The correct answers are A, B, and D. In Security Director, the Shared Objects workspace is used for reusable objects that can be referenced by policies across managed devices. Juniper documentation shows that address objects are created from Configure > Shared Objects > Addresses, and those address objects can be used across devices in firewall, NAT, IPS, and VPN services. This supports option B, because IP address/address objects are classic shared objects.

Option A is correct because Geo IP policies are created from Configure > Shared Objects > Geo IP. Juniper’s procedure explicitly places Geo IP under the Shared Objects path. Option D is also correct because policy enforcement groups are created from Configure > Shared Objects > Policy Enforcement Groups and are used to group endpoints such as IP addresses, subnets, or locations for policy-enforcement workflows.

Option C is wrong because audit logs are monitoring records, not reusable shared objects; Juniper places them under Monitor > Audit Logs, where they track login history and user-initiated tasks. Option E is wrong because policy rules are created and managed inside firewall, NAT, IPS, or threat policies, not as independent Shared Objects. Reference topics: Security Director, Shared Objects, address objects, Geo IP, policy enforcement groups.

The correct answers are C and D. The cSRX is Juniper’s containerized SRX firewall, intended for lightweight virtual and container environments where rapid deployment and high density matter. Juniper’s cSRX documentation lists supported security capabilities including basic firewall policy, NAT, Intrusion Detection and Prevention, content security/UTM functions, ATP Cloud, SSL Proxy, AppID, AppFW, and AppTrack. That supports option C, because cSRX provides SRX security services in a containerized footprint rather than requiring a full VM-based firewall appliance.

Option D is also correct because Juniper identifies the cSRX’s small footprint and minimum resource reservation requirements as key benefits; it is designed to scale more densely than VM-based firewall options. Juniper’s Day One cSRX guide specifically identifies faster deployment, a small footprint, and reduced resource consumption as major benefits. Option A is not the best answer for this exam item because the question asks for cSRX deployment benefits, not merely forwarding-mode support. Option B is wrong because the tested cSRX advantage is not a default three-zone configuration. Reference topics: cSRX container firewall, virtual SRX deployment, firewall/NAT/IPS/UTM services, lightweight resource footprint.

The correct answers are B, D, and E. Security Director device onboarding depends on management reachability and valid administrative access. Juniper’s device discovery documentation states that Junos Space discovers network devices using SSH, with optional ping and SNMP, and connects to the physical device to retrieve running configuration and status information. It also explains that device authentication uses administrator login credentials, SSH credentials, SNMP settings, or keys depending on the discovery method.

Option E is required because Security Director must target a reachable management IP address or hostname. Juniper’s discovery-profile workflow explicitly uses the target IP address, hostname, IP range, or subnet to locate devices. Option D is required because invalid username/password or insufficient privileges prevent discovery and management; Juniper’s device-management guidance identifies credentials as required input for discovering devices. Option B is required because onboarding uses SSH, so the correct SSH service and port must be reachable. Juniper’s device access procedure explicitly includes a Port field for the SSH connection.

Option A is wrong because chassis serial number is not the normal troubleshooting field for Security Director discovery. Option C is wrong because active security policies do not determine whether Security Director can initially discover and onboard the device. Reference topics: Security Director, device discovery, SSH access, management IP reachability, authentication credentials.

The correct answers are A and B. In Security Director-managed environments, Security Director can download the signature database and then install the active signature database update on selected managed devices. Juniper’s Security Director workflow states that after the signature database is downloaded, you install the active database, select the target devices, and Security Director sends the full or incremental signature database update to those devices. That confirms that Security Director stores and manages the signature database package centrally for deployment.

Option B is also correct because the SRX Series device must have the application signature database installed locally for AppID/AppSecure features such as AppFW, AppTrack, AppQoS, and IDP application matching. Juniper’s AppID documentation states that the application package is installed in the application signature database on the device, and that AppID signature updates enable AppSecure features on the SRX.

Option C is wrong because Juniper provides and maintains the predefined AppID database through Juniper’s security download infrastructure, not a third-party host. Juniper explicitly describes the predefined application identification database as provided by Juniper Networks and updated through a subscription service. Option D is wrong because a local storage server can be used only as part of an offline/manual update workflow; it is not where the AppID database normally resides. Reference topics: Security Director, AppID database, application signatures, SRX AppSecure services, signature database installation.

The correct answer is B. LDAP. In Juniper identity-aware firewall deployments, the SRX Series Firewall integrates with Microsoft Active Directory so that user and group information can be used in security policy decisions. Juniper’s Active Directory identity-source documentation states that the LDAP protocol helps identify the groups to which users belong, and that username and group information are queried from the LDAP service running on the Active Directory domain controller. It also explains that the device uses Lightweight Directory Access Protocol to obtain user and group information required for Active Directory identity-source operation.

Option A, SSH, is wrong because SSH is a device management protocol, not the protocol SRX uses to query Active Directory user/group membership. Option C, DNS, is wrong because DNS can resolve names but does not provide Active Directory group mapping to the firewall. Option D, NETCONF, is wrong because NETCONF is used for network device configuration and automation, not Windows domain-controller identity queries. In a complete identity-aware firewall workflow, SRX may also use WMI/DCOM-related mechanisms to read Windows event-log data, but among the available protocol choices, LDAP is the correct answer because it is the directory protocol used to query user and group information. Reference topics: Active Directory identity source, LDAP, domain controller communication, user and group mapping.

