Which two features are configurable on Juniper Secure Analytics (JSA) to ensure that alerts are triggered when matching certain criteria? (Choose two.)
building blocks
assets
events
tests
Juniper Secure Analytics (JSA) is a security information and event management (SIEM) system that consolidates, analyzes, and manages surveillance data from network devices, endpoints, and applications [1].
JSA uses two features to configure alerts based on certain criteria: building blocks and events [2].
Building blocks are reusable components that define common characteristics of network activity, such as IP addresses, ports, protocols, usernames, or threat categories. Building blocks can be used to create custom rules, searches, reports, and filters that can trigger alerts when certain conditions are met [2].
Events are records of network activity that are collected and normalized by JSA. Events can be classified into different categories, such as offenses, flows, logs, or anomalies. Events can also be correlated with other data sources, such as vulnerability scanners, threat intelligence feeds, or asset databases, to provide more context and insight. Events can trigger alerts when they match predefined or custom rules that specify the severity, frequency, or duration of the activity [2].
References: [1] JSA Series Secure Analytics - Juniper Networks; [2] Juniper Secure Analytics Users Guide
You have implemented a vSRX in your VMware environment. You want to implement a second vSRX Series device and enable chassis clustering.
Which two statements are correct in this scenario about the control-link settings? (Choose two.)
In the vSwitch security settings, accept promiscuous mode.
In the vSwitch properties settings, set the VLAN ID to None.
In the vSwitch security settings, reject forged transmits.
In the vSwitch security settings, reject MAC address changes.
References:
Which two statements are correct about the fab interface in a chassis cluster? (Choose two.)
Real-time objects (RTOs) are exchanged on the fab interface to maintain session synchronization.
In an active/active configuration, inter-chassis transit traffic is sent over the fab interface.
The fab interface enables configuration synchronization.
Heartbeat signals sent on the fab interface monitor the health of the control plane link.
The fab interface is the data link between the nodes of a chassis cluster and is used to forward traffic between the chassis and to synchronize the data plane software’s dynamic runtime state. Real-time objects (RTOs) are exchanged on the fab interface to maintain session synchronization for operations such as authentication, NAT, ALGs, and IPsec. In an active/active configuration, inter-chassis transit traffic is sent over the fab interface, as traffic arriving on a node that needs to be processed on the other or traffic processed on a node that needs to exit through an interface on the other is forwarded over the fabric. The fab interface does not enable configuration synchronization, as this is done by the control link. Heartbeat signals sent on the fab interface monitor the health of the data plane link, not the control plane link. References: Chassis Cluster Fabric Interfaces, HA Chassis cluster, difference between Swfab and Fab
How does Juniper ATP Cloud protect a network from zero-day threats?
It uses a cache lookup.
It uses antivirus software.
It uses dynamic analysis.
It uses known virus signatures.
Juniper ATP Cloud is a cloud-based service that provides advanced malware detection and prevention for the network. It uses machine learning to find and block both known and unknown cyberthreats, analyzing files and network traffic looking for signs of malicious behavior. One of the methods that Juniper ATP Cloud uses to identify zero-day threats is dynamic analysis, which is the process of executing suspicious files or code in a sandbox environment and observing their behavior and network activity. Dynamic analysis can uncover zero-day malware threats and malicious connections, including botnets and command-and-control servers hiding in encrypted traffic, by detecting anomalous or malicious patterns. Dynamic analysis is complemented by other methods, such as static analysis, which examines the file structure and content without executing it, and machine learning, which uses artificial intelligence to classify and predict threats based on previous data and models. References:
You want to be alerted if the wrong password is used more than three times on a single device within five minutes.
Which Juniper Networks solution will accomplish this task?
Adaptive Threat Profiling
Juniper Secure Analytics
Juniper Identity Management Service
Intrusion Prevention System
The Juniper Networks solution that will accomplish the task of alerting if the wrong password is used more than three times on a single device within five minutes is Juniper Secure Analytics (JSA). JSA is a security intelligence platform that collects, analyzes, and correlates network data from various sources, such as firewalls, routers, switches, servers, and applications. JSA can detect and respond to threats, anomalies, and vulnerabilities in real time using rules, offenses, reports, and dashboards. JSA can also integrate with JIMS (Juniper Identity Management Service) to obtain user identity information from Active Directory domains or syslog sources. JSA can use this information to create custom rules that trigger offenses or alerts based on user behavior or activity, such as failed login attempts or password changes.
References: Juniper Secure Analytics Troubleshooting Guide, Juniper Identity Management Service User Guide
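The threshold rule described above (more than three failed passwords on one device within five minutes), as an added example that is not part of the original page or of JSA itself: a sliding-window detector run over constructed sample log lines. The log format, device names and the `login_failed` event name are assumptions for this example; in JSA the same logic is expressed as a rule in the rule wizard over normalized events.

```python
"""Added example: sliding-window detection of repeated failed logins per device."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
THRESHOLD = 3  # alert when failures within WINDOW exceed this (i.e. on the 4th)


def parse_event(line):
    # Constructed line format: "<ISO timestamp> <device> <event_name> user=<name>"
    ts, device, event, _user = line.split(" ", 3)
    return datetime.fromisoformat(ts), device, event


def detect_failed_logins(lines, window=WINDOW, threshold=THRESHOLD):
    """Return a list of (device, iso_timestamp) alerts.

    A deque of recent failure timestamps is kept per device; failures older
    than the window are discarded, so counts never accumulate forever.  Once a
    device has alerted, further failures inside the same window are suppressed
    so one burst produces one alert rather than one per extra attempt.
    """
    recent = defaultdict(deque)
    alerted_at = {}
    alerts = []
    for line in lines:
        ts, device, event = parse_event(line)
        if event != "login_failed":
            continue  # successful logins and other events do not count
        q = recent[device]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # age out failures outside the five-minute window
        if len(q) > threshold:
            last = alerted_at.get(device)
            if last is None or ts - last > window:
                alerts.append((device, ts.isoformat()))
                alerted_at[device] = ts
    return alerts


# Constructed sample log lines (not real device output), in time order.
SAMPLE_LOGS = [
    "2024-03-01T10:00:00 srx-edge-1 login_failed user=admin",
    "2024-03-01T10:00:30 core-sw-1 login_failed user=ops",
    "2024-03-01T10:01:00 srx-edge-1 login_failed user=admin",
    "2024-03-01T10:02:00 srx-edge-1 login_failed user=admin",
    "2024-03-01T10:03:00 srx-edge-1 login_success user=admin",   # ignored
    "2024-03-01T10:04:00 srx-edge-1 login_failed user=admin",    # 4th in 5 min -> alert
    "2024-03-01T10:04:30 srx-edge-1 login_failed user=admin",    # same burst, suppressed
    "2024-03-01T10:06:00 core-sw-1 login_failed user=ops",       # spread out: no alert
    "2024-03-01T10:12:00 core-sw-1 login_failed user=ops",
    "2024-03-01T10:18:00 core-sw-1 login_failed user=ops",
    "2024-03-01T10:20:00 srx-edge-1 login_failed user=admin",    # earlier burst aged out
]

if __name__ == "__main__":
    for device, when in detect_failed_logins(SAMPLE_LOGS):
        print(f"ALERT: {device} exceeded {THRESHOLD} failed logins at {when}")
```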
Regarding static attack object groups, which two statements are true? (Choose two.)
Matching attack objects are automatically added to a custom group.
Group membership automatically changes when Juniper updates the IPS signature database.
Group membership does not automatically change when Juniper updates the IPS signature database.
You must manually add matching attack objects to a custom group.
Static attack object groups are predefined groups of attack objects that are included in Juniper’s IPS signature database. These groups do not change automatically when Juniper updates the database. You must manually add matching attack objects to a custom group [3][4]. References:
Which two statements about the DNS ALG are correct? (Choose two.)
The DNS ALG supports DDNS.
The DNS ALG supports VPN tunnels.
The DNS ALG performs DNS doctoring.
The DNS ALG does not support NAT.
The DNS ALG is an application layer gateway that handles data associated with locating and translating domain names into IP addresses. The DNS ALG supports the following features:
The DNS ALG does not support VPN tunnels or NAT itself. The DNS ALG works with NAT, but does not perform NAT. The DNS ALG only supports UDP traffic, not TCP traffic [2]. References:
Which sequence does an SRX Series device use when implementing stateful session security policies using Layer 3 routes?
An SRX Series device will perform a security policy search before conducting a longest-match Layer 3 route table lookup.
An SRX Series device performs a security policy search before implementing an ALG security check on the longest-match Layer 3 route.
An SRX Series device will conduct a longest-match Layer 3 route table lookup before performing a security policy search.
An SRX Series device conducts an ALG security check on the longest-match route before performing a security policy search.
References:
Which two statements are correct about a policy scheduler? (Choose two.)
A policy scheduler can only be applied when using the policy-rematch feature.
A policy scheduler can be dynamically activated based on traffic flow volumes.
A policy scheduler can be defined using a daily schedule.
A policy scheduler determines the time frame that a security policy is actively evaluated.
A policy scheduler is a feature that allows you to specify when a security policy is in effect. You can configure a policy scheduler to start at a specific date and time or start on a recurrent basis, such as daily, weekly, or monthly. A policy scheduler determines the time frame that a security policy is actively evaluated and enforced by the SRX Series device [2].
A policy scheduler can only be applied to security policies that have the action of permit or reject. A policy scheduler cannot be applied to security policies that have the action of deny. A policy scheduler is not related to the policy-rematch feature, which is used to reevaluate existing sessions when a security policy is modified. A policy scheduler cannot be dynamically activated based on traffic flow volumes [2]. References:
Exhibit

Which two statements are correct about the configuration shown in the exhibit? (Choose two.)
The session-class parameter is only used when troubleshooting.
The others 300 parameter means unidentified traffic flows will be dropped in 300 milliseconds.
Every session that enters the SRX Series device will generate an event.
Replacing the session-init parameter with session-close will log unidentified flows.
The configuration shown in the exhibit is a pre-ID default policy, which is a security policy that applies to traffic that cannot be identified by the SRX Series device before the user authentication process is complete. The pre-ID default policy has the following characteristics [1]:
The session-timeout parameter specifies the maximum time that a session can remain idle before it is closed by the SRX Series device. The session-timeout parameter can have different values for different types of traffic, such as TCP, UDP, or others. The others parameter applies to traffic that is not TCP or UDP, such as ICMP or GRE. The value of the others parameter is in seconds, not milliseconds. Therefore, the others 300 parameter means unidentified traffic flows will be dropped in 300 seconds, not milliseconds [2]. This statement is correct, so option B is a valid answer.
The log parameter enables the SRX Series device to generate a log message for each session that matches the pre-ID default policy. The log parameter can have two values: session-init and session-close. The session-init value logs the session when it is created, and the session-close value logs the session when it is closed. The session-init value is useful for identifying the source and destination of the unidentified traffic, while the session-close value is useful for measuring the duration and volume of the traffic [3]. The configuration shown in the exhibit has the session-init value, which means every session that enters the SRX Series device will generate an event. This statement is correct, so option C is a valid answer.
The session-class parameter is used to assign a priority to the sessions that match the pre-ID default policy. The session-class parameter can have four values: high, medium-high, medium-low, and low. The session-class parameter is useful for managing the resources allocated to the sessions and for applying quality of service (QoS) policies. The session-class parameter is not only used when troubleshooting, but also when optimizing the performance and security of the SRX Series device [4]. This statement is incorrect, so option A is not a valid answer.
Replacing the session-init parameter with session-close will not log unidentified flows, but rather log the sessions that are closed due to session timeout or other reasons. This will not help in identifying the source and destination of the unidentified traffic, but rather provide information about the duration and volume of the traffic. This statement is incorrect, so option D is not a valid answer.
References:
Your manager asks you to provide firewall and NAT services in a private cloud.
Which two solutions will fulfill the minimum requirements for this deployment? (Choose two.)
a single vSRX
a vSRX for firewall services and a separate vSRX for NAT services
a cSRX for firewall services and a separate cSRX for NAT services
a single cSRX
A vSRX is a virtualized security platform that runs on various hypervisors and cloud environments. It provides firewall and NAT services, as well as other security features, such as IPS, VPN, UTM, and AppSecure. A single vSRX can fulfill the minimum requirements for providing firewall and NAT services in a private cloud, as it can be deployed as a gateway or an edge device, and can scale up or down as needed. A vSRX can also interoperate with other Juniper and third-party products, such as Contrail Networking, Junos Space Security Director, and Sky ATP. A single vSRX is more cost-effective and simpler to manage than having separate vSRX instances for firewall and NAT services. A cSRX is a containerized version of vSRX that runs on Linux-based platforms. It provides similar security features as vSRX, but with a smaller footprint and faster deployment. However, a cSRX is not yet supported on all cloud environments, and it may have some limitations compared to vSRX, such as lower throughput and fewer interfaces. Therefore, a single cSRX may not be able to fulfill the minimum requirements for providing firewall and NAT services in a private cloud, depending on the specific cloud platform and the performance and scalability needs. A cSRX for firewall services and a separate cSRX for NAT services would also introduce more complexity and overhead than a single vSRX. References: vSRX Overview, cSRX Overview, JNCIP-SEC Certification
Your JIMS server is unable to view event logs.
Which two actions would you take to solve this issue? (Choose two.)
Enable the correct host-inbound-traffic rules on the SRX Series devices.
Enable remote event log management within Windows Firewall on the necessary Exchange servers.
Enable remote event log management within Windows Firewall on the necessary domain controllers.
Enable remote event log management within Windows Firewall on the JIMS server.
JIMS server is a Windows service application that collects and maintains user, device, and group information from Active Directory domains or syslog sources. JIMS server uses the Windows event logs to obtain user login and logout information from the domain controllers and Exchange servers. Therefore, to enable JIMS server to view the event logs, you need to perform the following actions:
On the necessary domain controllers (option C): netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
On the JIMS server (option D): netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
Option C and Option D show the correct actions for solving this issue. Option A and Option B are incorrect because they are not related to the JIMS server’s ability to view the event logs. Host-inbound-traffic rules are used to control the traffic that is allowed to reach the SRX Series devices, not the JIMS server. Enabling remote event log management on the Exchange servers is not necessary if JIMS server does not need to collect user information from them.
References: Juniper Security, Specialist (JNCIS-SEC) Reference Materials and Juniper Security, Professional (JNCIP-SEC) Reference Materials
Which two statements about SRX Series device chassis clusters are true? (Choose two.)
Redundancy group 0 is only active on the cluster backup node.
Each chassis cluster member requires a unique cluster ID value.
Each chassis cluster member device can host active redundancy groups
Chassis cluster member devices must be the same model.
A chassis cluster is a pair of SRX Series devices that are connected and configured to operate as a single node, providing high availability and load balancing for traffic flows [1]. A chassis cluster consists of two nodes: one primary and one secondary. Each node can host one or more redundancy groups, which are logical entities that group the interfaces and services that need to fail over together in case of a node failure [2]. Redundancy group 0 is a special group that monitors the control plane of the cluster, such as the routing engine and the control link. Redundancy group 0 is always active on the primary node and standby on the secondary node [3]. Therefore, option A is false. Each chassis cluster member requires a unique node ID value, which can be either 0 or 1, to identify itself within the cluster [4]. However, the cluster ID value is the same for both nodes, and it is used to identify the cluster as a whole. Therefore, option B is false. Each chassis cluster member device can host active redundancy groups, depending on the configuration and the status of the nodes. By default, the primary node hosts all the redundancy groups, but you can configure some groups to be preempted by the secondary node if it has a higher priority, or load-sharing between the nodes if they have the same priority. Therefore, option C is true. Chassis cluster member devices must be the same model, because different models have different hardware and software specifications that may not be compatible with each other in a cluster. Therefore, option D is true. References:
You are asked to determine how much traffic a popular gaming application is generating on your network.
Which action will you perform to accomplish this task?
Enable AppQoS on the proper security zones
Enable APBR on the proper security zones
Enable screen options on the proper security zones
Enable AppTrack on the proper security zones.
AppTrack is a logging and reporting tool that provides statistics for analyzing bandwidth usage of your network. When enabled, AppTrack collects byte, packet, and duration statistics for application flows in the specified zone. AppTrack sends log messages through syslog, providing application activity update messages. AppTrack can be used to share information for application visibility with devices such as Security Threat Response Manager (STRM) [1][2]. References:
Which two types of SSL proxy are available on SRX Series devices? (Choose two.)
Web proxy
client-protection
server-protection
DNS proxy
SSL proxy is a feature that allows SRX Series devices to act as an intermediary between the client and the server for SSL/TLS encrypted traffic. SRX Series devices support two types of SSL proxy: SSL forward proxy and SSL reverse proxy. SSL forward proxy is also known as web proxy or client-protection, and SSL reverse proxy is also known as server-protection [1].
SSL forward proxy enables the SRX Series device to decrypt the client-side traffic and apply security policies before re-encrypting and forwarding it to the server. This allows the SRX Series device to inspect the application data and identify the applications and threats in the encrypted traffic [2].
SSL reverse proxy enables the SRX Series device to decrypt the server-side traffic and apply security policies before re-encrypting and forwarding it to the client. This allows the SRX Series device to protect the server from malicious clients and provide load balancing and high availability for the server [3].
References:
A client has attempted communication with a known command-and-control server and it has reached the configured threat level threshold.
Which feed will the clients IP address be automatically added to in this situation?
the command-and-control cloud feed
the allowlist and blocklist feed
the custom cloud feed
the infected host cloud feed
The infected host cloud feed is a list of IP addresses that have been identified as compromised or infected by malware. The feed is updated by Juniper ATP Cloud based on the detection of malicious activity from the hosts, such as contacting known command-and-control servers. When a host on the network reaches the configured threat level threshold, its IP address is automatically added to the infected host cloud feed and blocked from communicating with any other hosts on the Internet. The other feeds are not relevant for this situation. The command-and-control cloud feed is a list of IP addresses that are known to be used by malware for remote control and communication. The allowlist and blocklist feed is a user-defined list of IP addresses that are either allowed or denied by the SRX Series device. The custom cloud feed is a user-defined list of IP addresses that are associated with a specific category or threat level. References:
Which two statements about SRX Series device chassis clusters are correct? (Choose two.)
The chassis cluster data plane is connected with revenue ports.
The chassis cluster can contain a maximum of three devices.
The chassis cluster data plane is connected with SPC ports.
The chassis cluster can contain a maximum of two devices.
SRX Series device chassis clusters are created by physically connecting two identical cluster-supported SRX Series devices using a pair of the same type of Ethernet connections. The connection is made for both a control link and a fabric (data) link between the two devices. The chassis cluster data plane is connected with revenue ports, which are the ports that carry user traffic. The chassis cluster can contain a maximum of two devices, as only two nodes can form a cluster. The chassis cluster data plane is not connected with SPC ports, which are the ports that provide services processing. The chassis cluster cannot contain more than two devices, as this would violate the cluster design. References: Chassis Cluster Overview, Connecting SRX Series Firewalls to Create a Chassis Cluster
Which two statements about unified security policies are correct? (Choose two.)
Unified security policies require an advanced feature license.
Unified security policies are evaluated after global security policies.
Traffic can initially match multiple unified security policies.
APPID results are used to determine the final security policy
Unified policies are security policies that enable you to use dynamic applications as match conditions along with the existing 5-tuple or 6-tuple (with user firewall) match conditions to detect application changes over time [3]. If the traffic matches the security policy rule, one or more actions defined in the policy are applied to the traffic [3]. During the initial policy lookup phase, which occurs prior to a dynamic application being identified, if there are multiple policies in the potential policy list, the SRX Series Firewall applies the default security policy until a more explicit match has occurred [2]. The policy that best matches the application is the final policy [2]. APPID results are used to determine the final security policy [1]. References:
Exhibit

Referring to the exhibit, which two statements describe the type of proxy used? (Choose two.)
forward proxy
client protection proxy
server protection proxy
reverse proxy
Exhibit

Referring to the SRX Series flow module diagram shown in the exhibit, where is application security processed?
Forwarding Lookup
Services ALGs
Security Policy
Screens
References:
When a security policy is modified, which statement is correct about the default behavior for active sessions allowed by that policy?
The active sessions allowed by the policy will be dropped.
Only policy changes that involve modification of the action field will cause the active sessions affected by the change to be dropped.
Only policy changes that involve modification of the application will cause the active sessions affected by the change to be dropped.
The active sessions allowed by the policy will continue unchanged.
References:
On an SRX Series firewall, what are two ways that Encrypted Traffic Insights assess the threat of the traffic? (Choose two.)
It decrypts the file in a sandbox.
It validates the certificates used.
It decrypts the data to validate the hash.
It reviews the timing and frequency of the connections.
Encrypted Traffic Insights is a feature of Juniper ATP Cloud and SRX Series firewalls that can detect malicious threats that are hidden in encrypted traffic without intercepting and decrypting the traffic. It permits organizations greater visibility and policy control over encrypted traffic, without requiring resource-intensive SSL decryption [1].
Encrypted Traffic Insights assesses the threat of the traffic by using two methods:
Encrypted Traffic Insights does not decrypt the file or the data in a sandbox or to validate the hash, as these methods would require breaking the encryption of the traffic, which would violate data privacy laws and introduce latency and performance issues [2][1]. References:
Which two statements are true about the vSRX? (Choose two.)
It does not have VMXNET3 vNIC support.
It has VMXNET3 vNIC support.
UNIX is the base OS.
Linux is the base OS.
The vSRX is a virtual firewall that offers the same features as the physical SRX Series firewalls, but in a virtualized form factor. It supports next-generation firewall (NGFW) capabilities, networking, and automated lifecycle management. It also integrates with cloud orchestration tools and software-defined networking (SDN) solutions [1].
The vSRX supports VMXNET3 vNICs, which are optimized for performance in virtualized environments. VMXNET3 vNICs offer enhanced networking features such as jumbo frames, hardware offloads, and multicast filtering [2].
The vSRX runs on Linux as the base OS, which provides a stable and secure platform for the Junos OS and the firewall functionality. Linux also enables the vSRX to leverage the native hypervisor drivers and APIs for better performance and compatibility [3].
References: [1] vSRX Virtual Firewall | Juniper Networks US; [2] vSRX Virtual Firewall for VMware - TechLibrary - Juniper Networks; [3] vSRX Overview - TechLibrary - Juniper Networks
Exhibit

You are asked to track BitTorrent traffic on your network. You need to automatically add the workstations to the High_Risk_Workstations feed and the servers to the BitTorrent_Servers feed automatically to help mitigate future threats.
Which two commands would add this functionality to the FindThreat policy? (Choose two.)
A)

B)

C)

D)

Option A
Option B
Option C
Option D
To track BitTorrent traffic on your network, you need to use the Security Intelligence feature, which allows you to apply actions to traffic based on predefined or custom feeds. The High_Risk_Workstations and BitTorrent_Servers are examples of custom feeds that you can create and populate with IP addresses of devices that match certain criteria. To automatically add the workstations and servers to the respective feeds, you need to use the administration-feed option under the application-services security-intelligence hierarchy. This option specifies the feed name and the action to be taken for the traffic that matches the feed. For example, to add the workstations to the High_Risk_Workstations feed and drop the traffic, you would use:
set security policies from-zone untrust policy FindThreat then permit application-services security-intelligence administration-feed High_Risk_Workstations drop
To add the servers to the BitTorrent_Servers feed and log the traffic, you would use:
set security policies from-zone untrust policy FindThreat then permit application-services security-intelligence administration-feed BitTorrent_Servers log
Option B and Option C show the correct commands for these scenarios. Option A and Option D are incorrect because they use the wrong syntax for the administration-feed option. They also use the wrong feed names, as the feeds are case-sensitive and must match the ones defined under the security-intelligence hierarchy. References: Juniper Security, Specialist (JNCIS-SEC) Reference Materials and Juniper Security, Professional (JNCIP-SEC) Reference Materials
You are asked to create an IPS-exempt rule base to eliminate false positives from happening.
Which two configuration parameters are available to exclude traffic from being examined? (Choose two.)
source port
source IP address
destination IP address
destination port
You can create an exempt rule to skip detection of a set of attacks in certain traffic. You can specify the source and destination IP addresses as the match criteria for the exempt rule. This allows you to exclude traffic from specific hosts or networks from being examined by the IPS rulebase. You can also specify other parameters such as protocol, application, and attack objects for the exempt rule, but source and destination IP addresses are the most common ones. References: Create IPS or Exempt Rules and rulebase-exempt
After JSA receives external events and flows, which two steps occur? (Choose two.)
After formatting the data, the data is stored in an asset database.
Before formatting the data, the data is analyzed for relevant information.
Before the information is filtered, the information is formatted
After the information is filtered, JSA responds with active measures
After JSA receives external events and flows, the data goes through the following steps in the event and flow pipeline [1]: