JN0-636 Security, Professional (JNCIP-SEC) Questions and Answers

The security feature that bypasses routing or switching lookup is transparent mode. The other options are incorrect because:

• B. Secure wire is a feature that allows you to connect two interfaces on the same device and forward traffic between them without any processing. Secure wire does not bypass routing or switching lookup, but rather eliminates them altogether1.
• C. Mixed mode is a mode of operation for SRX Series devices that allows you to configure both transparent mode and switching mode on the same device. Mixed mode does not bypass routing or switching lookup, but rather uses them depending on the interface type2.
• D. MACsec (Media Access Control Security) is a feature that provides encryption and authentication for Layer 2 traffic. MACsec does not bypass routing or switching lookup, but rather operates at a lower layer3.

Therefore, the correct answer is A. Transparent mode is a mode of operation for SRX Series devices that provides Layer 2 bridging capabilities with full security services. In transparent mode, the SRX Series device acts as a bridge between two network segments and inspects the packets without modifying the source or destination information in the IP packet header. The SRX Series device does not have an IP address in transparent mode, except for the management interface. Transparent mode bypasses routing or switching lookup, because the SRX Series device does not perform any routing or switching functions, but rather forwards the packets based on the MAC addresses4.

References:

• Secure Wire Overview
• Mixed Mode Overview
• MACsec Overview
• Transparent Mode Overview

• The packet is silently discarded because the traceoptions output shows that the packet is dropped with the flag flow_spu_drop, which indicates that the packet is dropped by the SPU without sending any response to the sender. The traceoptions output also shows the reason for the drop as “no session found, start first path. in_tunnel - 0, from_cp_flag - 0” which means that the packet does not match any existing session and is not part of a tunnel or a control plane traffic1.
• The packet is part of a new session because the traceoptions output shows that the packet is the first packet of a TCP connection with the flag flow_tcp_syn, which indicates that the packet has the SYN flag set. The traceoptions output also shows that the packet is processed in the first path packet flow with the message “no session found, start first path” which means that the packet is initiating a new session1.

References:

• traceoptions (Security Flow) | Junos OS | Juniper Networks
• [SRX] How to interpret Flow TraceOptions output for NAT troubleshooting

The flow-session resource is needed in order to ensure adequate and secure communication between the two logical systems.

• The flow-session resource must be defined in the security profile for the interconnect logical system because the interconnect logical system is responsible for forwarding traffic between other logical systems. The flow-session resource determines the maximum number of sessions that the interconnect logical system can create and maintain. If the flow-session resource is not allocated or is insufficient, the interconnect logical system might drop packets or fail to establish sessions1.
• The NAT resources are not needed to be allocated to the interconnect logical system because the interconnect logical system does not perform any NAT operations on the traffic. The NAT resources are only relevant for the logical systems that need to translate the source or destination IP addresses or ports of the traffic1.
• No resources are not needed to be allocated to the interconnect logical system is incorrect because the interconnect logical system still requires some resources to function properly, such as the flow-session resource. The interconnect logical system cannot operate without any resources allocated to it1.
• The resources must be calculated based on the amount of traffic that will flow between the logical systems is partially correct, but not the best answer. The resources must be calculated based on the amount of traffic and the type of traffic that will flow between the logical systems. For example, the flow-session resource depends on the number and duration of sessions, the security-log-stream-number resource depends on the number and size of logs, and the NAT resource depends on the number and type of NAT rules1.

References:

• Security Profiles for Logical Systems | Junos OS | Juniper Networks

The exhibit shows a security policy configuration with a threshold of 1000 policy violations by a source network identifier and a threshold of 10 policy violations to an application within a specified period. If either of these thresholds are exceeded, an alarm will be generated. Therefore, the correct answer is A and D. The other options are incorrect because:

• B. The ratio of policy violation traffic compared to accepted traffic is not a criterion for triggering an alarm. The security policy configuration does not specify any ratio or percentage of policy violation traffic that would cause an alarm.
• C. The number of policy violation by a destination TCP port is also not a criterion for triggering an alarm. The security policy configuration does not specify any threshold or duration for policy violation by a destination TCP port.

