JN0-336 Sample Questions Answers

The correct answers are A and D. Preparing Active Directory for JIMS requires creating limited-permission service accounts and assigning those accounts to the required Active Directory groups. Juniper’s JIMS deployment guidance states that you must create service accounts so JIMS can read from the defined directory services and identity producers; if PC probing is used, a service account is also required for that function. The same JIMS documentation includes a section named Configure Limited-Permission User Accounts, followed by Add Limited Permission User Accounts to Active Directory Groups.

Option A is correct because the JIMS preparation workflow commonly uses limited-permission accounts for event log access and PC probe access. Juniper identifies accounts such as JIMS-EventLogRemoteAccess and JIMS-PC-Probe in the Active Directory group-membership procedure. Option D is correct because those limited accounts must be added to the proper AD groups, including Event Log Readers and the groups required for remote management or PC probe operation.

Option B is wrong because the tested preparation requirement is not three limited-access accounts. Option C is wrong because JIMS should not be prepared by adding a broad full-access account; the course objective is least-privilege identity collection. Reference topics: JIMS, Active Directory preparation, limited-permission service accounts, Event Log Readers, PC probe account.

The correct answer is A. The same cluster ID was used on both clusters. In an SRX chassis cluster, a redundant Ethernet interface, or reth, uses a cluster-derived virtual MAC address. When two separate chassis clusters are placed in the same Layer 2 domain and use the same cluster ID, their corresponding reth interfaces can generate the same virtual MAC address. That is exactly why the network team sees the same MAC address for reth0 from both clusters on VLAN 1042. Juniper community guidance states bluntly that the reth interface MAC address is derived from the cluster ID and that two clusters using the same ID produce identical MAC addresses.

Option B is wrong because split-brain would describe both nodes inside the same cluster thinking they are primary, not two separate chassis clusters producing the same reth MAC address. Option C is wrong because multiple SRX clusters can exist on the same VLAN if their cluster IDs are unique. Option D is wrong because LACP synchronization affects bundled link operation, not the generation of the reth virtual MAC address. The correction is to assign unique cluster IDs to clusters sharing the same Layer 2 segment. Reference topics: HA Clustering, chassis cluster ID, reth virtual MAC address, duplicate MAC prevention, Layer 2 cluster design.

The correct answer is A. Manually configure and apply an SSL proxy profile. HTTPS traffic is encrypted, so ATP Cloud cannot extract and submit downloaded files for malware analysis unless the SRX can decrypt the SSL/TLS session first. Juniper’s ATP Cloud documentation states that to detect malware in HTTPS traffic, you must configure the SSL inspection CA used for SSL forward proxy, and the ATP Cloud policy workflow specifically includes configuring an SSL proxy profile to inspect HTTPS traffic. Juniper’s example shows the SSL proxy profile being created with a root CA and then applied so HTTPS sessions can be inspected before advanced anti-malware processing occurs.

Option B is wrong because lowering the threat score only changes the enforcement threshold after a file verdict is returned; it does not solve the inability to inspect encrypted payloads. Option C is wrong because changing the ATP device profile alone does not decrypt HTTPS traffic. The exhibit already shows a malware profile and HTTP file-download configuration, but HTTPS malware detection still requires SSL proxy. Option D is wrong because Junos ATP Cloud integration does not require redirecting encrypted traffic to a separate decryption appliance for this task. The SRX performs SSL forward proxy locally, then advanced anti-malware can inspect extracted content. Reference topics: ATP Cloud, HTTPS malware inspection, SSL forward proxy, SSL inspection CA, advanced anti-malware policy.

The correct answer is B. ESP. In IPsec, the security protocol responsible for encrypting protected traffic is Encapsulating Security Payload (ESP). Juniper defines ESP as the IPsec protocol used for encrypting the IP packet and authenticating its contents. In practical SRX VPN design, ESP is the normal protocol selected when confidentiality is required because it can provide encryption, packet integrity, authentication, and anti-replay protection depending on the configured IPsec proposal.

Option A, SHA-1, is incorrect because SHA-1 is an authentication/hash algorithm, not an IPsec security protocol and not a payload encryption mechanism. Option C, AH, is incorrect because Authentication Header validates packet source and integrity but does not encrypt payload data. AH is therefore unsuitable when the requirement explicitly says payload data must be encrypted. Option D, PFS, is incorrect because Perfect Forward Secrecy is a key-exchange property used during Phase 2 rekeying; it strengthens key independence but does not itself encrypt packets. In Junos IPsec configuration logic, the security protocol decision is between ESP and AH, and encryption requires ESP. Reference topics: IPsec VPN, ESP, AH, IPsec security protocols, payload confidentiality, IPsec proposal design.

