Free Practice Questions for Juniper JN0-636 Exam

The correct action to solve this problem on the SRX device is to refresh the feed in ATP Cloud. This is because the number of IP address entries in the monitoring section of the Juniper ATP Cloud portal does not match the number of entries locally on the SRX Series device. This discrepancy can be caused by a number of factors, such as the SRX device not being properly configured for Adaptive Threat Profiling, or the feed not being properly downloaded from the Juniper ATP Cloud portal. By refreshing the feed in ATP Cloud, the SRX device can synchronize its local feed with the latest feed from the cloud service and ensure that the entries are consistent and accurate. References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-adaptive-threat-profiling-configuring.html

The security trace options configuration shown in the exhibit is committed to your SRX series firewall. The following statements are correct in this scenario:

B. Once the trace has generated 10 log files, older logs will be overwritten. The files option in the traceoptions statement specifies the maximum number of trace files to keep. When a trace file reaches its maximum size, it is renamed with a numeric suffix, such as kmd.0, kmd.1, and so on, until the maximum number of files is reached. Then the oldest trace file is overwritten by the newest one. In this case, the files option is set to 10, which means that the trace will generate 10 log files and then overwrite the older ones1.

D. The file debugger will be readable only by the user who committed this configuration. The file option in the traceoptions statement specifies the name of the trace file and the permissions for the file. The permissions can be either world-readable or owner-readable. In this case, the file option is set to debugger owner-readable, which means that the trace file will be named debugger and will be readable only by the user who committed the configuration1.

The other statements are incorrect because:

A. The file debugger will not be readable by all users, but only by the user who committed this configuration, as explained above.

C. The trace will not halt after generating 10 log files, but will continue to overwrite the older ones, as explained above.

References:

traceoptions (Security)

According to the Juniper documentation, the steps to detect domain generation algorithms (DGA) on an SRX Series firewall are as follows:

Define a security-metadata-streaming policy under [edit services]. A security-metadata-streaming policy is a configuration that enables the SRX Series firewall to collect and stream security metadata, such as DNS queries and responses, to Juniper ATP Cloud for analysis. Juniper ATP Cloud uses machine learning models and known pre-computed DGA domain names to provide domain verdicts, which helps in-line blocking and sinkholing of DNS queries on SRX Series firewalls1. You can define a security-metadata-streaming policy by using the following command:

set services security-metadata-streaming policy

Attach the security-metadata-streaming policy to a security zone. A security zone is a logical grouping of interfaces that have similar security requirements. You can attach the security-metadata-streaming policy to a security zone by using the following command:

set security zones security-zone services security-metadata-streaming policy

The following steps are not required or incorrect:

Define an advanced-anti-malware policy under [edit services]. An advanced-anti-malware policy is a configuration that enables the SRX Series firewall to scan files for malware using Juniper ATP Cloud. It is not related to DGA detection2.

Attach the advanced-anti-malware policy to a security policy. A security policy is a configuration that defines the rules for permitting or denying traffic between security zones. It is not related to DGA detection3.

References: 1: Configuring Security Metadata Streaming 2: Configuring Advanced Anti-Malware Policies 3: Configuring Security Policies

According to the exhibit, which is a security flow trace on an SRX Series device, the following statements are true:

The packet’s destination is to an interface on the SRX Series device. This is indicated by the line packet dropped for self but not interested, which means that the packet is destined to the SRX device itself, but the device does not have the corresponding service configured in the host-inbound-traffic stanza for the interface1.

The packet originated within the Trust zone. This is indicated by the line zone name: Trust, which shows that the packet belongs to the Trust zone. The Trust zone is typically the zone where the internal network is connected to the SRX device2.

The packet is dropped before making an SSH connection. This is indicated by the line flow_first_inline_processing: pak(0x4a9c0d0), which shows that the packet is the first packet in the session and is processed by the firewall. The packet is dropped because it does not match any security policy or host-inbound-traffic rule1. The packet is trying to make an SSH connection, which uses TCP port 22, as shown by the line source port: 22.

The following statements are false:

The packet’s destination is to a server in the DMZ zone. There is no indication of the DMZ zone in the trace output. The DMZ zone is typically the zone where the external servers are connected to the SRX device2.

The packet is allowed to make an SSH connection. The packet is not allowed to make an SSH connection, as explained above.

References: 1: SRX Getting Started - Troubleshoot Security Policy 2: SRX Getting Started - Configure Security Zones

https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/policy-based-vpn-using-j-series-srxseries-device-configuring.html

https://www.juniper.net/us/en/local/pdf/app-notes/3500202-en.pdf

The SRX Series device in transparent mode uses packet flooding to learn about unknown devices in a network. Packet flooding is a process wherein the device sends out packets to every device it knows about or suspects in the network. When the packets are returned, the device can identify and classify the unknown devices in the network.

The two types of source NAT translations that are supported in this scenario are translation of IPv4 hosts to IPv6 hosts with or without port address translation, and translation of one IPv6 subnet to another IPv6 subnet without port address translation. These are the types of source NAT translations that are supported by the Junos OS for IPv6 NAT. Translation of IPv4 hosts to IPv6 hosts allows IPv4-only hosts to communicate with IPv6-only hosts by changing the source IPv4 address to a corresponding IPv6 address. Port address translation can be optionally enabled to conserve IPv6 addresses by using different port numbers for different sessions. Translation of one IPv6 subnet to another IPv6 subnet allows IPv6 hosts to use a different IPv6 address range for outbound traffic, such as for security or policy reasons. Port address translation is not supported for this type of translation, as IPv6 addresses are abundant and do not need to be conserved. References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/concept/security-nat-ipv6-overview.html

The packet is silently discarded because the traceoptions output shows that the packet is dropped with the flag flow_spu_drop, which indicates that the packet is dropped by the SPU without sending any response to the sender. The traceoptions output also shows the reason for the drop as “no session found, start first path. in_tunnel - 0, from_cp_flag - 0” which means that the packet does not match any existing session and is not part of a tunnel or a control plane traffic1.

The packet is part of a new session because the traceoptions output shows that the packet is the first packet of a TCP connection with the flag flow_tcp_syn, which indicates that the packet has the SYN flag set. The traceoptions output also shows that the packet is processed in the first path packet flow with the message “no session found, start first path” which means that the packet is initiating a new session1.

References:

traceoptions (Security Flow) | Junos OS | Juniper Networks

[SRX] How to interpret Flow TraceOptions output for NAT troubleshooting