JN0-335 Reviews Questions

• Cluster failovers occur when one node in a chassis cluster becomes inactive or unreachable, and the other node takes over the processing of traffic and services. To control when cluster failovers occur, you can configure two specific parameters on an SRX Series device: heartbeat-interval and heartbeat-threshold12.
• Heartbeat-interval is the time interval, in milliseconds, between heartbeat messages sent by each node to the other node. The default value is 1000 ms. You can configure the heartbeat-interval value from 100 through 3000 ms1.
• Heartbeat-threshold is the number of consecutive heartbeat messages that can be missed before a node is considered to be down. The default value is 3. You can configure the heartbeat-threshold value from 2 through 2551.
• The combination of heartbeat-interval and heartbeat-threshold determines the failover time, which is the maximum time it takes for a node to detect the failure of the other node and initiate a failover. The failover time is calculated as follows: failover time = heartbeat-interval x heartbeat-threshold1.
• For example, if the heartbeat-interval is 1000 ms and the heartbeat-threshold is 3, the failover time is 3000 ms. This means that if a node does not receive three consecutive heartbeat messages from the other node within 3000 ms, it will assume that the other node is down and initiate a failover1.
• You can configure the heartbeat-interval and heartbeat-threshold parameters using the set chassis cluster redundancy-group group-id node node-id priority priority heartbeat-interval interval heartbeat-threshold threshold command1.

References:

• 1: Configuring Chassis Cluster Redundancy Group Properties | Junos OS | Juniper Networks
• 2: Example: Configuring an Active/Passive Cluster Deployment | Junos OS | Juniper Networks

• JSA Rules
• Custom Rules
• Creating a Custom Rule
• JSA Rules - TechLibrary

Juniper Secure Analytics (JSA) is a security information and event management (SIEM) system that consolidates, analyzes, and manages surveillance data from network devices, endpoints, and applications. JSA uses two types of data collectors: Event Collector and Flow Collector1

The Event Collector collects and parses logs from various log sources, such as firewalls, routers, servers, and intrusion detection or prevention systems. The Event Collector normalizes the log data into a common format and sends it to the JSA console for further analysis and correlation. The Event Collector supports different protocols for log collection, such as syslog, SNMP, JDBC, and SDEE12

The Flow Collector collects and processes network traffic data from various flow sources, such as Flowlog files, NetFlow, J-Flow, sFlow, and Packeteer. The Flow Collector enriches the flow data with additional information, such as application identification, geolocation, and threat intelligence. The Flow Collector sends the flow data to the JSA console for further analysis and correlation. The Flow Collector can use statistical sampling to reduce the amount of flow data that is collected and processed, which can improve the performance and scalability of the system12

The Event Collector does not collect information using BGP FlowSpec, which is a protocol that allows the distribution of traffic flow specification rules among BGP peers. BGP FlowSpec is not a supported flow source for JSA3

The Flow Collector does not parse logs, which are textual records of network activity generated by log sources. The Flow Collector only handles flow data, which are binary records of network traffic generated by flow sources12

References: 1: Data Collection | JSA 7.5.0 | Juniper Networks 2: Data Collection - TechLibrary - Juniper Networks 3: Understanding BGP FlowSpec - TechLibrary - Juniper Networks

SRX Series device chassis clusters are created by physically connecting two identical cluster-supported SRX Series devices using a pair of the same type of Ethernet connections. The connection is made for both a control link and a fabric (data) link between the two devices. The chassis cluster data plane is connected with revenue ports, which are the ports that carry user traffic. The chassis cluster can contain a maximum of two devices, as only two nodes can form a cluster. The chassis cluster data plane is not connected with SPC ports, which are the ports that provide services processing. The chassis cluster cannot contain more than two devices, as this would violate the cluster design. References: Chassis Cluster Overview, Connecting SRX Series Firewalls to Create a Chassis Cluster