Juniper Expert

JN0-336

JNCIP-SEC (Security Professional)

The JNCIP-SEC (JN0-336) certification validates expert-level knowledge of security technologies on Juniper Networks SRX Series platforms. This professional-level certification is designed for highly experienced security professionals with advanced knowledge of Juniper security solutions. It builds upon JNCIS-SEC knowledge and requires deep technical expertise in security architecture and troubleshooting.

The exam covers five domains: Advanced SRX Security (20%), Advanced IPsec VPN (20%), Advanced Threat Prevention (20%), Advanced NAT and Policy-Based Routing (20%), and Troubleshooting Security Platforms (20%). Candidates must demonstrate mastery of complex security zone architectures, advanced VPN configurations including multicast VPNs, custom IPS signatures, SSL inspection, carrier-grade NAT, policy-based routing, and systematic troubleshooting methodologies for security platforms.

This certification is ideal for senior security engineers, security architects, and technical leads with 5+ years of experience who design and troubleshoot complex security infrastructures. The JN0-336 exam was last updated in 2024.

Updated 2024 Cybersecurity

Питања

Пробни тестови

60%

Пролазни резултат

Прегледи

Укупно покушаја

Просечан резултат

Стопа пролазности

Дискусије

Пробни тестови Флеш картице Теме испита Шалабахтер

€5.00

JN0-336 Practice Exam 1

Comprehensive 50-question practice exam covering all five JNCIP-SEC domains including advanced SRX, IPsec VPN, ATP, NAT, and troubleshooting.

50 Q 90 минута 65%

Пробна вожња

€5.00

JN0-336 Practice Exam 2

Comprehensive 50-question practice exam covering all five JNCIP-SEC domains including advanced SRX, IPsec VPN, ATP, NAT, and troubleshooting.

50 Q 90 минута 65%

Пробна вожња

€5.00

JN0-336 Practice Exam 3

Comprehensive 50-question practice exam covering all five JNCIP-SEC domains including advanced SRX, IPsec VPN, ATP, NAT, and troubleshooting.

50 Q 90 минута 65%

Пробна вожња

€5.00

JN0-336 Practice Exam 4

Comprehensive 50-question practice exam covering all five JNCIP-SEC domains: advanced SRX security, advanced IPsec VPN, advanced threat prevention, advanced NAT and policy-based routing, and troubleshooting security platforms.

50 Q 90 минута 65%

Пробна вожња

€5.00

JN0-336 Practice Exam 5

50 Q 90 минута 65%

Пробна вожња

€5.00

JN0-336 Practice Exam 6

Comprehensive 50-question practice exam for JNCIP-SEC covering advanced SRX security, advanced IPsec VPN, advanced threat prevention, advanced NAT/PBR, and troubleshooting.

50 Q 90 минута 60%

Пробна вожња

Откључајте сав садржај за JN0-336

6 Пробни тест(ови) + Флеш картице — 3 месеца приступа

€39.99 €26.99 Уштедите 30%

или укључено у месечну претплату / Комплет садржаја

JN0-336 Cheat Sheet

Брзи референтни водич - 6 секција

Бесплатан приступ

SRX Series Platform Overview

The Juniper SRX Series is a family of next-generation firewalls (NGFW) and services gateways running Junos OS. SRX devices combine routing, switching, and advanced security services on a single platform, scaling from small branch offices to large data centers and service provider cores. All SRX platforms share a common Junos code base with consistent CLI and configuration hierarchy.

Branch SRX (SMB & Enterprise Edge)

SRX300 - Desktop form, ~1 Gbps FW, small branch
SRX320 - Desktop with PoE, mini-PIM slot
SRX340 - 1U rack, 3 Gbps FW, medium branch
SRX345 - Enhanced SRX340 with mini-PIM
SRX380 - 1U, 5 Gbps FW, large branch
SRX550 HM - 1U high-memory, 9 Gbps FW
SRX1500 - 1U, 9 Gbps FW, regional HQ

Data Center / Service Provider SRX

SRX4100 / 4200 - 1U, 20-40 Gbps FW
SRX4600 - 2U, 400 Gbps FW, DC edge
SRX5400 - 5U chassis, modular SPCs/IOCs
SRX5600 - 8U, mid-range DC core
SRX5800 - 16U, 2 Tbps FW, SP core
Virtual SRX (vSRX) - KVM/ESXi/Hyper-V/AWS/Azure
Containerized SRX (cSRX) - Docker container, microservices

Control Plane vs Data Plane

Junos separates the Routing Engine (RE - control plane) from the Packet Forwarding Engine (PFE - data plane). On SRX, the data plane is often implemented in Services Processing Units (SPUs) on SPCs (Services Processing Cards). Understanding this split is critical for troubleshooting, resource monitoring, and performance tuning.

Routing Engine (RE)

Runs Junos kernel, daemons (rpd, chassisd, mgd, dcd)
Handles CLI, NETCONF, SNMP, routing protocols
Builds RIB - pushed to PFE as FIB
Junos config commit - validates and applies

Packet Forwarding Engine (PFE/SPU)

Line-rate packet forwarding and lookup
Session table (flow table) lives here
Security policy enforcement, NAT, screens
IPS, AppID, UTM, ATP inspection pipeline

# Check RE and PFE health
show chassis routing-engine
show chassis fpc
show chassis hardware
show security monitoring fpc 0
show security flow session summary

Logical Systems (LSYS) vs Tenant Systems (TSYS)

Multitenancy on high-end SRX is provided through two overlapping technologies: Logical Systems (available on SRX5000/4000 series) and Tenant Systems (lighter weight, higher scale). Both allow administrators to partition a single SRX into multiple virtual firewalls with independent routing, policies, and NAT.

