Study your flashcards anywhere!

Download the official Cram app for free >

  • Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off
Reading...
Front

How to study your flashcards.

Right/Left arrow keys: Navigate between flashcards.right arrow keyleft arrow key

Up/Down arrow keys: Flip the card between the front and back.down keyup key

H key: Show hint (3rd side).h key

A key: Read text to speech.a key

image

Play button

image

Play button

image

Progress

1/175

Click to flip

175 Cards in this Set

  • Front
  • Back

Persistent connection was made available in what HTTP version?

HTTP/1.1

SIP can be described as a protocol to allow what?

Communicating between different devices on a company network, whether on the LAN, the WAN, or across the Internet

With FTP, which port is the control port & what is the data port?

Control port: 21, Data Port: 20

Valid definition of a cookie?

A cookie is a piece of text that a web server can store on a user's hard disk. Cookies allow a website to store information on a user's machine and later retrieve it. The piece of information are stored as a name-value pair.

What 3 parts does the URL consist of?

1. Network protocol


2. Host name or address


3. File or resource location IE: http:// or ftp://

What is an iRule?

A script that you write if you want to make use of some of the extended capabilities of the BIG-IP that are unavailable via the CLI or GUI.

Using iRules, you send traffic not only to pools, but to where?

Individual pool members, ports, or URIs

What does UIE stand for?

Universal Inspection Engine

The syntax that you use to write iRules is based on what?

Tool Command Language (Tcl)

iRules are configuration objects, which means they are part of what file?

bigip.conf file - along with your pools, virtual servers, monitors, etc

TCL is an interpreted scripting language, so why do you not need to instantiate the interpreter every time an iRule is executed?

Every time you save your configuration all of your iRule are pre-compiled into byte-code. Byte-code is mostly compiled and has the vast majority of the interpreter tasks already performed, so that TMM can directly interpret the remaining object

What must be done before an iRule is actually effective?

It must be applied to a virtual server before it can affect any traffic. If it's not applied to a virtual server it's effectively disabled

Events are one of the ways in which iRules have been made to be what?

Network aware, as a language

When would it be ideal to use an iRule?

When you're looking to add some form of functionality to your application or app deployment , at the network layer. This functionality is NOT available within the GUI or CLI.

What is an iApp?

A user-customized framework for deploying applications

What three components make up an iApp?

1. Templates


2. Application Services


3. Analytics

What is the definition of iControl?

The first open API that enables applications to work in concert with the underlying network based on true software integration.

What protocol does iControl use to ensure open communications between dissimilar systems?

SOAP/XML

What are two other more common names for a reverse proxy?

1. Load balancer


2. Cache

Reverse proxies are generally HTTP focused, but more recently can be seen used for what other 3 protocols?

1. Streaming audio (RTSP)


2. File transfer (FTP)


3. Any application protocol over UDP or TCP.

How many connections does a full proxy maintain?

A full proxy maintains 2 separate connections:


1. One between itself and the client


2. One between and the destination server



A full proxy maintains how many session tables?

A full proxy maintains 2 separate session:


1. One on the client-side


2. One on the server-side

What is packet-based design?

A network device located in the middle of a stream of communications, but it is not an endpoint for those communications.

Difference between packet-based design & proxy-based design?

A proxy-based design fully understands the protocols, and is itself an endpoint and an originator for the protocol.

A full proxy can have it's own __________ because it is a communication endpoint?

Buffering, retransmits, & TCP options

When running BIG-IP systems as a single device, HA refers to what?

Core services being up and running on that devices, and VLANs being able to send and receive traffic.

When running a BIG-IP system as a unit of a redundant system configuration, HA refers to what?

Core system services being up and running on one of the two BIG-IP systems in the configuration. Connections being available between the BIG-IP system and pool of routers, and VLANs on the system being able to send/receive traffic.

What are the two possible modes of HA?

1. Active/standby


2. Active/Active

When you configure hard-wires failover, you enable failover by using what?

A failover cable to physically connect the two redundant units.