References:

• policy (Security Alarms)
• Monitoring Security Policy Violations

To enable inter-tenant communication with tenant system, you need to use an external router or a logical tunnel interface. The other options are incorrect because:

• A. Interconnecting EVPN switch is not a valid solution for inter-tenant communication with tenant system. EVPN (Ethernet VPN) is a technology that provides layer 2 connectivity over an IP network. It can be used to connect different logical systems on the same device, but not tenant systems. Tenant systems are isolated from each other and do not share the same layer 2 domain1.
• B. Interconnecting VPLS switch is also not a valid solution for inter-tenant communication with tenant system. VPLS (Virtual Private LAN Service) is another technology that provides layer 2 connectivity over an IP network. It can also be used to connect different logical systems on the same device, but not tenant systems. Tenant systems are isolated from each other and do not share the same layer 2 domain1.

Therefore, the correct answer is C and D. You need to use an external router or a logical tunnel interface to enable inter-tenant communication with tenant system. To do so, you need to perform the following steps:

• For external router, you need to connect the external router to the interfaces of the tenant systems that you want to communicate with. You also need to configure the routing protocols and policies on the external router and the tenant systems to exchange routes and traffic. The external router acts as a gateway between the tenant systems and provides layer 3 connectivity2.
• For logical tunnel interface, you need to create a logical tunnel interface on the device and assign it to a tenant system. You also need to configure the IP address and routing protocols on the logical tunnel interface and the tenant systems that you want to communicate with. The logical tunnel interface acts as a virtual link between the tenant systems and provides layer 3 connectivity3.

References:

• Tenant Systems Overview
• Example: Configuring Inter-Tenant Communication Using External Router
• Example: Configuring Inter-Tenant Communication Using Logical Tunnel Interface

Certificate RenewalThe renewal of certificates is much the same as initial certificate enrollment except you are just replacing an old certificate(about to expire) on the VPN device with a new certificate. As with the initial certificate request, only manual renewal issupported. SCEP can be used to re-enroll local certificates automatically before they expire. Refer to Appendix D for moredetails.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-pr ofile-logical-system.html

https://www.juniper.net/documentation/us/en/software/junos/multicast-l2/topics/ref/statement/family-ethernet-switching-edit-interfaces-qfx-series.html#statement-name-statement__d26608e73

A logical system is a virtualization feature in SRX Series devices that allows you to create multiple, isolated virtual routers within a single physical device. Each logical system has its own routing table, firewall policies, and interfaces, and it can be managed and configured independently of the other logical systems. Logical systems are an effective way to isolate different administrative domains and to support a large number of virtualized instances.

According to the Juniper documentation, the solution that would best meet the requirements of deploying a virtualization solution with the security devices in the network is logical systems. Logical systems are a feature that allows the SRX Series device to be partitioned into multiple logical devices, each with its own discrete administrative domain, routing table, firewall policies, VPNs, and interfaces1. Each logical system can support up to 100 virtualized instances, depending on the SRX Series model and the available resources2.

The following solutions are not suitable or incorrect for this scenario:

• VRF instances: VRF instances are a type of routing instance that allows the SRX Series device to maintain multiple routing tables for different VPNs or customers. However, VRF instances do not provide separate administrative domains, firewall policies, or interfaces for each instance3.
• Virtual router instances: Virtual router instances are a type of routing instance that allows the SRX Series device to create multiple logical routers, each with its own routing table and interfaces. However, virtual router instances do not provide separate administrative domains or firewall policies for each instance.
• Tenant systems: Tenant systems are a feature that allows the SRX Series device to create multiple logical devices, each with its own discrete administrative domain, routing table, firewall policies, VPNs, and interfaces. However, tenant systems are only supported on the SRX1500, SRX4100, and SRX4200 devices, and each tenant system can only support up to 10 virtualized instances.