Logical Systems (LSYS)

Heavy isolation - dedicated RE resources
Max ~32 LSYS per chassis (varies by model)
Own zones, policies, NAT, IDP, routing instances
Master admin vs LSYS admin role separation
Inter-LSYS traffic via interconnect LSYS

Tenant Systems (TSYS)

Lightweight - scales to 500+ tenants
Shared infrastructure (control plane)
Ideal for managed security service providers
Each tenant gets isolated config context
Requires SRX5K with appropriate license

# Create a logical system
set logical-systems TENANT-A security zones security-zone trust interfaces ge-0/0/1.0
set logical-systems TENANT-A security policies from-zone trust to-zone untrust policy ALLOW match source-address any
set logical-systems TENANT-A security policies from-zone trust to-zone untrust policy ALLOW match destination-address any
set logical-systems TENANT-A security policies from-zone trust to-zone untrust policy ALLOW match application any
set logical-systems TENANT-A security policies from-zone trust to-zone untrust policy ALLOW then permit

# Create a tenant system
set tenants CUSTOMER1 routing-instances VR1 instance-type virtual-router
set tenants CUSTOMER1 security zones security-zone trust interfaces ge-0/0/5.0
show tenants CUSTOMER1

High Availability - Chassis Cluster (HA)

SRX HA is delivered via Chassis Cluster - two physical (or virtual) SRX devices joined into a single logical system. Members share configuration, session state, and run active/passive or active/active modes. Dedicated Control Link (fxp1) carries configuration sync, and a Fabric Link (fab0/fab1) carries session state via RTO (Real-Time Object) sync.

Control Plane Cluster (Node 0 / Node 1)

One node is RE primary; configuration commits and routing daemons run there. Failover via priority + preempt settings.

Redundancy Groups (RG0, RG1+)

RG0 = control plane ownership; RG1-128 = data plane interface (reth) groups. Each RG can fail over independently.

# Enable chassis cluster
set chassis cluster cluster-id 1 node 0 reboot
set chassis cluster cluster-id 1 node 1 reboot

# Redundancy Group 0 (RE) and RG1 (data plane)
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 preempt

# Redundant Ethernet (reth) interface
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 gigether-options redundant-parent reth0
set interfaces ge-7/0/1 gigether-options redundant-parent reth0

# Verify
show chassis cluster status
show chassis cluster interfaces
show chassis cluster statistics

vSRX and cSRX - Virtual Form Factors

vSRX is a full virtual machine image of the SRX firewall that runs on KVM, VMware ESXi, Microsoft Hyper-V, and public clouds (AWS, Azure, GCP, OCI). cSRX is a lightweight Docker container variant optimized for Layer 3-7 security in Kubernetes and cloud-native environments where rapid scaling and microservices are needed.

Feature	vSRX	cSRX
Form Factor	Full VM (KVM/ESXi/Cloud)	Docker container
Footprint	2-16 vCPU, 4-32 GB RAM	1 vCPU, 1 GB RAM
Boot Time	~60 seconds	~5 seconds
Data Plane	DPDK, SR-IOV, virtio	Linux kernel / DPDK
Features	Full SRX feature parity	L3-L7 security, no L2 HA
Typical Use	NFV, cloud edge, branch	Kubernetes, CI/CD pipelines

# Launch cSRX with Docker
docker run -d --privileged --name csrx1 \
  -e CSRX_ROOT_PASSWORD='Juniper123' \
  -e CSRX_FORWARDING_MODE=routing \
  --net=mgmt --ip=10.0.0.10 \
  csrx:21.4R1

# vSRX on KVM - verify virtio queues
virsh dumpxml vsrx1 | grep -E 'queues|driver'

Routing on SRX - OSPF, BGP, Static

SRX firewalls run the full Junos routing stack via the rpd daemon. Configuration lives under [edit protocols] (or within a routing-instance). SRX platforms support OSPFv2/v3, IS-IS, BGP (internal and external), RIP, and static routing. Routing adjacencies are formed over Layer 3 interfaces bound to security zones that permit the relevant host-inbound traffic.

# OSPF area 0 adjacency
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0 passive
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols ospf
set security zones security-zone trust host-inbound-traffic system-services ping

# Static default route
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

# eBGP peer
set protocols bgp group EXT type external
set protocols bgp group EXT peer-as 65001
set protocols bgp group EXT neighbor 198.51.100.1
set routing-options autonomous-system 65000
set security zones security-zone untrust host-inbound-traffic protocols bgp

# Verify
show ospf neighbor
show bgp summary
show route 0.0.0.0/0 exact

Routing Instances - VR, Forwarding, VRF

Routing instances provide Layer 3 virtualization. Each instance has its own RIB, FIB, and protocol configuration. SRX supports several instance types, each solving a different use case from multi-tenant segmentation to MPLS L3VPN to policy-based routing.

virtual-router

Simple L3 instance with own RIB/FIB. Ideal for multi-tenant isolation. Supports OSPF, BGP, static, RIP. No MPLS import/export policy needed.

vrf (L3VPN)

Full RFC 4364 L3VPN instance with route-distinguisher and vrf-target. Used for MPLS VPN provider edge. Imports and exports routes via VPNv4 BGP.

forwarding

Used with filter-based forwarding (FBF) / policy-based routing. Selected by firewall filter action `routing-instance`. No protocols, only static routes.

mpls-internet-multicast / evpn

Specialized instances for MPLS multicast and EVPN-VXLAN deployments on high-end SRX in data center spine/leaf with EVPN Type-5 prefix routes.