When you configure a network failover, you enable failover by configuring your redundant system to use what?

To use the network to determine the status of the active unit.

To facilitate coordination of the failover process, each unit has what?

Unit ID

What is the process where you replicate one unit's main configuration file on the peer unit

Configuration Synchronization or "ConfigSync"

For active-active systems, you must configure what? What alone is not sufficient?

You must configure network failover. Hard-wired failover alone is not sufficient

What would you use to assign unit ID 1 to the flowing self IP address pertaining to virtual servers A & B?

Configuration utility

What is a static self IP address?

IP address that you assign to a BIG-IP system VLAN

F5 recommends that you setup what on each unit of a redundant system?

Create an additional VLAN on each unit to be used specifically for failover communication.

What is the ability of a BIG-IP system to monitor certain aspects of the system or network, detect, interruptions, and consequently take some action, such as rebooting or initiating failover to the peer unit?

Fail-Safe

It is essential that each unit shares, or synchronizes it's current configuration data with its peer unit in what deployment?

Redundant System Configuration

With respect to configuration synchronization, you can use the configuration utility to do what 4 things?

1. View or specify the peer IP address to user for sync.


2. Enable or disable encryption of config data prior to sync.


3. Enable or disable the global display of sync status.


4. Specify sync direction

What are 2 examples of load balancing algorithms?

1. Round-Robin


2. Ratio

What are two examples of dynamic load balancing algorithms?

1. Least Connections


2. Fastest

How does least connections algorithm work?

Looks at current connection counts at layer 4 to the server and chooses the server with the least connections

How does fastest algorithm work?

Looks at the outstanding Layer 7 request and chooses the server with the lowest amount.

What are persistent connections?

Connections that are kept opened and reused. Most commonly in HTTP.

What is persistence?

It is related to the ability of the load-balancer or other traffic management solution to maintain a virtual connection between a client and a specific server

Positive security moves away from "blocked" to a more what?

"Allow what I know and expect" methodology

Negative security moves towards what sort of policy?

"Block what I know is bad", or deny access based on what has previously identified as content to be blocked

A digital signature is basically a way to ensure that an electronic document is what?

Authentic. Authentic means you know who created the document and you know it has not been altered in any way since the person created it.

What is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode?

Encryption

What is the process of verifying that information is coming from the trusted source?

Authentication

What does SAML stand for?

Security Assertion Markup Lanuage

What is SAML used for?

Used for exchanging user authentication, entitlement, and attribute information. It is a derivative of XML.

What are the 2 types of hardware platforms that F5 builds?

Application delivery switches & chassis

A chassis gives the customer what?

The ability to purchase additional blades that can be inserted into the chassis when needed.

What is the world's first on-demand ADC?

VIPRION

BIG-IP 1600

1. Allows one additional module beyond BIG-IP LTM


2. Capable of running BIG-IP protocol security Manager, Global Traffic Manager, WAN Optimization Module, & Access Policy Manager

BIG-IP 3600

1. Allows one additional module beyond BIG-IP LTM


2. Capable of running BIG-IP protocol security Manager, Global Traffic Manager, WAN Optimization Module, & Access Policy Manager, WebAccelerator, Application Security Manager

BIG-IP 3900

1. Allows one additional module beyond BIG-IP LTM


2. Capable of running BIG-IP protocol security Manager, Global Traffic Manager, WAN Optimization Module, & Access Policy Manager, WebAccelerator, Application Security Manager

The unified application delivery series includes what models?

6900, 8900, 8950, & 11050

What is the unified application Delivery series built for?

High throughput, multiple modules, 6 to 12 gigabytes per second of throughput on Layer 7.

What is the BIG-IP virtual Edition

1. Allows customers to run BIG-IP products on a virtual machine


2. Provides more flexibility to customers


3. ADC deployment can vary with the application

What are the 4 type of licenses for BIG-IP LTM VE?

1. Trial


2. Lab edition


3. Production 200 mega-byte throughput


4. Production 1 gigabyte throughput

HTTP pipelining is what?