The correct answers are A and B. In an SRX chassis cluster, the cluster ID identifies the chassis cluster itself, while the node ID identifies the individual SRX device inside that two-node cluster. Juniper states that a cluster is identified by a cluster-id value from 1 through 255, and that setting the cluster ID to 0 is equivalent to disabling clustering. Therefore, option A is correct and option C is wrong.

Option B is also correct because Juniper states that a cluster node is identified by a node ID specified as a number from 0 through 1. A normal SRX chassis cluster has two nodes: node0 and node1. The two devices must use the same nonzero cluster ID so they belong to the same cluster, but each device must use a different node ID so Junos can apply node-specific configuration, interface numbering, redundancy-group ownership, and management settings correctly. Option D is wrong because node IDs do not range from 1 through 255; that range applies to cluster IDs, not node IDs. Reference topics: HA Clustering, cluster ID, node ID, chassis cluster formation, node0/node1 identification.

The correct answers are B and D. In Junos SSL proxy terminology, client protection maps to SSL forward proxy. In a forward-proxy deployment, the SRX sits between internal clients and external SSL/TLS servers. The firewall intercepts the server certificate, generates a substitute certificate, signs it with the configured root CA, decrypts the SSL session for inspection, and then re-encrypts traffic toward the destination server. Juniper’s SSL proxy configuration table shows that a forward-proxy profile uses root-ca configured = Yes and server-certificate configured = No. It also states that configuring neither certificate type fails commit validation, while configuring both root-ca and server-certificate in the same profile is unsupported.

Option A is wrong because a server certificate is required for reverse proxy/server protection, not for client-protection forward proxy. Option C is wrong because without a trusted root CA, client browsers would not trust the certificates generated by the SRX during interception. Juniper separately notes that the root CA certificate is required for client browsers to trust certificates signed by the firewall. Reference topics: SSL Proxy, client protection, SSL forward proxy, root CA, server protection, SSL reverse proxy.

The correct answers are B and C. Juniper Secure Connect uses route-based VPN connectivity, not policy-based VPN connectivity. Juniper’s Secure Connect user guide contrasts Dynamic VPN and Juniper Secure Connect and identifies Juniper Secure Connect as using route-based VPN connectivity, with a tunnel interface selected or created to bind the VPN. This is why SRX configurations for Juniper Secure Connect use an st0 tunnel interface and routing/security policy logic, rather than policy-based encryption tied directly to individual firewall policies.

Option B is also correct because Juniper Secure Connect can use a self-signed certificate. Juniper’s certificate deployment guidance states that before deploying Juniper Secure Connect, the SRX should use an appropriate certificate, which can be a signed certificate, a self-signed certificate, or a Let’s Encrypt-signed certificate. The documentation also shows generating a self-signed certificate and binding it to the SRX for Secure Connect use.

Option A is wrong because policy-based VPN describes older Dynamic VPN behavior, not Juniper Secure Connect. Option D is directly contradicted by Juniper’s certificate guidance. Reference topics: Juniper Secure Connect, route-based VPN, st0 tunnel interface, certificate deployment, self-signed certificate support.

The correct answer is A. It supports a maximum of two domains. Juniper’s Active Directory identity-source configuration guidance states that an SRX Series Firewall using the integrated user firewall/Active Directory identity source can be configured for a maximum of two domains. That is the exact limit relevant to this question. The same Juniper configuration page separately states that a maximum of 10 domain controllers can be configured, which directly eliminates option C because the supported figure is not 20 Active Directory servers per domain.

Option B is wrong because Active Directory identity source is not presented as a logical-systems feature in the JNCIS-SEC identity-aware firewall context. Option D is wrong because the primary Active Directory mechanism reads Windows domain controller event logs and uses WMI/DCOM plus LDAP to build IP-to-user and group mappings. Juniper describes the SRX as reading and monitoring the Windows event log on the domain controller, then using LDAP to obtain user/group information. Non-domain or non-Windows cases typically require alternate authentication behavior such as captive portal, not native Active Directory event-log tracking.

Reference topics: Identity-Aware Security Policies, Active Directory identity source, integrated user firewall, domain limits, domain controllers, WMIC, LDAP mapping.

The correct answer is B. Add custom-attack Custom-FTP-Attack to the attacks section and change the action to drop-packet. In the exhibit, the IDP rule is built under rulebase-ips with a match block and a then block. Attack objects belong inside the match attacks hierarchy because they define what malicious pattern the IDP rule is trying to detect. Juniper’s IDP documentation states that attack objects are specified in rules to identify malicious activity and that the rule’s attack objects/groups are the attacks the device matches in monitored traffic.

The enforcement behavior belongs in the then action hierarchy. The current rule uses close-client; to meet the requirement, it must be changed to drop-packet. Juniper defines Drop Packet as an IDP action that drops a matching packet before it reaches its destination without closing the connection. Option A keeps the wrong action. Option C is structurally wrong because a custom attack object is not configured under the action section. Option D is also wrong because the notification section controls logging/alert behavior, not attack matching. Reference topics: IDP rulebase, custom attack objects, match attacks hierarchy, IDP actions, drop-packet behavior.