# Virtual router instance
set routing-instances CUSTOMER-A instance-type virtual-router
set routing-instances CUSTOMER-A interface ge-0/0/3.0
set routing-instances CUSTOMER-A routing-options static route 10.10.0.0/16 next-hop 192.168.1.1

# VRF with RD/RT
set routing-instances VPN-BLUE instance-type vrf
set routing-instances VPN-BLUE route-distinguisher 65000:100
set routing-instances VPN-BLUE vrf-target target:65000:100
set routing-instances VPN-BLUE interface ge-0/0/4.0

# Filter-based forwarding
set firewall family inet filter FBF term VOIP from dscp ef
set firewall family inet filter FBF term VOIP then routing-instance VOIP-RI
set firewall family inet filter FBF term DEFAULT then accept
set interfaces ge-0/0/5 unit 0 family inet filter input FBF

Transparent Mode & Mixed Mode

SRX supports operating as a Layer 2 transparent firewall (bump-in-the-wire) in addition to routed Layer 3 mode. Transparent mode allows dropping a firewall into an existing L2 segment without IP re-addressing. Mixed mode (introduced in Junos 15.1+) lets different interfaces on the same SRX operate in L2 or L3 simultaneously.

# Transparent (L2) mode
set protocols l2-learning global-mode transparent-bridge
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces ge-0/0/2 unit 0 family ethernet-switching
set bridge-domains BD1 vlan-id 100
set bridge-domains BD1 interface ge-0/0/1.0
set bridge-domains BD1 interface ge-0/0/2.0
set security zones security-zone L2-TRUST interfaces ge-0/0/1.0
set security zones security-zone L2-UNTRUST interfaces ge-0/0/2.0

# Mixed mode (L2 + L3 on same device)
set protocols l2-learning global-mode switching
set interfaces ge-0/0/3 unit 0 family inet address 10.1.1.1/24   # L3
set interfaces ge-0/0/4 unit 0 family ethernet-switching          # L2

# Reboot required when switching global-mode
request system reboot

Route Leaking & rib-groups

Junos uses rib-groups to leak routes from one routing table into another (e.g., inet.0 to VR-CUSTOMER.inet.0). This is essential in multi-tenant designs where certain shared services (DNS, internet egress) must be accessible from all tenant routing instances.

# Leak default route from master to VR-CUSTOMER
set routing-options rib-groups INET-TO-CUST import-rib inet.0
set routing-options rib-groups INET-TO-CUST import-rib VR-CUSTOMER.inet.0
set routing-options rib-groups INET-TO-CUST import-policy LEAK-DEFAULT

set policy-options policy-statement LEAK-DEFAULT term 1 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement LEAK-DEFAULT term 1 then accept
set policy-options policy-statement LEAK-DEFAULT then reject

set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set routing-options static rib-group INET-TO-CUST

show route table VR-CUSTOMER.inet.0

Bridge Domains & Q-in-Q

Bridge domains on SRX group multiple Layer 2 interfaces into a broadcast domain. Q-in-Q (IEEE 802.1ad) tunneling allows customer VLAN tags (C-VLAN) to be carried inside a service-provider outer tag (S-VLAN), useful for data center tenant isolation or service provider metro ethernet.

# Q-in-Q on trunk interface
set interfaces ge-0/0/6 flexible-vlan-tagging
set interfaces ge-0/0/6 encapsulation flexible-ethernet-services
set interfaces ge-0/0/6 unit 100 encapsulation vlan-bridge
set interfaces ge-0/0/6 unit 100 vlan-tags outer 1000 inner 100
set bridge-domains CUST-A-VLAN100 interface ge-0/0/6.100

# Integrated Routing and Bridging (IRB)
set bridge-domains BD-DMZ vlan-id 200
set bridge-domains BD-DMZ routing-interface irb.200
set interfaces irb unit 200 family inet address 10.200.0.1/24
set security zones security-zone DMZ interfaces irb.200

Unified Policies - Application-Based Match

Junos 18.2 introduced Unified Policies which allow Layer 7 application signatures (AppID) and URL categories to be used as match conditions directly in security policies - eliminating the need for separate application-firewall (AppFW) profiles. The firewall performs initial match on 5-tuple, then refines the decision after application identification completes.

# Unified policy with dynamic-application match
set security policies from-zone trust to-zone untrust policy BLOCK-FACEBOOK match source-address any
set security policies from-zone trust to-zone untrust policy BLOCK-FACEBOOK match destination-address any
set security policies from-zone trust to-zone untrust policy BLOCK-FACEBOOK match application any
set security policies from-zone trust to-zone untrust policy BLOCK-FACEBOOK match dynamic-application junos:FACEBOOK-ACCESS
set security policies from-zone trust to-zone untrust policy BLOCK-FACEBOOK then deny

# URL category match (requires Enhanced Web Filtering / SecIntel)
set security policies from-zone trust to-zone untrust policy BLOCK-MALWARE match url-category Enhanced_Malware_Sites
set security policies from-zone trust to-zone untrust policy BLOCK-MALWARE then deny log session-close

# Check AppID engine
show services application-identification version
show services application-identification application detail junos:FACEBOOK-ACCESS
show security flow session application facebook-access

Pre-ID Default Policy: Before AppID finishes, Junos uses the pre-id-default-policy to decide whether to permit the first few packets through the inspection pipeline. Configure it explicitly in production to avoid relying on the implicit permit.