The correct answers are B and C. Juniper IDP uses attack objects as match conditions inside IDP policy rules. Juniper states that IDP attack objects represent known and unknown attacks and that the predefined attack object database is periodically updated by Juniper Networks. The main IDP attack object types include signature attack objects, protocol anomaly attack objects, and compound attack objects.

Option C is correct because signature attack objects detect known attacks using stateful attack signatures. Juniper defines a signature as a pattern that exists within a specific section of an attack and includes protocol, service, direction, flow, and context information to reduce false positives.

Option B is correct because protocol anomaly attack objects detect abnormal protocol behavior. Juniper explains that protocol anomaly objects identify unusual or ambiguous traffic that violates protocol specifications, RFCs, or common RFC extensions.

Option A is wrong because “statistic-based” is not one of the IDP attack object database types being tested here. Option D is wrong because “vector-based” is not a Juniper IDP attack object type. Reference topics: IDP, attack object database, signature-based attack objects, protocol anomaly attack objects, predefined attack objects.

The correct answers are A and C. To log denied traffic on an SRX Series Firewall, the security policy must deny the traffic and must generate a log at session initiation. Juniper’s security policy monitoring documentation states that to view logs from denied connections, you enable logging on session-init. Juniper’s traffic-logging guidance also states that for a security policy with a deny action, traffic logs must be generated when a session starts.

Option C is required because the policy action must be deny; otherwise the traffic is not denied by that policy. Option A is required because denied traffic does not complete a normal permitted session lifecycle, so session-init is the correct logging stage for denied connection attempts. Option B, session-close, is used to log permitted sessions after teardown or conclusion; it is not the required parameter for denied traffic. Option D, count, increments policy counters but does not create traffic logs. The correct configuration concept is: match the unwanted traffic, apply then deny, and enable then log session-init. Reference topics: SRX security policies, deny action, session-init logging, traffic log generation, policy counters.

The correct answers are B and D. On SRX Series Firewalls, SSL proxy is configured by creating an SSL proxy profile and then applying that profile to the relevant security policy as an application service. Juniper’s SSL proxy configuration overview lists the required workflow: configure certificates and CA profile material, configure the SSL proxy profile, create a security policy matching the traffic to be inspected, and apply the SSL proxy profile to that security policy. Juniper further states that SSL proxy is enabled as an application service within a security policy, where the policy match criteria identify the traffic and the SSL proxy profile is applied to that traffic.

Option A is wrong because enabling the SSL ALG is not the required control point for SSL proxy. SSL proxy is a decryption/inspection service applied through policy, not simply an ALG toggle. Option C is wrong because creating a separate SSL application object is not the mandatory SSL proxy configuration action. The policy can match the desired traffic and then invoke SSL proxy through then permit application-services ssl-proxy profile-name. Juniper’s example explicitly shows applying the SSL proxy profile under the security policy action.

Reference topics: SSL Proxy, SSL forward proxy, SSL proxy profiles, security policy application-services, encrypted traffic inspection.

The correct answer is C. fxp0 or fxp1 on either device has an existing configuration. The exhibit shows each node reporting itself in hold state and the peer as lost under redundancy group 0. Juniper’s chassis cluster troubleshooting documentation shows this same hold/lost symptom and states that when a node is in hold, it is not ready to operate in a chassis cluster. For branch SRX devices, when cluster mode is enabled, specific physical interfaces are automatically converted into fxp0 for out-of-band management and fxp1 for the HA control link. These interfaces cannot retain normal transit or standalone interface configuration. If the ports that become fxp0 or fxp1 already have configuration, the cluster can enter the hold/lost condition shown in the exhibit.

Option A is wrong because the output does not indicate a Junos version mismatch. Option B is wrong because hardware mismatch is not the symptom being shown. Option D is too specific: a factory-default configuration can cause this problem because it may include configuration on interfaces that become fxp0/fxp1, but the exhibit does not prove specifically that node1 alone is running factory-default configuration. The tested issue is the existing configuration on the interfaces reserved for chassis-cluster management/control. Reference topics: HA Clustering, chassis cluster hold/lost state, fxp0, fxp1, branch SRX cluster initialization.

