136 Cards in this Set
In SmartDashboard, which object category includes the physical machines and the logical components (such as dynamic objects and address ranges) that make up your organization?
|
Network Objects
|
|
When creating objects, what must the System Administrator consider? (2)
|
1. What are the physical and logical components that make up the organization?
2. Who are the users and administrators and how should they be divided into groups. |
|
What are the 4 principal panes in SmartDashboard?
|
Rule Base
Objects List
SmartMap
Objects Tree |
|
What does the Objects List display?
|
current information for a selected object category
|
|
What are the Object Types? (6)
|
Network Objects
Services
Resources
Servers and OPSEC Applications
Users and Administrators
VPN Communities |
|
In what columns of the Rule Base are Network Objects generally used?
|
Source, Destination, and Install On
|
|
What is the graphical display of objects in the system called?
|
SmartMap
|
|
(T/F) Both physical and logical objects are displayed.
|
False. Only physical
|
|
What is the main view for adding, editing, and deleting objects?
|
Objects Tree
|
|
(T/F) Adding, editing, and deleting objects can be performed via menus, toolbars, and other views.
|
True
|
|
(T/F) You cannot clone host and network objects.
|
False. Right click object, select clone, and enter a new name.
|
|
The view in the Objects Tree that automatically places each object in a predefined logical category is:
|
Classic View
|
|
The view in the Object Tree that organizes objects by groups:
|
Group View
|
|
Which view of the Objects Tree pane opens by default?
|
Classic View
|
|
Which view of the Objects Tree is suggested for small to medium sized deployments?
|
Classic View
|
|
How are objects organized in Group View?
|
By the group objects to which they belong.
|
|
What are the Rule Base options related to Rules? (5)
|
Add Rule (Top, Bottom, Above, Below)
Delete Rule
Disable Rule
Hide
Section Title |
|
What are the columns in the rule base?
|
No., Name, Source, Destination, VPN, Service, Action, Track, Install On, Time, and Comment
|
|
How do you track multiple rules in SmartView Tracker?
|
Use the same name in the Name column for the rules you want to track
|
|
What tracking option can require large amounts of free space?
|
Account
|
|
What are the two basic rules used by nearly all Security Gateway administrators?
|
Stealth Rule
Cleanup Rule |
|
What is the basic rule that logs and drops all traffic that does not match a rule?
|
Cleanup Rule
|
|
What should the last rule in the Rule Base always be?
|
Cleanup Rule
|
|
What rule is used to prevent users from connecting directly to the Security Gateway?
|
Stealth Rule
|
|
The Stealth Rule should be the first rule with the following exceptions that should appear above the Stealth Rule: (3)
|
Client Authentication
Encryption
Content Vectoring Protocol (CVP) rules |
|
How do you see implied rules in the rulebase?
|
View > Implied Rules
|
|
(with or without) Implicit rules appear ________ numbering, and explicit rules appear _________ numbering.
|
without, with.
|
|
(T/F) Implied rule traffic will not go over domain based VPNs.
|
True
|
|
The Gateway enforces two types of implicit rules that enable _______ connections and ________ packets.
|
Control, outgoing
|
|
The 3 options for implied rule placement in the rule base are:
|
First
Last
Before Last |
|
What are the 3 types of control connections?
|
Gateway-specific traffic (logging, management, key exchange, etc.)
IKE and RDP traffic
Communication with external servers (RADIUS, CVP, etc.) |
|
How do you access Global Properties?
|
Policy > Global Properties
|
|
(T/F) If the cleanup rule is the last explicit rule, implied rules with a placement setting of last will still be enforced because they are implied.
|
False. Rules listed after the cleanup rule will not be enforced.
|
|
(T/F) Implied rules cannot be directly modified in the rule base.
|
True
|
|
How are implied rules modified?
|
By editing the parameters of the Firewall Implied Rules page of the Global Properties window.
|
|
How do you configure logging for implied rules?
|
Click 'Log Implied Rules' in the Track section of the Firewall Implied Rules page of the Global Properties window.
|
|
What is spoofing?
|
When packets are altered such that they appear to be coming from a part of the network with higher access privileges.
|
|
What does CP Anti-spoofing do?
|
Verifies that packets are coming from, and going to, the correct interfaces on the Gateway.
|
|
What is needed to properly configure anti-spoofing?
|
The networks reachable from each interface must be defined correctly in that interface's topology.
|
|
What is suggested for anti-spoofing to be most effective? (2)
|
It should be configured on all gateway interfaces.
Spoof tracking should be defined for interfaces. |
|
(T/F) Anti-spoofing checks are enforced before the rules in the Rule Base.
|
True
|
|
Where do you configure anti-spoofing in SmartDashboard?
|
The Topology tab of the Interface Properties window.
Edit object > Topology > edit interface > Topology |
|
(T/F) Only managed objects are available for policy installation
|
True
|
|
Policy verification checks for: (2)
|
Rules are consistent
No redundant rules |
|
In what order are rules processed? (6)
|
IP Spoofing / IP Options
First (implied)
Explicit
Before Last (implied)
Last (implied)
Implicit Drop (no logging) |
|
What are the 3 questions you should ask before creating a rule base?
|
1. Which objects are in the network?
2. Which user permissions and authentication schemes are needed?
3. Which services are allowed? |
|
(T/F) In general, the policy is enforced from top to bottom.
|
True. Exception is when user auth is present.
|
|
What is the general guideline with regard to restrictive and generalized rules?
|
Most restrictive should be above generalized
|
|
What are the first 2 rules you should add to a policy?
|
Stealth and Cleanup
|
|
What happens when the Reject action is used?
|
A message is returned to the source address.
|
|
What should be used if several versions of a security policy are needed, but the object database needs to stay the same?
|
Policy Packages
|
|
What is included in the Policy Package?
|
Security, NAT, Desktop and QoS policy rules.
|
|
What allows you to associate each Policy Package with the appropriate set of Gateways?
|
Predefined installation targets.
|
|
What allows you to visually break your rule base into subjects?
|
Section Titles
|
|
What tool provides versatile search capabilities for both objects and the rules in which they are used?
|
Queries
|
|
(T/F) Global properties can change for different Policy Packages.
|
False
|
|
(T/F) Using File > Save as is the suggested method for backing up a Policy Package prior to modifying it.
|
False. Database Revision Control feature is the suggested method.
|
|
What is used to set the component selection for a given Policy Package, eliminating the need to repeat the selection each time policy is installed?
|
Installation Targets.
|
|
Where can rule base queries be used? (4)
|
Security, Desktop, QoS, and Web access rule bases.
|
|
(T/F) Rules that do not match a query are hidden, but they are still enforced.
|
True
|
|
How do you set a rule base query clause to be an "OR" clause?
|
Choose more than one item in the list, and verify that "at least one" is selected in the Clause Statement.
|
|
How do you set a rule base query clause to be an "AND" clause?
|
Choose more than one item in the list, and verify that "all" is selected in the Clause Statement.
|
|
How do you set a rule base query clause to be an "NOT" clause?
|
Choose at least one item in the list, and verify that "Negate" is checked.
|
|
Is it true that the default rule base query matches "any" and groups if the selected item is included in the group? If so, can that be disabled?
|
Yes. Yes.
You can disable the default behavior by choosing Explicit in the Query Clause. |
|
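Worked example (added here; not part of the original card set and not Check Point code) of the query-clause semantics from the last few cards: "at least one" is an OR over the chosen items, "all" is an AND, "Negate" inverts the clause, and by default a cell containing Any, or a group that contains the chosen object, also matches unless "Explicit" is selected. Rules that the query hides are still enforced, so the function only filters what is displayed. The object, group and rule names are constructed.

```python
"""Matching semantics of a SmartDashboard rule-base query clause.
Added example with constructed objects, groups and rules."""

# Constructed group definitions; groups may nest.
GROUPS = {
    "Web_Servers": {"www1", "www2"},
    "Servers": {"Web_Servers", "db1"},
}


def expand(obj):
    """Flatten an object (or nested group) into its set of leaf members."""
    if obj not in GROUPS:
        return {obj}
    members = set()
    for member in GROUPS[obj]:
        members |= expand(member)
    return members


def cell_contains(cell, item, explicit=False):
    """Does a rule cell (a set of object names) match `item`?

    Default behaviour: an exact entry, Any, or a group containing the item all
    match.  With `explicit` only an exact entry matches."""
    if item in cell:
        return True
    if explicit:
        return False
    if "Any" in cell:
        return True
    return any(item in expand(member) for member in cell)


def clause_matches(cell, items, statement="at least one", negate=False, explicit=False):
    """`statement` is "at least one" (OR) or "all" (AND); `negate` is NOT."""
    hits = [cell_contains(cell, item, explicit) for item in items]
    result = all(hits) if statement == "all" else any(hits)
    return result != negate


def run_query(rules, column, items, **options):
    """Names of the rules the query leaves visible.  Hidden rules are still
    installed and enforced; a query never changes the policy."""
    return [rule["name"] for rule in rules if clause_matches(rule[column], items, **options)]


# Constructed rule base: each column is the set of objects in that cell.
RULES = [
    {"name": "Stealth", "src": {"Any"}, "dst": {"GW"}, "svc": {"Any"}},
    {"name": "Web in", "src": {"Any"}, "dst": {"Web_Servers"}, "svc": {"http", "https"}},
    {"name": "DB", "src": {"www1", "www2"}, "dst": {"db1"}, "svc": {"sqlnet"}},
    {"name": "Admin", "src": {"mgmt"}, "dst": {"Servers"}, "svc": {"ssh"}},
    {"name": "Cleanup", "src": {"Any"}, "dst": {"Any"}, "svc": {"Any"}},
]

if __name__ == "__main__":
    print(run_query(RULES, "dst", ["www1"]))                       # Any and group matches included
    print(run_query(RULES, "dst", ["www1"], explicit=True))        # only exact cell entries
    print(run_query(RULES, "src", ["www1", "www2"], statement="all", explicit=True))
    print(run_query(RULES, "svc", ["ssh"], negate=True, explicit=True))
```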
What are the steps for opening a Network Object query?
|
Search > Query Network Objects
|
|
What are the steps for opening a rule base query?
|
Search > Query Rules
or right-click a column header in the Rule Base and choose Query. |
|
(T/F) You cannot create a group using the Network Object query function.
|
False. After clicking apply, click "Define query results as group"
|
|
What are the 3 options for sorting in the Object Tree and Object List panes?
|
Type
Name
Color |
|
What is included when using Database Revision Control to backup your policies?
|
All Policies, objects, users, global properties, and SmartDefense settings.
|
|
(T/F) You can create a database-revision entry with unsaved changes in SmartDashboard
|
False
|
|
(T/F) You can configure SmartDashboard to create a database-revision entry whenever policy is pushed.
|
True
|
|
NAT is defined in what RFC?
|
3022
|
|
What are the main reasons enterprises employ NAT? (3)
|
Private IP addresses are used in internal networks.
Limiting the number of external network addresses.
Ease and flexibility of network administration. |
|
(T/F) Network Address Translation can be used to translate either IP address in a connection
|
True
|
|
In NAT, translating the "client" address initiating a connection is called:
|
Source NAT
|
|
In NAT, translating the address of the machine receiving the connection is called:
|
Destination NAT
|
|
What type of NAT is a many-to-one relationship?
|
Hide NAT
|
|
What type of NAT has multiple hosts represented by a single IP address?
|
Hide NAT
|
|
What is another name for Hide NAT?
|
Dynamic NAT
|
|
What type of NAT is a one-to-one relationship?
|
Static NAT
|
|
In CP, what kinds of objects can NAT be configured on? (5)
|
Hosts, nodes, networks, address ranges, and dynamic objects.
|
|
What does Static NAT allow?
|
Connections can be initiated internally or externally.
|
|
What do Manual NAT rules allow? (2)
|
Translation of both source and destination.
Translation of services. |
|
What are the Class A private network addresses?
|
10.0.0.0 - 10.255.255.255
|
|
What are the Class B private network addresses?
|
172.16.0.0 - 172.31.255.255
|
|
What are the Class C private network addresses?
|
192.168.0.0 - 192.168.255.255
|
|
Which address is translated in Hide NAT?
|
source
|
|
In the fw monitor inspection points i, I, o, O, where is the packet processed by the firewall kernel?
|
Between i (pre-inbound) and I (post-inbound), and between o (pre-outbound) and O (post-outbound).
|
|
For a server side translation, where does the translation occur? (i, I, o, O)
|
O
|
|
What CLI command is used to view packets on the gateway?
|
fw monitor
|
|
How does the Gateway handle packets from overlapping IP networks coming from different interfaces?
|
Packets are translated to a virtual IP network and then translated back to their original address when leaving the Gateway.
|
|
What was required when server-side translation was the default for destination NAT?
|
A host route on the Gateway to route the packets to the desired server, because the destination was still the public address when the routing decision was made.
|
|
Since NGX what is the default NAT method for Destination NAT? (client side/server side)
|
client side
|
|
For a client side translation, where does the translation occur? (i, I, o, O)
|
I
|
|
For Static NAT defaults in R70, the original packet has the destination translated at ___ and the reply packet has the source translated at____.
|
I, O
|
|
What type of NAT should not be used if the port number cannot be changed?
|
Hide NAT
|
|
When an external server must distinguish between clients based on their IP address, what type of NAT should be used?
|
Static
|
|
What type of NAT should be used if connections must be initiated from external sources?
|
Static
|
|
In Hide NAT, it is possible to hide behind: (2)
|
The interface of the gateway
A specified IP address |
|
What is the the benefit of using the Gateway address for hide NAT?
|
If the external IP address changes then the NAT rules do not need to be changed.
|
|
In what 3 areas can NAT be configured?
|
Global Properties
Object Properties
Address-translation rules |
|
What is the global NAT setting that configures Gateways to check all NAT rules to see if there is a source match in one rule and a destination match in another and applies both concurrently?
|
Allow bi-directional NAT
|
|
What is the global NAT setting that forces the translation of destination IP addresses in the kernel nearest the client?
|
Translate Destination on the client side.
|
|
What is the global NAT setting that automatically updates ARP tables on Security Gateways so they accept packets whose destination addresses differ from the addresses configured on its interfaces?
|
Automatic ARP configuration
|
|
What ARP setting in Global Properties configures gateways to maintain the definitions of both the local.arp file and entries related to Automatic ARP configuration?
|
Merge manual proxy ARP
|
|
What happens if Automatic ARP configuration is enabled and Merge manual proxy ARP is not enabled?
|
Gateways ignore the entries in the local.arp file.
|
|
What happens if Automatic ARP configuration and Merge manual proxy ARP are enabled and there is conflict?
|
The manual configuration is used.
|
|
(T/F) All boxes for NAT Global Properties are checked by default in new installations.
|
True
|
|
(T/F) All boxes for NAT Global Properties are unchecked by default when upgrading from FW-1 4.1 or earlier.
|
True
|
|
What are the 2 elements of address-translation rules?
|
Original packet and translated packet.
|
|
What is the purpose of the original packet element of address-translation rules?
|
To identify which packets match a rule.
|
|
What is the purpose of the translated packet element of address-translation rules?
|
To define how the Gateway will modify the packets.
|
|
What rules are created when a object is configured for automatic Hide NAT?
|
1. A rule that prevents translation of packets traveling from the translated object to itself.
2. A rule that translates packets from the private addresses to the IP address of the exiting interface (or the configured hiding IP). |
|
(T/F) Automatic hide NAT requires a 3rd rule for reply packets.
|
False
|
|
For Automatic Hide NAT, what is used to modify the destination IP address and destination port of reply packets?
|
The Gateway's state tables.
|
|
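Worked example (added here; not part of the original card set and not Check Point code) tying together the fw monitor inspection points and the automatic NAT cards above: a small gateway model that records the packet at i, I, o and O and reports at which points it changed. Destination translation happens at I with "Translate destination on client side" (the default since NGX) and at O with server-side translation; source translation happens at O; Hide NAT replies are reversed from the connection table rather than by a third rule, and an externally initiated connection to the hide address finds no entry and is left alone, which is why Static NAT is needed for that case. Addresses, ports and the two NAT rules are constructed.

```python
"""Model of the fw monitor inspection points (i pre-inbound, I post-inbound,
o pre-outbound, O post-outbound) and where automatic Hide NAT and Static NAT
rewrite a packet.  Added example; addresses, ports and NAT rules are
constructed for illustration."""
import ipaddress

HIDE_NET = ipaddress.ip_network("10.1.0.0/16")
HIDE_ADDR = "203.0.113.1"                      # hiding behind the gateway's external IP
STATIC = {"192.168.50.10": "203.0.113.10"}     # one-to-one: real address -> public address
STATIC_REV = {pub: real for real, pub in STATIC.items()}


class Gateway:
    def __init__(self, dest_on_client_side=True):
        self.client_side = dest_on_client_side
        self.fwd = {}        # (orig src, orig sport) -> (hide addr, hide port)
        self.rev = {}        # (hide addr, hide port) -> (orig src, orig sport)
        self.next_port = 10000

    def _translate_destination(self, p):
        # Static NAT: public address back to the real server, so connections
        # can be initiated from outside.
        if p["dst"] in STATIC_REV:
            p["dst"] = STATIC_REV[p["dst"]]
        # Reply to a hidden host: the state table supplies the original address
        # and port.  An externally initiated connection to the hide address has
        # no entry and is left untouched.
        elif (p["dst"], p["dport"]) in self.rev:
            p["dst"], p["dport"] = self.rev[(p["dst"], p["dport"])]

    def _translate_source(self, p):
        src, dst = ipaddress.ip_address(p["src"]), ipaddress.ip_address(p["dst"])
        if p["src"] in STATIC:
            p["src"] = STATIC[p["src"]]
        elif src in HIDE_NET and dst not in HIDE_NET:
            # Automatic Hide NAT rule 2: many-to-one, so the source port is
            # rewritten too and the mapping is kept for replies.  Rule 1 (no
            # translation from the hidden network to itself) is the
            # 'dst not in HIDE_NET' condition above.
            key = (p["src"], p["sport"])
            if key not in self.fwd:
                self.fwd[key] = (HIDE_ADDR, self.next_port)
                self.rev[self.fwd[key]] = key
                self.next_port += 1
            p["src"], p["sport"] = self.fwd[key]

    def traverse(self, pkt):
        """Return (packet after O, trace of the packet at i, I, o, O)."""
        p = dict(pkt)
        trace = [("i", dict(p))]
        if self.client_side:
            self._translate_destination(p)   # client side: destination changed at I
        trace.append(("I", dict(p)))
        trace.append(("o", dict(p)))         # routing happens between I and o
        if not self.client_side:
            self._translate_destination(p)   # server side: destination changed at O
        self._translate_source(p)            # source NAT is always on the way out
        trace.append(("O", dict(p)))
        return p, trace


def changed_at(trace):
    """Inspection points at which the packet differs from the previous point."""
    return [point for (_, before), (point, after) in zip(trace, trace[1:]) if before != after]


def run(gw, **pkt):
    final, trace = gw.traverse(pkt)
    return final, changed_at(trace)


if __name__ == "__main__":
    gw = Gateway()
    print(run(gw, src="10.1.5.5", sport=40000, dst="198.51.100.7", dport=80))      # Hide NAT at O
    print(run(gw, src="198.51.100.7", sport=80, dst="203.0.113.1", dport=10000))   # reply reversed at I
    print(run(gw, src="198.51.100.9", sport=5555, dst="203.0.113.10", dport=443))  # Static NAT at I
    print(run(Gateway(dest_on_client_side=False),
              src="198.51.100.9", sport=5555, dst="203.0.113.10", dport=443))      # server side: at O
    print(run(gw, src="198.51.100.9", sport=5555, dst="203.0.113.1", dport=22))    # no state: untouched
```

With server-side translation the destination is still the public address when routing happens between I and o, which is the reason for the host route mentioned in the earlier card; with client-side translation the real address is already in place at I and normal routing suffices.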
What is the best practice regarding external IP addresses for Hide NAT?
|
The NAT IP should not be the interface IP.
|
|
(T/F) The Hide or Static NAT address should be on the same subnet as the interface IP.
|
True
|
|
(T/F) The address-translation rules added for automatic Static NAT are the same as for Hide NAT.
|
False. Both rules are translating rules in automatic Static NAT.
|
|
What is the only global property for Manual NAT rules?
|
Translate destination on client side
|
|
What must be considered when creating a manual NAT rule? (3)
|
Anti-spoofing issues
ARP entries
Routing-table entries |
|
What ARP table editing must be done for Hide NAT when the Security Gateway is in the Translated Packet Source field?
|
None
|
|
What ARP table editing must be done for Hide NAT hiding behind an address not assigned to the Security Gateway?
|
Add ARP table entry for the hiding address.
|
|
What ARP table editing must be done for Static NAT?
|
Add an ARP table entry for each translated (public) address.
|
|
As long as ____________________ is implemented, no anti-spoofing issues exist with Manual NAT rules.
|
client-side translation
|
|
(T/F) If client-side translation is not implemented for Manual NAT Rules, traffic flow should be used to determine which IP addresses will be seen on which interfaces to properly configure anti-spoofing.
|
True
|
|
Where can an administrator configure a list of multicast address ranges to accept or drop?
|
The Multicast Restrictions tab in the Interface Properties window.
|
|
(T/F) A rule is required in the rule base to allow configured multicast groups.
|
True
|