JN0-333 Security, Specialist (JNCIS-SEC)

This list provides a general view of the skill set required to successfully complete the specified certification exam. Topics listed are subject to change.

Junos Security Overview
Zones
Security Policies
NAT
IPSec VPNs
High Availability (HA) Clustering
Virtual SRX

Junos Security Overview
Identify concepts, general features, and functionality of Junos OS security
Junos security architecture
Branch vs. high-end platforms
Major hardware components of SRX Series services gateways
Packet flow
Packet-based vs. session-based forwarding

Zones
Identify the concepts, benefits, or operation of zones
Zone types
Dependencies
Host inbound packet behavior
Screens
Transit packet behavior
Demonstrate knowledge of how to configure, monitor, or troubleshoot zones
Zone configuration steps
Hierarchy priority (Inheritance)
Screens
Monitoring and troubleshooting

Security Policies
Identify the concepts, benefits, or operation of security policies
Policy types
Policy components
Policy ordering
Host inbound traffic examination
Transit traffic examination
Scheduling
Rematching
ALGs
Address books
Junos Space Security Director policy management
Applications
Demonstrate knowledge of how to configure, monitor, or troubleshoot security policies
Policies
ALGs
Address books
Junos Space Security Director policy management
Custom applications
Monitoring and troubleshooting

NAT
Identify the concepts, benefits, or operation of NAT
NAT types
NAT/PAT processing
DNS Doctoring
Cone NAT
IPv4 to IPv6
Address persistence
NAT with Junos Space Security Director
NAT proxy ARP
Demonstrate knowledge of how to configure, monitor, or troubleshoot NAT
NAT configuration steps
Monitoring and troubleshooting

IPSec VPNs
Identify the concepts, benefits, or operation of IPsec VPNs
Secure VPN characteristics and components
IPSec tunnel establishment
IPSec traffic processing
Group VPN
ADVPN
IPsec with Junos Space Security Director
PKI
Dynamic VPN
Junos OS IPsec implementation options
Demonstrate knowledge of how to configure, monitor, or troubleshoot IPsec VPNs
IPSec VPN configuration steps
Monitoring and troubleshooting

High Availability (HA) Clustering
Identify the concepts, benefits, or operation of HA
HA features and characteristics
Deployment requirements and considerations
Chassis cluster characteristics and operation
Cluster modes
Cluster and node IDs
Redundancy groups
Cluster interfaces
Real-time objects
State synchronization
Ethernet switching considerations
IPSec considerations
Manual failover
Demonstrate knowledge of how to configure, monitor, or troubleshoot clustering
Cluster preparation
Cluster configuration steps
Monitoring and troubleshooting

Virtual SRX
Identify concepts, general features or functionality of virtualized security using SRX
Installation
Clustering with vSRX
Deployment scenarios
Troubleshooting

QUESTION 1 – (Topic 1)
Which two statements about static NAT are true? (Choose two.)

A. Static NAT can only be used with destination NAT.
B. Static NAT rules take precedence over overlapping dynamic NAT rules.
C. NAT rules take precedence over overlapping static NAT rules.
D. A reverse mapping is automatically created.

Answer: B,D

QUESTION 2 – (Topic 1)
Your task is to provision the Junos security platform to permit transit packets from the Private zone to the External zone by using an IPsec VPN and log information at the time of session close. Which configuration meets this requirement?

A. [edit security policies from-zone Private to-zone External] user@host# show
policy allowTransit { match {
source-address PrivateHosts; destination-address ExtServers; application ExtApps;
}
then { permit { tunnel {
ipsec-vpn VPN;
}
}
log { session-init;
}
}
}
B. [edit security policies from-zone Private to-zone External] user@host# show
policy allowTransit {
match {
source-address PrivateHosts; destination-address ExtServers; application ExtApps;
}
then { permit { tunnel {
ipsec-vpn VPN;
}
}
count { session-close;
}
}
}
C. [edit security policies from-zone Private to-zone External] user@host#
showpolicy allowTransit { match {
source-address PrivateHosts; destination-address ExtServers; application ExtApps;
}
then { permit { tunnel {
ipsec-vpn VPN;
}
}
log { session-close;
}
}
}
D. [edit security policies from-zone Private to-zone External] user@host# show
policy allowTransit { match {
source-address PrivateHosts; destination-address ExtServers; application ExtApps;
}
then { permit { tunnel {
ipsec-vpn VPN; log;
count session-close;
}
}
}
}

Answer: C

QUESTION 3 – (Topic 1)
What are two rule base types within an IPS policy on an SRX Series device? (Choose two.)

A. rulebase-ips
B. rulebase-ignore
C. rulebase-idp
D. rulebase-exempt

Answer: A,D

QUESTION 4 – (Topic 1)
Which two statements about the use of SCREEN options are correct? (Choose two.)

A. SCREEN options offer protection against various attacks.
B. SCREEN options are deployed prior to route and policy processing in first path packet processing.
C. SCREEN options are deployed at the ingress and egress sides of a packet flow.
D. When you deploy SCREEN options, you must take special care to protect OSPF.

Answer: A,B

QUESTION 5 – (Topic 1)
Which two statements regarding external authentication servers for firewall user authentication are true? (Choose two.)

A. Up to three external authentication server types can be used simultaneously.
B. Only one external authentication server type can be used simultaneously.
C. If the local password database is not configured in the authentication order, and the configured authentication server is unreachable, authentication is bypassed.
D. If the local password database is not configured in the authentication order, and the configured authentication server rejects the authentication request, authentication is rejected.

Answer: B,D

Click here to view complete Q&A of JN0-333 exam
Certkingdom Review, Certkingdom PDF