The correct answers are C and D. Once the SSL proxy profile already exists, the SRX still needs a security policy that matches the SSL/TLS traffic and applies the SSL proxy profile as an application service. Juniper’s SSL proxy configuration procedure explicitly shows creating the security policy match criteria and then applying the SSL proxy profile with then permit application-services ssl-proxy profile-name. It also states that SSL forward and reverse proxy require the profile to be configured at the firewall rule level.

Option D is correct because SSL proxy is not an end goal by itself; it decrypts SSL/TLS traffic so Layer 7 security services can inspect it. Juniper states that decrypted SSL traffic is available for security services and provides examples where the SSL proxy profile and a Content Security/UTM policy are both attached to the same security policy. Option A is wrong because host-inbound-traffic HTTPS controls HTTPS access to the SRX itself, not transit SSL proxy inspection. Option B is wrong because SSL proxy profiles are not referenced under a security zone for this function; they are applied under the matching security policy. Reference topics: SSL Proxy, SSL proxy profile, security policy application-services, Layer 7 inspection, UTM/IDP/ATP integration.

The correct answers are A and C. To use user identity information on an SRX Series Firewall, the firewall must first be able to obtain identity mappings from an identity source or identity provider, such as Active Directory, JIMS, Aruba ClearPass, or another supported identity-aware firewall component. Juniper’s identity-aware firewall documentation states that identity parameters are used to configure security policies so authenticated users receive the correct level of access, and that firewalls can query JIMS, obtain user identity information, and then enforce security policy decisions.

Option A is required because identity-aware enforcement only happens when security policies include user identity match criteria, such as source identity, users, roles, or groups. Juniper’s source-identity policy reference states that source identities are used as match criteria in security policies, and when configured, traffic is matched against authentication-table entries before policy lookup completes. Option C is required because the SRX must be configured with an identity source/provider so it can populate or query identity mappings. Option B is not an SRX configuration task and is not generally required because users may already exist in appropriate AD groups. Option D is wrong for this question; the required SRX tasks are configuring identity integration and identity-aware policies, not adding a separate “user identity” license. Reference topics: Identity-Aware Security Policies, identity source/provider, authentication table, source-identity policy matching.

The correct answers are C and D. Juniper Secure Connect is Juniper’s remote-access VPN client for SRX Series Firewalls. Juniper describes it as a flexible SSL VPN and IPsec application that gives remote workers secure access to corporate and cloud-protected resources. That directly supports option D, because SSL VPN provides a connection method that is useful when traditional IPsec ports are restricted or blocked. Juniper’s Secure Connect guide also states that enabling SSL VPN gives the client flexibility in connecting to SRX Series Firewalls and that SSL VPN is enabled by default.

Option C is also correct because Juniper Secure Connect supports external authentication, allowing users to authenticate with enterprise identity systems rather than relying only on local firewall credentials. Juniper’s external authentication procedure notes that this method lets users use the same username and password as their domain login and is recommended for authenticating users.

Option A is not the best answer because having a client application is not the specific connection/authentication flexibility being tested. Option B is wrong because Kerberos is not the stated Secure Connect authentication method in this context. Reference topics: Juniper Secure Connect, remote-access VPN, SSL VPN, IPsec, external authentication.

The correct answer is D. You have too many domain controllers. The exhibit shows 15 Active Directory domain controllers. Juniper’s integrated Active Directory identity-source configuration for SRX identity-aware firewall supports a limited number of domain controllers; Juniper documentation states that an SRX Series device can configure a maximum of 10 domain controllers for Active Directory identity-source integration. Because this environment has 15 domain controllers, the direct Active Directory identity-source method exceeds the supported scale and JIMS must be used instead.

Option A is wrong because SRX devices can use Active Directory directly as an identity source; JIMS is not the only possible method. Option B is wrong because 1,500 users does not exceed the relevant identity-source scale shown here; Juniper documentation also notes probe functionality support well above this number. Option C is wrong because the issue being tested is not the Windows Server version. JIMS is designed for larger identity-aware deployments and can centralize identity collection from Active Directory, domain controllers, Exchange servers, and syslog sources, then provide identity mappings to SRX firewalls. Juniper’s JIMS datasheet shows much higher scale, including up to 100 active directories, 25 domains, and 500,000 user entries. Reference topics: Identity-Aware Security Policies, Active Directory identity source limits, JIMS scalability, domain controller scale limitations.

