Not a day that goes by since having passed the JNCIE-SEC exam that I don’t receive an inquiry in one form or another regarding how I prepared for the exam. It seems that there is an incredible amount of interest in this exam, especially from all those die-hard ScreenOS folks that are now converting to Junos. So instead of constantly repeating myself, I figured I’d just put it up on the blog so others can benefit (leaving me more time to do other things, ‘heh).
NOTE: For full disclosure, I must reveal that I am an Technical Trainer and Certification Proctor at Juniper Networks. As such, I take EXTRA responsibility towards protecting the content and integrity of the exam and I take the certification credentials very seriously. Not only that, I worked REALLY, REALLY hard to achieve my JNCIE certifications, and I believe everyone else should too! As such, I kindly ask that candidates refrain from asking me questions which would be considered a violation of the NDA. Also, I should add that although I work for Juniper, the viewpoints expressed in this article are my own and may not necessarily be shared by my employer.
Let’s first start by looking at the exam objectives and then we will move on to the materials I used for preparation and the hardware requirements for building out a lab which would provide for sufficient preparation.
Exam Objectives
Detailed exam objectives are listed on Juniper’s JNCIE-SEC Exam Objectives certification page. Familiarize yourself with these objectives and try to focus your study towards mastering all of these objectives. Learn to read between the lines to identify if additional subject matter might need to be explored for full preparation.
In Junos there are typically more than one way to accomplish a given task so you would be wise to learn all the different ways of accomplishing a goal to achieve complete mastery of the subject matter. For example, can you accomplish bidirectional address translation similar to Static NAT by instead using Source NAT and Destination NAT? What are the benefits and caveats of each approach?
The current Junos software release that is used throughout the exam is Junos 11.1. A quick glance through the release notes may be useful to familiarize yourself with some of the new features introduced in this version.
Study Materials
First and foremost, you are going to want to get your hands on the official Juniper courseware for all the requisite curriculum listed under the Junos Security track. Specifically the following:
- Junos for Security Platforms (JSEC)
- Junos Unified Threat Management (JUTM)
- Advanced Junos Security (AJSEC)
- Junos Intrusion Prevention System Functionality (JIPS)
If you are unable to attend all of these courses in person, one of the cool things is that Juniper now lets you purchase the course materials for self-study purposes. Basically you get access to everything that you would normally receive in the class, minus the instructor and access to the lab gear of course.
NOTE: While it is possible to order the materials for self-study, I strongly advocate taking the actual training if you can do so as the instructors tend to augment the subject matter with additional details, first-hand observations and experience not normally found in the materials. Furthermore, as is the case in classes I normally teach, we tend to reveal tips and techniques which might be useful in certification attempts.
To augment the above, I would highly advise reading the book ‘Junos Security‘ by Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, and James Quinn. I’ll be writing a review of this book in a subsequent post but for now I can’t overemphasize how important this book was in my preparations. In fact, I would advise reading it twice for good measure. There is a lot of good coverage in this book. The majority of what you can expect to see in the exam is covered in this book, and what might be missing is adequately covered in the official courseware material.
I would also suggest making note of the links below. You would be well advised to make use of both of these links during your preparation. The first link is the JumpStation to a wide variety of SRX knowledge base articles and the second link provides detailed coverage on configuring High Availability across a number of different SRX platforms. Familiarize yourself with the subtle differences in HA configuration across all the different platforms as you don’t want your first time to be exposed to these differences to be during an examination attempt.
- SRX Getting Started – Configuration Examples & Troubleshooting (JumpStation)
- SRX Getting Started – Configure Chassis Cluster (High Availability)
Before moving on to the lab setup, I want to mention that we will be offering JNCIE-SEC bootcamps sometime in the future. Although there is currently no committed date for such an offering, when available you will get in-depth coverage of the types of topics you will expect to see on the exam in addition to a simulated lab on the final day of class. Stay tuned for more information regarding our bootcamp offerings on Juniper’s Learning Portal.
Lab Buildout
A common question asked throughout the forums is what type of lab setup is required for adequate preparation. I can tell you that I personally prepared with only two SRX210s and single SRX100 device, but it slowed down my preparations immensely due to constantly having to rearrange and reconfigure the lab setup to accommodate different topologies (hub-and-spoke vs. full-mesh, clustered vs. non-clustered, etc.). If you can spring for it, I would say purchase as many devices as you possibly can so you can build out a clustered SRX while leaving others as standalone and build complex VPN topologies. This way you can spend more of your time learning new features rather than having to rearrange your lab setup.