Global Policies & Policy Sets

Global policies match traffic regardless of source/destination zone and are evaluated after zone-pair policies. They are useful for catch-all logging, deny-by-default rules, or environment-wide application controls. Policy Sets (via Junos Space Security Director) allow policy grouping and reuse across multiple SRX devices.

# Global policy (no from-zone/to-zone)
set security policies global policy LOG-ALL-DENY match source-address any
set security policies global policy LOG-ALL-DENY match destination-address any
set security policies global policy LOG-ALL-DENY match application any
set security policies global policy LOG-ALL-DENY then deny
set security policies global policy LOG-ALL-DENY then log session-init session-close

# Default-deny: place at end
set security policies default-policy deny-all

# Policy ordering and rename
insert security policies from-zone trust to-zone untrust policy ALLOW-DNS before policy DENY-ALL
show security policies hit-count from-zone trust to-zone untrust

Policy Scheduling

Schedulers attach a time window to security policies - useful for contractor access, after-hours lockdowns, or maintenance windows. Schedulers support daily, weekly, start-date/stop-date, and exclude modes. A policy without a scheduler is always active.

# Business-hours-only access
set schedulers scheduler BUSINESS-HOURS daily start-time 08:00 stop-time 18:00
set schedulers scheduler BUSINESS-HOURS monday exclude
set schedulers scheduler BUSINESS-HOURS sunday exclude

# Apply to policy
set security policies from-zone contractor to-zone internal policy CONTRACTOR-ACCESS scheduler-name BUSINESS-HOURS
set security policies from-zone contractor to-zone internal policy CONTRACTOR-ACCESS match source-address any
set security policies from-zone contractor to-zone internal policy CONTRACTOR-ACCESS match destination-address internal-apps
set security policies from-zone contractor to-zone internal policy CONTRACTOR-ACCESS match application junos-ssh
set security policies from-zone contractor to-zone internal policy CONTRACTOR-ACCESS then permit

# Verify
show schedulers
show security policies policy-name CONTRACTOR-ACCESS detail

Logging - session-init, session-close, syslog

Security logs on SRX can be emitted at two points in a session lifecycle: session-init (when the session starts, traffic accepted/denied) and session-close (when the session ends, with byte/packet counters and close reason). Stream-mode logging sends structured syslog directly from the PFE to an external collector (Junos Space, JSA, Splunk).

# Enable stream logging to SIEM
set security log mode stream
set security log format sd-syslog
set security log source-address 10.0.0.5
set security log stream SIEM category all
set security log stream SIEM host 10.1.1.100
set security log stream SIEM host port 514

# Log both init and close on a policy
set security policies from-zone trust to-zone untrust policy ALLOW-WEB then log session-init session-close

# Verify
show security log stream
show security log

session-init

Emitted when the first packet matches the policy. Good for real-time alerting on deny events. No byte counts yet.

session-close

Emitted on TCP FIN/RST, UDP age-out, or timeout. Contains bytes-in/out, packets, duration, close reason.

Advanced NAT - Source, Destination, Static, Twice

Junos NAT is configured under [edit security nat]. Source NAT translates the source address (typical internet egress with interface or pool), destination NAT translates destination (server publishing), static NAT provides 1:1 bidirectional mapping, and twice NAT translates both src and dst simultaneously (useful for overlapping subnets between merged networks).

# Interface-based source NAT (PAT overload)
set security nat source rule-set EGRESS from zone trust
set security nat source rule-set EGRESS to zone untrust
set security nat source rule-set EGRESS rule SNAT match source-address 10.0.0.0/8
set security nat source rule-set EGRESS rule SNAT then source-nat interface

# Destination NAT for web server publishing
set security nat destination pool WEB-POOL address 10.100.0.10/32 port 80
set security nat destination rule-set INBOUND from zone untrust
set security nat destination rule-set INBOUND rule WEB-DNAT match destination-address 203.0.113.50
set security nat destination rule-set INBOUND rule WEB-DNAT match destination-port 80
set security nat destination rule-set INBOUND rule WEB-DNAT then destination-nat pool WEB-POOL

# Static NAT (bidirectional 1:1)
set security nat static rule-set STATIC from zone untrust
set security nat static rule-set STATIC rule MAIL match destination-address 203.0.113.51/32
set security nat static rule-set STATIC rule MAIL then static-nat prefix 10.100.0.11/32

# Persistent NAT for VoIP / STUN
set security nat source rule-set EGRESS rule SNAT then source-nat pool PAT-POOL persistent-nat permit any-remote-host

show security nat source summary
show security nat destination rule all

Screens - DoS & Reconnaissance Protection

Security Screens are per-zone DoS/anomaly protections applied before session lookup. They detect scans, SYN floods, ICMP sweeps, spoofed source addresses, and malformed packets. Screens live in ids-option sets and are bound to zones.

set security screen ids-option UNTRUST-SCREEN icmp ping-death
set security screen ids-option UNTRUST-SCREEN ip source-route-option
set security screen ids-option UNTRUST-SCREEN ip tear-drop
set security screen ids-option UNTRUST-SCREEN tcp syn-flood alarm-threshold 1024
set security screen ids-option UNTRUST-SCREEN tcp syn-flood attack-threshold 2000
set security screen ids-option UNTRUST-SCREEN tcp land
set security screen ids-option UNTRUST-SCREEN tcp port-scan threshold 5000
set security screen ids-option UNTRUST-SCREEN udp flood threshold 5000
set security zones security-zone untrust screen UNTRUST-SCREEN

show security screen statistics zone untrust

Junos Space Security Director

Junos Space Security Director is Juniper's centralized policy management platform. It provides a single pane of glass for managing SRX policies, NAT, IPS, UTM, VPN, and SecIntel feeds across hundreds of devices. Policy changes are modeled, validated, and pushed via NETCONF.

