Juniper JN0-636 Exam Actual Questions

You want traffic to avoid the flow daemon for administrative tasks. In this scenario, the two stateless services that are available with selective stateless packet-based services are:

A) Layer 2 switching. Layer 2 switching is a stateless service that forwards packets based on the MAC addresses of the source and destination hosts. Layer 2 switching does not require any routing or flow processing, and can be performed by the Packet Forwarding Engine (PFE) of the SRX Series device. You can use selective stateless packet-based services to enable Layer 2 switching for traffic that matches a stateless firewall filter.The firewall filter must have the packet-mode action modifier to bypass the flow daemon1.

B) IPv4 routing. IPv4 routing is a stateless service that forwards packets based on the IP addresses of the source and destination hosts. IPv4 routing does not require any flow processing, and can be performed by the PFE of the SRX Series device. You can use selective stateless packet-based services to enable IPv4 routing for traffic that matches a stateless firewall filter.The firewall filter must have the packet-mode action modifier to bypass the flow daemon1.

The other options are incorrect because:

C) IPsec. IPsec is a stateful service that provides security and encryption for IP packets. IPsec requires flow processing, and cannot be performed by the PFE of the SRX Series device. You cannot use selective stateless packet-based services to enable IPsec for traffic that matches a stateless firewall filter.The firewall filter cannot have the packet-mode action modifier to bypass the flow daemon2.

D) IPv6 routing. IPv6 routing is a stateful service that forwards packets based on the IP addresses of the source and destination hosts. IPv6 routing requires flow processing, and cannot be performed by the PFE of the SRX Series device. You cannot use selective stateless packet-based services to enable IPv6 routing for traffic that matches a stateless firewall filter.The firewall filter cannot have the packet-mode action modifier to bypass the flow daemon3.

Selective Stateless Packet-Based Services Overview

IPsec VPN Overview

IPv6 Overview

You are connecting two remote sites to your corporate headquarters site. You must ensure that traffic passes through the corporate headquarters. In this scenario, the VPN that should be used is:

D) Hub-and-spoke IPsec VPN with the corporate firewall acting as the hub device. A hub-and-spoke IPsec VPN is a type of VPN that connects multiple remote sites to a central site, or hub, over a public network. The hub site acts as a gateway for the remote sites and provides security and routing services. The remote sites, or spokes, communicate with each other through the hub site. The hub site and the spoke sites use IPsec tunnels to encrypt and authenticate the traffic between them. A hub-and-spoke IPsec VPN is suitable for connecting two remote sites to your corporate headquarters site, because it allows you to control the traffic flow and enforce security policies at the hub site.The corporate firewall can act as the hub device and provide IPsec VPN services to the remote sites1.

The other options are incorrect because:

A) Full mesh IPsec VPNs with tunnels between all sites. A full mesh IPsec VPN is a type of VPN that connects every site to every other site over a public network. Each site has an IPsec tunnel with every other site, forming a mesh topology. A full mesh IPsec VPN provides direct and secure communication between any pair of sites, but it also requires a large number of IPsec tunnels and complex configuration.A full mesh IPsec VPN is not suitable for connecting two remote sites to your corporate headquarters site, because it does not ensure that traffic passes through the corporate headquarters site, and it may introduce unnecessary overhead and complexity2.

B) A full mesh Layer 3 VPN with the BGP route reflector behind the corporate firewall device. A full mesh Layer 3 VPN is a type of VPN that uses MPLS and BGP to provide Layer 3 connectivity and routing between multiple sites over a service provider's network. Each site has a BGP session with every other site, forming a full mesh topology. A BGP route reflector is a device that reduces the number of BGP sessions required in a full mesh topology by reflecting routes between its clients.A full mesh Layer 3 VPN with the BGP route reflector behind the corporate firewall device is not suitable for connecting two remote sites to your corporate headquarters site, because it does not ensure that traffic passes through the corporate firewall device, and it may require additional configuration and coordination with the service provider3.

C) A Layer 3 VPN with the corporate firewall acting as the hub device. A Layer 3 VPN is a type of VPN that uses MPLS and BGP to provide Layer 3 connectivity and routing between multiple sites over a service provider's network. A Layer 3 VPN can have different topologies, such as full mesh, hub-and-spoke, or partial mesh.A Layer 3 VPN with the corporate firewall acting as the hub device is not suitable for connecting two remote sites to your corporate headquarters site, because the corporate firewall may not support MPLS and BGP, and it may require additional configuration and coordination with the service provider3.

Hub-and-Spoke VPNs Overview

Full Mesh VPNs Overview

Layer 3 VPNs Overview

You must set up a DDoS solution for your ISP. The solution must be agile and not block legitimate traffic. The two products that will accomplish this task are:

B) MX Series device. MX Series devices are high-performance routers that can provide DDoS protection at the network edge by integrating with Corero SmartWall Threat Defense Director (TDD) software. MX Series devices can leverage the packet processing capabilities of the MX-SPC3 Services Card to perform real-time DDoS detection and mitigation at line rate, scaling from 50 Gbps to 40 Tbps. MX Series devices can also use Juniper Networks Security Intelligence (SecIntel) to receive threat intelligence feeds from Juniper ATP Cloud or Juniper Threat Labs and apply them to the security policies.MX Series devices can provide an agile and effective DDoS solution for your ISP without blocking legitimate traffic12.

