JN0-336 Questions and Answers

The correct answer is B. Add custom-attack Custom-FTP-Attack to the attacks section and change the action to drop-packet. In the exhibit, the IDP rule is built under rulebase-ips with a match block and a then block. Attack objects belong inside the match attacks hierarchy because they define what malicious pattern the IDP rule is trying to detect. Juniper’s IDP documentation states that attack objects are specified in rules to identify malicious activity and that the rule’s attack objects/groups are the attacks the device matches in monitored traffic.

The enforcement behavior belongs in the then action hierarchy. The current rule uses close-client; to meet the requirement, it must be changed to drop-packet. Juniper defines Drop Packet as an IDP action that drops a matching packet before it reaches its destination without closing the connection. Option A keeps the wrong action. Option C is structurally wrong because a custom attack object is not configured under the action section. Option D is also wrong because the notification section controls logging/alert behavior, not attack matching. Reference topics: IDP rulebase, custom attack objects, match attacks hierarchy, IDP actions, drop-packet behavior.

The correct answers are C and D. The exhibit shows ESP encrypted bytes = 0, ESP decrypted bytes = 0, encrypted packets = 0, and decrypted packets = 0. That means no traffic is successfully passing through the IPsec tunnel. Juniper’s show security ipsec statistics command displays ESP encrypted/decrypted packet and byte counters, so zero values on these counters indicate that the tunnel is not successfully carrying protected ESP traffic.

Option C is also correct because the output shows ESP authentication failures and ESP decryption failures. Since ESP is the IPsec protocol responsible for encrypted payload handling, failures in ESP authentication/decryption point to an ESP/IPsec Phase 2 mismatch or incorrect configuration, such as mismatched authentication algorithm, encryption algorithm, keys, proposal parameters, or incompatible negotiated SA settings. Juniper’s IPsec overview explains that Phase 2 negotiates the IPsec SA used to authenticate traffic flowing through the tunnel, so ESP-related failures belong to the IPsec/ESP configuration path rather than AH.

Option A is wrong because the AH counters and AH authentication failures are zero; the evidence is not pointing to AH. Option B is unsupported because the output does not show peer reboot behavior. Reference topics: IPsec VPN, ESP statistics, Phase 2/IPsec SA negotiation, ESP authentication failures, ESP decryption failures.

The correct answer is D. You have too many domain controllers. The exhibit shows 15 Active Directory domain controllers. Juniper’s integrated Active Directory identity-source configuration for SRX identity-aware firewall supports a limited number of domain controllers; Juniper documentation states that an SRX Series device can configure a maximum of 10 domain controllers for Active Directory identity-source integration. Because this environment has 15 domain controllers, the direct Active Directory identity-source method exceeds the supported scale and JIMS must be used instead.

Option A is wrong because SRX devices can use Active Directory directly as an identity source; JIMS is not the only possible method. Option B is wrong because 1,500 users does not exceed the relevant identity-source scale shown here; Juniper documentation also notes probe functionality support well above this number. Option C is wrong because the issue being tested is not the Windows Server version. JIMS is designed for larger identity-aware deployments and can centralize identity collection from Active Directory, domain controllers, Exchange servers, and syslog sources, then provide identity mappings to SRX firewalls. Juniper’s JIMS datasheet shows much higher scale, including up to 100 active directories, 25 domains, and 500,000 user entries. Reference topics: Identity-Aware Security Policies, Active Directory identity source limits, JIMS scalability, domain controller scale limitations.

The correct answers are A, D, and E. In IPsec VPN terminology, DES, 3DES, and AES are encryption algorithms used to provide confidentiality for protected IP traffic. Juniper’s IPsec material identifies AES, DES, and Triple DES/3DES as IPsec encryption standards, while separating them from authentication hash algorithms such as MD5, SHA-1, and SHA-2. This distinction matters heavily in JNCIS-SEC because IPsec proposals contain different cryptographic functions: encryption protects packet confidentiality, while authentication/hash algorithms validate integrity and origin.

Option B, SHA-1, is incorrect because SHA-1 is a hashing/authentication algorithm, not an encryption algorithm. It produces a message digest used for integrity checking and authentication, commonly as an HMAC variant. Option C, MD5, is also incorrect for the same reason: MD5 is a message-digest algorithm used for authentication/integrity, not for encrypting payload data. AES is the modern preferred encryption family because it is cryptographically stronger than DES and 3DES at comparable key strengths, while DES and 3DES remain historically recognized IPsec encryption algorithms. Reference topics: IPsec VPN, IPsec proposals, encryption algorithms, authentication algorithms, DES, 3DES, AES, SHA, and MD5.

The correct answer is A. Manually configure and apply an SSL proxy profile. HTTPS traffic is encrypted, so ATP Cloud cannot extract and submit downloaded files for malware analysis unless the SRX can decrypt the SSL/TLS session first. Juniper’s ATP Cloud documentation states that to detect malware in HTTPS traffic, you must configure the SSL inspection CA used for SSL forward proxy, and the ATP Cloud policy workflow specifically includes configuring an SSL proxy profile to inspect HTTPS traffic. Juniper’s example shows the SSL proxy profile being created with a root CA and then applied so HTTPS sessions can be inspected before advanced anti-malware processing occurs.

