The correct answer is B. ESP. In IPsec, the security protocol responsible for encrypting protected traffic is Encapsulating Security Payload (ESP). Juniper defines ESP as the IPsec protocol used for encrypting the IP packet and authenticating its contents. In practical SRX VPN design, ESP is the normal protocol selected when confidentiality is required because it can provide encryption, packet integrity, authentication, and anti-replay protection depending on the configured IPsec proposal.

Option A, SHA-1, is incorrect because SHA-1 is an authentication/hash algorithm, not an IPsec security protocol and not a payload encryption mechanism. Option C, AH, is incorrect because Authentication Header validates packet source and integrity but does not encrypt payload data. AH is therefore unsuitable when the requirement explicitly says payload data must be encrypted. Option D, PFS, is incorrect because Perfect Forward Secrecy is a key-exchange property used during Phase 2 rekeying; it strengthens key independence but does not itself encrypt packets. In Junos IPsec configuration logic, the security protocol decision is between ESP and AH, and encryption requires ESP. Reference topics: IPsec VPN, ESP, AH, IPsec security protocols, payload confidentiality, IPsec proposal design.

The correct answers are A and B. In SRX chassis clustering, the fab interface is the fabric data-plane link between cluster nodes. Juniper explains that data-plane software synchronizes session state using runtime objects, or RTOs, across the fabric data link, and this fabric link also supports forwarding traffic between nodes when ingress and egress processing occur on different chassis members.

swfab is also a chassis-cluster data-plane-related interface used for Layer 2 switching fabric functionality. Juniper’s Ethernet switching on chassis cluster documentation describes swfab0 and swfab1 as pseudointerfaces created for Layer 2 fabric functionality, enabling switching across the nodes. Option C, fxp1, is wrong because fxp1 is the control link interface used for cluster control-plane communication, heartbeats, and synchronization signaling, not a data-plane fabric interface. Option D, fxp0, is wrong because fxp0 is the out-of-band management interface. The clean separation is: fxp0 = management, fxp1 = control link, fab = routed/data fabric, and swfab = Layer 2 switching fabric. Reference topics: HA Clustering, fab interfaces, swfab interfaces, control link, management interface, data-plane synchronization.

The correct answer is A. Manually configure and apply an SSL proxy profile. HTTPS traffic is encrypted, so ATP Cloud cannot extract and submit downloaded files for malware analysis unless the SRX can decrypt the SSL/TLS session first. Juniper’s ATP Cloud documentation states that to detect malware in HTTPS traffic, you must configure the SSL inspection CA used for SSL forward proxy, and the ATP Cloud policy workflow specifically includes configuring an SSL proxy profile to inspect HTTPS traffic. Juniper’s example shows the SSL proxy profile being created with a root CA and then applied so HTTPS sessions can be inspected before advanced anti-malware processing occurs.

Option B is wrong because lowering the threat score only changes the enforcement threshold after a file verdict is returned; it does not solve the inability to inspect encrypted payloads. Option C is wrong because changing the ATP device profile alone does not decrypt HTTPS traffic. The exhibit already shows a malware profile and HTTP file-download configuration, but HTTPS malware detection still requires SSL proxy. Option D is wrong because Junos ATP Cloud integration does not require redirecting encrypted traffic to a separate decryption appliance for this task. The SRX performs SSL forward proxy locally, then advanced anti-malware can inspect extracted content. Reference topics: ATP Cloud, HTTPS malware inspection, SSL forward proxy, SSL inspection CA, advanced anti-malware policy.

The correct answers are A and B. In an SRX chassis cluster, the cluster ID identifies the chassis cluster, and valid operational cluster IDs are nonzero values. Juniper’s chassis cluster command documentation states that the system uses the chassis cluster ID and node ID to apply the correct node-specific configuration, and the command writes the chassis cluster ID and node ID to EPROM. When the cluster ID is set to 0, clustering is disabled; therefore, the HA cluster configuration is effectively ignored because the device is no longer operating as a chassis-cluster member.

Option B is also correct because Juniper states that chassis cluster ID and node ID changes take effect only after the system is rebooted. That is why the operational command format includes the reboot behavior when setting cluster-id and node. Option C is wrong because node ID 0 is valid; it identifies node0 in the two-node cluster. Option D is wrong because SRX chassis clusters use node IDs 0 and 1 only; the 1–255 range applies to cluster IDs, not node IDs. Reference topics: HA Clustering, cluster ID, node ID, EPROM, chassis cluster enablement, node-specific configuration.

The correct answers are B and C. Juniper IDP uses attack objects as match conditions inside IDP policy rules. Juniper states that IDP attack objects represent known and unknown attacks and that the predefined attack object database is periodically updated by Juniper Networks. The main IDP attack object types include signature attack objects, protocol anomaly attack objects, and compound attack objects.

