JN0-335 Exam Dumps : Security, Specialist (JNCIS-SEC)

• Cluster failovers occur when one node in a chassis cluster becomes inactive or unreachable, and the other node takes over the processing of traffic and services. To control when cluster failovers occur, you can configure two specific parameters on an SRX Series device: heartbeat-interval and heartbeat-threshold12.
• Heartbeat-interval is the time interval, in milliseconds, between heartbeat messages sent by each node to the other node. The default value is 1000 ms. You can configure the heartbeat-interval value from 100 through 3000 ms1.
• Heartbeat-threshold is the number of consecutive heartbeat messages that can be missed before a node is considered to be down. The default value is 3. You can configure the heartbeat-threshold value from 2 through 2551.
• The combination of heartbeat-interval and heartbeat-threshold determines the failover time, which is the maximum time it takes for a node to detect the failure of the other node and initiate a failover. The failover time is calculated as follows: failover time = heartbeat-interval x heartbeat-threshold1.
• For example, if the heartbeat-interval is 1000 ms and the heartbeat-threshold is 3, the failover time is 3000 ms. This means that if a node does not receive three consecutive heartbeat messages from the other node within 3000 ms, it will assume that the other node is down and initiate a failover1.
• You can configure the heartbeat-interval and heartbeat-threshold parameters using the set chassis cluster redundancy-group group-id node node-id priority priority heartbeat-interval interval heartbeat-threshold threshold command1.

References:

• 1: Configuring Chassis Cluster Redundancy Group Properties | Junos OS | Juniper Networks
• 2: Example: Configuring an Active/Passive Cluster Deployment | Junos OS | Juniper Networks

Policy Enforcer is a Junos Space Security Director component that allows updated security policies to be deployed across Juniper SRX Series firewalls, MX Series 5G Universal Routing Platforms, EX Series Ethernet Switches, QFX Series Switches, and third-party network devices1. Policy Enforcer can leverage the DDoS protection feature of Juniper devices to detect and mitigate DDoS attacks on the network. The DDoS protection feature is based on two main components: the classification of host-bound control plane traffic and a hierarchical set of individual- and aggregate-level policers that cap the volume of control plane traffic that each protocol type is able to send to the Routing Engine (RE) for processing2. The DDoS protection feature is supported on MX Series routers and QFX Series switches, among other devices3. Therefore, the correct devices to use for DDoS protection with Policy Enforcer are MX and QFX.

The other options are not correct for the following reasons:

• vQFX is a virtual switch that emulates the QFX Series switches for testing and development purposes. It does not support the DDoS protection feature4.
• vMX is a virtual router that emulates the MX Series routers for testing and development purposes. It does not support the DDoS protection feature.

References: Policy Enforcer DDoS Protection Case Study Protection against distributed denial of service (DDoS) attacks vQFX10000 Overview [vMX Overview]

 The show security policies policy-name detail command shows policy counters for a configured policy. Policy counters display the number of packets and bytes that match the policy, as well as the number of sessions that are created, denied, or closed by the policy. Policy counters can help monitor and troubleshoot the traffic flow and security policy enforcement on the SRX firewall1.

The show security policies policy-name detail command does not display details about the default security policy, which is the implicit policy that is applied when no other policy matches the traffic. The default security policy can be viewed by using the show security policies default-policy command2.

The show security policies policy-name detail command does not identify the different custom policies enabled, which are the user-defined policies that specify the action and conditions for the traffic between zones. The custom policies can be viewed by using the show security policies command without any options1.

The show security policies policy-name detail command does not show the system log files for the local SRX Series device, which are the files that record the events and messages generated by the device. The system log files can be viewed by using the show log command with the name of the file3. References:

• 1: show security policies | Junos OS | Juniper Networks
• 2: Understanding Default Security Policies | Junos OS | Juniper Networks
• 3: show log | Junos OS | Juniper Networks