Free Juniper JN0-636 Practice Exam with Questions & Answers

Referring to the exhibit, your company’s infrastructure team implemented new printers. To make sure that the policy enforcer pushes the updated IP address list to the SRX, you need to perform the following actions:

• A. Configure the server feed URL as http://172.25.10.254/myprinters. The server feed URL is the address of the remote server that provides the custom feed data. You need to configure the server feed URL to match the location of the file that contains the IP addresses of the new printers. In this case, the file name is myprinters and the server IP address is 172.25.10.254, so the server feed URL should be http://172.25.10.254/myprinters1.
• B. Create a security policy that uses the dynamic address feed to allow access. A security policy is a rule that defines the action to be taken for the traffic that matches the specified criteria, such as source and destination addresses, zones, protocols, ports, and applications. You need to create a security policy that uses the dynamic address feed as the source or destination address to allow access to the new printers. A dynamic address feed is a custom feed that contains a group of IP addresses that can be entered manually or imported from external sources. The dynamic address feed can be used in security policies to either deny or allow traffic based on either source or destination IP criteria2.
• C. Configure Security Director to create a dynamic address feed. Security Director is a Junos Space application that enables you to create and manage security policies and objects. You need to configure Security Director to create a dynamic address feed that contains the IP addresses of the new printers. You can create a dynamic address feed by using the local file or the remote file server option. In this case, you should use the remote file server option and specify the server feed URL as http://172.25.10.254/myprinters3.

The other options are incorrect because:

• D. Configuring Security Director to create a C&C feed is not required to complete the requirement. A C&C feed is a security intelligence feed that contains the IP addresses of servers that are used by malware or attackers to communicate with infected hosts. The C&C feed is not related to the new printers or the dynamic address feed.
• E. Configuring the server feed URL as https://172.25.10.254/myprinters is not required to complete the requirement. The server feed URL can use either the HTTP or the HTTPS protocol, depending on the configuration of the remote server. In this case, the exhibit shows that the remote server is using the HTTP protocol, so the server feed URL should use the same protocol1.

References:

• Configuring the Server Feed URL
• Dynamic Address Overview
• Creating Custom Feeds
• [Command and Control Feed Overview]

The solution to this problem is to enable address persistence. This will ensure that the same external IP address is used for multiple sessions between an internal host and an external host. This will result in only one authentication being required, as the same external IP address will be used for all sessions.

The result of adding the count action to a security policy can be seen in the show security policies detail command output. The count action is a feature that allows you to enable statistics collection for sessions that enter the device for a given policy, and for the number of packets and bytes that pass through the device in both directions for a given policy. The count action can help you to monitor the traffic that matches a security policy and to troubleshoot security policy issues. The show security policies detail command displays the detailed information about the security policies configured on the device, including the count statistics. The output shows the number of packets and bytes that have been processed by the policy in both directions, as well as the number of sessions that have been created by the policy. You can use this command to verify that the count action is working as expected and to see the traffic volume and session count for each policy. References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-security-policies-detail.html https://www.juniper.net/documentation/en_US/junos/topics/concept/security-policy-count-overview.html

The SRX Series device in transparent mode uses packet flooding to learn about unknown devices in a network. Packet flooding is a process wherein the device sends out packets to every device it knows about or suspects in the network. When the packets are returned, the device can identify and classify the unknown devices in the network.

Source NAT is a type of NAT that is used to translate the source IP address and port number of a packet. This is typically used to allow multiple devices on a private network to access the internet using a single public IP address. In the exhibit, we can see that the source IP address and port number of the packet are being translated from 10.10.10.2/61606 to 203.0.113.100/179. This is a clear indication that Source NAT is being performed. References:

• Network Address Translation Feature Guide
• SRX NAT with Illustrated Examples

Referring to the exhibit, the following statements are correct:

• B. All of the entries are command and control entries. Command and control entries are dynamic addresses that represent the IP addresses of servers that are used by malware to communicate with infected hosts. The SRX Series device can block or log the traffic to or from these IP addresses based on the security policies. The exhibit shows that all of the entries have the category DC/1, which stands for command and control1.
• C. All of the entries are Dshield entries. Dshield is a feed source that provides a list of IP addresses that are associated with malicious activities, such as scanning, spamming, or attacking. The SRX Series device can download the Dshield feed and use it to populate the dynamic address entries. The exhibit shows that all of the entries have the feed dshield, which indicates that they are from the Dshield feed source2.

