Most Recent Juniper JN0-636 Exam Dumps

 

Prepare for the Juniper Security, Professional exam with our extensive collection of questions and answers. These practice Q&A are updated according to the latest syllabus, providing you with the tools needed to review and test your knowledge.

QA4Exam focuses on the latest syllabus and exam objectives; our practice Q&A are designed to help you identify key topics and solidify your understanding. By focusing on the core curriculum, these Questions & Answers help you cover all the essential topics, ensuring you're well-prepared for every section of the exam. Each question comes with a detailed explanation, offering valuable insights and helping you to learn from your mistakes. Whether you're looking to assess your progress or dive deeper into complex topics, our updated Q&A will provide the support you need to confidently approach the Juniper JN0-636 exam and achieve success.

The questions for JN0-636 were last updated on May 1, 2025.
  • Viewing page 1 out of 23 pages.
  • Viewing questions 1-5 out of 115 questions
Question No. 1

Your company wants to take your Juniper ATP Appliance into private mode. You must give them a list of impacted features for this request.

Which two features are impacted in this scenario? (Choose two)

Correct Answer: A, C

Your company wants to take your Juniper ATP Appliance into private mode. You must give them a list of impacted features for this request. The two features that are impacted in this scenario are:

A) False Positive Reporting. False Positive Reporting is a feature that allows you to report false positive detections to Juniper Networks for analysis and improvement. False Positive Reporting requires an Internet connection to send the reports to Juniper Networks. If you take your Juniper ATP Appliance into private mode, False Positive Reporting will be disabled and you will not be able to report false positives [1].

C) GSS Telemetry. GSS Telemetry is a feature that allows you to send anonymized threat data to Juniper Networks for analysis and improvement. GSS Telemetry requires an Internet connection to send the data to Juniper Networks. If you take your Juniper ATP Appliance into private mode, GSS Telemetry will be disabled and you will not be able to contribute to the threat intelligence community [2].

The other options are incorrect because:

B) Threat Progression Monitoring. Threat Progression Monitoring is a feature that allows you to monitor the threat activity and progression across your network. Threat Progression Monitoring does not require an Internet connection and can be performed locally by the Juniper ATP Appliance. If you take your Juniper ATP Appliance into private mode, Threat Progression Monitoring will not be impacted and you will still be able to monitor the threat activity and progression [3].

D) Cyber Kill Chain mapping. Cyber Kill Chain mapping is a feature that allows you to map the threat activity and progression to the stages of the Cyber Kill Chain framework. Cyber Kill Chain mapping does not require an Internet connection and can be performed locally by the Juniper ATP Appliance. If you take your Juniper ATP Appliance into private mode, Cyber Kill Chain mapping will not be impacted and you will still be able to map the threat activity and progression [4].


False Positive Reporting

GSS Telemetry

Threat Progression Monitoring

Cyber Kill Chain Mapping

Question No. 2

Which two log format types are supported by the JATP appliance? (Choose two.)

Correct Answer: B, C

https://www.juniper.net/documentation/en_US/release-independent/jatp/topics/topic-map/jatp-custom-log-ingestion.html


Question No. 3

You are asked to download and install the IPS signature database to a device operating in chassis cluster mode. Which statement is correct in this scenario?

Correct Answer: A

The IPS signature database is one of the major components of the intrusion prevention system (IPS). It contains definitions of different objects, such as attack objects, application signature objects, and service objects, that are used in defining IDP policy rules. As a response to new vulnerabilities, Juniper Networks periodically provides a file containing attack database updates on the Juniper Networks website. You can download this file to protect your network from new threats. Note: IPS does not need a separate license to run as a service on the SRX Series Firewall; however, a license is required for IPS updates [1].

When you configure a chassis cluster, the two nodes back up each other, with one node acting as the primary device and the other as the secondary device, ensuring stateful failover of processes and services in the event of system or hardware failure. If the primary device fails, the secondary device takes over processing of traffic [2].

To download and install the IPS signature database to a device operating in chassis cluster mode, you must perform the following steps:

Download the IPS signature package from the Juniper Networks website to the primary node of the chassis cluster. You can use the request security idp security-package download CLI command or the Security Director user interface to download the package. Note: You must have a valid license key installed on the device to download the package [3].

Install the IPS signature package on the primary node of the chassis cluster. You can use the request security idp security-package install CLI command or the Security Director user interface to install the package. Note: You must reboot the primary node after installing the package [3].

