Ques 1.         What is the latest firmware version for the Juniper SRX110H2, SRX550 and SRX650 firewalls?

As of 26 September 2018, the JTAC Recommended Junos Software Platform release for each of these models is –

  • SRX110H2 – Junos 12.3X48-D75
  • SRX550 – Junos 12.3X48-D75
  • SRX650 – Junos 12.3X48-D75

The JTAC recommendation changes over time, so check the current JTAC Recommended Junos Software Versions knowledge base article before deploying; this answer is a snapshot of that date.

Ques 2.         Which models of Juniper SRX are preferred for branch locations, and which for the data centre/head office?

Juniper SRX models which can be positioned for Branch locations are –

  • SRX110
  • SRX220
  • SRX300 series (SRX300, SRX320, SRX340, SRX345)
  • SRX550

Juniper SRX models which can be positioned for medium/large enterprises or data centres are –

  • SRX1400
  • SRX1500
  • SRX3400
  • SRX3600
  • SRX4100 and SRX4200
  • SRX4600
  • SRX5400
  • SRX5600
  • SRX5800

Ques 3.         How many FPCs can be installed in the following models?

  • SRX1400
  • SRX3400
  • SRX3600
  • SRX5400
  • SRX5600

Maximum FPC slots on these SRX models are –

  • SRX1400 – 4
  • SRX3400 – 7
  • SRX3600 – 14
  • SRX5400 – 3
  • SRX5600 – 8

Ques 4.         Which SRX platforms have dedicated HA ports for clustering?

Following SRX models have dedicated HA ports –

  • SRX1500
  • SRX4600
  • SRX4100 and SRX4200

Ques 5.         Which SRX platforms support dual control ports?

Dual control ports (a redundant control link between the two cluster nodes) are supported by the following SRX models –

  • SRX1400
  • SRX3000 series (SRX3400 and SRX3600)
  • SRX5000 series (SRX5400, SRX5600 and SRX5800)
  • SRX4600

Ques 6.         What is a VR with respect to the SRX firewall?

VR is the abbreviation for Virtual Router. A VR is a separate and independent routing table (its own RIB and forwarding table) inside one device, while the management domain, configuration, zones and security policies remain common across all VRs. A security device can divide its routing component into two or more virtual routers, for example to keep two customers' overlapping address space apart or to keep management routes away from transit routes. On Junos a VR is configured as a routing instance of type virtual-router, and the default routing table (inet.0) belongs to the master instance. The predefined trust-vr and untrust-vr listed below come from ScreenOS, where the concept originated; a Junos SRX has no such predefined VRs, only the master instance plus whatever virtual-router instances you create. VRs can be categorized into the following types –

  • Predefined VRs – each ScreenOS security device contains two predefined virtual routers:
    • trust-vr – by default contains all predefined security zones and any user-defined zones.
    • untrust-vr – by default does not contain any security zones.
  • Custom virtual routers – we can create and configure additional custom virtual routers.

Ques 7.         What is the Cisco ASA equivalent of a Context in Juniper SRX?

Logical System (LSYS); see Ques 47 for how it differs from a virtual router.

Ques 8.         What is the web interface for the SRX called?

The SRX web interface is called J-Web. J-Web ships with Junos on the SRX Series and covers most of the important tasks for configuring a device. It has to be enabled under the system services web-management hierarchy; enable only the HTTPS service and bind it to a management interface or zone, so the web interface is never reachable from untrusted networks.

Ques 9.         What application is used in Junos Space to manage SRX policies?

Security Director (previously called Security Design) is the Junos Space application that simplifies policy management for SRX devices, including central definition and push of security, NAT and IPsec policies to many devices.

Ques 10.       What is the key differentiator and core design change that SRX brought over the NetScreen devices?

The SRX is focused on providing services (IDP, UTM, application awareness, VPN) on top of the firewall, whereas the NetScreen devices were focused on stateful inspection.

Ques 11.       What is the difference between a stateless and a stateful firewall?

The key differences between stateless and stateful firewalls are –

  • A stateless firewall (on the SRX, a firewall filter) evaluates every packet on its own against Layer 3/Layer 4 header fields (addresses, protocol, ports, TCP flags). It keeps no memory of earlier packets, so return traffic must be permitted by its own rule and it cannot tell a legitimate reply from a spoofed one.
  • A stateful firewall (on the SRX, the flow-based security policy) matches the first packet of a session against policy, creates an entry in a session table keyed on the 5-tuple, and then forwards later packets of that session and its return traffic on the session entry without re-evaluating policy. It can track TCP state, apply ALGs and NAT per session, and drop packets that belong to no known session.
  • Stateless filtering is cheap and runs in the Packet Forwarding Engine, which is why it is used to protect the Routing Engine (see Ques 38); stateful inspection costs memory per session but is what most security policy needs.

Ques 12.       What is the Juniper IPsec VPN solution for users on the Internet to access corporate resources such as email or application servers called?

The Juniper SRX solution which meets this requirement is called Dynamic VPN. For mobile employees or telecommuters who are on the Internet and need access to corporate resources, such as the local LAN for desktop maintenance or secure access to applications, Juniper Dynamic VPN is the solution. It is a low cost and effective remote-access IPsec solution that allows dynamic access to the branch without any preinstalled software on the client station: the client is downloaded from the SRX's web portal when the user first connects and authenticates. Dynamic VPN is a branch SRX feature and is licensed per concurrent user.

Ques 13.       What does a Services Processing Card do?

A Services Processing Card (SPC) on the data centre SRX Series performs the processing of traffic for the different service types (such as IDP, VPN and NAT), so there is no need to add a separate card for each type of service. In fact the entire flow is processed on the SPC: the I/O cards only receive and transmit packets and hand them to an SPC for session processing, and adding SPCs scales throughput and session capacity.

Ques 14.       Which SRX platforms support the UTM feature set?

Both branch and high-end SRX Series devices support UTM. In fact, starting in Junos OS Release 12.1X46-D10, the Sophos antivirus, antispam and content filtering features are supported on all SRX Series devices. UTM features are licensed separately, so check show system license before relying on them.

Ques 15.       What tool does Juniper make to handle log management?

Security Threat Response Manager (STRM) is Juniper's tool for log management, correlation and reporting; it is an OEM version of IBM QRadar and was later succeeded by Juniper Secure Analytics (JSA). STRM is not limited to Junos devices and accepts logs and flows from non-Juniper devices as well.

Ques 16.       What is JFlow?

J-Flow is Juniper's equivalent of Cisco NetFlow. It samples packets on an interface and exports flow records (source and destination addresses, ports, protocol, byte and packet counts) to an external flow collector, which can store and analyse them; this is one of the main data sources for spotting scans, data exfiltration and unexpected traffic patterns.

Ques 17.               What are the control plane and the data plane (forwarding plane)?

In simple terms, the control plane decides what to do with traffic and the forwarding plane carries it out: the control plane is the brain, the forwarding plane the arms and legs. On Junos the control plane is the Routing Engine (RE), which runs the routing protocols, builds the routing table and derives the forwarding table from it, and handles management traffic (SSH, SNMP, configuration). Only packets addressed to the device itself (host-inbound traffic) are sent up to the RE. Transit packets never reach it: the Packet Forwarding Engine (PFE), which is the forwarding plane, looks them up in its copy of the forwarding table and either drops them or sends them out the egress interface. The PFE also applies stateless firewall filters and CoS, and on the SRX the data plane (flowd) performs the stateful session processing.

Notably, the forwarding table contains only the active routes used to forward transit packets. The copy held by the RE is the primary forwarding table, and the PFE receives its copy from the RE over the internal link.

Ques 18.       What are revenue ports?

Revenue ports are the ports that carry production traffic and ultimately earn the money, as opposed to management, console and cluster control ports. In other words, they are the ports where we connect the –

  • End User LAN ports
  • Servers ports
  • Downstream switches.

Ques 19.       Can we reset root password if we forget one? How?

Below is the step by step process to reset the root password of a Juniper SRX. It needs console access and a reboot into single-user mode, so the device is out of service for the duration, and it is also why the console port must be physically protected –

  1. Press the power button on the front panel to power on the device. The POWER LED on the front panel turns green and the console continuously displays the boot messages.
  2. When the auto boot completes, press the Spacebar a few times to access the bootstrap loader prompt.
  3. Disable the watchdog functionality and enter boot -s to start the system in single-user mode –

     loader> watchdog disable
     loader> boot -s

     The SRX Series device starts up in single-user mode.
  4. Enter recovery to start the root password recovery procedure –

     System watchdog timer disabled.
     Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery

  5. Enter configuration mode in the CLI and set the root password; enter the new root password twice when prompted (junipersrx is the page's example, choose a strong one) –

     New password: junipersrx
     Retype new password: junipersrx

  6. Once configured, commit the configuration –

     root@host# commit
     commit complete

  7. Exit from configuration mode, then exit from operational mode.
  8. Request a system reboot and enter y to confirm –

     Reboot the system? [y/n] y

     The start up messages display on the screen.
  9. Press the Spacebar a few times to access the bootstrap loader prompt again.
 10. At the loader prompt, enable the watchdog functionality and enter boot to start up the system normally.
 11. The SRX Series device starts up again and prompts for a user name and password. Log in as root with the newly configured password.
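The complete console session for the procedure above, as an added example that is not from the original page. The prompts are typical Junos output; the host name is assumed, `<new-root-password>` is a placeholder for the password you choose, and the `#` lines are commentary rather than anything typed at the loader or CLI:

```junos
# Bootstrap loader: disable the watchdog and boot single-user (step 3)
loader> watchdog disable
System watchdog timer disabled.
loader> boot -s

# Single-user prompt: choose the recovery script (step 4)
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery

# Recovery drops you into the Junos CLI as root; set the new password (steps 5-6)
root> configure
Entering configuration mode

[edit]
root# set system root-authentication plain-text-password
New password: <new-root-password>
Retype new password: <new-root-password>

[edit]
root# commit
commit complete

[edit]
root# exit
Exiting configuration mode

# Reboot so the device comes up multi-user (steps 7-8)
root> request system reboot
Reboot the system? [y/n] y

# On the way back up, stop at the loader again, re-enable the watchdog
# and boot normally (steps 9-10)
loader> watchdog enable
loader> boot

# Normal login with the new root password (step 11)
host (ttyu0)
login: root
Password: <new-root-password>
```

Anyone with console access and the ability to reboot the box can do this, so keep the console port in a locked rack. Junos also lets you mark the console as insecure (set system ports console insecure), after which single-user mode asks for the existing root password before it will start, which closes this recovery path; weigh that against the risk of locking yourself out for good.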

Ques 20.       What is a cluster and why is it required?

SRX Series devices can be configured to work in cluster mode. In cluster mode a pair of devices is connected together and configured to –

  • Operate like a single device to provide high availability.
  • Back each other up, with one node acting as the primary device and the other as the secondary device.
  • Provide stateful failover of processes and services in the event of a system or hardware failure.
  • Run a single active control plane for the entire cluster with multiple Packet Forwarding Engines.

Ques 21.       Is cluster supported on all SRX platforms?

Yes, chassis clustering is supported on all SRX platforms (including vSRX), provided both nodes are the same model with the same hardware and Junos release.

Ques 22.       How does clustering works?

The high availability technology that Juniper uses is called Chassis Cluster. In a cluster one device becomes the primary and the other the secondary. The two peers are connected by cables, each with a special purpose.

The fabric link (fab0 on node 0 and fab1 on node 1) is the first type of connectivity between the cluster peers. The devices use it to synchronise session state between their Packet Forwarding Engines, and in active/active or asymmetric routing scenarios user traffic also travels across it, so it must be sized for that.

The second type of connectivity is the control link, used for all control plane traffic between the two Routing Engines. The control plane is the brain of the routing device and is responsible for the routing protocols, maintaining the routing table, telnet/SSH sessions, system configuration, SNMP and so on. Only one Routing Engine of the two chassis is active and functions as the master.

The benefit of clustering is that the session table is held on both devices, so if the primary SRX goes down the secondary can take over without dropping established sessions. User and application traffic continues with close to zero downtime.

Ques 23.          What is the concept of GARP?

Gratuitous ARP (GARP) is an ARP request or reply that a host sends for its own IP address. It has two uses. The first is duplicate address detection: if a Layer 3 device (a router or switch) sends an ARP request for its own IP address and receives no reply, nobody else is using the address; if a reply comes back, the address is already in use by another node. The second is updating neighbours: a gratuitous ARP carrying a new MAC address makes every host on the segment refresh its ARP cache. An SRX chassis cluster relies on this second use after a data plane failover, sending gratuitous ARPs for each reth interface from the new primary node so that adjacent switches learn that the reth MAC address has moved (the number sent is set per redundancy group with gratuitous-arp-count).

Ques 24.       Is the Network affected during data plane failover?

A data plane failover (redundancy group 1 or higher) is designed to be seamless: the session table is already synchronised over the fabric link, and the new primary node sends gratuitous ARPs for its reth interfaces so that adjacent switches learn the new path. Established sessions survive; at most a few packets may be lost while neighbouring devices update their ARP and MAC tables.

Ques 25.       Is the Network affected during control plane failover?

During a control plane failover (redundancy group 0) between the two nodes, the switchover does not preserve control plane state. Neighbouring routers detect that the router has restarted and react to the event, so the network is affected. Explicitly: if dynamic routing is running, the network is affected while the routing protocols re-converge (graceful restart on the protocols reduces the impact); if only static routing is used the impact is much smaller, because the data plane keeps forwarding on the synchronised sessions.

Ques 26.       What are prerequisites while configuring 2 SRX in HA/cluster mode?

Requirements –

  • A maximum of two SRXs can be clustered together.
  • Both SRX devices must have the same hardware and software: the same model, the same Junos release, and the same modules in the same slots.
  • The two SRXs must be directly connected to each other with two Ethernet links, one for the control link and one for the fabric (data) link.
  • A reboot is required whenever a device is put into cluster mode or taken out of it.

Ques 27.       Cisco IOS feature set of “IP SLA” is a method of monitoring and reliably reporting on network performance. What is the Juniper equivalent feature name called?

The real-time performance monitoring (RPM) feature of Junos is equivalent of “IP SLA” of Cisco IOS. With the RPM tool, we can monitor and determine packet loss, round-trip time, and jitter to any host.

Ques 28.       If FAB link goes down, what happens to cluster?

If the fabric link fails, the secondary (passive) node goes into a disabled state so that the two nodes cannot both become active. The node stays disabled until it is rebooted after the fabric link is restored.

Ques 29.       If Control link goes down, what happens to cluster?

On a branch SRX cluster, if the control link goes down for any reason the secondary node goes into a disabled state and remains there until you manually reboot it, unless control link recovery is configured, in which case the secondary node reboots itself automatically once the control link comes back up.

Ques 30.       What is Active-Active Cluster vs Active-Passive cluster?

The SRX supports both Clustering options –

  • Active/Active high availability mode
  • Active/Passive high availability mode

In an active/active deployment only the data plane is active/active; the control plane is still active/passive. One control plane controls both chassis members as a single logical device, and if it fails the control plane fails over to the other unit. Active/active also allows the ingress interface of a flow to be on one cluster member and the egress interface on the other, in which case the traffic crosses the fabric link.

Active/passive high availability is the most common deployment and consists of two firewall members of a cluster: one actively provides routing, firewall, NAT, VPN and security services and holds control of the chassis cluster, while the other passively maintains its state for failover should the active firewall become inactive. Below table enumerates the differences between active/active and active/passive HA deployment modes –

Ques 31.       What type of interfaces need to be configured in clustering?

  • reth (Redundant Ethernet) interfaces – the logical interfaces that user traffic uses; each has one member physical port on each node.
  • Fabric link (fab0/fab1) – for session synchronisation and cross-node traffic.
  • Control link – for control plane traffic between the Routing Engines.
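A complete chassis cluster configuration covering the prerequisites in Ques 26 and the three interface types in Ques 31, as an added example that is not from the original page. It assumes an SRX550 pair (on which node 1's ports are numbered ge-9/0/x and the control link uses ge-0/0/1 on each node without any configuration; check the numbering for other models), RFC 5737/1918 addresses, and `#` lines that are commentary only:

```junos
# Step 1 (operational mode, once per node; each node then reboots into cluster mode):
#   node 0:  set chassis cluster cluster-id 1 node 0 reboot
#   node 1:  set chassis cluster cluster-id 1 node 1 reboot
# Everything below is committed once on the primary and replicated to the secondary.

# Node-specific settings live in groups; "${node}" expands to node0 or node1 on each box
set groups node0 system host-name srx-a
set groups node0 interfaces fxp0 unit 0 family inet address 192.0.2.11/24
set groups node1 system host-name srx-b
set groups node1 interfaces fxp0 unit 0 family inet address 192.0.2.12/24
set apply-groups "${node}"

# Cluster-wide settings: auto-recover the secondary after a control link outage
set chassis cluster control-link-recovery
set chassis cluster reth-count 2
set chassis cluster heartbeat-interval 1000
set chassis cluster heartbeat-threshold 3

# RG0 = control plane (Routing Engine). Never configure preempt on RG0.
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100

# RG1 = data plane for the reth interfaces. GARPs announce the reth MAC after failover.
# Weight 255 on one monitored link equals the failover threshold, so a single link
# loss on the primary moves RG1 to the other node.
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 gratuitous-arp-count 4
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-9/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-9/0/4 weight 255

# Fabric link: one revenue port per node, cabled back to back
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-9/0/2

# Redundant Ethernet interfaces: one member port on each node, bound to RG1
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-9/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-9/0/4 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 203.0.113.2/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 10.0.0.1/24

# Zones reference the reth interfaces, never the physical member ports
set security zones security-zone untrust interfaces reth0.0
set security zones security-zone trust interfaces reth1.0
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
```

After both nodes are back, show chassis cluster status should report RG0 and RG1 primary on node 0 and secondary on node 1, show chassis cluster interfaces should show the control and fabric links Up, and show chassis cluster statistics should show heartbeats flowing in both directions. Pull a monitored link on node 0 to confirm RG1 moves and sessions survive before putting the pair into production.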

Ques 32.       What is use of “Configuration GROUP” Hierarchy in cluster?

Configuration groups simplify configuration while reducing its size and complexity. When we use configuration groups we do not have to enter the same set of configuration statements multiple times where they are needed in several places. In a chassis cluster they have a specific job: node-specific settings such as the host name and the fxp0 management address are placed under the groups node0 and node1, and the statement apply-groups "${node}" makes each node apply only its own group from the single shared configuration.

Below are the key benefits of configuration groups –

  • The configuration becomes smaller and easier to read.
  • The configuration becomes more consistent.
  • Fewer manual mistakes happen when the same set of commands is needed in different sections.

Ques 33.       Which config portion controls the permissions for traffic flow (sec policies)?

The security policies hierarchy (set security policies from-zone ... to-zone ...). Traffic is matched on source zone, destination zone, source address, destination address and application, and the first matching policy's action (permit, deny or reject) applies.

Ques 34.       What is a security Zone?

A zone is a group of interfaces with similar security needs. In other words, security zones are logical entities to which one or more interfaces are bound. Every interface that is not assigned to a zone belongs to the null zone, and all traffic to and from the null zone is dropped. There are two factory default zones called trust and untrust on the SRX branch series devices (zone names are case-sensitive); they can be deleted or renamed.

Below is an example where user/LAN subnets are placed in the trust zone while the Internet-facing interface is placed in the untrust zone.

Ques 35.                  Is traffic permitted by default for inter-zone or intra-zone flows?

No, on the SRX neither intra-zone nor inter-zone traffic is allowed by default: the default policy is deny-all, and a session is created only if a security policy explicitly permits it. This differs from ScreenOS, where intra-zone traffic was permitted by default. To allow traffic between two interfaces in the same zone you still need a security policy, for example from-zone INTERNAL to-zone INTERNAL. (The factory-default configuration on branch devices ships with permit policies from trust to trust and from trust to untrust, which is why a fresh device appears to allow traffic; those are ordinary policies, not a default behaviour.)
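The zone layout described in Ques 34 together with the intra-zone policy from Ques 35, as an added example that is not from the original page. Interface numbers, addresses and object names are assumed, and `#` lines are commentary only:

```junos
# Interfaces: one Internet-facing, two LAN-facing (addresses assumed)
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/24
set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.0.1.1/24

# Zones: an interface left out of every zone sits in the null zone and passes nothing
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0

# Management services are zone-gated too: nothing reaches the RE unless listed here,
# so ssh/ping are allowed from trust only and nothing at all from untrust
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping

# Address objects referenced by policy
set security address-book global address LAN-USERS 10.0.0.0/24
set security address-book global address LAN-SERVERS 10.0.1.0/24

# Inter-zone: users to the Internet, limited to named applications, logged at session close
set security policies from-zone trust to-zone untrust policy USERS-TO-INTERNET match source-address LAN-USERS
set security policies from-zone trust to-zone untrust policy USERS-TO-INTERNET match destination-address any
set security policies from-zone trust to-zone untrust policy USERS-TO-INTERNET match application junos-http
set security policies from-zone trust to-zone untrust policy USERS-TO-INTERNET match application junos-https
set security policies from-zone trust to-zone untrust policy USERS-TO-INTERNET match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy USERS-TO-INTERNET then permit
set security policies from-zone trust to-zone untrust policy USERS-TO-INTERNET then log session-close

# Intra-zone: both LAN interfaces are in trust, yet users still need a policy to reach the servers
set security policies from-zone trust to-zone trust policy USERS-TO-SERVERS match source-address LAN-USERS
set security policies from-zone trust to-zone trust policy USERS-TO-SERVERS match destination-address LAN-SERVERS
set security policies from-zone trust to-zone trust policy USERS-TO-SERVERS match application junos-https
set security policies from-zone trust to-zone trust policy USERS-TO-SERVERS then permit

# Everything not matched above is dropped (this is also the built-in default)
set security policies default-policy deny-all
```

Use show security policies to confirm the ordering, and show security match-policies with a from-zone, to-zone, source and destination address, ports and protocol to ask the box which policy a given packet would hit before you trust the rule set with real traffic; show security flow session then shows the sessions it actually created.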

Ques 36.       How would you troubleshoot high CPU?

Below are some of steps and related commands used in troubleshooting high CPU –

Step 1 –

Check the Routing Engine (control plane) by issuing the command "show chassis routing-engine". A persistently high "CPU utilization" value in the output (a low Idle percentage and a high load average) confirms high control plane CPU.

Step 2 –

Issue the command "show system processes extensive" to see which processes are consuming the CPU.

Step 3 –

Once we know from the previous step which process is running high, we can resolve it in the following ways –

For the process "httpd" (J-Web), restart it with the command "restart web-management".

For the process "eventd", turning off traceoptions or sampling can bring the CPU back to normal utilization. If not, changing the security log mode to stream, so that traffic logs go directly from the data plane to the syslog collector instead of through the Routing Engine, may reduce the utilization.

For the process "flowd_octeon" (the branch SRX data plane), issue the command "show chassis forwarding". If the values are high, troubleshoot further by checking interface utilization and the number of sessions with the commands "show interfaces detail" and "show security flow statistics" respectively; "show security flow session summary" and "show security screen statistics zone <zone>" help tell a genuine increase in load from a flood.

Ques 37.       Name few types of screen options?

On all SRX Series devices, screens are divided into two categories –

  • Statistics-based screens, which count events over time and trigger when a threshold is exceeded
  • Signature-based screens, which match a malformed or suspicious pattern in a single packet

Some of the statistics-based screen options are –

  • ICMP flood
  • UDP flood
  • TCP SYN flood source
  • TCP SYN flood destination
  • TCP SYN flood
  • TCP port scan
  • TCP SYN-ACK-ACK proxy
  • ICMP IP sweep
  • TCP SYN flood attack
  • UDP sweep

Some of the signature-based screen options are –

  • TCP WinNuke
  • TCP SYN fragment
  • TCP no flag
  • TCP SYN FIN
  • TCP land
  • TCP FIN no ACK
  • ICMP ping of death
  • ICMP fragment
  • ICMP large
  • IP unknown protocol
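A screen profile that enables most of the options listed above and binds it to the untrust zone, as an added example that is not from the original page. The profile name, the thresholds and the zone are assumed; `#` lines are commentary only:

```junos
# Signature-based screens: no thresholds, each matches a single bad packet
set security screen ids-option UNTRUST-SCREEN icmp ping-death
set security screen ids-option UNTRUST-SCREEN icmp large
set security screen ids-option UNTRUST-SCREEN icmp fragment
set security screen ids-option UNTRUST-SCREEN ip unknown-protocol
set security screen ids-option UNTRUST-SCREEN tcp land
set security screen ids-option UNTRUST-SCREEN tcp winnuke
set security screen ids-option UNTRUST-SCREEN tcp syn-fin
set security screen ids-option UNTRUST-SCREEN tcp tcp-no-flag
set security screen ids-option UNTRUST-SCREEN tcp syn-frag
set security screen ids-option UNTRUST-SCREEN tcp fin-no-ack

# Statistics-based screens: counts per second, tune to the real traffic profile
set security screen ids-option UNTRUST-SCREEN icmp flood threshold 1000
set security screen ids-option UNTRUST-SCREEN icmp ip-sweep threshold 1000
set security screen ids-option UNTRUST-SCREEN udp flood threshold 1000
set security screen ids-option UNTRUST-SCREEN tcp port-scan threshold 5000
set security screen ids-option UNTRUST-SCREEN tcp syn-flood alarm-threshold 1024
set security screen ids-option UNTRUST-SCREEN tcp syn-flood attack-threshold 200
set security screen ids-option UNTRUST-SCREEN tcp syn-flood source-threshold 1024
set security screen ids-option UNTRUST-SCREEN tcp syn-flood destination-threshold 2048
set security screen ids-option UNTRUST-SCREEN tcp syn-flood timeout 20

# Start in alarm-only mode so mistuned thresholds log instead of dropping real traffic;
# delete this statement once the counters look sane for a week
set security screen ids-option UNTRUST-SCREEN alarm-without-drop

# A screen only takes effect when a zone references it
set security zones security-zone untrust screen UNTRUST-SCREEN
```

Watch show security screen statistics zone untrust while the profile runs in alarm-without-drop mode: a screen that fires constantly on normal traffic has a threshold set too low for that link, and a SYN flood alarm threshold that never fires during a known test is set too high.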

Ques 38.       What are stateless Firewall filters?

A stateless firewall filter lets you act on any packet of a particular protocol family, including fragmented packets, based on evaluation of the Layer 3 and Layer 4 header fields alone, with no session table. You can apply a stateless firewall filter to an ingress interface, an egress interface, or both.

Stateless packet filtering lets us inspect the components of incoming or outgoing packets and then perform the actions we specify (accept, discard, reject, count, log, police) on packets that match the criteria. The typical use of a stateless firewall filter on the SRX is to protect the Routing Engine processes and resources from malicious or untrusted packets, by applying the filter as input on the lo0 interface, through which all host-inbound traffic passes.
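A Routing Engine protection filter of the kind described above, as an added example that is not from the original page. The management and BGP peer prefixes, the policer rate and the filter name are assumed; `#` lines are commentary only:

```junos
# Who may manage the box and who may peer with it (prefixes assumed)
set policy-options prefix-list MGMT-NETS 192.0.2.0/24
set policy-options prefix-list MGMT-NETS 10.0.0.0/24
set policy-options prefix-list BGP-PEERS 203.0.113.1/32

# Rate-limit ICMP to the RE so a ping flood cannot starve the control plane
set firewall policer ICMP-LIMIT if-exceeding bandwidth-limit 1m
set firewall policer ICMP-LIMIT if-exceeding burst-size-limit 15k
set firewall policer ICMP-LIMIT then discard

# Terms are evaluated top to bottom; first match wins
set firewall family inet filter PROTECT-RE term MGMT from source-prefix-list MGMT-NETS
set firewall family inet filter PROTECT-RE term MGMT from protocol tcp
set firewall family inet filter PROTECT-RE term MGMT from destination-port ssh
set firewall family inet filter PROTECT-RE term MGMT from destination-port https
set firewall family inet filter PROTECT-RE term MGMT then accept

set firewall family inet filter PROTECT-RE term ICMP from protocol icmp
set firewall family inet filter PROTECT-RE term ICMP then policer ICMP-LIMIT
set firewall family inet filter PROTECT-RE term ICMP then accept

# Routing protocols: OSPF from anyone on-link, BGP only from configured peers
set firewall family inet filter PROTECT-RE term OSPF from protocol ospf
set firewall family inet filter PROTECT-RE term OSPF then accept
set firewall family inet filter PROTECT-RE term BGP from source-prefix-list BGP-PEERS
set firewall family inet filter PROTECT-RE term BGP from protocol tcp
set firewall family inet filter PROTECT-RE term BGP from port bgp
set firewall family inet filter PROTECT-RE term BGP then accept

# Replies to connections the RE itself opened (DNS, NTP, syslog over TCP)
set firewall family inet filter PROTECT-RE term ESTABLISHED from protocol tcp
set firewall family inet filter PROTECT-RE term ESTABLISHED from tcp-established
set firewall family inet filter PROTECT-RE term ESTABLISHED then accept

# Stateless: everything else to the RE is counted, logged and dropped
set firewall family inet filter PROTECT-RE term DENY-REST then log
set firewall family inet filter PROTECT-RE term DENY-REST then count RE-DISCARDS
set firewall family inet filter PROTECT-RE term DENY-REST then discard

# Applied as input on lo0, so only host-bound traffic is affected, never transit traffic
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

Commit it with commit confirmed so a mistake that locks you out rolls back by itself, then watch show firewall filter PROTECT-RE: the RE-DISCARDS counter shows what is being dropped, and show firewall log shows the sources. On the SRX this filter sits behind the zone host-inbound-traffic setting, and in a cluster fxp0 needs its own filter because management traffic on fxp0 does not pass through lo0.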

Ques 39.       What are 3 types of VPN tunnels?

We can configure three types of VPN tunnel –

  • Policy-based VPNs – the VPN is referenced from a security policy (then permit tunnel ipsec-vpn), so only traffic that matches that policy is encrypted and the tunnel is brought up on demand by matching traffic. Policy-based VPNs are used when we want to encrypt and authenticate only certain types of traffic between two VPN peers, and they are the type remote-access (RAS) users use.
  • Route-based VPNs – the VPN is bound to a secure tunnel (st0) interface, the tunnel can be established as soon as the configuration is committed rather than waiting for traffic and is maintained continuously, and traffic is steered into it by routing. Route-based VPNs are used when we want to encrypt and authenticate all traffic between two sites; they support dynamic routing and VPN monitoring over the tunnel and are the recommended type for site-to-site VPNs. We cannot add RAS users to a route-based VPN.
  • Mixed-mode VPNs – a policy-based VPN on one end is connected to a route-based VPN on the other. RAS users cannot be included in a mixed-mode VPN.

Ques 40.               Arrange the below list as per order in which they are processed –

  • Route lookup
  • Source NAT rules
  • Destination NAT rules
  • Security policy lookup
  • Static NAT rules
  • Reverse mapping of static NAT rules

The correct order in which they are processed for the first packet of a session is –

  • Static NAT rules
  • Destination NAT rules
  • Route lookup
  • Security policy lookup
  • Reverse mapping of static NAT rules
  • Source NAT rules

The practical consequence is that security policies match on the translated (post-NAT) destination address and port and on the original (pre-NAT) source address, and the route lookup is done on the translated destination.

Ques 41.               Name a few VPN proposal sets that can be configured on the SRX?

Some of the common IKE and IPsec proposal sets that can be configured on the SRX are –

  • Basic – includes a basic set of two proposals.
  • Compatible – includes four commonly used proposals.
  • Prime-128 – includes one proposal set with AES-128 as the encryption algorithm.
  • Prime-256 – includes one proposal set with AES-256 as the encryption algorithm.
  • Standard – includes a standard set of two proposals.
  • Suiteb-gcm-128 and suiteb-gcm-256 – provide the Suite B proposal sets.

The basic and compatible sets are built on DES and 3DES with MD5 or SHA-1, and the standard set still relies on SHA-1 and DH group 2, all of which are weak by current standards. For new deployments prefer the prime or Suite B sets, or an explicitly configured AES/SHA-2 proposal with a strong Diffie-Hellman group, and make sure both peers are configured for the same set.

Ques 42.               Is SSL VPN supported on the SRX firewall?

No. The SRX provides IPsec VPNs only (site-to-site, and Dynamic VPN for remote access; see Ques 12 and Ques 39). SSL VPN is delivered by a separate Juniper product.

Ques 43.               What is the best interface to use for network management on the SRX?

Typically fxp0, the out-of-band control plane interface, is the best interface to use for management on the SRX. It does not depend on data plane availability and can sit on its own private management network, keeping management traffic separate from the transit traffic on the network. Two caveats: on branch SRX devices fxp0 exists only in cluster mode (where ge-0/0/0 on each node is repurposed as fxp0), so a standalone branch device is managed through a revenue port placed in a dedicated management zone; and whichever interface is used, the management services should be limited with host-inbound-traffic on the zone and a filter on lo0 (see Ques 38).

Ques 44.               What are the components of a security policy?

The components of a security policy are –

  • Zones (from-zone and to-zone)
  • Address objects (source and destination addresses)
  • Application objects (protocol and ports)
  • User objects (user identity, when the user firewall is used)
  • Scheduler objects (time-based activation)
  • Action profiles (permit, deny or reject, plus logging, counting and the services applied to permitted traffic such as IDP, UTM or a VPN tunnel)

Ques 45.               What is an ALG and how does it function?

ALG is the abbreviation for Application Layer Gateway. An ALG handles application protocols such as SIP (Session Initiation Protocol) and FTP (File Transfer Protocol) that negotiate additional connections inside their control channel. It inspects the control channel, learns the dynamically negotiated addresses and ports, opens temporary pinholes in the firewall for those data connections and rewrites the embedded addresses when NAT is in use, so the application works through the firewall without a wide-open policy. The flip side is that an ALG that misparses a protocol can break it (the SIP ALG is the usual example with VoIP systems) or open pinholes you did not intend, so only the ALGs actually needed should be left enabled.

Ques 46.               What are NAT types in Juniper SRX?

  • Static NAT – a fixed one-to-one mapping, applied in both directions.
  • Source NAT – translates the source address (and usually the port) of outbound traffic, to an interface address or a pool.
  • Destination NAT – translates the destination address (and optionally the port) of inbound traffic to an internal server.

Ques 47.               What is difference between Virtual Router and Logical System?

The difference between a virtual router and a logical system on the Juniper SRX platform is one of scope. A virtual router (a routing instance of type virtual-router) separates only the routing table: every VR on the device shares the same configuration, administrators, zones, security policies, NAT rules and objects. A logical system (LSYS) is a separate administrative domain on the same chassis, with its own interfaces, zones, security policies, NAT, routing instances and administrators, and with resource limits (policies, zones, sessions and so on) enforced through security profiles; it is the Cisco ASA context equivalent mentioned in Ques 7. Use a VR when you only need routing separation, and a logical system when different teams or tenants must administer their own firewall policy in isolation.
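The two constructs side by side, covering the VR from Ques 6 and the comparison in Ques 47, as an added example that is not from the original page. Instance, profile, user and interface names and all addresses are assumed, and `#` lines are commentary only:

```junos
# --- Virtual router: only the routing table is separate ---
set routing-instances CUST-A instance-type virtual-router
set routing-instances CUST-A interface ge-0/0/2.0
set routing-instances CUST-A routing-options static route 0.0.0.0/0 next-hop 198.51.100.1
# The zone, policies and NAT for ge-0/0/2.0 still live in the shared global configuration
set security zones security-zone cust-a interfaces ge-0/0/2.0

# --- Logical system: a separate administrative domain with its own security configuration ---
# A security profile caps what a logical system may consume; once any logical system
# exists the root (master) logical system must be bound to a profile as well
set system security-profile ROOT-PROFILE root-logical-system
set system security-profile TENANT-PROFILE policy maximum 100
set system security-profile TENANT-PROFILE zone maximum 10
set system security-profile TENANT-PROFILE logical-system LS-TENANT-B

# Interfaces, zones, policies and routing are all configured under the logical system
set logical-systems LS-TENANT-B interfaces ge-0/0/3 unit 0 family inet address 10.20.0.1/24
set logical-systems LS-TENANT-B interfaces ge-0/0/4 unit 0 family inet address 10.21.0.1/24
set logical-systems LS-TENANT-B security zones security-zone trust interfaces ge-0/0/3.0
set logical-systems LS-TENANT-B security zones security-zone dmz interfaces ge-0/0/4.0
set logical-systems LS-TENANT-B security policies default-policy deny-all
set logical-systems LS-TENANT-B routing-options static route 0.0.0.0/0 next-hop 10.21.0.254

# A tenant administrator confined to the logical system: full rights inside it,
# no view of CUST-A, the root logical system or the other tenants
set system login class LS-ADMIN logical-system LS-TENANT-B
set system login class LS-ADMIN permissions all
set system login user tenant-b-admin class LS-ADMIN
set system login user tenant-b-admin authentication plain-text-password
```

The plain-text-password statement prompts interactively; in a file loaded with load set replace it with an encrypted-password statement. show route table CUST-A.inet.0 shows the VR's routes, show system security-profile policy detail shows how much of each tenant's quota is used, and logging in as tenant-b-admin confirms the confinement: the CLI starts inside LS-TENANT-B and cannot see the rest of the box. Logical systems are licensed separately on most SRX platforms, so check show system license first.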

Ques 48.               Why would you use no-NAT rules in your NAT policy, and which NAT types support them?

Both source NAT and destination NAT support a no-NAT action when a rule matches (source-nat off and destination-nat off respectively). This is useful when you want to exclude certain traffic from NAT. It matters particularly with source NAT, where there is usually a catch-all rule at the bottom of the rule-set that translates everything leaving the trust zone: traffic that must keep its real address, such as traffic to another site over an IPsec VPN, would be caught by it. Put a more specific rule matching that traffic first in the rule-set with the action source-nat off; because NAT rules are evaluated top to bottom and the first match wins, it acts as an exception rule.
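A NAT configuration that exercises the three NAT types from Ques 46 in the processing order from Ques 40 and the no-NAT exception from Ques 48, as an added example that is not from the original page. It assumes a public /24 on ge-0/0/0 in untrust, servers in trust, a remote site reached through a VPN whose tunnel leaves via the untrust zone, and constructed addresses and object names; `#` lines are commentary only:

```junos
# Address objects (all assumed)
set security address-book global address SRV-SFTP-INT 10.0.0.10/32
set security address-book global address SRV-WEB-INT 10.0.0.20/32

# 1. Static NAT: one-to-one, evaluated first and applied in both directions
set security nat static rule-set STATIC from zone untrust
set security nat static rule-set STATIC rule SFTP-1TO1 match destination-address 203.0.113.10/32
set security nat static rule-set STATIC rule SFTP-1TO1 then static-nat prefix 10.0.0.10/32

# 2. Destination NAT: public address and port 80 to an internal web server on port 8080
set security nat destination pool WEB-POOL address 10.0.0.20/32 port 8080
set security nat destination rule-set DNAT from zone untrust
set security nat destination rule-set DNAT rule WEB-IN match destination-address 203.0.113.11/32
set security nat destination rule-set DNAT rule WEB-IN match destination-port 80
set security nat destination rule-set DNAT rule WEB-IN then destination-nat pool WEB-POOL

# The SRX must answer ARP for translated public addresses that are not its own interface address
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32 to 203.0.113.11/32

# 3. Policy lookup runs after static and destination NAT, so it must match the INTERNAL
#    addresses and the TRANSLATED port: the web rule sees port 8080, not 80
set applications application TCP-8080 protocol tcp destination-port 8080
set security policies from-zone untrust to-zone trust policy SFTP-IN match source-address any
set security policies from-zone untrust to-zone trust policy SFTP-IN match destination-address SRV-SFTP-INT
set security policies from-zone untrust to-zone trust policy SFTP-IN match application junos-ssh
set security policies from-zone untrust to-zone trust policy SFTP-IN then permit
set security policies from-zone untrust to-zone trust policy WEB-IN match source-address any
set security policies from-zone untrust to-zone trust policy WEB-IN match destination-address SRV-WEB-INT
set security policies from-zone untrust to-zone trust policy WEB-IN match application TCP-8080
set security policies from-zone untrust to-zone trust policy WEB-IN then permit

# 4. Source NAT is evaluated last. Rules are first-match, so the no-NAT exception goes
#    first: traffic to the VPN-connected remote site keeps its real source address
set security nat source rule-set SNAT from zone trust
set security nat source rule-set SNAT to zone untrust
set security nat source rule-set SNAT rule NO-NAT-TO-VPN match source-address 10.0.0.0/24
set security nat source rule-set SNAT rule NO-NAT-TO-VPN match destination-address 10.1.0.0/24
set security nat source rule-set SNAT rule NO-NAT-TO-VPN then source-nat off
set security nat source rule-set SNAT rule LAN-TO-INTERNET match source-address 10.0.0.0/24
set security nat source rule-set SNAT rule LAN-TO-INTERNET then source-nat interface
```

Check the rule order and hit counters with show security nat source rule all and show security nat destination rule all, and confirm the translation on a live session with show security flow session destination-prefix 10.0.0.20, which lists both the In and Out wings of the session with the pre- and post-NAT addresses. Swapping the two source NAT rules is the classic mistake: the catch-all would match first and the VPN traffic would arrive at the remote site from the interface address.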

Ques 49.               What is the difference between DPD and VPN monitoring?

DPD is the abbreviation for Dead Peer Detection. DPD is a standard IKE capability (RFC 3706 for IKEv1; IKEv2 has built-in liveness checks) that detects whether the peer gateway is still up by sending IKE informational messages (R-U-THERE / R-U-THERE-ACK) when no traffic has been received from the peer. It is negotiated in phase 1 and only tells you that the IKE peer is alive.

VPN monitoring is not a standard IKE capability. The gateway sends ICMP echo requests through the IPsec tunnel to a destination on the far side (by default the peer gateway) and declares the tunnel down if they go unanswered. It is the more reliable mechanism, since it checks not just that the peer is up but that the IPsec tunnel actually carries traffic end to end. The SRX uses the DPD and VPN monitoring results to mark the VPN up or down and, if an alternative path such as a second VPN exists, to route the traffic over it.

Ques 50.               What is NAT-T and when must it be used?

NAT-T (NAT Traversal) is a technique for encapsulating IPsec traffic in UDP so that it can pass through a NAT device. It is most commonly needed for remote clients that sit behind a NAT gateway, but also for site-to-site tunnels where one gateway is behind NAT.

A packet protected by ESP or AH carries no transport-layer port numbers, so a PAT/NAT device has nothing to translate and track and cannot multiplex several IPsec peers behind one public address; AH additionally authenticates the IP header, so any address rewrite breaks its integrity check. With NAT-T, the peers detect the NAT during IKE phase 1 (NAT-D payloads carrying hashes of the addresses and ports each side sees), then move IKE and the ESP packets to UDP port 4500. The UDP header gives the NAT device the port information it needs for Port Address Translation, and the peers send periodic keepalives so the NAT mapping does not expire while the tunnel is idle. On the SRX NAT-T is enabled by default and must be used whenever a NAT device sits between the two IKE peers.