The other statements are incorrect because:

• A. All of the entries are not a threat level 8, but a threat level 10. The threat level is a numeric value that indicates the severity of the threat associated with a dynamic address entry. The higher the threat level, the more dangerous the threat. The SRX Series device can use the threat level to prioritize the actions for the dynamic address entries. The exhibit shows that all of the entries have the cc CN, which stands for country code China. According to the Juniper documentation, the country code China has a threat level of 10, which is the highest.
• D. All of the entries are not a threat level 10, but they are. See the explanation for option A.

References:

• Understanding Dynamic Address Categories
• Understanding Dynamic Address Feed Sources
• [Understanding Dynamic Address Threat Levels]

In IPsec CoS-based VPNs, the number of IPsec Security Associations (SAs) associated with a peer is based on the number of forwarding classes configured for the VPN. The forwarding classes are used to classify and prioritize different types of traffic, such as voice and data traffic. Each forwarding class requires a separate IPsec SA to be established between the peers, in order to provide the appropriate level of security and quality of service for each type of traffic.

According to the Juniper documentation, the local identity for an IPsec VPN tunnel must match the remote identity of the peer device. The local identity can be configured as an IP address, a hostname, a distinguished name, or an advpn identifier. The advpn identifier is used for dynamic VPNs that support multiple remote endpoints. In the exhibit, the corporate device has the local identity configured as inet advpn, which means it expects the branch1 device to have the same remote identity. However, the branch1 device has the local identity configured as inet, which does not match the corporate device’s remote identity. Therefore, the IKE negotiation fails and the IPsec tunnel is not established. To solve this problem, the local identity on the branch1 device should be changed to inet advpn, so that it matches the corporate device’s remote identity. References: [Configuring an IKE Gateway] 1, [Configuring Local and Remote Identities] 2

1: https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/task/configuration/security-ike-gateway-configuring.html  2: https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-ipsec-vpn-identities.html

 You are connecting two remote sites to your corporate headquarters site. You must ensure that traffic passes through the corporate headquarters. In this scenario, the VPN that should be used is:

• D. Hub-and-spoke IPsec VPN with the corporate firewall acting as the hub device. A hub-and-spoke IPsec VPN is a type of VPN that connects multiple remote sites to a central site, or hub, over a public network. The hub site acts as a gateway for the remote sites and provides security and routing services. The remote sites, or spokes, communicate with each other through the hub site. The hub site and the spoke sites use IPsec tunnels to encrypt and authenticate the traffic between them. A hub-and-spoke IPsec VPN is suitable for connecting two remote sites to your corporate headquarters site, because it allows you to control the traffic flow and enforce security policies at the hub site. The corporate firewall can act as the hub device and provide IPsec VPN services to the remote sites1.

The other options are incorrect because:

• A. Full mesh IPsec VPNs with tunnels between all sites. A full mesh IPsec VPN is a type of VPN that connects every site to every other site over a public network. Each site has an IPsec tunnel with every other site, forming a mesh topology. A full mesh IPsec VPN provides direct and secure communication between any pair of sites, but it also requires a large number of IPsec tunnels and complex configuration. A full mesh IPsec VPN is not suitable for connecting two remote sites to your corporate headquarters site, because it does not ensure that traffic passes through the corporate headquarters site, and it may introduce unnecessary overhead and complexity2.
• B. A full mesh Layer 3 VPN with the BGP route reflector behind the corporate firewall device. A full mesh Layer 3 VPN is a type of VPN that uses MPLS and BGP to provide Layer 3 connectivity and routing between multiple sites over a service provider’s network. Each site has a BGP session with every other site, forming a full mesh topology. A BGP route reflector is a device that reduces the number of BGP sessions required in a full mesh topology by reflecting routes between its clients. A full mesh Layer 3 VPN with the BGP route reflector behind the corporate firewall device is not suitable for connecting two remote sites to your corporate headquarters site, because it does not ensure that traffic passes through the corporate firewall device, and it may require additional configuration and coordination with the service provider3.
• C. A Layer 3 VPN with the corporate firewall acting as the hub device. A Layer 3 VPN is a type of VPN that uses MPLS and BGP to provide Layer 3 connectivity and routing between multiple sites over a service provider’s network. A Layer 3 VPN can have different topologies, such as full mesh, hub-and-spoke, or partial mesh. A Layer 3 VPN with the corporate firewall acting as the hub device is not suitable for connecting two remote sites to your corporate headquarters site, because the corporate firewall may not support MPLS and BGP, and it may require additional configuration and coordination with the service provider3.

References:

• Hub-and-Spoke VPNs Overview
• Full Mesh VPNs Overview
• Layer 3 VPNs Overview