Option C is correct because signature attack objects detect known attacks using stateful attack signatures. Juniper defines a signature as a pattern that exists within a specific section of an attack and includes protocol, service, direction, flow, and context information to reduce false positives.

Option B is correct because protocol anomaly attack objects detect abnormal protocol behavior. Juniper explains that protocol anomaly objects identify unusual or ambiguous traffic that violates protocol specifications, RFCs, or common RFC extensions.

Option A is wrong because “statistic-based” is not one of the IDP attack object database types being tested here. Option D is wrong because “vector-based” is not a Juniper IDP attack object type. Reference topics: IDP, attack object database, signature-based attack objects, protocol anomaly attack objects, predefined attack objects.

The correct answer is A. The same cluster ID was used on both clusters. In an SRX chassis cluster, a redundant Ethernet interface, or reth, uses a cluster-derived virtual MAC address. When two separate chassis clusters are placed in the same Layer 2 domain and use the same cluster ID, their corresponding reth interfaces can generate the same virtual MAC address. That is exactly why the network team sees the same MAC address for reth0 from both clusters on VLAN 1042. Juniper community guidance states bluntly that the reth interface MAC address is derived from the cluster ID and that two clusters using the same ID produce identical MAC addresses.

Option B is wrong because split-brain would describe both nodes inside the same cluster thinking they are primary, not two separate chassis clusters producing the same reth MAC address. Option C is wrong because multiple SRX clusters can exist on the same VLAN if their cluster IDs are unique. Option D is wrong because LACP synchronization affects bundled link operation, not the generation of the reth virtual MAC address. The correction is to assign unique cluster IDs to clusters sharing the same Layer 2 segment. Reference topics: HA Clustering, chassis cluster ID, reth virtual MAC address, duplicate MAC prevention, Layer 2 cluster design.

The correct answer is C. device policy rules. In Junos Space Security Director, policy scope matters. A rule intended for one specific SRX Series device must be placed in a device policy, because Juniper defines a device policy as a firewall policy created per device and used when you want to push a unique firewall policy configuration per device. Security Director also distinguishes this from group policies, which are shared with multiple devices, and from all-devices policy rules, which are global in scope rather than device-specific.

Option A is wrong because all-devices prerules are global rules evaluated before device-specific rules; they are not intended for a unique single-device exception. Option B is wrong because group policy prerules apply to devices within a group, not to one individually targeted SRX firewall. Option D is wrong because all-devices postrules are still globally scoped, even though they occur later in policy order. The clean Security Director design is to use device policy rules when the policy must apply only to one SRX device. Reference topics: Security Director, firewall policy hierarchy, device policy, group policy, all-devices prerules/postrules.

The correct answers are B and C. Adaptive Threat Profiling allows SRX Series Firewalls to act either as inline enforcement devices or as tap-based sensors. In an inline deployment, the SRX is directly in the traffic path and can enforce policy actions such as blocking, denying, or adding threat indicators to Security Intelligence feeds for real-time mitigation. In a tap deployment, the SRX observes copied traffic from a TAP/SPAN-style feed and contributes intelligence without being the active forwarding device. Juniper’s ATP Cloud documentation states that Adaptive Threat Profiling enables SRX devices to be deployed as sensors on Tap ports, identifying and sharing intelligence to inline devices for real-time enforcement. It also describes a “Tap-based SRX Series Firewall sensor” and contrasts it with an inline device.

Option A, bridge, is not the deployment mode being tested here. Bridge/transparent forwarding is a firewall deployment style, not the named Adaptive Threat Profiling mode. Option D, promiscuous, is also wrong; promiscuous mode is an interface behavior, not the ATP Adaptive Threat Profiling deployment model. Reference topics: ATP Cloud, Adaptive Threat Profiling, tap sensors, inline enforcement, Security Intelligence feeds.

The correct answer is B. count. In Junos security policy configuration, count is the policy parameter used for accounting and tabular operational visibility. Juniper’s security policy configuration rules state that accounting and auditing elements can be specified with count and log, while logging itself is enabled at either session-init or session-close.

The operational result is visible through commands such as show security policies hit-count, which displays a table of policy hit counters, including fields such as index, from-zone, to-zone, policy name, policy count, and action. Juniper defines this command as displaying the number of times a security policy rule matches traffic, and the sample output is explicitly tabular. Option A, permit, is an action, not a counter or logging/accounting parameter. Option C, session-init, logs at the beginning of a session, and option D, session-close, logs at session teardown. Those two parameters generate logs, but they do not provide the tabular policy-count view being asked about. Reference topics: security policy accounting, count parameter, hit-count, operational-mode policy monitoring, session-init/session-close logging.