References: 1: Understanding Logical Systems 2: SRX Series Logical Systems Feature Guide 3: vrf (Routing Instances) : [virtual-router (Routing Instances)] : [Understanding Tenant Systems]

According to the output shown in the exhibit, which is a security flow session on an SRX Series device, the correct statement is that the local gateway address for the IPsec tunnel is 10.20.20.2. This is indicated by the line In: 10.20.20.2/2060 -> 10.20.20.1/3382, which shows that the source IP address of the incoming packet is 10.20.20.2, which is the local gateway address of the IPsec tunnel. The destination IP address of the incoming packet is 10.20.20.1, which is the remote gateway address of the IPsec tunnel.

The following statements are incorrect or not supported by the output:

• The remote gateway address for the IPsec tunnel is 10.20.20.2. This is false, as explained above. The remote gateway address for the IPsec tunnel is 10.20.20.1, not 10.20.20.2.
• The session information indicates that the IPsec tunnel has not been established. This is false, as the output shows that there are two active sessions with the communication tag IPSec VPN: vpn1, which indicates that the IPsec tunnel has been established and is named vpn11.
• NAT is being used to change the source address of outgoing packets. This is not supported by the output, as there is no indication of NAT being applied to the outgoing packets. The source IP address of the outgoing packet is 192.168.1.1, which is the same as the source IP address of the original packet. If NAT was being used, the source IP address of the outgoing packet would be different from the source IP address of the original packet.

References: 1: show security flow session - Technical Documentation - Support - Juniper Networks

According to the Juniper documentation, filter-based forwarding (FBF) is a technique that allows the SRX Series device to forward packets based on firewall filter rules, rather than the default routing table1. FBF can be used to implement policy-based routing, load balancing, or traffic engineering2. To deploy FBF on the SRX Series device for incoming traffic sourced from the 10.10.100.0/24 network, the following steps are required:

• You must create a forwarding-type routing instance. A forwarding-type routing instance is a special type of routing instance that is used for FBF. It does not have any interfaces or routing protocols associated with it, but it has its own routing table that can be populated by static routes, RIB groups, or routing policies3. You can create a forwarding-type routing instance by using the following command:

set routing-instances instance-type forwarding

• You must create and apply a firewall filter that matches on the source address 10.10.100.0/24 and then sends this traffic to your routing instance. A firewall filter is a set of rules that can match on various packet attributes, such as source and destination addresses, ports, protocols, and so on. You can use the then routing-instance action to specify the routing instance that the packet should be forwarded to4. You can create and apply a firewall filter by using the following commands:

set firewall family inet filter <filter-name> term from source-address 10.10.100.0/24 set firewall family inet filter <filter-name> term then routing-instance  set interfaces unit family inet filter input <filter-name>

• You must create a RIB group that adds interface routes to your routing instance. A RIB group is a mechanism that allows you to import routes from one routing table to another. You can use a RIB group to add the interface routes of the ingress interface to the routing table of the forwarding-type routing instance. This will ensure that the SRX device can forward the packets to the correct next hop based on the destination address5. You can create a RIB group by using the following commands:

set routing-options rib-groups import-rib inet.0 set routing-options rib-groups import-rib .inet.0 set routing-instances routing-options instance-import

The following steps are not required or incorrect:

• You do not need to create a VRF-type routing instance. A VRF-type routing instance is a type of routing instance that is used for virtual routing and forwarding. It allows you to create multiple logical routers on the same physical device, each with its own interfaces, routing protocols, and routing tables. VRF-type routing instances are typically used for VPNs, MPLS, or network segmentation. However, they are not necessary for FBF, which can be achieved with a forwarding-type routing instance.
• You do not need to create and apply a firewall filter that matches on the destination address 10.10.100.0/24 and then sends this traffic to your routing instance. This would be redundant and unnecessary, as the destination address of the incoming traffic is already determined by the routing table of the forwarding-type routing instance. Moreover, this would create a loop, as the traffic would be sent back to the same routing instance that it came from.

