This is a guest blog post. Views expressed in this post are original thoughts posted by Wim De Smet, Operations Manager at Securelink. These views are his own and in no way do they represent the views of the company he works for.

For years I was an active member on the ScreenOS forum www.juniperforum.com, a forum for Netscreen before J-NET, some of you may remember me as “frac” in this community. I also spent a lot of time with the local Juniper Networks team and worked on some very interesting projects.

In 2008 and 2011 I was rewarded by Juniper with the title “Master of System Engineering of Juniper Networks”, which was a major accomplishment in my career.

I think this was one of the reasons why I was selected for the JNCIE-SEC beta exams. My journey to getting JNCIE-SEC, started 12 years ago. I had been working with ScreenOS since 1999, so I knew the security features and flow very well, which was a major benefit because they are used a lot in Junos for security.

At the start of my career I was heavily involved with Cisco products and I worked up to CCNP and almost started to do CCIE, but never went there because I moved from switching/routing to security. The day I started this route I thought whenever there was a Netscreen equivalent of the CCIE certification I wanted to get it.

About two or three years ago I started to play with Junos as Juniper released a special version Junos-es (enhanced services) for the J-Series routers that had some of the security features there in. Then they came with the EX devices and SRX devices and I then started to work more with Junos rather than ScreenOS. From then on I wanted to know as much as I could about this OS and all the features (EX/SRX/MX/etc).

Before embarking on the expert level certification I would thoroughly recommend that you gain as much extensive practical experience you can before starting your JNCIE-SEC journey. And I would also recommend it for the JNCIP-SEC exams it makes doing the lab work much easier. Here are some tips I would like to share with you:

My Preparation

To prepare myself for the lab I first completed all the other written exams (JNCIS-SEC/JNCIP-SEC). The first was no problem, but the JNCIP-SEC wasn’t that easy, my first attempt I didn’t pass. The reason being was I didn’t study for it because I was pretty sure I would pass based on my hands-on experience, maybe I was over confident.

For my second attempt I ordered the two Juniper courses to prepare myself, these were Advanced Junos Security (AJSEC)  and Junos Intrusion Prevention System Functionality (JIPS). After reading them I retook the exam and passed, I guess second time lucky for me!

So, this exam was good experience, it highlighted which topics I never did in real life and needed to do in lab environment.

My Lab Setup

I built a lab, where I could test most of the topics that were listed in the lab topics covered:

• Complex policy implementations, including anti-virus scanning, and URL filtering
• IPS, IPSec VPNs, including PKI, hub-and-spoke, transparent mode, dynamic, and overlapping address designs
• HA (high availability)
• Troubleshooting of policy, routing, and IPSec VPNs
• Traffic management
• Advanced management configurations
• VLANs
• Aggregated Ethernet
  
  My Lab Schema
  
  2 x SRX100: (HA, IPS, UTM, VPN, OSPF)
  1 x SRX100: Remote Sites (VPN, OSPF)
  
  With this setup I tested the following things:

• Complex policy implementations, including anti-virus scanning, and URL filtering
• IPS, IPSec VPNs, hub-and-spoke, dynamic, and overlapping address designs.
• HA (high availability)
• Troubleshooting of policy, routing, and IPSec VPNs
• Traffic management

I didn’t test the following things:

• PKI, transparent mode
• Advanced management configurations
• VLANs
• Aggregated Ethernet

because I already knew how these worked from my hands-on experience previously gained.

To give some more details on the things I did test:

• With 2 SRX100 we made a cluster. On this cluster we did all the IPS and UTM stuff.
• We connected 1 SRX100 with vpn (one time with fixed IP and other time with a dynamic IP (so we both had dynamic and static VPN peer tested).
• With this setup we could test all the above.
• We also tested the “Group VPN”, because we never did this before and wanted to see what it could do and how you needed to build it.
• One of the last tests was to ask someone from work to change some stuff and try to find what the problem was. (Test some advanced troubleshooting)
• The day before I did my exams I also configured a dynamic VPN (remote IPSEC client feature) on the SRX.

Tips:

• Read all your questions in the beginning and make a L3 drawing of the setup
• Know your configuration commands (you don’t have much time)
• The whole exam is in CLI (no web or nsm)
• Be sure you can configure all the topics that are in the exam description!

This is how I prepared and I hope this will guide you all in your Journey to JNCIE-SEC. Do share your journey in the comments, so we can help others to be prepared for their exams. And receive this nice gift.

Finally, please keep in mind not to post things that will break the exam NDA! For the latest certification specifications go to.