Device Discovery: NETCONF-based onboarding of SRX fleet
Policy Groups: Hierarchical policy reuse across sites/regions
Change Management: Pre-view, schedule, and rollback policy pushes
Log Director: Collects SRX stream logs for analytics and reporting
Threat Analytics: Correlates ATP Cloud + SecIntel events per host
REST API: Full automation for DevSecOps pipelines

IPsec VPN Fundamentals on SRX

SRX supports route-based and policy-based IPsec VPNs. Route-based VPNs use a secure tunnel interface (st0.x) and static/dynamic routing to direct traffic into the tunnel - this is the preferred model for scalability, supports OSPF/BGP over the tunnel, and is required for AutoVPN and ADVPN. Policy-based VPNs tie encryption to specific security policies.

# Route-based site-to-site VPN (IKEv2, PSK)
set security ike proposal IKE-P2 authentication-method pre-shared-keys
set security ike proposal IKE-P2 dh-group group19
set security ike proposal IKE-P2 authentication-algorithm sha-256
set security ike proposal IKE-P2 encryption-algorithm aes-256-cbc
set security ike proposal IKE-P2 lifetime-seconds 28800

set security ike policy IKE-POL version v2-only
set security ike policy IKE-POL proposals IKE-P2
set security ike policy IKE-POL pre-shared-key ascii-text "SuperSecret123!"

set security ike gateway GW-BRANCH ike-policy IKE-POL
set security ike gateway GW-BRANCH address 203.0.113.10
set security ike gateway GW-BRANCH external-interface ge-0/0/0.0
set security ike gateway GW-BRANCH dead-peer-detection always-send
set security ike gateway GW-BRANCH dead-peer-detection interval 10 threshold 3

set security ipsec proposal IPSEC-P2 protocol esp
set security ipsec proposal IPSEC-P2 authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-P2 encryption-algorithm aes-256-gcm
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group19
set security ipsec policy IPSEC-POL proposals IPSEC-P2

set security ipsec vpn VPN-BRANCH bind-interface st0.0
set security ipsec vpn VPN-BRANCH ike gateway GW-BRANCH
set security ipsec vpn VPN-BRANCH ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-BRANCH establish-tunnels immediately

set interfaces st0 unit 0 family inet address 169.254.1.1/30
set routing-options static route 10.20.0.0/16 next-hop st0.0
set security zones security-zone vpn interfaces st0.0

AutoVPN - Hub-and-Spoke On-Demand

AutoVPN scales traditional hub-and-spoke IPsec by allowing dynamic spoke onboarding without hub-side reconfiguration. The hub has a single IKE gateway with a wildcard peer identity - spokes authenticate using PKI certificates. New branch sites can be added simply by issuing a certificate; no hub changes required.

# AutoVPN Hub (PKI-based, wildcard peer)
set security pki ca-profile JUNIPER-CA ca-identity juniper-ca
set security pki ca-profile JUNIPER-CA enrollment url http://ca.example.com/cgi-bin/pkiclient.exe

set security ike gateway HUB-GW ike-policy PKI-POL
set security ike gateway HUB-GW dynamic hostname "*.branch.example.com"
set security ike gateway HUB-GW dynamic ike-user-type group-ike-id
set security ike gateway HUB-GW external-interface ge-0/0/0.0

set security ipsec vpn AUTOVPN-HUB bind-interface st0.0
set security ipsec vpn AUTOVPN-HUB ike gateway HUB-GW
set security ipsec vpn AUTOVPN-HUB ike ipsec-policy IPSEC-POL

# Enable OSPF or BGP over st0 to learn spoke prefixes dynamically
set protocols ospf area 0 interface st0.0 interface-type p2mp

ADVPN - Auto Discovery VPN (Shortcut Paths)

ADVPN (RFC 7018) extends AutoVPN with dynamic spoke-to-spoke shortcut tunnels. When two spokes need to talk, the hub mediates IKEv2 exchange and triggers direct shortcut SA establishment. This offloads traffic from the hub and reduces latency - ideal for VoIP or large file transfers between branches.

Shortcut Suggester (Hub)

Observes spoke-to-spoke flows traversing the hub and signals both spokes to establish a direct shortcut.

Shortcut Partner (Spokes)

Responds to hub's suggestion, initiates or accepts IKEv2 with the peer spoke, and installs a direct SA.

# ADVPN on hub
set security ike gateway HUB-GW advpn suggester disable
set security ike gateway HUB-GW advpn partner

# ADVPN on spoke
set security ike gateway SPOKE-GW advpn suggester
set security ike gateway SPOKE-GW advpn partner connection-limit 10
set security ike gateway SPOKE-GW advpn partner idle-time 300

show security ike active-peer
show security ipsec security-associations

Group VPN - Any-to-Any with Shared SA

Group VPN (based on GDOI - RFC 6407) distributes a shared IPsec SA to all group members via a Key Server. Members then encrypt/decrypt any-to-any without per-peer IKE negotiations. Useful in MPLS backbones where you need encryption but want full any-to-any reachability preserved.