One of the benefits of having the smaller branch devices is that they are fairly portable. In fact, as seen in the picture to the left, I was able to set up my lab during a trip from DC to New York on an Amtrak train in business class (although others did give me funny looks). As you can see, even during a 3 hour trip, I was able to make use of this time for study preparations.
I would also strongly advise purchasing at least one device with the High Memory option as this will let you run the full gamut of IPS and UTM capabilities, assuming you’ve got the licenses. Speaking of licenses, you can acquire trial licenses from Juniper which are valid for a period of 4 weeks, so I would advise holding off on activating these until you are completely ready. Trial licenses are tied to a devices serial number, and although they are only valid for a period of 4 weeks, you can fetch a trial license once per year for each device serial number.
You can find SRX devices on eBay for as little as a few hundred dollars a piece, so building out a lab doesn’t have to break the bank. And the cool thing is that when you are done you can resell them for a fair market value so in the long term you really shouldn’t have to spend that much getting a decent lab built out.
Once you have your lab completely set up, I would strongly advise going through all the labs in the official courseware as these are indicative of the types of things you will likely see on the exam. Unlike JNCIE-ENT and JNCIE-SP, in this lab it really helps to have incorporated some type of client and server throughout the topology so that various features such as NAT and Stateful Firewall Policy can be properly tested. In lieu of this, and with a bit of creative license, you could actually use one of your SRX platforms with a few Virtual Routers configured to simulate both clients and servers, connected to the Trust ports on the other devices throughout your topology. This won’t give you the same parity as having access to real Clients and Servers, but the idea is to be able to generate sufficient flows to properly trigger things like NAT rules or firewall policy. A lot can be simulated by simply using ‘telnet’ and specifying the destination-port required to trigger a particular rule on a downstream device.
Final Notes
A question most often asked is how long should it take to prepare. The answer to that question really depends on your Junos experience level and background. If you already have previous working experience with Junos or a JNCIE, I would expect about 4-6 months should be sufficient for adequate preparation. Otherwise if you are new to Junos or transitioning over from ScreenOS, I wouldn’t even suggest starting exam preparations until you’ve had at least 1-2 years experience working with Junos and the SRX platforms.
Overall, this might seem like a long time but you’d be amazed at how quickly a few months can go by – if you can carve out even just an hour each day over the course of several months you will be infinitely better served than having to do a bunch of cramming in the last few weeks before your exam. Remember, slow and steady wins the race here… it’s a marathon, not a 100-meter dash.
Last but not least, and this may seem a bit silly but it is really important to try to get to bed early on the night of the exam and get a decent nights rest. If you’re not adequately prepared the night before the exam, cramming all night isn’t going to do you any good. Also, wake up early enough to ensure you can get a good breakfast. Based on personal experience I can tell you that this makes a big difference. I strongly advise oatmeal since it’s low on the Glycemic Index and will give you a slow steady release of energy throughout the morning – the perfect way to ensure your mind is focused and you don’t have any of those mid-morning dips in energy levels or mental acuity.
A little tidbit that not many folks are aware of – you can bring your own keyboards when you sit the exam as you might find the keyboards we provide to be difficult to use. This is one of those little things that can really make a difference when you are used to running all those EMACS command sequences on a keyboard you are familiar with.
I will be proctoring this exam so for those of you attempting to sit the exam in our Herndon office, I look forward to meeting you and wish you the best in your upcoming attempt. With a little bit of luck and a lot of preparation, you may find success and achieve the highly sought-after JNCIE-SEC designation. Good luck and may the force be with you!!!
Thanks Stefan really value able and nice post.
Thanks for the post! I am taking mine in Sunnyvale this week!
Thanks all. Good luck Metacortex, let us know how you did when you’re finished!
Thanks Stefan. Long awaited share from you. Though you didn’t answer on forum but I got all answers from you post But I’ll pinging you for while 🙂
Keep rolling..
Thanks Afan. I know you were waiting as many others were… but sometime life (and the job) gets in the way of my writing… Anyway, hope you find it useful and do keep us posted as you continue down the JNCIE-SEC path…
Excellent! Thank you very much Stefan, another great post.
Hello Stefan
Thanks for the great post, the following J-Net post mentions that the lab might run SRX 240s, can you confirm the same (if this is not an NDA violation)?
http://forums.juniper.net/t5/Training-Certification-and/Hardware-and-Version-for-JNCIE-SEC-Test/td-p/87834
Regards
fh
Hi stefan, great post and great tips. I hope disclosing exam cost will not violate any rules. Thanks in advance.
