JN0-335 Exam Dumps : Security, Specialist (JNCIS-SEC)

• A stateful firewall in SRX Series devices keeps track of the state of network connections, distinguishing legitimate packets for different types of connections and allowing only packets that match a known active connection. Sessions are created when a TCP SYN packet is received and permitted by the security policy1.
• A security policy is a set of rules that defines how traffic is processed by the SRX Series device. A security policy applies the security rules to the transit traffic within a context (from-zone to to-zone) and each policy is uniquely identified by its name. The traffic is classified by matching the source and destination zones, the source and destination addresses, and the application that the traffic carries in its protocol headers with the policy database in the data plane2.
• A Layer 3 route is a path that a packet takes to reach its destination based on the destination IP address. The SRX Series device performs a longest-match Layer 3 route table lookup to determine the next hop for the packet3.
• An Application Layer Gateway (ALG) is a software component that provides application-level awareness, security, and control for specific protocols. An ALG inspects the application-layer payload of a packet and modifies it if necessary to allow the application to traverse the SRX Series device. For example, an ALG can rewrite IP addresses and port numbers in the payload of FTP or SIP packets4.
• The sequence that an SRX Series device uses when implementing stateful session security policies using Layer 3 routes is as follows3:

References:

• 1: Traffic Processing on SRX Series Firewalls Overview | Junos OS | Juniper Networks
• 2: Best Practices for Defining Policies on High-End SRX Series Devices - TechLibrary - Juniper Networks
• 3: [SRX] Example: Configuring TCP SYN Check options on a per-policy basis
• 4: Application Layer Gateways Overview | Junos OS | Juniper Networks

 To implement IPS on your SRX Series device, you need to download and install the IPS signature database. The IPS signature database contains the attack signatures and predefined attack groups that are used to detect and prevent intrusions. You can download the IPS signature database from the Juniper Networks website or from a local server. You can install the IPS signature database manually or automatically. You do not need to enroll the SRX Series device with Juniper ATP Cloud or reboot the SRX Series device to implement IPS34 References:

• Configuring the IPS Policy on SRX Series Devices Using NSM
• Installing SRX 1400 with IPS activation ??? | SRX - Juniper Networks
• Download an IPS Signature | J-Web for SRX Series 21.2 - Juniper Networks
• IPS Configuration (CLI) | Junos OS | Juniper Networks

The SRX Series device will drop packets from the infected hosts with a threat level of 8 and no log message will be generated. This is because the security intelligence profile “ATP_Infected-Hosts” has a rule “Rule-1” that matches packets with a threat level of 8 and the action is to block and drop them. There is no log option specified in the action, so no log message will be generated. Options A and B are not correct because the rule only matches packets with a threat level of 8, not 8 or above. Option C is not correct because the action is to drop, not permit, the packets. References: The answer can be verified from Juniper’s official documentation on security intelligence available on their website. Here are some relevant links:

• Security Intelligence Feature Guide for Security Devices
• security-intelligence | Junos OS
• Configure the Security Intelligence Policy on the SRX Series Device