The correct answers are B and C. IDP false positives occur when legitimate traffic matches an attack signature or attack object incorrectly. One valid way to reduce false positives is to remove the problematic attack object from the IDP rule, especially when that object is not relevant to the protected application, server role, or traffic direction. Juniper defines attack objects as the items specified in IDP rules to identify malicious activity, so removing an irrelevant or noisy attack object directly reduces unwanted matches.

Option C is also correct because Juniper specifically recommends using an exempt rulebase when an IDP rule uses an attack object group containing attack objects that produce false positives or irrelevant log records. Exempt rules can exclude a specific source, destination, or source/destination pair from matching an IDP rule, preventing unnecessary alarms.

Option A is wrong because changing the action to a lower severity response does not reduce the false positive; it only changes what happens after the false match occurs. Option D is wrong because a terminal rule at the end of the rule base does not prevent earlier false-positive matches. Reference topics: IDP, attack objects, exempt rulebase, false-positive tuning, IDP rule matching.

The correct answer is C. device policy rules. In Junos Space Security Director, a firewall rule that must apply uniquely to one SRX Series device belongs in the device-specific policy layer, not in global or group-level policy. Juniper’s Security Director documentation states that a device can have a device-specific policy and can also be part of multiple group policies; the rule processing order places policies applied before device-specific policies first, then device-specific policies, then policies applied after device-specific policies. Juniper also explains that rules applied before device-specific policies take priority and cannot be overridden, while rules applied after device-specific policies can be overridden by adding a rule in the device-specific policy.

Option A is wrong because all-devices prerules are global mandatory rules applied before device-specific policy, not unique device exceptions. Option B is wrong because group policy prerules apply to a group of devices, not one specific SRX. Option D is wrong because all-devices postrules are still global policy rules, although they can be overridden. For a unique policy requirement on one SRX device, device policy rules are the precise Security Director construct. Reference topics: Security Director, firewall policies, device-specific policies, policy rule precedence, global/group/device rule hierarchy.

The correct answers are B and C. In Junos route-based IPsec VPNs, the default proxy ID is broad: local 0.0.0.0/0, remote 0.0.0.0/0, and service any. This default behavior allows routed traffic entering the secure tunnel interface to determine what is protected by the VPN rather than requiring a narrow policy-based encryption domain. Juniper’s IPsec VPN configuration guidance also states that proxy IDs are used in Phase 2 negotiations, and that a proxy ID mismatch is one of the common causes of Phase 2 failure. For interoperability with some third-party VPN peers, Juniper notes that proxy IDs may need to be manually configured to match the peer.

Option A is wrong because proxy IDs can override default route-based behavior when manually configured, especially when a peer requires specific local and remote protected subnets. Option D is wrong because proxy IDs are not created during IKE Phase 1. Phase 1 builds the secure IKE channel; proxy IDs belong to Phase 2/IPsec SA negotiation, where the peers agree on traffic selectors for encrypted traffic. Reference topics: IPsec VPN, route-based VPNs, proxy IDs, Phase 2 negotiation, traffic selectors, third-party VPN interoperability.

The correct answers are B and D. The command output is from the SRX Series device: show services user-identification identity-management status. Under Primary server, the exhibit shows Address: 192.168.1.10, Port: 443, Connection method: HTTPS, and Connection status: Online. In Juniper Identity Management Service integration, the SRX is the client that connects to the configured primary JIMS server. Juniper’s configuration workflow specifically describes configuring “the IP address of the primary JIMS server” under services user-identification identity-management connection primary address, and the verification output shows that primary server address with its connection status.

Option A is wrong because 192.168.1.10 is listed under Primary server, not as the local SRX address. Option C is also wrong because this SRX command verifies the SRX-to-JIMS identity-management connection, not the backend JIMS-to-domain-controller connection. Domain controller reachability would be validated from JIMS or through JIMS-specific status/monitoring, not by this SRX-side output. The displayed Online state and OK (200) status confirm that the SRX successfully reached the JIMS HTTPS service and received a valid response. Juniper examples use the same status command to validate that the SRX identity-management connection to JIMS is online.

Reference topics: Identity-Aware Security Policies, Juniper Identity Management Service, SRX-to-JIMS connectivity, identity-management status verification.