Free JN0-636 Exam Braindumps

Your IPsec VPN configuration uses two CoS forwarding classes to separate voice and data traffic. How many IKE security associations are required between the IPsec peers in this scenario?

  A. 1
  B. 3
  C. 4
  D. 2

Answer(s): A

Explanation:

An IKE security association (SA) is a set of parameters that define how the Internet Key Exchange (IKE) protocol will authenticate and establish the secure channel between the IPsec VPN peers.
When you configure an IPsec VPN, one IKE SA is created between the peers, regardless of how many CoS forwarding classes are used to separate the traffic. The SA will be used to negotiate the IPsec SA parameters, such as encryption algorithms and keys.
In this scenario, only 1 IKE security association is required between the IPsec peers, no matter how many CoS forwarding classes are used to separate the voice and data traffic.



You are required to deploy a security policy on an SRX Series device that blocks all known Tor network IP addresses.
Which two steps will fulfill this requirement? (Choose two.)

  A. Enroll the devices with Juniper ATP Appliance.
  B. Enroll the devices with Juniper ATP Cloud.
  C. Enable a third-party Tor feed.
  D. Create a custom feed containing all current known MAC addresses.

Answer(s): B,C

Explanation:

The two steps that will fulfill the requirement of deploying a security policy on an SRX Series device that blocks all known Tor network IP addresses are enrolling the devices with Juniper ATP Cloud and enabling a third-party Tor feed. Juniper ATP Cloud is a cloud-based service that provides advanced threat detection and mitigation capabilities for SRX Series devices. By enrolling the devices with Juniper ATP Cloud, the devices can leverage the cloud intelligence and analytics to identify and block malicious traffic, including Tor traffic. A third-party Tor feed is a source of information that provides a list of IP addresses that are associated with the Tor network. By enabling a third-party Tor feed on the SRX Series device, the device can use the feed to create a dynamic address object that contains all the known Tor IP addresses. The device can then apply a security policy that denies traffic from or to the dynamic address object, effectively blocking the Tor network IP addresses.


Reference:

Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents:
https://www.juniper.net/documentation/en_US/junos/topics/concept/security-atp-cloud-overview.html
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-intelligence-third-party-feed-configuring.html



Your company uses non-Juniper firewalls and you are asked to provide a Juniper solution for zero-day malware protection.
Which solution would work in this scenario?

  A. Juniper ATP Cloud
  B. Juniper Secure Analytics
  C. Juniper ATP Appliance
  D. Juniper Security Director

Answer(s): A

Explanation:

Juniper ATP Cloud provides zero-day malware protection for non-Juniper firewalls. It's a cloud-based service that analyzes files and network traffic to detect and prevent known and unknown (zero-day) threats. It uses a combination of static and dynamic analysis techniques, as well as machine learning, to detect and block malicious files, even if they are not known to traditional anti-virus software. It also provides real-time visibility and detailed forensics for incident response and remediation.



Exhibit

You are trying to configure an IPsec tunnel between SRX Series devices in the corporate office and branch. You have committed the configuration shown in the exhibit, but the IPsec tunnel is not establishing.
In this scenario, what would solve this problem?

  A. Add multipoint to the st0.0 interface configuration on the branch1 device.
  B. Change the IKE proposal-set to compatible on the branch1 and corporate devices.
  C. Change the local identity to inet advpn on the branch1 device.
  D. Change the IKE mode to aggressive on the branch1 and corporate devices.

Answer(s): C

Explanation:

According to the Juniper documentation, the local identity for an IPsec VPN tunnel must match the remote identity of the peer device. The local identity can be configured as an IP address, a hostname, a distinguished name, or an advpn identifier. The advpn identifier is used for dynamic VPNs that support multiple remote endpoints. In the exhibit, the corporate device has the local identity configured as inet advpn, which means it expects the branch1 device to have the same remote identity. However, the branch1 device has the local identity configured as inet, which does not match the corporate device's remote identity. Therefore, the IKE negotiation fails and the IPsec tunnel is not established. To solve this problem, the local identity on the branch1 device should be changed to inet advpn, so that it matches the corporate device's remote identity.


Reference:

[Configuring an IKE Gateway] 1, [Configuring Local and Remote Identities] 2
1: https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/task/configuration/security-ike-gateway-configuring.html
2: https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-ipsec-vpn-identities.html





