifies the individual SRX device inside that two-node cluster. Juniper states that a cluster is identified by a cluster-id value from 1 through 255, and that setting the cluster ID to 0 is equivalent to disabling clustering. Therefore, option A is correct and option C is wrong.
Option B is also correct because Juniper states that a cluster node is identified by a node ID specified as a number from 0 through 1. A normal SRX chassis cluster has two nodes: node0 and node1. The two devices must use the same nonzero cluster ID so they belong to the same cluster, but each device must use a different node ID so Junos can apply node-specific configuration, interface numbering, redundancy-group ownership, and management settings correctly. Option D is wrong because node IDs do not range from 1 through 255; that range applies to cluster IDs, not node IDs. Reference topics: HA Clustering, cluster ID, node ID, chassis cluster formation, node0/node1 identification.
Which action will the SRX Series device take if traffic matches the custom attack object shown in the exhibit?
Options:
A. The action taken is defined in the IDP policy that includes this attack object.
B. The action taken is defined by the security policy.
C. The SRX Series device will reject the traffic.
D. The SRX Series device will drop the traffic.
Answer: A
Explanation:
The correct answer is A. The action taken is defined in the IDP policy that includes this attack object. The exhibit defines a custom attack object named BGP-DEFEND under the security idp custom-attack hierarchy. The custom object includes metadata such as recommended-action drop, severity critical, and signature match conditions such as BGP update AS-path context and pattern 65501. However, an attack object by itself does not determine the final enforcement behavior. The attack object defines what to match; the IDP policy rule that references the object defines what action to take when that match occurs. Juniper describes attack objects as objects used inside IDP rules to identify malicious activity, while IDP rules include rule actions such as drop-packet, drop-connection, close-client, close-server, recommended, and others.
Option B is wrong because the firewall security policy enables IDP inspection by applying an IDP policy, but the IDP action is not selected directly by the normal security policy. Options C and D are too absolute. Even though the custom object shows recommended-action drop, that is only used if the IDP rule action invokes recommended behavior. Without seeing the IDP policy rule action, you cannot conclude reject or drop. Reference topics: IDP custom attack objects, IDP policy rule actions, recommended action, signature-based attack matching.
Which two statements about PC probes sent by the JIMS server are correct? (Choose two.)
Options:
A. PC probes are triggered only when there is no IP-to-username mapping present in the event log.
B. PC probes are sent by the JIMS server to domain PCs every 30 seconds.
C. PC probes are sent by the JIMS server to domain PCs every 60 seconds.
D. If a probe is successful, the authentication entry is updated on the JIMS server and pushed to the SRX.
Answer: A, D
Explanation:
The correct answers are A and D. Juniper documentation describes domain PC probing as a supplement to event-log reading. When a user logs in to the domain, the domain controller event log normally provides the user-to-IP mapping. If that IP address-to-username mapping is not available from the event log, JIMS initiates a domain PC probe to the endpoint to obtain the active username and domain. JIMS can also use probes to determine a device’s status after the logged-in state expires, so the operational idea is not blind periodic probing; it is used to resolve or validate identity state when normal event-log information is missing or stale.
Option D is correct because the result of identity collection is reported back to SRX Series devices. JIMS generates reports containing IP address, username, and group relationship information, keeps a list of reports communicated to SRX devices, and sends those reports so SRX devices can create authentication-table entries for identity-aware policy enforcement. Options B and C are wrong because the tested PC-probe behavior is not “every 30 seconds” or “every 60 seconds.” Those values confuse PC probing with other timers or query intervals. Reference topics: JIMS, domain PC probing, event-log identity mapping, SRX authentication table, identity-aware security policies.
What are two ways to help reduce false positives for an IDP rule? (Choose two.)
Options:
A. Change the rule to a lower severity action.
B. Remove the attack object from the rule.
C. Create an exempt rule.
D. Configure a terminal rule at the end of the rule base.
Answer: B, C
Explanation:
The correct answers are B and C. IDP false positives occur when legitimate traffic matches an attack signature or attack object incorrectly. One valid way to reduce false positives is to remove the problematic attack object from the IDP rule, especially when that object is not relevant to the protected application, server role, or traffic direction. Juniper defines attack objects as the items specified in IDP rules to identify malicious activity, so removing an irrelevant or noisy attack object directly reduces unwanted matches.
Option C is also correct because Juniper specifically recommends using an exempt rulebase when an IDP rule uses an attack object group containing attack objects that produce false positives or irrelevant log records. Exempt rules can exclude a specific source, destination, or source/destination pair from matching an IDP rule, preventing unnecessary alarms.
Option A is wrong because changing the action to a lower severity response does not reduce the false positive; it only changes what happens after the false match occurs. Option D is wrong because a terminal rule at the end of the rule base does not prevent earlier false-positive matches. Reference topics: IDP, attack objects, exempt rulebase, false-positive tuning, IDP rule matching.
Using Junos Space Security Director, you want to configure a unique firewall policy for a specific SRX Series device.
Which firewall policy rules would satisfy the requirement?
Options:
A. all devices policy prerules
B. group policy prerules
C. device policy rules
D. all devices policy postrules
Answer: C
Explanation:
The correct answer is C. device policy rules. In Junos Space Security Director, policy scope matters. A rule intended for one specific SRX Series device must be placed in a device policy, because Juniper defines a device policy as a firewall policy created per device and used when you want to push a unique firewall policy configuration per device. Security Director also distinguishes this from group policies, which are shared with multiple devices, and from all-devices policy rules, which are global in scope rather than device-specific.
Option A is wrong because all-devices prerules are global rules evaluated before device-specific rules; they are not intended for a unique single-device exception. Option B is wrong because group policy prerules apply to devices within a group, not to one individually targeted SRX firewall. Option D is wrong because all-devices postrules are still globally scoped, even though they occur later in policy order. The clean Security Director design is to use device policy rules when the policy must apply only to one SRX device. Reference topics: Security Director, firewall policy hierarchy, device policy, group policy, all-devices prerules/postrules.
Which two statements are correct about Juniper Secure Connect? (Choose two.)
Options:
A. Juniper Secure Connect uses a policy-based VPN.
B. Juniper Secure Connect can use a self-signed certificate.
C. Juniper Secure Connect uses a route-based VPN.
D. Juniper Secure Connect cannot use a self-signed certificate.
Answer: B, C
Explanation:
The correct answers are B and C. Juniper Secure Connect uses route-based VPN connectivity, not policy-based VPN connectivity. Juniper’s Secure Connect user guide contrasts Dynamic VPN and Juniper Secure Connect and identifies Juniper Secure Connect as using route-based VPN connectivity, with a tunnel interface selected or created to bind the VPN. This is why SRX configurations for Juniper Secure Connect use an st0 tunnel interface and routing/security policy logic, rather than policy-based encryption tied directly to individual firewall policies.
Option B is also correct because Juniper Secure Connect can use a self-signed certificate. Juniper’s certificate deployment guidance states that before deploying Juniper Secure Connect, the SRX should use an appropriate certificate, which can be a signed certificate, a self-signed certificate, or a Let’s Encrypt-signed certificate. The documentation also shows generating a self-signed certificate and binding it to the SRX for Secure Connect use.
Option A is wrong because policy-based VPN describes older Dynamic VPN behavior, not Juniper Secure Connect. Option D is directly contradicted by Juniper’s certificate guidance. Reference topics: Juniper Secure Connect, route-based VPN, st0 tunnel interface, certificate deployment, self-signed certificate support.