Juniper JN0-636 Exam Questions

The two security intelligence feed types that are supported are:

A) Infected host feed. An infected host feed is a security intelligence feed that contains the IP addresses of hosts that are infected by malware or compromised by attackers. The SRX Series device can download the infected host feed from the Juniper ATP Cloud or generate its own infected host feed based on the detection events from IDP.The SRX Series device can use the infected host feed to block or quarantine the traffic to or from the infected hosts based on the security policies1.

B) Command and Control feed. A command and control feed is a security intelligence feed that contains the IP addresses of servers that are used by malware or attackers to communicate with infected hosts. The SRX Series device can download the command and control feed from the Juniper ATP Cloud or generate its own command and control feed based on the detection events from IDP.The SRX Series device can use the command and control feed to block or log the traffic to or from the command and control servers based on the security policies2.

The other options are incorrect because:

C) Custom feeds. Custom feeds are not a security intelligence feed type, but a feature that allows you to create your own security intelligence feeds based on your own criteria and sources. You can configure custom feeds by using the Junos Space Security Director or the CLI.Custom feeds are not supported by the Juniper ATP Cloud or the IDP3.

D) Malicious URL feed. Malicious URL feed is not a security intelligence feed type, but a feature that allows you to block or log the traffic to or from malicious URLs based on the security policies. The SRX Series device can download the malicious URL feed from the Juniper ATP Cloud or the Juniper Threat Labs.Malicious URL feed is not supported by the IDP4.

Infected Host Feed Overview

Command and Control Feed Overview

Custom Feed Overview

Malicious URL Feed Overview

The command 'show security dynamic-address category-name DS hield' will show the IP addresses that are part of the DS hield category. By filtering the output of this command with the 'match 203.0.113.5' command, you can determine if the IP address 203.0.113.5 is part of the DS hield feed. This command will check the feeds that are configured on SRX Series device and are associated to juniper ATP Cloud.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-user-auth-configure-jims.html

Referring to the exhibit, your company's infrastructure team implemented new printers. To make sure that the policy enforcer pushes the updated IP address list to the SRX, you need to perform the following actions:

A) Configure the server feed URL as http://172.25.10.254/myprinters. The server feed URL is the address of the remote server that provides the custom feed data. You need to configure the server feed URL to match the location of the file that contains the IP addresses of the new printers.In this case, the file name is myprinters and the server IP address is 172.25.10.254, so the server feed URL should be http://172.25.10.254/myprinters1.

B) Create a security policy that uses the dynamic address feed to allow access. A security policy is a rule that defines the action to be taken for the traffic that matches the specified criteria, such as source and destination addresses, zones, protocols, ports, and applications. You need to create a security policy that uses the dynamic address feed as the source or destination address to allow access to the new printers. A dynamic address feed is a custom feed that contains a group of IP addresses that can be entered manually or imported from external sources.The dynamic address feed can be used in security policies to either deny or allow traffic based on either source or destination IP criteria2.

C) Configure Security Director to create a dynamic address feed. Security Director is a Junos Space application that enables you to create and manage security policies and objects. You need to configure Security Director to create a dynamic address feed that contains the IP addresses of the new printers. You can create a dynamic address feed by using the local file or the remote file server option.In this case, you should use the remote file server option and specify the server feed URL as http://172.25.10.254/myprinters3.

The other options are incorrect because:

D) Configuring Security Director to create a C&C feed is not required to complete the requirement. A C&C feed is a security intelligence feed that contains the IP addresses of servers that are used by malware or attackers to communicate with infected hosts. The C&C feed is not related to the new printers or the dynamic address feed.

E) Configuring the server feed URL as https://172.25.10.254/myprinters is not required to complete the requirement. The server feed URL can use either the HTTP or the HTTPS protocol, depending on the configuration of the remote server.In this case, the exhibit shows that the remote server is using the HTTP protocol, so the server feed URL should use the same protocol1.

Configuring the Server Feed URL

Dynamic Address Overview

Creating Custom Feeds

[Command and Control Feed Overview]

To create a secure fabric in your company's network, you need to know the following facts:

A secure fabric is a collection of sites that contain network devices (switches, routers, firewalls, and other security devices) that are used in policy enforcement groups. A site is a grouping of network devices that contribute to threat prevention. When threat prevention policies are applied to policy enforcement groups, the system automatically discovers to which sites those groups belong.This is how threat prevention is aggregated across your secure fabric1.

MX Series devices associated with tenants can belong to multiple sites. Tenants are logical partitions of the network that can have their own security policies and enforcement points.Sites that are associated with tenants do not need switches as enforcement points, because MX Series devices can perform tenant-based policy enforcement1.

SRX Series devices can belong to only one site. SRX Series devices are firewalls that can act as perimeter enforcement points for the secure fabric. They can send potentially malicious objects and files to the Juniper ATP Cloud for analysis and receive threat intelligence from the Juniper ATP Cloud to block malicious traffic.SRX Series devices cannot belong to multiple sites, because they do not support tenant-based policy enforcement1.

A switch must be assigned to the site to enforce an infected host policy within the network. An infected host policy is a policy that blocks or quarantines hosts that are identified as infected by the Juniper ATP Cloud. A switch can act as an internal enforcement point for the secure fabric by applying the infected host policy to the hosts that are connected to it.A switch must be assigned to the site where the infected hosts are located, because SRX Series devices cannot enforce infected host policies1.

Switches and connectors cannot be added to the same site. Connectors are software agents that can be installed on Windows or Linux servers to enable them to act as enforcement points for the secure fabric. Connectors can apply infected host policies to the hosts that are connected to them. However, connectors cannot coexist with switches in the same site, because they use different methods of policy enforcement.Switches use VLANs and ACLs, while connectors use IPtables and WFP1.

Therefore, the correct answer is B, D, and E. The other options are incorrect because:

A)MX Series devices associated with tenants can belong to multiple sites, not only one site1.

C)SRX Series devices can belong to only one site, not multiple sites1.

Secure Fabric Overview