Option B is wrong because lowering the threat score only changes the enforcement threshold after a file verdict is returned; it does not solve the inability to inspect encrypted payloads. Option C is wrong because changing the ATP device profile alone does not decrypt HTTPS traffic. The exhibit already shows a malware profile and HTTP file-download configuration, but HTTPS malware detection still requires SSL proxy. Option D is wrong because Junos ATP Cloud integration does not require redirecting encrypted traffic to a separate decryption appliance for this task. The SRX performs SSL forward proxy locally, then advanced anti-malware can inspect extracted content. Reference topics: ATP Cloud, HTTPS malware inspection, SSL forward proxy, SSL inspection CA, advanced anti-malware policy.

The correct answers are B and D. On SRX Series Firewalls, SSL proxy is configured by creating an SSL proxy profile and then applying that profile to the relevant security policy as an application service. Juniper’s SSL proxy configuration overview lists the required workflow: configure certificates and CA profile material, configure the SSL proxy profile, create a security policy matching the traffic to be inspected, and apply the SSL proxy profile to that security policy. Juniper further states that SSL proxy is enabled as an application service within a security policy, where the policy match criteria identify the traffic and the SSL proxy profile is applied to that traffic.

Option A is wrong because enabling the SSL ALG is not the required control point for SSL proxy. SSL proxy is a decryption/inspection service applied through policy, not simply an ALG toggle. Option C is wrong because creating a separate SSL application object is not the mandatory SSL proxy configuration action. The policy can match the desired traffic and then invoke SSL proxy through then permit application-services ssl-proxy profile-name. Juniper’s example explicitly shows applying the SSL proxy profile under the security policy action.

Reference topics: SSL Proxy, SSL forward proxy, SSL proxy profiles, security policy application-services, encrypted traffic inspection.

The correct answers are B and C. The exhibit shows the command request security idp security-package install failing with: “Security package installation disabled temporarily due to invalid license.” In the IDP update workflow, the SRX must have a valid IDP/AppSecure-related license to install updated security packages. Juniper’s support guidance for an expired IDP license states that if the IDP license expires, attacks continue to be inspected, but IDP update installation is not allowed. That maps directly to this exhibit: the existing IDP engine and currently installed attack database can continue to inspect traffic, but the device cannot install the newer downloaded package until licensing is corrected.

Option A is wrong because expiration does not immediately stop all IDP inspection; it prevents installing new updates. Option D is not the best answer because the specific operational behavior shown is consistent with an invalid/expired license condition after attempting a package install, not proof that no license was ever installed. The practical remediation is to validate the installed license, renew or reinstall the correct IDP license, then retry the security-package installation. Reference topics: IDP licensing, security-package download/install, attack database updates, installed signature inspection behavior.

The correct answers are A and C. To use user identity information on an SRX Series Firewall, the firewall must first be able to obtain identity mappings from an identity source or identity provider, such as Active Directory, JIMS, Aruba ClearPass, or another supported identity-aware firewall component. Juniper’s identity-aware firewall documentation states that identity parameters are used to configure security policies so authenticated users receive the correct level of access, and that firewalls can query JIMS, obtain user identity information, and then enforce security policy decisions.

Option A is required because identity-aware enforcement only happens when security policies include user identity match criteria, such as source identity, users, roles, or groups. Juniper’s source-identity policy reference states that source identities are used as match criteria in security policies, and when configured, traffic is matched against authentication-table entries before policy lookup completes. Option C is required because the SRX must be configured with an identity source/provider so it can populate or query identity mappings. Option B is not an SRX configuration task and is not generally required because users may already exist in appropriate AD groups. Option D is wrong for this question; the required SRX tasks are configuring identity integration and identity-aware policies, not adding a separate “user identity” license. Reference topics: Identity-Aware Security Policies, identity source/provider, authentication table, source-identity policy matching.

The correct answer is B. ip-notify. When administrators want visibility without enforcement impact, ip-notify is the correct IP action. Juniper Security Director documentation defines IP Notify as an IP action that does not take any action against future traffic but logs the event. That is exactly the requirement in the question: traffic matching the IDP condition must not be blocked, closed, or rate-limited until administrators have reviewed the events and decided whether enforcement is appropriate.

Option A, ip-block, is wrong because it blocks future packets matching the IP action rule. That would immediately impact traffic. Option C, ip-connection-rate-limit, is wrong because it limits the connection rate and therefore changes traffic behavior before administrators complete evaluation. Option D, ip-close, is also wrong because it closes matching future sessions by sending reset packets to the client and server, which is disruptive. In a safe evaluation or tuning phase, the proper approach is to log and observe first, then move to stronger actions such as block, close, or rate-limit only after the detected condition has been validated. Reference topics: IDP IP actions, ip-notify, event logging, non-disruptive evaluation mode, IDP policy tuning.