# Group VPN Member config
set security group-vpn member ike gateway KS-GW address 10.0.0.1
set security group-vpn member ike gateway KS-GW ike-policy KS-POL
set security group-vpn member ipsec vpn GROUP1 ike-gateway KS-GW
set security group-vpn member ipsec vpn GROUP1 group-vpn-external-interface ge-0/0/0.0

# Apply group VPN to policy
set security policies from-zone trust to-zone trust policy GROUP-ENC then permit tunnel ipsec-group-vpn GROUP1

Dead Peer Detection & Traffic Selectors

DPD detects when an IKE peer has become unreachable by sending R_U_THERE messages when traffic is present or always. Traffic Selectors (TS) in IKEv2 narrow the IPsec SA to specific subnets - useful when interoperating with firewalls that expect proxy-IDs to match exactly.

# DPD
set security ike gateway GW-BRANCH dead-peer-detection always-send
set security ike gateway GW-BRANCH dead-peer-detection interval 10
set security ike gateway GW-BRANCH dead-peer-detection threshold 3

# IKEv2 traffic selectors (proxy-id replacement)
set security ipsec vpn VPN-BRANCH traffic-selector TS1 local-ip 10.1.0.0/16
set security ipsec vpn VPN-BRANCH traffic-selector TS1 remote-ip 10.2.0.0/16
set security ipsec vpn VPN-BRANCH traffic-selector TS2 local-ip 10.3.0.0/24
set security ipsec vpn VPN-BRANCH traffic-selector TS2 remote-ip 10.4.0.0/24

show security ike security-associations detail
show security ipsec statistics

Juniper ATP Cloud (formerly Sky ATP)

Juniper Advanced Threat Prevention (ATP) Cloud is a SaaS service that integrates with SRX to detect advanced malware, zero-days, and C&C communications. When SRX encounters an unknown file, it submits it to ATP Cloud's sandbox for static and dynamic analysis. A verdict (benign, suspicious, malicious) is returned with a threat score of 0-10, and infected hosts are added to the SecIntel feed.

# Enroll SRX to ATP Cloud
request services advanced-anti-malware enroll

# Advanced Anti-Malware profile
set services advanced-anti-malware policy ATP-POLICY http inspection-profile default_profile
set services advanced-anti-malware policy ATP-POLICY http action permit
set services advanced-anti-malware policy ATP-POLICY verdict-threshold 7
set services advanced-anti-malware policy ATP-POLICY fallback-options action permit
set services advanced-anti-malware policy ATP-POLICY default-notification log

# Apply in security policy
set security policies from-zone trust to-zone untrust policy WEB-OUT then permit application-services advanced-anti-malware-policy ATP-POLICY

# Verify
show services advanced-anti-malware status
show services advanced-anti-malware statistics

ATP Appliance (On-Premises)

For air-gapped or regulated environments, Juniper ATP Appliance provides the same sandbox analysis capability on-premises. It integrates via API with SRX, SIEM platforms, and ingests traffic via SPAN or inline deployments for east-west inspection.

Core Appliance: Central analytics and UI
Traffic Collector: Distributed sensors for lateral movement detection
Mac + Windows + Linux sandbox VMs
YARA rule import/export for custom malware signatures
Integrates with SRX, MX (for sFlow), Junos Space, SIEM via syslog/REST

SecIntel Feeds - C&C, IPFilter, GeoIP

SecIntel is Juniper's curated threat intelligence platform. Feeds are delivered via HTTPS from the ATP Cloud or Security Director and can be enforced on SRX as dynamic address groups. Default feeds include C&C (command-and-control IPs), IPFilter (known bad actors), GeoIP (country-based), and custom internal allowlists/denylists.

# Enable SecIntel feeds
set services security-intelligence profile CC-PROFILE category CC
set services security-intelligence profile CC-PROFILE rule RULE-1 match threat-level 8 9 10
set services security-intelligence profile CC-PROFILE rule RULE-1 then action block drop
set services security-intelligence profile CC-PROFILE rule RULE-1 then log

set services security-intelligence policy SEC-POLICY CC CC-PROFILE
set services security-intelligence policy SEC-POLICY Infected-Hosts IH-PROFILE

# Apply to security policy
set security policies from-zone trust to-zone untrust policy WEB-OUT then permit application-services security-intelligence-policy SEC-POLICY

# GeoIP block from specific countries
set security address-book global dynamic-address BLOCK-COUNTRIES profile geoip country KP IR

show services security-intelligence category summary
show services security-intelligence update status

File Analysis Sandbox & Threat Scoring

The ATP sandbox performs multi-stage analysis on files extracted from HTTP, HTTPS, SMTP, IMAP, and SMB flows. Results are expressed as a threat score from 0 to 10, with configurable action thresholds. Scores below 4 are generally benign; 5-6 suspicious; 7-10 malicious.