Synchronize the IPS signature package from the primary node to the backup node of the chassis cluster. You can use the request security idp security-package install-backup CLI command or the Security Director user interface to synchronize the package. Note: You do not need to reboot the backup node after synchronizing the package [3].

Therefore, the correct answer is A. You must download and install the IPS signature package on the primary node. The other options are incorrect because:

B) The first synchronization of the backup node and the primary node is performed automatically after you install the package on the primary node. You do not need to perform it manually [3].

C) The first time you synchronize the IPS signature package from the primary node to the backup node, the primary node does not need to be rebooted. You only need to reboot the primary node after installing the package [3].

D) The IPS signature package does not need to be downloaded and installed on the primary and backup nodes separately. You only need to download and install it on the primary node and then synchronize it to the backup node [3].


IDP Signature Database Overview

Understanding IDP Signature Database for Migration

Configuring Chassis Clustering on SRX Series Devices

Question No. 4

Exhibit

Referring to the exhibit, which two statements are true about the CAK status for the CAK named "FFFP"? (Choose two.)

Correct Answer: A, D

The exhibit shows the output of the show security mka sessions summary command on an SRX Series device. This command displays the status of the MACsec Key Agreement (MKA) sessions on the device. In the output, we can see that there are two CAKs configured for the interface ge-0/0/1 - FFFF and EEEE. The CAK named FFFF has the type preceding and the status live. The CAK named EEEE has the type fallback and the status active.

The two statements that are true about the CAK status for the CAK named FFFF are:

CAK is not used for encryption and decryption of the MACsec session. This is because the CAK is only used for authentication and key exchange between the MACsec peers. The CAK is not used for encrypting or decrypting the MACsec traffic. The encryption and decryption of the MACsec session is done by the Secure Association Key (SAK), which is derived from the CAK using the MKA protocol.

SAK is not generated using this key. This is because the CAK named FFFF has the type preceding, which means that it is a legacy key that is used for backward compatibility with older MACsec devices. The preceding key is not used for generating the SAK, but only for authenticating the MACsec peers. The SAK is generated using the active key, which is the CAK named EEEE in this case.


Question No. 5

Your company wants to use the Juniper SecIntel feeds to block access to known command and control servers, but they do not want to use Security Director to manage the feeds.

Which two Juniper devices work in this situation? (Choose two)

Correct Answer: B, C

Juniper MX and SRX series devices support the integration of SecIntel feeds, which provide information about known command and control servers, for the purpose of blocking access to them. These devices can be configured to use the SecIntel feeds without the need for Security Director to manage the feeds.

EX series and QFX series devices are not capable of working in this situation, as they do not support the integration of SecIntel feeds.

According to the Juniper documentation, the two Juniper devices that work in this situation are MX Series devices and SRX Series devices. These devices can use the Juniper SecIntel feeds to block access to known command and control servers without using Security Director to manage the feeds. The Juniper SecIntel feeds are curated and verified threat intelligence data that are continuously collected from Juniper ATP Cloud, Juniper Threat Labs, and other sources. The SecIntel feeds include command and control IPs, URLs, certificate hashes, and domains that are used by attackers to control malware or maintain their connection to the network [1].

The MX Series devices and the SRX Series devices can subscribe to the SecIntel feeds by using the following steps:

Configure the SecIntel service on the device by specifying the SecIntel URL, the SecIntel policy, and the SecIntel license [2].

Configure the SecIntel policy on the device by specifying the SecIntel feeds, the SecIntel actions, and the SecIntel logging [3].

Apply the SecIntel policy to the security zones or the firewall policies on the device by using the secintel-policy option [4].

Once the SecIntel service is configured and applied, the MX Series devices and the SRX Series devices will receive the SecIntel feeds from Juniper ATP Cloud and use them to block the traffic from or to the command and control servers. The SecIntel service will also send the SecIntel logs to Juniper ATP Cloud or a third-party SIEM solution for further analysis and reporting.

The following devices are not suitable for this situation:

EX Series devices: EX Series devices are Ethernet switches that can integrate with SecIntel to block infected hosts at the switch port. However, they cannot use the SecIntel feeds to block command and control servers, as they do not support the SecIntel service or policy.

QFX Series devices: QFX Series devices are Ethernet switches that can integrate with SecIntel to block infected hosts at the switch port. However, they cannot use the SecIntel feeds to block command and control servers, as they do not support the SecIntel service or policy.

