F5 101 (2)
Study this set online at: http://www.cram.com/flashcards/f5-1012-4973187

LTM (Local Traffic Manager)
Full proxy between users and application servers. Creates a layer of abstraction to secure, optimize, and load balance application traffic.

GTM (Global Traffic Manager)
Automatically routes connections to the closest or best performing data center in the event of an outage, overload, or other disruption.

APM (Access Policy Manager)
Provides secure, context-aware, and policy-based access control. It centralizes and simplifies AAA management directly on the BIG-IP system.

ASM
Advanced web application firewall that protects critical applications and their data by defending against application-specific attacks that bypass conventional firewalls.

Edge Gateway
Provides SSL VPN remote access security with application acceleration and optimization services at the edge of the network.

Link Controller
Prevents costly downtime due to ISP problems or other link failures by automatically switching traffic to alternate ISP connections and ensuring use of the fastest available connection.

WOM (WAN Optimization Manager)
Overcomes network and application issues on the WAN to ensure that application performance, data replication, and disaster recovery requirements are met.

WebAccelerator
Gives your users an instant improvement in web application performance and helps reduce costs. By offloading your network and servers, BIG-IP WebAccelerator decreases your spending on additional bandwidth and new hardware.

ARX Series
Enables you to dramatically simplify data management and reduce storage costs. File virtualization results in dramatic improvement in cost, agility and business efficiency.

FirePass
Allows users secure access from anywhere they have an Internet connection, while FirePass ensures that connected computers are fully patched and protected.

4 LTM initial setup steps
1. Set up the MGMT port IP address via the config utility
2. License the system through the web interface
3. Run the setup utility

Default LTM MGMT port IP address?
192.168.1.245

To gain a license, you need to use your registration key to generate what?
A dossier, and then present the dossier to the license server.

Base registration key is how many characters?
27

Systems are shipped with your registration key where?
/config/RegKey.license

After generating the dossier, what is it named and where is it located?
/config/bigip.license

Dedicated
Designed for situations where only one module is functional on the system, such as GTM.

Nominal
Gives the module its minimum functional resources and distributes additional resources to the module if they are available.

Minimum
Gives the module minimum functional resources and distributes additional resources to other modules.

None
Designed for situations where another module needs dedicated access to resources.

Lite
Available for selected modules, granting limited features for trials.

Setup Utility includes the following:
Self-IP addresses and netmasks for VLANs
Assign interfaces to VLANs
IP address of the default route
root password for the CLI
admin password for the GUI
IP addresses allowed for SSH

Administrative IP access file:
/etc/hosts.allow

Interface and configuration files:
/config/bigip.conf
/config/bigip_base.conf
/config/BigDB.dat

Default terminal settings for console access
8-N-1, 19,200 bps

File extension for backups
*.ucs

Pool members are?
Each of the actual servers used for client traffic. Includes an IP address and port.

The devices represented by the IP addresses of pool members are called what?
Nodes -- they may represent multiple pool members.

A pool is what?
A group of pool members.
System logs
/var/log/messages

Packet filter logs
/var/log/pktfilter

Local traffic logs
/var/log/ltm

Audit logs
Displays system configuration changes by user and time.

A full proxy maintains how many session tables?
2

Buffer-and-stitch methodology
The proxy buffers a connection, often through the TCP handshake process and potentially into the first few packets of application data, but then stitches a connection to a given server on the back end using either layer 4 or layer 7 data.

DSR (Direct Server Return)
Requests are proxied by the device, but the responses do not return through the device. Known as a half proxy because only half the connection is proxied.

What is a proxy-based design?
A full proxy completely understands the protocols, and is itself an endpoint and an originator for the protocols. The connection between a client and the full proxy is fully independent of the connection between the full proxy and the server.

iRules
Scripts created using TCL with custom F5 extensions that enable users to create unique functions triggered from TMOS events.