Stage	Description
Cache Lookup	Hash matched against prior verdicts (SHA-256)
Antivirus Engines	Multi-engine AV scan
Static Analysis	File structure, imports, strings, entropy
Dynamic Sandbox	Detonate in Windows/Mac/Linux VM, observe behavior
ML Classification	Final verdict and threat score

# Allowed file types for inspection
set services advanced-anti-malware policy ATP-POLICY http file-extension executable
set services advanced-anti-malware policy ATP-POLICY http file-extension archive
set services advanced-anti-malware policy ATP-POLICY http file-extension document

show services advanced-anti-malware policy ATP-POLICY
show services advanced-anti-malware statistics mime-type

Encrypted Traffic Insights (ETI)

ETI inspects metadata of TLS flows (JA3 fingerprint, SNI, certificate issuer, connection patterns) without decryption to detect malware hiding in encrypted traffic. ETI complements SSL Forward Proxy decryption for cases where decryption is legally or technically unavailable. Combined with ATP Cloud, ETI classifies >90% of encrypted malware C&C traffic.

# Enable Encrypted Traffic Insights
set services advanced-anti-malware policy ATP-POLICY http inspection-profile default_profile
set services advanced-anti-malware policy ATP-POLICY http action permit
set services advanced-anti-malware traceoptions flag encrypted-traffic-insights

# SSL Forward Proxy (full decryption alternative)
set services ssl proxy profile SSL-FWD root-ca SRX-CA
set services ssl proxy profile SSL-FWD trusted-ca all
set security policies from-zone trust to-zone untrust policy SSL-DEC then permit application-services ssl-proxy profile-name SSL-FWD

show services ssl proxy counters

Junos Automation Stack Overview

Junos offers a rich automation ecosystem: PyEZ (Python library for NETCONF), JSNAPy (snapshot testing), Ansible modules, OpenConfig data models, and on-box scripts (op, event, commit). All mechanisms build on NETCONF/YANG for programmability - you can write the same config via CLI, REST API, NETCONF RPC, or PyEZ helper.

NETCONF / YANG

SSH-based RPC protocol, XML payloads, structured data models. Port 830.

OpenConfig

Vendor-neutral YANG models for interfaces, BGP, system. Supported on Junos 17+.

gRPC / gNMI

Streaming telemetry and config via gRPC Network Management Interface.

# Enable NETCONF over SSH
set system services netconf ssh port 830
set system services ssh

# Enable gRPC telemetry
set system services extension-service request-response grpc clear-text port 9339

PyEZ - Python for Junos Automation

Juniper PyEZ (jnpr.junos) is the official Python library for managing Junos devices over NETCONF. It abstracts low-level RPCs into Pythonic objects - Device, Table, View, and Config - making it ideal for scripts, test harnesses, and CI/CD pipelines. Install via pip install junos-eznc.

from jnpr.junos import Device
from jnpr.junos.utils.config import Config
from jnpr.junos.exception import CommitError, LockError

# Connect and audit a policy
with Device(host='srx1.example.com', user='admin', passwd='Juniper123') as dev:
    facts = dev.facts
    print(f"Model: {facts['model']}, Version: {facts['version']}")

    # Retrieve running config
    cfg = dev.rpc.get_config(filter_xml='')

    # Operational RPC - count IPsec tunnels
    ipsec = dev.rpc.get_ipsec_security_associations_information()
    tunnels = ipsec.findall('ipsec-security-associations-block')
    print(f"Active IPsec SAs: {len(tunnels)}")

# Push a config change (atomic load-merge + commit)
config_snippet = '''
security {
    policies {
        from-zone trust to-zone untrust {
            policy ALLOW-NEW {
                match {
                    source-address any;
                    destination-address any;
                    application junos-https;
                }
                then { permit; log { session-close; } }
            }
        }
    }
}
'''

with Device(host='srx1.example.com', user='admin', passwd='Juniper123') as dev:
    with Config(dev, mode='exclusive') as cu:
        cu.load(config_snippet, format='text', merge=True)
        cu.commit_check()
        cu.commit(comment='Add HTTPS allow via PyEZ')

JSNAPy - Pre/Post Change Validation

JSNAPy (Junos SNAPshot administrator in Python) captures operational state snapshots before and after a change and diffs them. Use it to assert that OSPF neighbors are still up, tunnel counts are unchanged, interface errors have not increased - turning manual verification into automated test suites.

# JSNAPy test file: check_ospf.yml
tests_include:
  - test_ospf_neighbors
test_ospf_neighbors:
  - command: show ospf neighbor
  - iterate:
      xpath: '//ospf-neighbor'
      tests:
        - is-equal: ospf-neighbor-state, Full
          err: "OSPF neighbor {{post['neighbor-address']}} is {{post['ospf-neighbor-state']}}"
          info: "OSPF neighbor {{post['neighbor-address']}} is Full"

# Run pre-snap, make change, run post-snap + diff
jsnapy --snap pre -f config.yml
jsnapy --snap post -f config.yml
jsnapy --check pre post -f config.yml

On-Box Scripts: Op, Event, Commit

Junos runs SLAX, XSLT, or Python scripts directly on the device. Op scripts are invoked manually to simplify operations. Event scripts trigger on syslog patterns (e.g., interface down). Commit scripts validate or transform candidate configs before commit - blocking non-compliant changes.

