JNCIS-FWV (Juniper Networks Certified Internetwork Specialist-Firewall and VPN)
Course Details
System Setup and Initial Configuration
– Security architecture components
– Packet flow and decision process
– IPv6 packet handling
– ScreenOS firewall/VPN product lines
– System components
– Interfaces
– Zones
– Management access and services
– User accounts and authentication
– Administrative lockout
– DNS
– NTP
– VLANs, aggregated
– Management
– Bridge
– Tunnel
– Loopback
– Interface
– Redundant
– vsys interfaces and zones
– Inter-vsys routing
– Profiles
– CPU resource management
Layer 3 Operations
– Routing lookup
– Virtual
– Static and default
– Dynamic routing – RIP, OSPF,
– Considerations for routing over
– Route optimization and
– Route redistribution; access lists and route
– Source-based vs. policy-based
– IPv6
– Interfaces
– IP addressing
– Virtual router
– Static/default routes, including floating static routes
– RIP
– OSPF
– BGP
– Redistribution
– Access lists and route maps
– Source-based and policy-based routing
– Layer 3 verification
– Layer 3 troubleshooting – get vrouter, debug, flow filter, session table
Security Policies
– Zones and policies
– Policy components
– Policy options
– Policy ordering
– Policy scheduling
– Global policies
– Multicell policies
– Address books
– Policing and guaranteed bandwidth
– Services
– Address books and address groups
– Services and service groups
– Policy verification
– Policy troubleshooting – debug, get session
NAT
– Interface-based vs. policy-based NAT
– NAT type usage
– Source NAT (NAT-src)
– Dynamic IP addresses (DIP)
– Destination NAT (NAT-dst)
– Virtual IP addresses (VIP)
– Mapped IP addresses (MIP)
– Precedence
– Policy-based NAT
– Dynamic IP addresses (DIP)
– Reachability/Routing
– VIP and MIP
– NAT verification
– NAT troubleshooting – debug, get session, and traffic logs
IPsec VPNs
– Secure VPN characteristics and components
– Encapsulating Security Payload (ESP)
– Authentication Header (AH)
– IPsec tunnel establishment – Internet Key Exchange (IKE)
– Hub-and-spoke IPsec VPNs
– Policy-based vs. route-based IPsec VPNs
– Next-hop tunnel binding (NHTB)
– Next Hop Resolution Protocol (NHRP)
– Fixed vs. dynamic peers
– Tunnel interfaces
– Preshared
– VPN
– Objects
– IKE
– Policy
– Routing
– VPN Monitor
– IPsec VPN verification
– IPsec VPN troubleshooting – system/event log, debug, get ike, get sa
High Availability
– NetScreen Redundancy Protocol (NSRP) characteristics
– NSRP modes; usage guidelines
– Links, ports and
– Virtual security device (VSD), virtual security interfaces (VSI) and VSD
– VSD
– Run-time objects (RTOs)
– HA probes
– Failover tuning
– IP tracking
– Virtual Router Redundancy Protocol (VRRP)
– Redundant interfaces
– Links between the firewalls
– Redundant VPN gateways
– HA link
– Cluster settings
– Interfaces
– VSD settings
– RTO synchronization
– Tracking and monitoring
– Redundant interface
– HA verification
– HA monitoring for VPNs – IKE heartbeats, dead peer detection
– HA troubleshooting – debug, get interface, get nsrp stats
Attack Prevention
– Attack types and phases
– Screen options
– Best practices
– Configuration, verification and troubleshooting
– Describe the purpose, configuration and operation of deep inspection (DI)
– Attack object database
– Custom attack objects
– Signature database update methods
– DI policies and actions
– Licensing
– Configuration, verification and troubleshooting
– Antispam profiles
– Actions
– Spam block list (SBL)
– Antivirus scanning methods and options
– Antivirus flow
– Web filtering features and
– Data flow
– Search order
– White lists, black lists and
– Configuration, verification and troubleshooting
System Administration, Management and
– File
– Password
– Logs
– Syslog
– SNMP
– Alarms
– Counters