CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. Juniper
  5. JN0-636

Free JN0-636 Exam Braindumps (page: 4)

Page 3 of 29
PDF with 115 Questions

You are asked to detect domain generation algorithms
Which two steps will accomplish this goal on an SRX Series firewall? (Choose two.)

  1. Define an advanced-anti-malware policy under [edit services].
  2. Attach the security-metadata-streaming policy to a security
  3. Define a security-metadata-streaming policy under [edit
  4. Attach the advanced-anti-malware policy to a security policy.

Answer(s): B,C

Explanation:

According to the Juniper documentation, the steps to detect domain generation algorithms (DGA) on an SRX Series firewall are as follows:
Define a security-metadata-streaming policy under [edit services]. A security-metadata-streaming policy is a configuration that enables the SRX Series firewall to collect and stream security metadata, such as DNS queries and responses, to Juniper ATP Cloud for analysis. Juniper ATP Cloud uses machine learning models and known pre-computed DGA domain names to provide domain verdicts, which helps in-line blocking and sinkholing of DNS queries on SRX Series firewalls. You can define a security-metadata-streaming policy by using the following command:
set services security-metadata-streaming policy <policy-name> Attach the security-metadata-streaming policy to a security zone. A security zone is a logical grouping of interfaces that have similar security requirements. You can attach the security-metadata- streaming policy to a security zone by using the following command:
set security zones security-zone <zone-name> services security-metadata-streaming policy <policy- name>
The following steps are not required or incorrect:
Define an advanced-anti-malware policy under [edit services]. An advanced-anti-malware policy is a configuration that enables the SRX Series firewall to scan files for malware using Juniper ATP Cloud. It is not related to DGA detection.
Attach the advanced-anti-malware policy to a security policy. A security policy is a configuration that defines the rules for permitting or denying traffic between security zones. It is not related to DGA detection.


Reference:

1: Configuring Security Metadata Streaming 2: Configuring Advanced Anti-Malware Policies 3: Configuring Security Policies



In Juniper ATP Cloud, what are two different actions available in a threat prevention policy to deal with an infected host? (Choose two.)

  1. Send a custom message
  2. Close the connection.
  3. Drop the connection silently.
  4. Quarantine the host.

Answer(s): B,D

Explanation:

In Juniper ATP Cloud, a threat prevention policy allows you to define how the system should handle an infected host. Two of the available actions are:
Close the connection: This action will close the connection between the infected host and the destination to which it is trying to connect. This will prevent the host from communicating with the destination and will stop any malicious activity.
Quarantine the host: This action will isolate the infected host from the network by placing it in a quarantine VLAN. This will prevent the host from communicating with other devices on the network, which will prevent it from spreading malware or exfiltrating data. Sending a custom message is used to notify the user and administrator of the action taken. Drop the connection silently is not an action available in Juniper ATP Cloud.

According to the Juniper documentation, the threat prevention policy in Juniper ATP Cloud is a configuration that defines the actions and notifications for different threat levels of the traffic. The threat levels are based on the verdicts returned by Juniper ATP Cloud after analyzing the files, URLs, and domains. The threat levels range from 1 to 10, where 1 is the lowest and 10 is the highest. The threat prevention policy allows the user to specify different actions for different threat levels. The actions can be applied to the traffic or to the infected host. The actions available for the traffic are:
Permit: Allows the traffic to pass through the SRX Series device without any interruption. Block: Blocks the traffic and sends a reset packet to the client and the server. Drop: Drops the traffic silently without sending any reset packet. Redirect: Redirects the traffic to a specified URL, such as a warning page or a sinkhole server.
The actions available for the infected host are:
None: Does not take any action on the infected host.
Quarantine: Quarantines the infected host by applying a firewall filter that blocks all outbound traffic from the host, except for the traffic to Juniper ATP Cloud or the specified redirect URL. Custom: Executes a custom script on the SRX Series device to perform a user-defined action on the infected host, such as sending an email notification or triggering an external system. Therefore, the two different actions available in a threat prevention policy to deal with an infected host are:
Block: This action will block the traffic from or to the infected host and send a reset packet to the client and the server. This will prevent the infected host from communicating with the malicious server or spreading the malware to other hosts.

Quarantine: This action will quarantine the infected host by blocking all outbound traffic from the host, except for the traffic to Juniper ATP Cloud or the redirect URL. This will isolate the infected host from the network and allow the user to remediate the infection.
The following actions are not available or incorrect:
Send a custom message: This is not an action available in the threat prevention policy. However, the user can use the custom action to execute a script that can send a custom message to the infected host or the administrator.
Drop the connection silently: This is an action available for the traffic, not for the infected host. It will drop the traffic without sending any reset packet, which may not be effective in stopping the infection or notifying the user.


Reference:

1: Configuring Threat Prevention Policies



Exhibit



You are using traceoptions to verify NAT session information on your SRX Series device. Referring to the exhibit, which two statements are correct? (Choose two.)

  1. This is the last packet in the session.
  2. The SRX Series device is performing both source and destination NAT on this session.
  3. This is the first packet in the session.
  4. The SRX Series device is performing only source NAT on this session.

Answer(s): B,C

Explanation:

The SRX Series device is performing both source and destination NAT on this session because the traceoptions output shows that both source and destination IP addresses and ports are translated. The source IP address 192.168.5.2 is translated to 192.168.100.1 and the destination IP address 1.1.1.1 is translated to 192.168.5.1. The source port 0 is translated to 14777 and the destination port 80 is translated to 80. The traceoptions output also shows the rule and pool IDs for both source and destination NAT: 2/32770 and 1/1 respectively.
This is the first packet in the session because the traceoptions output shows the flag flow_first_packet, which indicates that this is the first packet of a new session. The traceoptions output also shows the flag flow_first_src_xlate and flow_first_rule_dst_xlate, which indicate that this is the first time that source and destination NAT are applied to this session.


Reference:

traceoptions (Security NAT) | Junos OS | Juniper Networks [SRX] How to interpret Flow TraceOptions output for NAT troubleshooting



Exhibit



Which two statements are correct about the output shown in the exhibit. (Choose two.)

  1. The source address is translated.
  2. The packet is an SSH packet
  3. The packet matches a user-configured policy
  4. The destination address is translated.

Answer(s): A,B

Explanation:

The source address is translated because the traceoptions output shows that the source IP address 192.168.5.2 is translated to 192.168.100.1 and the source port 0 is translated to 14777. The traceoptions output also shows the flag flow_first_src_xlate, which indicates that this is the first time that source NAT is applied to this session.
The packet is an SSH packet because the traceoptions output shows that the application protocol is tcp/22, which is the default port for SSH. The traceoptions output also shows the flag flow_tcp_syn, which indicates that this is the first packet of a TCP connection.


Reference:

traceoptions (Security NAT) | Junos OS | Juniper Networks [SRX] How to interpret Flow TraceOptions output for NAT troubleshooting






Post your Comments and Discuss Juniper JN0-636 exam with other Community members:

JN0-636 Discussions & Posts