Single device HA
- Core services being up and running on that device
- VLANs being able to send and receive traffic

Redundant system configuration HA
- Core system services being up and running on one of the two BIG-IP systems
- Connection being available between the BIG-IP system and a pool of routers, and VLANs on the system being able to send and receive traffic

Hard-wired failover
You enable failover by using a failover cable to physically connect the two redundant units. Default setting.

Network failover
Enable failover by configuring the redundant system to use the network to determine the status of the active unit.

What is ConfigSync?
A process where you replicate one unit's main config file on the peer unit.

What does SNAT do?
Secure Network Address Translation maps the source client IP in a request to a translation address defined on the BIG-IP device.

What is Intelligent SNAT?
The mapping of one or more original client IP addresses to a translation address. However, you implement this type of SNAT mapping within an iRule. Can be based on any piece of packet data you specify.

How to monitor the number of concurrent connections going through the SNAT?
tmsh show /ltm snat

Auto Last Hop
Is a global setting that is used to track the source MAC address of incoming connections. Allows the BIG-IP system to send return traffic from pools to the MAC address that transmitted the request, even though the routing table points to a different network or interface.

What is a node?
The physical server itself that will receive traffic from the load balancer.

How is a member different than a node?
A member includes the TCP port of the actual application that will be receiving the traffic.

What is a basic load balancing transaction?
1. Client attempts to connect with the service on the load balancer
2. LB accepts the connection, and changes the destination IP to match the service of the selected host
3. Host accepts the connection and responds back to the original source, the client, via its default route
4. The LB intercepts the return packet from the host and now changes the source IP to match the virtual server IP and port, and forwards the packet
5. Client receives the return packet, believing that it came from the virtual server

Random Algorithm
Randomly distributes load across the servers available.

Round Robin Algorithm
Passes each new connection request to the next server in line, eventually distributing connections evenly across the array of machines being load balanced.
Weighted Round Robin (Ratio) Algorithm
The number of connections that each machine receives over time is proportionate to a ratio weight you define for each machine.

Dynamic Round Robin (Dynamic Ratio) Algorithm
Weights are based on continuous monitoring of the servers and are therefore continually changing. Distributed based on real-time server performance analysis.

Fastest Algorithm
Passes a new connection based on the fastest response time of all servers.

Least Connections Algorithm
The system passes a new connection to the server that has the least number of current connections. Works best with equipment that all has similar capabilities.

Observed Algorithm
Uses a combination of the logic used in the Least Connections and Fastest algorithms to load balance connections to servers. Servers are ranked based on current connections and response time.

Predictive Algorithm
The system analyzes the trend of the ranking over time, determining whether a server's performance is currently improving or declining.

What is the primary reason for tracking and storing session data?
To ensure that client requests are directed to the same pool member throughout the life of a session, or during subsequent sessions.

What is a Persistence Profile?
A pre-configured object that automatically enables persistence when you assign the profile to a VS.

Cookie persistence
Cookie persistence uses an HTTP cookie stored on a client's computer to allow the client to reconnect to the same server previously visited at a web site.

Destination address affinity persistence
Also known as sticky persistence, destination address affinity persistence supports TCP and UDP protocols, and directs session requests to the same server based solely on the destination IP address of a packet.
Hash persistence
Hash persistence allows you to create a persistence hash based on an existing iRule.

Microsoft® Remote Desktop Protocol persistence
Microsoft® Remote Desktop Protocol (MSRDP) persistence tracks sessions between clients and servers running the Microsoft® Remote Desktop Protocol (RDP) service.

SIP persistence
SIP persistence is a type of persistence used for servers that receive Session Initiation Protocol (SIP) messages sent through UDP, SCTP, or TCP.

Source address affinity persistence
Also known as simple persistence, source address affinity persistence supports TCP and UDP protocols, and directs session requests to the same server based solely on the source IP address of a packet.

SSL persistence
SSL persistence is a type of persistence that tracks non-terminated SSL sessions, using the SSL session ID.

