JN0-335 Exam Dumps : Security, Specialist (JNCIS-SEC)

 SSL proxy is a transparent proxy that performs SSL encryption and decryption between the client and the server. It allows inspection of encrypted traffic by terminating the SSL connection from either end and applying security policies to the clear text. SSL proxy can leverage pre-match or post-match results to determine whether to apply SSL proxy to a session. Pre-match results are based on the initial packet of the session, while post-match results are based on the application identification after the session is established. In the exhibit, the session shows that the application services identification is “ssl-proxy”, which means that SSL proxy is applied based on the pre-match results. The cache lookup status for application services is “on”, which means that the SRX Series device uses the application system cache to store the pre-match results for faster processing. Therefore, the correct answer is D. SSL proxy leverages pre-match result. References: = SSL Proxy, Configuring SSL Proxy, and Application System Cache

 This is because the error message indicates that the client device does not trust the certificate authority that issued the certificate for the external server. Therefore, you need to import the root CA certificate from the SRX Series device to the client device and add it to the trusted certificate store. This will allow the client device to verify the identity of the SRX Series device and accept the certificates it generates for the external servers3.

The other options are not correct because:

• A. Load a known good, but expired. CA certificate onto the SRX Series device. This will not solve the problem because the client device will still reject the certificates from the SRX Series device if they are signed by an expired CA certificate. The expiration date of the CA certificate is one of the factors that the client device checks when validating the certificate2.
• B. Install a new SRX Series device to act as the client proxy. This will not solve the problem because the new SRX Series device will still need to have a root CA certificate configured and imported to the client devices. The problem is not with the SRX Series device itself, but with the trust relationship between the SRX Series device and the client devices2.
• C. Reboot the SRX Series device. This will not solve the problem because rebooting the SRX Series device will not change the configuration or the certificates on the SRX Series device or the client devices. The problem is not caused by a temporary glitch or a malfunction, but by a mismatch between the certificates on the SRX Series device and the client devices2.

I hope this helps you understand the problem and the solution better. If you want to learn more about SSL client protection proxy, you can check out the following references:

• SSL Proxy Overview
• Configuring SSL Forward Proxy
• Configuring a Root CA Certificate
• SSL Proxy - Client Protection

SRX Series device chassis clusters are created by physically connecting two identical cluster-supported SRX Series devices using a pair of the same type of Ethernet connections. The connection is made for both a control link and a fabric (data) link between the two devices. The chassis cluster data plane is connected with revenue ports, which are the ports that carry user traffic. The chassis cluster can contain a maximum of two devices, as only two nodes can form a cluster. The chassis cluster data plane is not connected with SPC ports, which are the ports that provide services processing. The chassis cluster cannot contain more than two devices, as this would violate the cluster design. References: Chassis Cluster Overview, Connecting SRX Series Firewalls to Create a Chassis Cluster