The correct answers are B and D. A terminal rule is specifically designed to stop further rule evaluation. Juniper states that the IDP rule-matching algorithm normally checks traffic against all matching rules in the rulebase, but when a terminal rule matches the source, destination, zones, and application, IDP does not continue to check subsequent rules for that same traffic. Juniper also warns that traffic matching a terminal rule is not compared to later rules even if it does not match the attack object inside that terminal rule.

Option D is also correct because the Ignore Connection action stops scanning traffic for the rest of the connection if an attack match is found. Juniper defines Ignore Connection as disabling the rulebase for that specific connection after a match. Option A is wrong because a close action closes the connection by sending reset behavior, but it is not the rule-processing control mechanism being tested. Option C is a trap: the exempt rulebase is used to suppress known false positives after an IPS rule match, but the two direct mechanisms that end IDP rule processing are terminal rule matching and ignore connection. Reference topics: IDP rulebases, terminal rules, Ignore Connection action, rule-matching algorithm, false-positive exemption.

The correct answers are B and C. To form an SRX chassis cluster, both devices must be assigned the same cluster ID and different node IDs. Juniper states that the cluster ID identifies the cluster, while the node ID identifies the individual node within that cluster. A valid two-node SRX chassis cluster uses node 0 on one chassis and node 1 on the other chassis. Juniper’s example shows the operational-mode commands as set chassis cluster cluster-id 1 node 0 reboot on the first device and set chassis cluster cluster-id 1 node 1 reboot on the second device.

Option A is wrong because cluster-id 0 disables clustering rather than forming a cluster. It also shows configuration-mode prompt #, while this chassis cluster node assignment is performed from operational mode. Option D is doubly wrong: cluster-id 0 disables clustering, and node 2 is invalid because SRX chassis cluster node IDs are limited to 0 and 1. The exam options omit the reboot keyword, but the only logically valid pair is still SRX1 as node 0 and SRX2 as node 1 under the same nonzero cluster ID. Reference topics: HA Clustering, chassis cluster ID, node ID, operational-mode cluster enablement.

The correct answers are A and D. For identity-aware security policies, Junos can obtain user identity information from supported identity sources such as Active Directory and Juniper Identity Management Service (JIMS). Active Directory is the direct identity-source option where the SRX integrates with Microsoft Windows Active Directory and uses directory information for user and group mapping. Juniper’s identity-aware firewall documentation states that the firewall obtains user information from identity sources including Active Directory and JIMS, and then uses that identity data in policy decisions.

JIMS is also correct because it centralizes identity collection and provides SRX enforcement points with user, device, IP address, and group-mapping information. Juniper describes JIMS as providing SRX firewalls with high-scale identity data so they can make user-firewall policy decisions. Option B, TACACS+, is wrong because TACACS+ is primarily an administrative authentication, authorization, and accounting protocol, not the LDAP identity-source service used for identity-aware firewall mappings. Option C, RADIUS, is also wrong in this context because RADIUS can authenticate users, but it is not the LDAP directory integration service being tested here. Reference topics: Identity-Aware Firewall, Active Directory identity source, JIMS, LDAP user/group mapping, SRX authentication table.

The correct answers are A and C. To log denied traffic on an SRX Series Firewall, the security policy must deny the traffic and must generate a log at session initiation. Juniper’s security policy monitoring documentation states that to view logs from denied connections, you enable logging on session-init. Juniper’s traffic-logging guidance also states that for a security policy with a deny action, traffic logs must be generated when a session starts.

Option C is required because the policy action must be deny; otherwise the traffic is not denied by that policy. Option A is required because denied traffic does not complete a normal permitted session lifecycle, so session-init is the correct logging stage for denied connection attempts. Option B, session-close, is used to log permitted sessions after teardown or conclusion; it is not the required parameter for denied traffic. Option D, count, increments policy counters but does not create traffic logs. The correct configuration concept is: match the unwanted traffic, apply then deny, and enable then log session-init. Reference topics: SRX security policies, deny action, session-init logging, traffic log generation, policy counters.

The correct answer is D. exempt. In Junos IDP, the exempt rulebase is specifically used to prevent selected traffic from triggering known false-positive detections. Juniper’s IDP documentation explains that exempt rules can be configured when an IDP policy generates false positives for a particular attack object, source, destination, or traffic pattern. The exempt rulebase lets the administrator exclude matching traffic from attack detection while still allowing the rest of the IDP policy to inspect other traffic normally.

Option A, IPS, is wrong because the IPS rulebase is the main inspection rulebase used to detect and act on attacks. It is where attack objects and actions are commonly applied, but it is not the rulebase designed to eliminate false positives. Option B, monitor, is not the correct false-positive elimination mechanism. Monitoring can help observe behavior, but it does not exempt traffic from matching an attack object. Option C, signature, is wrong because signatures are attack-detection patterns, not a rulebase type used to suppress false positives. The operational correction for noisy or irrelevant matches is to create an exempt rule for the specific trusted source, destination, or attack object. Reference topics: IDP rulebases, exempt rulebase, false-positive tuning, attack objects, IPS inspection.