Universal persistence
Universal persistence allows you to write an expression that defines what to persist on in a packet. The expression, written using the same expression syntax that you use in iRules, defines some sequence of bytes to use as a session identifier.

What is the Positive Security Model?
One that defines what is allowed, and rejects everything else.

What is the Negative Security Model?
Defines what is disallowed, while implicitly allowing everything else.

Benefit of the Positive Security Model
Is that new attacks, not anticipated by the admin/developer, will be prevented.

Reset on Timeout
The system sends a reset (RST) and deletes the TCP connection when the connection exceeds the idle timeout value. If disabled, the system will delete the TCP connection when it exceeds the idle timeout value, but will not send an RST to the client.
SIP (Session Initiation Protocol)
Application layer protocol that can establish, modify, and terminate multimedia sessions such as Internet telephony calls.

HTTP header methods?
GET, POST, PUT, DELETE, HEAD

With the GET method, all query parameters are part of what?
URI

200 OK
This indicates a success.

304 Not Modified
This shows that the resource in question has not changed and the browser should load it from its cache instead. This is used only when the browser performs a conditional GET request.

404 Not Found
This suggests that the resource requested cannot be found on the server.

401 Authorization Required
This indicates that the resource is protected and requires valid credentials before the server can grant access.

500 Internal Error
This signifies that the server had a problem processing the request.

Most important browser headers?
HTTP version
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
If-* headers
Cache-Control or Pragma: no-cache

Most important web server headers?
HTTP version
Connection: Keep-Alive/Close
Encoding: gzip, deflate
Cache-strong headers (max-age)
Content-Type:
Date:
Accept-Ranges: bytes

no-cache meta tag
Instructs the browser to not cache the object that contains the meta tag. Forces the browser to always get a full download of that object.

refresh meta tag
Often used to mimic an HTTP 302 redirect response. Tells the browser to override the browser's cache settings and revalidate every object referenced by the refresh tag.

IPsec
IP layer protocol that enables the sending and receiving of cryptographically protected packets of any type (TCP, UDP, ICMP) without any modification.

What two cryptographic services does IPsec provide?
1. Confidentiality and authenticity (Encapsulating Security Payload)
2. Or authenticity only (Authentication Header)

Main Mode exchanges
-> HDR, SA
<- HDR, SA
-> HDR, KE, Ni
<- HDR, KE, Nr
-> HDR*, ID_I, [CERT], SIG_I
<- HDR*, ID_R, [CERT], SIG_R

Aggressive Mode exchanges
-> HDR, SA, KE, Ni, ID_I
<- HDR, SA, KE, Nr, ID_R, [CERT], SIG_R
-> HDR, [CERT], SIG_I

Legend
HDR: ISAKMP header
SA: Security Association
KE: Diffie-Hellman exchanged public value
Ni, Nr: the nonce
ID_I, ID_R: the Initiator, Responder
CERT: the certificate
SIG_I, SIG_R: the signature for the Initiator, Responder respectively

What does Phase 2 do?
Negotiates the cipher and authentication algorithm required to protect further transactions.

What does Phase 1 do?
Performs mutual authentication and produces the encryption key required to protect Phase 2.

What is SSL?
An application layer protocol. Mostly utilized to protect HTTP transactions, and has been used for other purposes like IMAP and POP3. Only compatible with applications running over TCP.

SSL is composed of what 4 protocols?
Handshake protocol
Change Cipher Spec protocol
Alert protocol
Application Data protocol

What is the Handshake protocol used for?
To perform authentication and key exchanges.

What is the Change Cipher Spec protocol used for?
To indicate that the chosen keys will now be used.

What is the Alert protocol used for?
Signaling errors and session closure.

What is the Application Data protocol used for?
To transmit and receive encrypted data.

Hash algorithms used in SSL "Client Authentication"?
MD5 and SHA-1

IPsec supports the use of a Digital Signature and the use of a Secret Key Algorithm, where SSL supports only the use of what?
Digital Signature

MAC (Message Authentication Code)
Used for authenticating the exchanged messages after the connection is established.

