JN0-636 VCE Exam Download

&id=TN326&cat=&actp=LIST&showDraft=false

According to the Juniper documentation, the best VPN type for connecting two remote sites to the corporate headquarters site while ensuring that all traffic is secured and sent directly between sites is IPsec ADVPN. ADVPN stands for Auto Discovery VPN, which is a feature that allows the SRX Series devices to dynamically establish IPsec tunnels between remote sites without requiring a full mesh configuration1. IPsec ADVPN uses NHRP (Next Hop Resolution Protocol) to discover the optimal path between two remote sites and create a shortcut tunnel that bypasses the hub device2. This reduces the latency and bandwidth consumption of the traffic and improves the performance and scalability of the VPN.

To configure IPsec ADVPN on the SRX Series devices, the following steps are required:

• Configure the hub device as an NHRP server and assign it a unique NHRP network ID and a public IP address3.
• Configure the spoke devices as NHRP clients and register them with the hub device using the same NHRP network ID and the hub’s public IP address3.
• Configure the IPsec VPN parameters on the hub and spoke devices, such as the IKE and IPsec proposals, policies, and gateways4.
• Configure the routing protocols on the hub and spoke devices, such as OSPF or BGP, to advertise the routes between the sites.

Once the IPsec ADVPN is configured, the hub and spoke devices will establish IPsec tunnels with each other and exchange NHRP information. When a spoke device needs to send traffic to another spoke device, it will send an NHRP resolution request to the hub device, which will reply with the public IP address of the destination spoke device. The source spoke device will then initiate a shortcut IPsec tunnel with the destination spoke device and send the traffic directly to it2.

The following VPN types are not suitable for this scenario:

• Hub-and-spoke IPsec VPN: This type of VPN requires that all traffic between the remote sites go through the hub device, which adds latency and consumes bandwidth. It also does not scale well as the number of remote sites increases.
• Layer 2 VPN: This type of VPN allows the remote sites to extend their Layer 2 networks over a Layer 3 network, such as the internet. It is typically used for data center interconnection or service provider networks. However, it does not provide any security or encryption for the traffic, and it may not be compatible with the existing network infrastructure.
• Full mesh Layer 3 VPN with EBGP: This type of VPN allows the remote sites to exchange Layer 3 routing information over a Layer 3 network, such as the internet, using EBGP (External Border Gateway Protocol). It is typically used for enterprise networks or service provider networks. However, it requires that each remote site has a unique AS (Autonomous System) number and a public IP address, and that each remote site establishes a BGP session with every other remote site. This can be complex and cumbersome to configure and maintain, and it may not provide any security or encryption for the traffic.

References: 1: Auto Discovery VPN Overview 2: Understanding Auto Discovery VPN 3: Configuring NHRP on the Hub and Spoke Devices 4: Configuring IPsec VPN on the Hub and Spoke Devices : [Configuring Routing Protocols on the Hub and Spoke Devices] : [Hub-and-Spoke VPNs Overview] : [Layer 2 VPNs Feature Guide for Security Devices] : [Layer 3 VPNs Feature Guide for Security Devices]

Proxy ARP is a technique used by routers to answer ARP requests on one network segment on behalf of hosts on another network segment. This is useful in situations where a host on one network segment needs to communicate with a host on another network segment, but the two hosts are not directly connected. In this case, the router acts as a proxy, answering ARP requests on behalf of the other host. In the exhibit, the vSRX device is configured to use a pool of addresses that are in the same subnet as the external interface ge-0/0/0 for source NAT. This means that the vSRX device will translate the source IP address of the internal hosts to one of the addresses in the pool before sending the packets to the external network. However, the external hosts will not know how to reach the NATed addresses, since they are not directly connected to the vSRX device. They will send ARP requests for the NATed addresses, expecting to receive a MAC address from the vSRX device. If proxy ARP is not enabled on the vSRX device, it will not respond to these ARP requests, since it does not have the NATed addresses configured on its interface. The ARP requests will time out and the packets will be dropped by the external hosts or the service provider router. To solve this problem, proxy ARP must be enabled on the vSRX device for the NATed addresses. This will allow the vSRX device to respond to the ARP requests from the external hosts, providing its own MAC address as the destination. The external hosts will then send the packets to the vSRX device, which will reverse the NAT and forward the packets to the internal hosts. References:

• Configuring Proxy ARP (CLI Procedure)
• [SRX] When and how to configure Proxy ARP (https://supportportal.juniper.net/s/article/SRX-Dynamic-VPN-scenario-for-configuring-Proxy-ARP-on-SRX?language=en_US)

According to the Juniper documentation, the steps to detect domain generation algorithms (DGA) on an SRX Series firewall are as follows:

• Define a security-metadata-streaming policy under [edit services]. A security-metadata-streaming policy is a configuration that enables the SRX Series firewall to collect and stream security metadata, such as DNS queries and responses, to Juniper ATP Cloud for analysis. Juniper ATP Cloud uses machine learning models and known pre-computed DGA domain names to provide domain verdicts, which helps in-line blocking and sinkholing of DNS queries on SRX Series firewalls1. You can define a security-metadata-streaming policy by using the following command:

set services security-metadata-streaming policy

• Attach the security-metadata-streaming policy to a security zone. A security zone is a logical grouping of interfaces that have similar security requirements. You can attach the security-metadata-streaming policy to a security zone by using the following command:

set security zones security-zone services security-metadata-streaming policy

The following steps are not required or incorrect:

• Define an advanced-anti-malware policy under [edit services]. An advanced-anti-malware policy is a configuration that enables the SRX Series firewall to scan files for malware using Juniper ATP Cloud. It is not related to DGA detection2.
• Attach the advanced-anti-malware policy to a security policy. A security policy is a configuration that defines the rules for permitting or denying traffic between security zones. It is not related to DGA detection3.

References: 1: Configuring Security Metadata Streaming 2: Configuring Advanced Anti-Malware Policies 3: Configuring Security Policies