Hi fh,
I cannot confirm the existence of any such devices as this would violate the NDA. As an expert you should be prepared to understand the behavior across all of our SRX product portfolio, however as I mentioned, the devices I used throughout my preparations were sufficient to pass the exam.
Hi Misha,
I believe the cost is currently $1,400 but you should check with the certification team on our J-Net Certification forum at http://forums.juniper.net/t5/Training-Certification-and/bd-p/Training_and_Certification for more information. This is an excellent repository for those preparing for the exam.
Thanks for this article. A big help for customers and partners.
Congratulations on your JNCIE-SEC. I’ll be up in Herndon soon to take the exam. Would you mind posting a pic of the new JNCIE-SEC plaque? 🙂
Hi Mysterx, I am hoping to get my plaque in the mail in the next few days and then I’ll be happy to post a pic of it up. Let me know when you are in Herndon for the exam – I will likely be your proctor! Cheers…
Regarding simulating connections there are small tools like apache benchmark (ab), Nping – from Nmap, and Nmap itself of course to simulate portscans. Nping is a must when testing connections through firewalls.
Stefan, are there configuration guides (offline version) available during an exam?
Thanks
Hi Misha,
Yes, we provide a copy of the 10.4 and 11.1 Junos Security Configuration Guides on each candidate PC for reference during the exam…
Hello Stefan, do you think that 3 x SRX100 (with IPS and UTM trial licenses) would sufficient for the JNCIE-SEC preparation?
As you know there is no information like how many devices involve during actual lab (perhaps 8 – 10 SRXs??).
Anyway, thanks for the great post, and indeed i will follow your footsteps to achieve the title!
Could also provide detail guidance like this for JNCIP-SEC
Hi Stefan can you also provide same guideline for JNICP-SEC
Thank you very much for providing all of this information. Very well written and quite helpful.
Hi Stefan,
First of all, let me thank you for writing this article. This is by far the most credible source of information on JNCIE-SEC exam out there. I’d like to thank you in person if I do meet you during my lab attempt, though that may be a while from now.
I have one question for you:
What kind of Layer 2 troubleshooting/configuration can I expect there? I am not expecting a very precise answer, what I’m really interested in knowing is that how much JUNOS switching should I know to pass this exam? Is there other (FR/MPLS) layer 2 configuration/troubleshooting that I should worry about?
Thank you!
Hi Stefan its a really really very good post by you, and it is very informational for getting knowledge and good understanding about JNCIE-SEC Certification.
Nice information, it will definitely help me prepare. Thank you so much!
Hi Stefan
Could you please confirm when Juniper is launching JNCIE-Security Bootcamp? Or could you redirect me to right person in Juniper?
Thanls
Hi Stefan, thanks for sharing, great post!
I”ve bought an SRX210H (running junos 9.3 🙁 ), and I’m trying to build a small mpls lab environment, interconnecting 4 VRs through tagged fe subinterfaces. I’d be glad if you could clarify two doubts I have:
1- is it possible to activate MPLS in the VRs? If yes, where do I have to configure it? It seems the “mpls” statement it’s only supported in the master RI.
2- is it possible to configure family MPLS under a subinterface?
Thanks in advance for your kind help!
Hi Stefan,
After quite some hurdle got my hands on 2 SRX100H, can you please share some ideas how to utilize both and Olive routers for practice?
Hi Stefan, thanks for these tips. They are quite useful. Just a question regarding hardware for the JNCIE-SEC lab. If I use an SRX3600, running Junos 11.2 release I would be able to just configure multiple logical systems to simulate the various firewalls using back-to-back connections couldn’t I? I understand that the exam is base on Junos 11.1 release, but I should be OK just practising with 11.2?
Hi Stefan,
I posted a question yesterday and it was displayed on this page, but now it’s gone. Has it been deleted? If yes, why was it deleted? Was the question inappropriate?
Hi Stefan, my apology. I see that the comment was awaiting moderation.
Hi Stefan
I have exposure with Juniper SRX only , so would like to know the level of expertise needed on Juniper Routing & Switching to pursue with my JNCIE security journey .
Regards
AET
Hi Stefan,
It is really informative post and a guide for all pursuing Junos experties. I believe you will be very busy, but I will really appreicate if you can help me building my own LAB similar to one that is for JSEC course. I have already took a training classes and possess all the required printed material and 2 SRX and 2 Netscreen Firewalls. Kindly let me know if any thing else is also required to make a exact lab consisting only one POD.
Enjoyed every bit of your article post. Fantastic.