References: 1: Filter-Based Forwarding Overview 2: Configuring Filter-Based Forwarding 3: forwarding (Routing Instances) 4: routing-instance (Firewall Filter Action) 5: Configuring RIB Groups : [vrf (Routing Instances)]

According to the Juniper documentation, the infected host score is a global setting that determines the minimum threat level required for a host to be considered infected and blocked by Juniper ATP Cloud. The infected host score can be configured from 1 to 10, where 1 is the lowest and 10 is the highest. The default infected host score is 5, which means that any host with a threat level of 5 or higher will be automatically blocked by Juniper ATP Cloud. However, the infected host score can be changed to a higher value, such as 6 or 7, to reduce the number of false positives and allow more traffic to pass through. In the exhibit, the host has a threat level of 5, which indicates that it is infected with malware and has attempted to contact command-and-control servers. However, some of the events have not been automatically mitigated, which means that the host has not been blocked by Juniper ATP Cloud. A possible reason for this behavior is that the infected host score is globally set above a threat level of 5, such as 6 or 7, which means that the host does not meet the minimum threshold for blocking. Therefore, the correct answer is C. The infected host score is globally set above a threat level of 5. References: [Configuring the Infected Host Score] 1, [Compromised Hosts: More Information] 2

1: https://www.juniper.net/documentation/us/en/software/sky-atp/atp-cloud-user-guide/topics/task/sky-atp-infected-host-score.html  2: https://www.juniper.net/documentation/us/en/software/sky-atp/atp-cloud-user-guide/topics/concept/sky-atp-infected-host-overview.html

The SRX Series device in transparent mode uses packet flooding to learn about unknown devices in a network. Packet flooding is a process wherein the device sends out packets to every device it knows about or suspects in the network. When the packets are returned, the device can identify and classify the unknown devices in the network.

To modify the configuration to fulfill the requirements, you need to modify the log-all term to add the next term action. The other options are incorrect because:

• B. Deleting the log-all term would prevent logging all traffic, which is one of the requirements. The log-all term matches all traffic from any source address and logs it to the system log file1.
• C. Adding a term before the log-all term that blocks Telnet would also prevent logging all traffic, because the log-all term would never be reached. The firewall filter evaluates the terms in sequential order and applies the first matching term. If a term before the log-all term blocks Telnet, then the log-all term would not match any traffic and no logging would occur2.
• D. Applying a firewall filter to the loopback interface that blocks Telnet traffic would not block inbound Telnet traffic on interface ge-0/0/3, which is another requirement. The loopback interface is a logical interface that is always up and reachable. It is used for routing and management purposes, not for filtering traffic on physical interfaces3.

Therefore, the correct answer is A. You need to modify the log-all term to add the next term action. The next term action instructs the firewall filter to continue evaluating the subsequent terms after matching the current term. This way, the log-all term would log all traffic and then proceed to the block-telnet term, which would block only inbound Telnet traffic on interface ge-0/0/34. To modify the log-all term to add the next term action, you need to perform the following steps:

• Enter the configuration mode: user@host> configure
• Navigate to the firewall filter hierarchy: user@host# edit firewall family inet filter block-telnet
• Add the next term action to the log-all term: user@host# set term log-all then next term
• Commit the changes: user@host# commit

References:

• log (Firewall Filter Action)
• Firewall Filter Configuration Overview
• loopback (Interfaces)
• next term (Firewall Filter Action)

According to the Juniper documentation, the steps to detect domain generation algorithms (DGA) on an SRX Series firewall are as follows:

• Define a security-metadata-streaming policy under [edit services]. A security-metadata-streaming policy is a configuration that enables the SRX Series firewall to collect and stream security metadata, such as DNS queries and responses, to Juniper ATP Cloud for analysis. Juniper ATP Cloud uses machine learning models and known pre-computed DGA domain names to provide domain verdicts, which helps in-line blocking and sinkholing of DNS queries on SRX Series firewalls1. You can define a security-metadata-streaming policy by using the following command:

set services security-metadata-streaming policy

• Attach the security-metadata-streaming policy to a security zone. A security zone is a logical grouping of interfaces that have similar security requirements. You can attach the security-metadata-streaming policy to a security zone by using the following command:

set security zones security-zone services security-metadata-streaming policy

The following steps are not required or incorrect:

• Define an advanced-anti-malware policy under [edit services]. An advanced-anti-malware policy is a configuration that enables the SRX Series firewall to scan files for malware using Juniper ATP Cloud. It is not related to DGA detection2.
• Attach the advanced-anti-malware policy to a security policy. A security policy is a configuration that defines the rules for permitting or denying traffic between security zones. It is not related to DGA detection3.

References: 1: Configuring Security Metadata Streaming 2: Configuring Advanced Anti-Malware Policies 3: Configuring Security Policies

Referring to the exhibit, the following statements are correct:

• B. All of the entries are command and control entries. Command and control entries are dynamic addresses that represent the IP addresses of servers that are used by malware to communicate with infected hosts. The SRX Series device can block or log the traffic to or from these IP addresses based on the security policies. The exhibit shows that all of the entries have the category DC/1, which stands for command and control1.
• C. All of the entries are Dshield entries. Dshield is a feed source that provides a list of IP addresses that are associated with malicious activities, such as scanning, spamming, or attacking. The SRX Series device can download the Dshield feed and use it to populate the dynamic address entries. The exhibit shows that all of the entries have the feed dshield, which indicates that they are from the Dshield feed source2.

The other statements are incorrect because:

• A. All of the entries are not a threat level 8, but a threat level 10. The threat level is a numeric value that indicates the severity of the threat associated with a dynamic address entry. The higher the threat level, the more dangerous the threat. The SRX Series device can use the threat level to prioritize the actions for the dynamic address entries. The exhibit shows that all of the entries have the cc CN, which stands for country code China. According to the Juniper documentation, the country code China has a threat level of 10, which is the highest.
• D. All of the entries are not a threat level 10, but they are. See the explanation for option A.

References:

• Understanding Dynamic Address Categories
• Understanding Dynamic Address Feed Sources
• [Understanding Dynamic Address Threat Levels]

You must set up a DDoS solution for your ISP. The solution must be agile and not block legitimate traffic. The two products that will accomplish this task are:

• B. MX Series device. MX Series devices are high-performance routers that can provide DDoS protection at the network edge by integrating with Corero SmartWall Threat Defense Director (TDD) software. MX Series devices can leverage the packet processing capabilities of the MX-SPC3 Services Card to perform real-time DDoS detection and mitigation at line rate, scaling from 50 Gbps to 40 Tbps. MX Series devices can also use Juniper Networks Security Intelligence (SecIntel) to receive threat intelligence feeds from Juniper ATP Cloud or Juniper Threat Labs and apply them to the security policies. MX Series devices can provide an agile and effective DDoS solution for your ISP without blocking legitimate traffic12.
• C. Corero SmartWall TDD. Corero SmartWall TDD is a software solution that runs on MX Series devices and PTX Series devices to provide DDoS protection at the network edge. Corero SmartWall TDD uses behavioral analytics and detailed network visibility to detect and block DDoS attacks in seconds, without affecting the normal traffic. Corero SmartWall TDD can also provide advanced protection from “carpet bombing” attacks, 5G DDoS visibility, and multi-tenant portal for as-a-service offerings or views by department within an enterprise. Corero SmartWall TDD can provide an agile and effective DDoS solution for your ISP without blocking legitimate traffic34.

