According to the Juniper documentation, the steps to detect domain generation algorithms (DGA) on an SRX Series firewall are as follows:

Define a security-metadata-streaming policy under [edit services]. A security-metadata-streaming policy is a configuration that enables the SRX Series firewall to collect and stream security metadata, such as DNS queries and responses, to Juniper ATP Cloud for analysis.Juniper ATP Cloud uses machine learning models and known pre-computed DGA domain names to provide domain verdicts, which helps in-line blocking and sinkholing of DNS queries on SRX Series firewalls1. You can define a security-metadata-streaming policy by using the following command:

set services security-metadata-streaming policy

Attach the security-metadata-streaming policy to a security zone. A security zone is a logical grouping of interfaces that have similar security requirements. You can attach the security-metadata-streaming policy to a security zone by using the following command:

set security zones security-zone <zone-name> services security-metadata-streaming policy

The following steps are not required or incorrect:

Define an advanced-anti-malware policy under [edit services]. An advanced-anti-malware policy is a configuration that enables the SRX Series firewall to scan files for malware using Juniper ATP Cloud.It is not related to DGA detection2.

Attach the advanced-anti-malware policy to a security policy. A security policy is a configuration that defines the rules for permitting or denying traffic between security zones.It is not related to DGA detection3.

To modify the configuration to fulfill the requirements, you need to modify the log-all term to add the next term action. The other options are incorrect because:

B) Deleting the log-all term would prevent logging all traffic, which is one of the requirements.The log-all term matches all traffic from any source address and logs it to the system log file1.

C) Adding a term before the log-all term that blocks Telnet would also prevent logging all traffic, because the log-all term would never be reached. The firewall filter evaluates the terms in sequential order and applies the first matching term.If a term before the log-all term blocks Telnet, then the log-all term would not match any traffic and no logging would occur2.

D) Applying a firewall filter to the loopback interface that blocks Telnet traffic would not block inbound Telnet traffic on interface ge-0/0/3, which is another requirement. The loopback interface is a logical interface that is always up and reachable.It is used for routing and management purposes, not for filtering traffic on physical interfaces3.

Therefore, the correct answer is A. You need to modify the log-all term to add the next term action. The next term action instructs the firewall filter to continue evaluating the subsequent terms after matching the current term.This way, the log-all term would log all traffic and then proceed to the block-telnet term, which would block only inbound Telnet traffic on interface ge-0/0/34. To modify the log-all term to add the next term action, you need to perform the following steps:

Enter the configuration mode: user@host> configure

Navigate to the firewall filter hierarchy: user@host# edit firewall family inet filter block-telnet

Add the next term action to the log-all term: user@host# set term log-all then next term

Commit the changes: user@host# commit

log (Firewall Filter Action)

Firewall Filter Configuration Overview

loopback (Interfaces)

next term (Firewall Filter Action)

Juniper ATP Cloud provides zero-day malware protection for non-Juniper firewalls. It's a cloud-based service that analyzes files and network traffic to detect and prevent known and unknown (zero-day) threats. It uses a combination of static and dynamic analysis techniques, as well as machine learning, to detect and block malicious files, even if they are not known to traditional anti-virus software. It also provides real-time visibility and detailed forensics for incident response and remediation.

The source address is translated because the traceoptions output shows that the source IP address 192.168.5.2 is translated to 192.168.100.1 and the source port 0 is translated to 14777. The traceoptions output also shows the flag flow_first_src_xlate, which indicates that this is the first time that source NAT is applied to this session.

The packet is an SSH packet because the traceoptions output shows that the application protocol is tcp/22, which is the default port for SSH. The traceoptions output also shows the flag flow_tcp_syn, which indicates that this is the first packet of a TCP connection.

traceoptions (Security NAT) | Junos OS | Juniper Networks

[SRX] How to interpret Flow TraceOptions output for NAT troubleshooting

To share threat intelligence from your environment with third party tools, you need to enable Juniper ATP Cloud to share threat intelligence and configure application tokens in the Juniper ATP Cloud to limit who has access. The other options are incorrect because:

A) Configuring application tokens in the SRX Series firewalls is not necessary or sufficient to share threat intelligence with third party tools.Application tokens are used to authenticate and authorize requests to the Juniper ATP Cloud API, which can be used to perform various operations such as submitting files, querying C&C feeds, and managing allowlists and blocklists1.However, to share threat intelligence with third party tools, you need to enable the TAXII service in the Juniper ATP Cloud, which is a different protocol for exchanging threat information2.

D) Enabling SRX Series firewalls to share threat intelligence with third party tools is not possible or supported.SRX Series firewalls can send potentially malicious objects and files to the Juniper ATP Cloud for analysis and receive threat intelligence from the Juniper ATP Cloud to block malicious traffic3. However, SRX Series firewalls cannot directly share threat intelligence with third party tools. You need to use the Juniper ATP Cloud as the intermediary for threat intelligence sharing.

Therefore, the correct answer is B and C. You need to enable Juniper ATP Cloud to share threat intelligence and configure application tokens in the Juniper ATP Cloud to limit who has access. To do so, you need to perform the following steps:

Enable and configure the TAXII service in the Juniper ATP Cloud. TAXII (Trusted Automated eXchange of Indicator Information) is a protocol for communication over HTTPS of threat information between parties. STIX (Structured Threat Information eXpression) is a language used for reporting and sharing threat information using TAXII. Juniper ATP Cloud can contribute to STIX reports by sharing the threat intelligence it gathers from file scanning.Juniper ATP Cloud also uses threat information from STIX reports as well as other sources for threat prevention2.To enable and configure the TAXII service, you need to select Configure > Threat Intelligence Sharing in the Juniper ATP Cloud WebUI, move the knob to the right to Enable TAXII, and move the slidebar to designate a file sharing threshold2.

Configure application tokens in the Juniper ATP Cloud. Application tokens are used to authenticate and authorize requests to the Juniper ATP Cloud API and the TAXII service. You can create and manage application tokens in the Juniper ATP Cloud WebUI by selecting Configure > Application Tokens. You can specify the name, description, expiration date, and permissions of each token. You can also revoke or delete tokens as needed.You can use the application tokens to limit who has access to your shared threat intelligence by granting or denying permissions to the TAXII service1.

Threat Intelligence Open API Setup Guide

Configure Threat Intelligence Sharing

About Juniper Advanced Threat Prevention Cloud