Opening a connection to the server and then sending multiple requests to the server without waiting for a response.

What is the problem with pipelining?

The server doesn't actually treat the request any different. HTTP/1.1 specification requires that a "server MUST send its response to those requests in the same order that the requests were received"

What is a certificate Chain?

A list of certificates used to authenticate an entity

SSO?

Sign Sign-on Authentication.




The ability to reduce the number of ID's and passwords the user has to remember.

What is SAML used for?

It is an XML-based framework for exchanging user authentication, entitlement, and attribute information.




Its purpose is to enable Single Sign-On for web applications across various domains.

Browser cookies are not transferred between what?

DNS domains

IPsec is limited because it was not built with what in mind?

IPsec solutions were designed for trusted site-to-site connectivity and NOT with a highly-mobile workforce in mind.

When compared to IPsec, SSL VPNs are typically what?

SSL-VPNs are typically:


1. Less costly to manage


2. Eliminate concerns related to open-by-default tunnels


3. Offer flexible experience for employees and business partners using untrusted end point environments

By operating at the application layer, SSL-VPN can provide what?

High granular policy and access control required for secure remote access.

Because SSL is pair of any web browser, SSL-VPN solutions provide what?

Client-less and web-delivered thin client access that significantly increases the number of points from which employees, partners, and customers can access network data

BIG-IP VE can be used with what?

LTM & APM

To overcome packet loss, the acceleration device can implement what?

Selective TCP acknowledgements (SACK) and advanced congestion control algorithms to prevent TCP from reducing throughput.

One way a BIG-IP reduces server side TCP connections?

It aggregates, or pools, TCP server-side connections by combining many separate transactions, potentially from many users, through fewer TCP connections.

HTTP compression is done on acceleration devices for what 2 reason?

1. Offload compression overhead from web servers


2. Enable the acceleration device to perform other optimization that improves performance

Caching?

Storing the data close to users and re-using the data during subsequent requests

3 forms of caching?

1. Web application instructs a browser to cache an object marked as static for a specific time period.


2. Deploy acceleration device in a data center to offload requests for web application content from the server.


3. Symmetric acceleration device caches and serves content to users at the remote site.

2 Caching Limitations

1. Client side acceleration device MUST implement access control to prevent unauthorized access to an object.


2. Client-side device may serve older, stale version of content

What do http request and response headers consist of?

1. An initial line


2. Zero or more header lines


3. a blank line


4. an optional message body

In an HTTP header, what does an initial request line consist of?

1. A method name (GET, POST, HEAD)


2. Local path of the requested resource


3. HTTP version being used (HTTP/x.x)

What other name does the initial response line go by?

status line

What part does the status line consist of?

1. The HTTP version (HTTP/x.x)


2. A response status code (200, 404)
3. English Reason Phrase (OK, Not Found)

HTTP status code: 1xx

Indicates informational messages only

HTTP status code: 2xx

Indicates success of some kind

HTTP status code: 3xx

Redirects the client to another URL

HTTP status code: 4xx

Indicates an error on the client's part

HTTP status code: 5xx

Indicates an error on the server's part

What is the HEAD method and what does it request?

Similar to GET, except it asks the server to return the response headers ONLY, and not the actual resource

What is the post method and what does it request?

Used to send data to the server to be processed in some way

In what 3 ways does the POST method differ from the GET method?

1. There is a block of data sent with the request. Usually there are extra headers to describe this message body like Content-Type & Content-Length.


2. The request URI is not a resource to retrieve; its usually a program to handle the data you're sending


3. HTTP response is normally program output, not a static file

What is multi-homed?

The ability for multiple domains to live on the same server.

Multi-homed in HTTP/1.1 requests what line to be added to the header?

Host line


Get /path/file.html HTTP/1.1


Host: www.host1.com:80

What is the term for sending several HTTP requests in a series?

HTTP pipelining

What must the client include in the header to close the connection after the corresponding response?