The other options are incorrect because:

• A. Contrail Insights. Contrail Insights is a software solution that provides network analytics and visibility for cloud and data center environments. Contrail Insights can help you monitor, troubleshoot, and optimize the performance and security of your network, but it does not provide DDoS protection by itself. Contrail Insights can integrate with other Juniper products, such as Contrail Enterprise Multicloud, Contrail Service Orchestration, and AppFormix, to provide a comprehensive network management solution, but it is not a DDoS solution for your ISP5.
• D. SRX Series device. SRX Series devices are high-performance firewalls that can provide DDoS protection at the network perimeter by integrating with Juniper ATP Cloud and Juniper Threat Labs. SRX Series devices can use SecIntel to receive threat intelligence feeds from Juniper ATP Cloud or Juniper Threat Labs and apply them to the security policies. SRX Series devices can also use IDP to detect and prevent application-level attacks, such as SQL injection, cross-site scripting, and buffer overflow. SRX Series devices can provide a robust and effective DDoS solution for your network, but they are not designed to handle high-volume DDoS attacks at the network edge, as MX Series devices and Corero SmartWall TDD are .

References:

• Juniper and Corero Joint DDoS Protection Solution
• MX-SPC3 Services Card Overview
• Corero SmartWall Threat Defense Director (TDD)
• Juniper Networks and Corero: A Modern Approach to DDoS Protection at Scale
• Contrail Insights Overview
• [SRX Series Services Gateways]
• [Juniper Networks Security Intelligence (SecIntel)]

According to the output of the traceoptions file called radius, the source of the problem is that the RADIUS server IP address is unreachable. This is indicated by the line FAILURE: sendto: No route to host, which shows that the SRX device cannot send the authentication request to the RADIUS server. This could be due to a network issue, such as a misconfigured route, a firewall blocking the traffic, or a physical link failure.

To troubleshoot this issue, the user should check the following:

• The RADIUS server IP address and port are correctly configured on the SRX device. The user can verify this by using the command show configuration access radius-server1.
• The SRX device can ping the RADIUS server IP address. The user can use the command ping  to test the connectivity2.
• The SRX device has a valid route to the RADIUS server IP address. The user can use the command show route  to check the routing table3.
• The SRX device and the RADIUS server are using the same shared secret key. The user can verify this by using the command show configuration access radius-server secret1.
• The SRX device and the RADIUS server are using the same authentication protocol. The user can verify this by using the command show configuration access profile 4.
• The firewall policies on the SRX device and any intermediate devices are allowing the RADIUS traffic. The user can use the command show security policies from-zone to-zone  to check the firewall policies5.

References: 1: Configuring RADIUS Server Parameters 2: ping - Technical Documentation - Support - Juniper Networks 3: show route - Technical Documentation - Support - Juniper Networks 4: Configuring Authentication Profiles 5: show security policies - Technical Documentation - Support - Juniper Networks

DNS doctoring is a feature that allows the SRX Series firewall to modify the IP address in a DNS response based on a static NAT rule. This can be useful when the DNS server returns an IP address that is not reachable by the client, such as a private IP address or an IP address from a different network. To use DNS doctoring, the following requirements must be met:

• The DNS ALG must be enabled. The DNS ALG is responsible for parsing the DNS messages and performing the IP address translation. The DNS ALG can be enabled globally or per security policy. To enable the DNS ALG globally, use the command set security alg dns enable. To enable the DNS ALG per security policy, use the command set security policies from-zone zone1 to-zone zone2 policy policy1 then permit application-services application-firewall rule-set rule-set-name application junos-dns.
• Static NAT must be configured for the IP address that needs to be translated. Static NAT is a type of NAT that maps a fixed IP address to another fixed IP address. Static NAT can be configured using the command set security nat static rule-set rule-set-name rule rule-name match destination-address address and set security nat static rule-set rule-set-name rule rule-name then static-nat prefix prefix. References:
• DNS ALG and Doctoring Support
• Understanding DNS ALG and NAT Doctoring
• Disabling DNS ALG and NAT Doctoring
• SRX Getting Started - Configure DNS

The solution to this problem is to enable address persistence. This will ensure that the same external IP address is used for multiple sessions between an internal host and an external host. This will result in only one authentication being required, as the same external IP address will be used for all sessions.