# Enable Python scripts
set system scripts language python3
set system scripts op file show_tunnels.py
set system scripts commit file enforce_logging.py

# Event script on OSPF adjacency loss
set event-options policy OSPF-DOWN events ospf_neighbor_down
set event-options policy OSPF-DOWN then event-script ospf_recover.py

# Commit script example (Python) - enforce session-close logging on all policies
from junos import Junos_Context
import jcs

def main():
    conf = jcs.get_config()
    for policy in conf.xpath('//security/policies/policy'):
        if not policy.xpath('.//log/session-close'):
            jcs.emit_error(f"Policy {policy.find('name').text} missing session-close log")

if __name__ == '__main__':
    main()

Ansible & Junos Space Workflows

The juniper.device Ansible collection provides modules (config, facts, rpc, software) for Junos automation. Combined with Junos Space Security Director REST APIs, entire policy change workflows - from ticket ingestion to multi-device push to rollback - can be automated.

# Ansible playbook snippet - push policy to all SRX
- name: Deploy security policy
  hosts: srx_fleet
  connection: local
  gather_facts: no
  collections:
    - juniper.device
  tasks:
    - name: Load config
      juniper.device.config:
        config_mode: exclusive
        load: merge
        src: "policies/{{ inventory_hostname }}.conf"
        comment: "Automated push via Ansible"
        commit: true
        check: true

# Junos Space REST API - publish policy
curl -k -X POST \
  -H "Content-Type: application/vnd.juniper.sd.fwpolicy-management.firewall-policy+json;version=1" \
  -u super:juniper123 \
  -d @policy.json \
  https://space.example.com/api/juniper/sd/fwpolicy-management/firewall/policies

Monitoring & Telemetry

SRX supports multiple monitoring methods: classic SNMPv2/v3, syslog, sFlow (for flow visibility), and modern streaming telemetry via gRPC/gNMI with Junos Telemetry Interface (JTI). JTI pushes counters, session metrics, and BGP state at sub-second intervals to time-series databases like Prometheus or Kafka.

# SNMP v3
set snmp v3 usm local-engine user monitoruser authentication-sha authentication-password "Monitor!123"
set snmp v3 usm local-engine user monitoruser privacy-aes128 privacy-password "Privacy!123"

# Streaming telemetry (JTI via gRPC)
set services analytics streaming-server NMS remote-address 10.1.1.50 remote-port 50051
set services analytics export-profile PROF reporting-rate 60
set services analytics sensor INTF-STATS server-name NMS export-name PROF resource /junos/system/linecard/interface/

# sFlow for flow export
set protocols sflow collector 10.1.1.60 udp-port 6343
set protocols sflow interfaces ge-0/0/0
set protocols sflow sample-rate 1000

show services analytics streaming-server
show snmp v3

Troubleshooting Quick Reference

Scenario	Command
Check session for a flow	`show security flow session source-prefix 10.1.1.10`
Policy hit counts	`show security policies hit-count`
Live flow debug	`set security flow traceoptions flag all`
IPsec SA state	`show security ipsec security-associations detail`
IKE phase 1 debug	`show security ike security-associations`
CPU and memory	`show chassis routing-engine`
Data plane sessions/CPU	`show security monitoring fpc 0`
ATP Cloud status	`show services advanced-anti-malware status`
Commit history	`show system commit`

JN0-336

JNCIP-SEC (Security Professional)

JN0-336 Practice Exam 1

JN0-336 Practice Exam 2

JN0-336 Practice Exam 3

JN0-336 Practice Exam 4

JN0-336 Practice Exam 5

JN0-336 Practice Exam 6

Откључајте сав садржај за JN0-336

Преглед (10 / 120)

Флеш картице

Доступни језици

Теме испита

JN0-336 Cheat Sheet

SRX Series Platform Overview

Branch SRX (SMB & Enterprise Edge)

Data Center / Service Provider SRX

Control Plane vs Data Plane

Routing Engine (RE)

Packet Forwarding Engine (PFE/SPU)

Logical Systems (LSYS) vs Tenant Systems (TSYS)

Logical Systems (LSYS)

Tenant Systems (TSYS)

High Availability - Chassis Cluster (HA)

Control Plane Cluster (Node 0 / Node 1)

Redundancy Groups (RG0, RG1+)

vSRX and cSRX - Virtual Form Factors

Routing on SRX - OSPF, BGP, Static

Routing Instances - VR, Forwarding, VRF

virtual-router

vrf (L3VPN)

forwarding

mpls-internet-multicast / evpn

Transparent Mode & Mixed Mode

Route Leaking & rib-groups

Bridge Domains & Q-in-Q

Unified Policies - Application-Based Match

Global Policies & Policy Sets

Policy Scheduling

Logging - session-init, session-close, syslog

session-init

session-close

Advanced NAT - Source, Destination, Static, Twice

Screens - DoS & Reconnaissance Protection

Junos Space Security Director

IPsec VPN Fundamentals on SRX

AutoVPN - Hub-and-Spoke On-Demand

ADVPN - Auto Discovery VPN (Shortcut Paths)

Shortcut Suggester (Hub)

Shortcut Partner (Spokes)

Group VPN - Any-to-Any with Shared SA

Dead Peer Detection & Traffic Selectors

Juniper ATP Cloud (formerly Sky ATP)

ATP Appliance (On-Premises)

SecIntel Feeds - C&C, IPFilter, GeoIP

File Analysis Sandbox & Threat Scoring

Encrypted Traffic Insights (ETI)

Junos Automation Stack Overview

NETCONF / YANG

OpenConfig

gRPC / gNMI

PyEZ - Python for Junos Automation

JSNAPy - Pre/Post Change Validation

On-Box Scripts: Op, Event, Commit

Ansible & Junos Space Workflows

Monitoring & Telemetry

Troubleshooting Quick Reference