Connection: close

LTM

Local Traffic Manager




Full proxy between users and application servers. Creates a layer of abstraction to secure, optimize, and load balance application traffic.

GTM

Global Traffic Manager




Automatically routes connections to the closest or best performing data center in the event of an outage, overload, or other distruption

APM

Access Policy Manager




Provides secure, context-aware, and policy-based access control. It centralizes and simplifies AAA management directly on the BIG-IP system

ASM

Application Security Manager




Advanced web application firewall that protects critical applications and their data by defending against application specific attack that bypass conventional firewalls

Edge Gateway

Provides SSL VPN remote access security with applications acceleration and optimization services at the edge of the network

Link Controller

prevents costly downtime due to ISP problems or other link failures by automatically switching traffic to alternate ISP connections and ensuring use of the fastest available connection

WOM

WAN Optimization Manager




Overcomes network and application issues on the WAN to ensure that application performance data replication, and disaster recovery requirements are met

WebAccelerator

Gives your users an instant improvement in web application performance and helps reduce costs.

ARX series

Enable you to dramatically simplify data management and reduce storage costs.

FirePass

Allows users secure access from anywhere they have an internet connection, while Firepass ensures that connected computers are fully patches and protected

3 LTM initial setup steps

1. Setup MGMT port IP address via config utility


2. License the system through web interface


3. Run the setup utility

Default LTM Management port IP address?

192.168.1.245

To gain a license, you need to use your registration key to generate what?

A dossier and then present the dossier to the license server

Base registration key is how many characters?

27

Systems are shipped with your registration key where?

/config/RegKey.license

After generating the dossier, where is it located?

/config/bigip.license

Dedicated?

Designed for situations where only one module is functional on the system such as GTM

Nominal

A module gets the least amount of resources required. After all modules are enabled the modules gets additional resources from the portion of remaining resources

Minimum

Given the module minimum functional resources. No additional resources are ever allocated to the module

None

Specifies that a module is not provisioned

Lite

Available for selected modules granting limited features for trials

setup utility includes the following:

1. Self-IP addressing and Netmasks for VLANs


2. Assign interfaces to VLANs


3. IP address of the default route


4. Root password for CLI


5. admin password for GUI


6. IP address allowed for SSH

Administrative IP access file:

/etc/hosts.allow

Interface and configuration files

/config/bigip.conf


/config/bigip_base.conf


/config/BigDB.dat

Default terminal settings for console settings?

Bits per second: 19200


Data bits: 8


Parity: None


Stop bit: 1


Flow control: None

File extension for backups

*.ucs

pool members are?

Each of the actual servers used for client traffic. Includes IP address & port.

The devices represented by the IP address of pool members are called what?

Nodes - They may represent multiple pool members

A pool is what?

A group of pool members

System logs

/var/log/messages

Packet filter logs

/var/log/pktfilter

local traffic logs

/var/log/ltm

Audit logs

Display system configuration changes by user and time

A full proxy maintains how many session tables?

2

DSR

Direct Server Return




Requests are proxied by the device, but the responses do not return through the device. Known as a half proxy because only half the connection is proxied.

What is proxy-based design

A full proxy completely understands the protocols, and is itself and endpoint and an originator for the protocols.

iRules

Scripts created using TCL with custom F5 extensions that enables users to create unique functions triggered from TMOS events

Single device HA

1. Core services being up and running on that device


2. VLANs being able to send and receive traffic

Redundant system configuration HA

Core system services being up and running on one of the two BIG-IP systems. Connections being available between the BIG-IP system and a pool of routers, and VLANs on the system being able to send/receive traffic.

Hard-wired failover

Enable failover by using a failover cable to physically connect the two redundant units. This is the default setting.

Network failover

Enable failover by configuring redundant system to use the network to determine the status of the active unit.

What is ConfigSys

A process where you replicate one units main config file on the peer unit

What does SNAT do?

Secure Network Address Translation




Maps the source client IP address in a request to a translated address defined on the BIG-IP device

What is intelligent SNAT

Mapping of one or more original client IP address to a translated address

Auto Last Hop

Global setting that is used to track the source MAC address of incoming connections

What is a node?

