Tuesday, September 13, 2011

How i prepared myself for JNCIE-SEC

Hi All,

How I prepared myself for the JNCIE-SEC Beta lab Exams.


I have been working with ScreenOs from 1999, so I know the security features and flow very well. Which is a plus, because they re use a lot of these in Junos for security.
2 a 3 years ago I started to play with Junos because they released a special version Junos-es (enhanced services) for the J-series routers that had some of the security features there.
Then they came with the EX devices and SRX devices and worked more with Junos then ScreenOs.

From then on I wanted to know as much as I can about this OS and all there features (EX/SRX/MX/etc).

In the beginning of my career I did Cisco and worked up to CCNP and almost started to do the CCIE, but never went there because a move from switching/routing to Security.

That day I stated “whenever there is a netscreen CCIE like certificate I want to get it”

And this certificate is there now (not on ScreenOs, but on Junos) JNCIE-SEC.

What I want to tell with above information is that you first need extensive practical experience to start with the JNCIE-SEC journey.


To prepare myself for the lab I first did all the other written exams (JNCIS-SEC/JNCIP-SEC). The first was no problem, but the JNCIP-Sec wasn’t that easy, my first attempt I didn’t pass (I didn’t study for it because I was pretty sure I would pass based on my hands-on experience. (Which wasn’t the fact)

There was a topic that I never heard of …. Group vpn!
The second time I order the 2 juniper courses to prepare myself. After reading them I did it again and passed. (courses: Advanced Junos Security (AJSEC) ,Junos Intrusion Prevention System Functionality (JIPS) )

So this exam was good to see which topics I never did in real life and needed to do in lab environment.

Lab setup:

Then I build a lab setup, where I could test most of the topic that were listed in the lab topic:

• Complex policy implementations, including anti-virus scanning, and URL filtering
• IPS, IPSec VPNs, including PKI, hub-and-spoke, transparent mode, dynamic, and overlapping address designs;
• HA
• Troubleshooting of policy, routing, and IPSec VPNs
• Traffic management
• Advanced management configurations
• Aggregated Ethernet.

This is the lab schema:

2 x SRX100: (HA, IPS, UTM, VPN, OSPF)
1 x SRX100: Remote Sites (VPN, OSPF)

With this setup I tested the following things:

• Complex policy implementations, including anti-virus scanning, and URL filtering
• IPS, IPSec VPNs, hub-and-spoke, dynamic, and overlapping address designs.
• HA
• Troubleshooting of policy, routing, and IPSec VPNs
• Traffic management

I didn’t test following things:

• PKI, transparent mode
• Advanced management configurations
• Aggregated Ethernet

I didn’t test these because i know how these work (hands-on experience)

Be aware: this doesn’t mean it is not in the lab exams!

To give some more details on the things I tested:

With the srx100 we made a cluster. This device did all the IPS and UTM stuff.

We connected 2 srx100 with vpn(one fixed ip and one with a dynamic ip (so we both had dynamic and static vpn peer). We enabled OSPF between the 2 devices.

We also tested the “Group VPN”, because we never did this before and wanted to see what I could do and how you needed to build it.

One of the last tests was to ask a college of mine to change some stuff and try to find what the problem was. (Test some advanced troubleshooting )

The day before I did my exams I also configure some Dynamic VPN (remote ipsec client feature) on the srx. (This was in the bar of my hotel, with I nice beer)


- Read all your questions in the beginning and make a L3 drawing of the setup
- Know your configuration commands (you don’t have much time)
- The whole exam is in CLI (no web or nsm)
- Be sure you can configure all the topics that are in the exam description!

That’s all good luck all.