According to the exhibit, which is a configuration snippet of the SRX Series device, the global mode for the device is set to switching mode. This means that the device is operating as a Layer 2 switch and does not apply any security policies to the traffic between hosts in the same broadcast domain1. Therefore, the traffic between two hosts in the same broadcast domain are not matching any security policies.

To solve this problem, the user should change the global mode to transparent bridge mode. This means that the device will operate as a Layer 2 transparent bridge and apply security policies to the traffic between hosts in the same broadcast domain2. This will allow the user to enforce security policies based on the source and destination IP addresses, ports, and protocols of the traffic.

To change the global mode to transparent bridge mode, the user should use the following command:

set protocols l2-learning global-mode transparent-bridge

This command will set the global mode for the SRX Series device as Layer 2 transparent bridge mode. After changing the mode, the user must reboot the device for the configuration to take effect2.

References: 1: global-mode (Protocols) 2: Configuring Layer 2 Transparent Mode

https://www.juniper.net/documentation/en_US/release-independent/jatp/topics/topic-map/jatp-custom-log-ingestion.html

• The source address is translated because the traceoptions output shows that the source IP address 192.168.5.2 is translated to 192.168.100.1 and the source port 0 is translated to 14777. The traceoptions output also shows the flag flow_first_src_xlate, which indicates that this is the first time that source NAT is applied to this session.
• The packet is an SSH packet because the traceoptions output shows that the application protocol is tcp/22, which is the default port for SSH. The traceoptions output also shows the flag flow_tcp_syn, which indicates that this is the first packet of a TCP connection.

References:

• traceoptions (Security NAT) | Junos OS | Juniper Networks
• [SRX] How to interpret Flow TraceOptions output for NAT troubleshooting

The security feature that achieves the objective of identifying potential threats within SSL-encrypted sessions without requiring SSL proxy to decrypt the session contents is encrypted traffic insights. Encrypted traffic insights (ETI) is a feature of Juniper ATP Cloud that helps you to detect malicious threats that are hidden in encrypted traffic without intercepting and decrypting the traffic. ETI uses machine learning and behavioral analysis to identify anomalies and suspicious patterns in the encrypted traffic metadata, such as the SSL/TLS handshake, the certificate, the cipher suite, and the session duration. ETI can also leverage third-party feeds and threat intelligence from Juniper ATP Cloud to correlate the encrypted traffic with known indicators of compromise (IoCs). ETI can provide insights into the risk level, the threat category, the threat location, and the threat time of the encrypted traffic. ETI can also trigger mitigation actions, such as blocking, quarantining, or alerting, based on the threat severity and the policy configuration. ETI can help you to improve your security posture and visibility without compromising the privacy and performance of the encrypted traffic. References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/concept/security-atp-cloud-encrypted-traffic-insights-overview.html

The purpose of the Switch Microservice of Policy Enforcer is to isolate infected hosts. The Switch Microservice is a component of Policy Enforcer that runs on EX Series and QFX Series switches. It communicates with Policy Enforcer and Juniper ATP Cloud to receive threat intelligence and quarantine commands. When an infected host is detected by Juniper ATP Cloud, Policy Enforcer sends a command to the Switch Microservice to isolate the host by applying an access control list (ACL) on the switch port where the host is connected. The ACL blocks all traffic from or to the host except for the traffic that is required for remediation. The Switch Microservice also tracks the MAC address of the infected host and updates Policy Enforcer if the host moves to a different switch port or a different switch. This way, the Switch Microservice ensures that the infected host is isolated until it is remediated and no longer poses a threat to the network. References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/concept/security-policy-enforcer-switch-microservice-overview.html

https://kb.juniper.net/InfoCenter/index?page=content &id=TN326&cat=&actp=LIST&showDraft=false