The physical server itself that will receive traffic from the load balancer.

How is a member different than a node?

A member includes the TCP port of the actual application that will receive the traffic

Random Algorithm

Randomly distributes load across the servers available

Round Robin Algorithm

Passes each new connection request to the next server in line, eventually distributing connection evenly across the array of machines being load balanced

Weighted Round Robin Algorithm

The number of connections that each machine receives over time is proportionate to a ratio weight you define for each machine

Dynamic round robin (dynamic ratio) algorithm

Weights are based on continuous monitoring of the servers and are therefore continually changing. Distributed based on real-time server performance analysis

Fastest Algorithm

Passes a new connection based on the fastest response time of all servers

Least connections algorithm

The system passes a new connection to the server that has the least number of current connections. Works best with equipment that all has similar capabilities

Observed Algorithm

uses a combination of the logic used in the Least connections and fastest algorithms to load balance connections to servers. Servers are ranked based on current connections and response time

Predictive Algorithm

The system analyzes the trend of the ranking over time, determining whether a servers performance is currently improving or declining

What is the primary reason for tracking & storing session data?

The ensure the client requests are directed to the same pool member throughout the life of a session, or during subsequent sessions

What is persistence profile?

A pre-configured object that automatically enables persistence when you assign the profile to a Virtual system

Destination address affinity persistence

Also known as sticky persistence, destination address affinity persistence supports TCP and UDP protocols, and directs session requests to the same server based solely on the destination IP address of a packet

Source address affinity persistence

Also known as simple persistence, source address affinity persistence supports TCP and UDP protocols, and directs session requests to the same server based solely on the source IP address of the packet

What is positive security model?

One that defines what is allowed and rejects everything else

What is negative security model?

Defines what is not allowed, while implicitly allowing everything else

Benefit of the positive security model

A new attack, not anticipated by the admin/developer, will be prevented

Reset on timeout

The system sends a reset (RST) and deletes the TCP connection when the connection exceeds the idle timeout value. If disabled, the system will delete the TCP connection when it exceeds the idle timeout value, but will NOT send an RST to the client.

SIP

Session Initiated Protocol




Application layer protocol that can establish, modify, and terminate multimedia sessions such as Internet telephony calls

HTTP header methods?

1. GET


2. POST


3. PUT


4. DELETE


5. HEAD

With the GET method, all query parameters are part of what?

URI

200 OK

The request succeeded and the resulting resource is returned in the message body

304 Not modified

This shows that the resource in question has not changed and the browser should load it from its cache instead.

404 Not found

The requested resource doesn't exist on the server

401 Authorization required

This indicates that the resource is protected and requires valid credentials before the server can grant acess

500 Internal Error

An unexpected server error. The most common cause is a server-side script that has bad syntax, fails, or otherwise can't run correctly

IPsec

IP layer protocol that enables the sending and receiving of cryptographically protected packets of any size (TCP, UDP, ICMP) without any modifications.

What are two cryptographic services that IPsec provides?

1. Confidentiality and authenticity (Encapsulated security payload


2. Or Authenticity ONLY. (Authentication header)



What is SSL?

An application layer protocol, mostly utilized to protect HTTP transactions, and has been used for other purposes like IMAP AND POP3




Only compatible with applications running over TCP

IPsec supports the use of Digital signatures and the use of secret key algorithm, where SSL supports only the use of what?

Digital Signature

200 OK

Standard response for successful HTTP request

SNAT

Security Network address Translation




Maps the source client IP address in a request to the translated address defined on the BIG-IP device

301 Moved permanently

This and all future requests should be directed to the given URL

303 See other

The resource has moved to another URL, and it should be automatically retrieved by the client.

Buffer-and-stitch Methodology

Buffers a connection, often through TCP handshake process and potentially into the first few packets of application data, but then "stitches" a connection to a given server on the back-end using either layer 4 or layer 7 data, perhaps both.