Q1

A financial institution is deploying a chassis cluster with two SRX4600 devices to protect their core banking application. The requirements state that the cluster must maintain stateful session persistence for all traffic, including management sessions to the devices themselves. During a failover test, the administrator observes that while user traffic fails over correctly, their SSH session to the primary Routing Engine (RE) is terminated. Which configuration element is most likely responsible for this behavior?

Q2

An organization is using Juniper ATP Cloud integrated with their SRX firewall. They want to prevent users from downloading potentially malicious files, but also need to allow specific business-critical executable files from a trusted partner to be downloaded without inspection. How should this be configured within the ATP Cloud policy framework?

Q3

A network security engineer is establishing a new site-to-site IPsec VPN between two SRX devices. The remote peer is a third-party device that requires the use of a specific proxy-id. The local network is 192.168.10.0/24 and the remote network is 10.10.20.0/24. After configuring the IKE and IPsec proposals, the tunnel fails to establish. Which configuration approach is necessary to accommodate the third-party requirement?

Q4 (Multiple answers)

A security team has deployed Juniper Identity Management Service (JIMS) to create identity-aware security policies on their SRX firewalls. They have a requirement to apply a strict policy to all users in the 'Contractors' Active Directory group. After configuration, they notice that some contractors can still access resources that should be blocked. A review of the JIMS server shows it is correctly receiving user-to-IP mappings from the Domain Controllers. What is the most likely reason for the policy enforcement failure on the SRX? (Select TWO).

Q5

True or False: When configuring SSL Forward Proxy on an SRX Series device, the root CA certificate used to sign the proxied server certificates must be installed on the SRX device, but it is not necessary to distribute this root CA to the client browsers.

Q6

**Company Background:** Global-Retail Inc. operates a large e-commerce platform hosted in a private data center. They are expanding their security infrastructure to gain visibility into encrypted traffic and protect against advanced threats. The company has a strict user privacy policy that limits the decryption of traffic related to financial and healthcare services.

**Current Situation:** They have deployed a pair of SRX4200 firewalls in a chassis cluster. They have also subscribed to Juniper ATP Cloud. All outbound web traffic from their corporate network is routed through the SRX cluster. The security team is tasked with inspecting web traffic for malware and command-and-control (C2) communication, while adhering to the privacy policy.

**Requirements:**

1. All outbound web traffic (HTTP and HTTPS) must be inspected for threats.
2. HTTPS traffic to known financial and healthcare domains must NOT be decrypted.
3. The solution must still provide threat intelligence for the non-decrypted HTTPS traffic.
4. The configuration should minimize performance impact on the SRX cluster.

**Problem:** The team needs to select the most effective combination of Junos security features to meet all requirements. Which approach should they take?

Q7

When implementing a custom IDP attack object on an SRX Series device, which component specifies the direction of the traffic to be inspected for the attack signature?

Q8

A network engineer is managing a large-scale deployment of SRX firewalls using Junos Space Security Director. To streamline the onboarding of 50 new branch office firewalls, a Zero Touch Provisioning (ZTP) approach is required. Which Security Director feature is specifically designed to apply a standardized base configuration, including management settings and security policies, to devices as they are onboarded via ZTP?

Q9

What is the primary function of the fabric link in an SRX chassis cluster?

Q10 (Multiple answers)

An administrator is troubleshooting an IPsec VPN tunnel where IKE Phase 1 completes successfully, but IKE Phase 2 fails. The `show security ipsec security-associations` command shows no active SAs. The administrator suspects a mismatch in the IPsec proposals. Which two settings are negotiated during IKE Phase 2 and could be the cause of the failure? (Select TWO).