What two connection modes does IPsec have?
Tunnel Mode
Transport Mode

What is Tunnel mode?
Established between gateway-to-gateway, gateway-to-host, and host-to-host. It establishes a tunnel between the endpoints and it requires adding a new IP header to the original packet.

What is Transport mode?
Host-to-host connection. The data between the two entities is encrypted.

PFS (Perfect Forward Secrecy)
Exchanges new DH values each time a session is resumed.

100 Continue
This means that the server has received the request headers, and that the client should proceed to send the request body.

101 Switching Protocols
This means the requester has asked the server to switch protocols and the server is acknowledging that it will do so.

200 OK
Standard response for successful HTTP requests.

201 Created
The request has been fulfilled and resulted in a new resource being created.

202 Accepted
The request has been accepted for processing, but the processing has not been completed. The request might or might not eventually be acted upon, as it might be disallowed when processing actually takes place.

203 Non-Authoritative Information (since HTTP/1.1)
The server successfully processed the request, but is returning information that may be from another source.

204 No Content
The server successfully processed the request, but is not returning any content. Usually used as a response to a successful delete request.

205 Reset Content
The server successfully processed the request, but is not returning any content. Unlike a 204 response, this response requires that the requester reset the document view.

206 Partial Content
The server is delivering only part of the resource due to a range header sent by the client.
The range header is used by tools like wget to enable resuming of interrupted downloads, or to split a download into multiple simultaneous streams.

207 Multi-Status
The message body that follows is an XML message and can contain a number of separate response codes, depending on how many sub-requests were made.

208 Already Reported
The members of a DAV binding have already been enumerated in a previous reply to this request, and are not being included again.

226 IM Used (RFC 3229)
The server has fulfilled a GET request for the resource, and the response is a representation of the result of one or more instance-manipulations applied to the current instance.

SNAT (Secure Network Address Translation)
Maps the source client IP address in a request to a translation address defined on the BIG-IP device.

300 Multiple Choices
Indicates multiple options for the resource that the client may follow. It, for instance, could be used to present different format options for video, list files with different extensions, or word sense disambiguation.

301 Moved Permanently
This and all future requests should be directed to the given URI.

302 Found
This is an example of industry practice contradicting the standard. The HTTP/1.0 specification (RFC 1945) required the client to perform a temporary redirect (the original describing phrase was "Moved Temporarily"),[5] but popular browsers implemented 302 with the functionality of a 303 See Other. Therefore, HTTP/1.1 added status codes 303 and 307 to distinguish between the two behaviours.[6] However, some Web applications and frameworks use the 302 status code as if it were the 303.[7]

303 See Other
The response to the request can be found under another URI using a GET method. When received in response to a POST (or PUT/DELETE), it should be assumed that the server has received the data and the redirect should be issued with a separate GET message.
304 Not Modified
Indicates that the resource has not been modified since the version specified by the request headers If-Modified-Since or If-Match. This means that there is no need to retransmit the resource, since the client still has a previously-downloaded copy.

305 Use Proxy
The requested resource is only available through a proxy, whose address is provided in the response. Many HTTP clients (such as Mozilla[8] and Internet Explorer) do not correctly handle responses with this status code, primarily for security reasons.

306 Switch Proxy
No longer used. Originally meant "Subsequent requests should use the specified proxy".

307 Temporary Redirect
The request should be repeated with another URI; however, future requests should still use the original URI. In contrast to how 302 was historically implemented, the request method is not allowed to be changed when reissuing the original request. For instance, a POST request should be repeated using another POST request.

308 Permanent Redirect
The request, and all future requests, should be repeated using another URI. 307 and 308 (as proposed) parallel the behaviours of 302 and 301, but do not allow the HTTP method to change. So, for example, submitting a form to a permanently redirected resource may continue smoothly.