C) Corero SmartWall TDD. Corero SmartWall TDD is a software solution that runs on MX Series devices and PTX Series devices to provide DDoS protection at the network edge. Corero SmartWall TDD uses behavioral analytics and detailed network visibility to detect and block DDoS attacks in seconds, without affecting the normal traffic. Corero SmartWall TDD can also provide advanced protection from ''carpet bombing'' attacks, 5G DDoS visibility, and multi-tenant portal for as-a-service offerings or views by department within an enterprise.Corero SmartWall TDD can provide an agile and effective DDoS solution for your ISP without blocking legitimate traffic34.

The other options are incorrect because:

A) Contrail Insights. Contrail Insights is a software solution that provides network analytics and visibility for cloud and data center environments. Contrail Insights can help you monitor, troubleshoot, and optimize the performance and security of your network, but it does not provide DDoS protection by itself.Contrail Insights can integrate with other Juniper products, such as Contrail Enterprise Multicloud, Contrail Service Orchestration, and AppFormix, to provide a comprehensive network management solution, but it is not a DDoS solution for your ISP5.

D) SRX Series device. SRX Series devices are high-performance firewalls that can provide DDoS protection at the network perimeter by integrating with Juniper ATP Cloud and Juniper Threat Labs. SRX Series devices can use SecIntel to receive threat intelligence feeds from Juniper ATP Cloud or Juniper Threat Labs and apply them to the security policies. SRX Series devices can also use IDP to detect and prevent application-level attacks, such as SQL injection, cross-site scripting, and buffer overflow. SRX Series devices can provide a robust and effective DDoS solution for your network, but they are not designed to handle high-volume DDoS attacks at the network edge, as MX Series devices and Corero SmartWall TDD are .

Juniper and Corero Joint DDoS Protection Solution

MX-SPC3 Services Card Overview

Corero SmartWall Threat Defense Director (TDD)

Juniper Networks and Corero: A Modern Approach to DDoS Protection at Scale

Contrail Insights Overview

[SRX Series Services Gateways]

[Juniper Networks Security Intelligence (SecIntel)]

Your company wants to take your Juniper ATP Appliance into private mode. You must give them a list of impacted features for this request. The two features that are impacted in this scenario are:

A) False Positive Reporting. False Positive Reporting is a feature that allows you to report false positive detections to Juniper Networks for analysis and improvement. False Positive Reporting requires an Internet connection to send the reports to Juniper Networks.If you take your Juniper ATP Appliance into private mode, False Positive Reporting will be disabled and you will not be able to report false positives1.

C) GSS Telemetry. GSS Telemetry is a feature that allows you to send anonymized threat data to Juniper Networks for analysis and improvement. GSS Telemetry requires an Internet connection to send the data to Juniper Networks.If you take your Juniper ATP Appliance into private mode, GSS Telemetry will be disabled and you will not be able to contribute to the threat intelligence community2.

The other options are incorrect because:

B) Threat Progression Monitoring. Threat Progression Monitoring is a feature that allows you to monitor the threat activity and progression across your network. Threat Progression Monitoring does not require an Internet connection and can be performed locally by the Juniper ATP Appliance.If you take your Juniper ATP Appliance into private mode, Threat Progression Monitoring will not be impacted and you will still be able to monitor the threat activity and progression3.

D) Cyber Kill Chain mapping. Cyber Kill Chain mapping is a feature that allows you to map the threat activity and progression to the stages of the Cyber Kill Chain framework. Cyber Kill Chain mapping does not require an Internet connection and can be performed locally by the Juniper ATP Appliance.If you take your Juniper ATP Appliance into private mode, Cyber Kill Chain mapping will not be impacted and you will still be able to map the threat activity and progression4.

False Positive Reporting

GSS Telemetry

Threat Progression Monitoring

Cyber Kill Chain Mapping

A)company wants to partition their physical SRX series firewall into multiple logical units and assign each unit (tenant) to a department within the organization. You are the primary administrator of the firewall and a colleague is the administrator for one of the departments. The two statements that are correct about your colleague are:

B) The colleague can access and view the resources of the tenant system. A tenant system is a type of logical system that is created and managed by the primary administrator of the firewall. A tenant system has its own discrete administrative domain, logical interfaces, routing instances, security policies, and other features. The primary administrator can assign a tenant system to a department within the organization and delegate the administration of the tenant system to a colleague.The colleague can access and view the resources of the tenant system, such as the allocated CPU, memory, and bandwidth, and the configured interfaces, zones, and policies1.

C) The colleague can create and assign logical interfaces to the tenant system. A logical interface is a software interface that represents a subset of the physical interface. A logical interface can have its own address, encapsulation, and routing parameters. The primary administrator can allocate a number of logical interfaces to a tenant system and allow the colleague to create and assign logical interfaces to the tenant system.The colleague can configure the logical interfaces with the appropriate address, encapsulation, and routing parameters for the tenant system2.

The other statements are incorrect because:

A) The colleague cannot configure the resources allocated and routing protocols. The resources allocated and routing protocols are configured by the primary administrator of the firewall. The primary administrator can allocate a fixed amount of resources, such as CPU, memory, and bandwidth, to a tenant system and specify the routing protocols that are allowed for the tenant system.The colleague cannot modify the resources allocated or routing protocols for the tenant system1.

D) The colleague cannot modify the number of allocated resources for the tenant system. The number of allocated resources for the tenant system is configured by the primary administrator of the firewall. The primary administrator can allocate a fixed amount of resources, such as CPU, memory, and bandwidth, to a tenant system and monitor the resource usage of the tenant system.The colleague cannot modify the number of allocated resources for the tenant system1.

Understanding Tenant Systems

Understanding Logical Interfaces