What are two system-defined zones created on the SRX Series Firewalls? (Choose two.)

1. A. null
2. B. junos-host
3. C. management
4. D. DMZ

Correct Answer: AB
On SRX Series Firewalls, Junos OS automatically createssystem-defined zonesthat have special functions:
Null zone (Option A):A predefined discard zone. By default, all interfaces belong to the null zone until assigned to a user-defined zone. Traffic destined to the null zone is dropped.
Junos-host zone (Option B):A predefined functional zone that allows security policies to control traffic directed to the SRX device itself (management traffic, such as SSH, HTTP, SNMP).
Management zone (Option C):There is a predefinedmanagement functional zone, but it is not called "management" as a system-defined security zone.
DMZ (Option D):A DMZ zone must be explicitly created by the administrator, it is not system-defined.
Correct Zones:null, junos-host
[Reference:Juniper Networks –Security Zones and Functional Zones, Junos OS Security Fundamentals., ]

You have created a series of security policies permitting access to a variety of services. You now want to create a policy that blocks access to all other services for all user groups.
What should you create in this scenario?

1. A. global security policy
2. B. Juniper ATP policy
3. C. IDP policy
4. D. integrated user firewall policy

Correct Answer: A

You are asked to create a security policy that controls traffic allowed to pass between the Internet and private security zones. You must ensure that this policy is evaluated before all other policy types on your SRX Series device.
In this scenario, which type of security policy should you create?

1. A. routing policy
2. B. default policy
3. C. zone policy
4. D. global policy

Correct Answer: D

When does screening occur in the flow module?

1. A. before session lookup
2. B. during policy lookup
3. C. during route lookup
4. D. after session lookup

Correct Answer: A
In Juniper SRX flow-based packet processing, theflow moduleis responsible for security functions such as screening, session management, NAT, and policy enforcement. The processing order is critical:
Screens are applied before any session lookup.This ensures that packets are inspected for anomalies, floods, or protocol violations before consuming resources for session management. Examples of these screens include TCP SYN flood protection, ICMP flood protection, and port scanning protection.
After screening, thesession lookupoccurs. At this point, the firewall checks whether the packet belongs to an existing session in the session table. If a matching session is found, the packet bypasses policy evaluation and is forwarded according to the session state.
If no existing session is found, the packet continues throughroute lookup, NAT processing, and security policy evaluationbefore a new session is created.
Thus,screening occurs before the session lookup, protecting the system early in the flow process. This design ensures efficiency by dropping malicious or malformed traffic before allocating session resources.
[Reference:Juniper Networks –SRX Series Services Gateways Security Processing (Flow Module Sequence), Junos OS Security Fundamentals, Official Course Guide., , ]

Which two characteristics of destination NAT and static NAT are correct? (Choose two.)

1. A. Static NAT automatically creates a matching rule for the opposite direction.
2. B. Destination NAT requires address range sizes that match the devices being translated.
3. C. Static NAT uses Port Address Translation.
4. D. Destination NAT supports port forwarding.

Correct Answer: AD