168 Cards in this Set

  • Front
  • Back
(True/False) Management High Availability does not require all participating servers to have the same OS.
False
(True/False) Management High Availability does not require all participating servers to have the same OS version.
True
Which databases are stored on both the active SCS and the backup SCSs.
database of objects and users, policy information, and ICA files.
(T/F) Security gateways can fetch policy and retrieve a CRL from a standby SCS.
True
In Management HA, which SCS is designated as the primary SCS.
The first one installed.
In Management HA, once the primary SCS has been installed, how must all subsequent SCSs be designated.
They must be designated as secondary SCSs.
(T/F) In Management HA, once the primary SCS has been designated, it will always be the active SCS unless it has failed.
False. Once the servers are installed (primary or secondary) they are referred to by their role in HA, active or standby.
What is required for Management HA?
The active SCS and at least one standby SCS.
In Management HA, what is required for the secondary SCS to be considered ready
It is configured on the primary SCS by a network object, SIC, and a manual synchronization.
What is likely to happen if work is done on more than one active SCS?
One of the databases is overwritten upon synchronization.
In Management HA, what does the synchronization status indicate?
The status of the peer SCS in relation to that of the selected SCS.
In Management HA, where can synchronization status be viewed?
In the Management HA Servers window or in SmartView Monitor.
In Management HA, what does the status "Never been synchronized" mean?
The peer has not yet undergone the first manual synchronization.
In Management HA, what does the status "Synchronized" mean?
The peer is properly synchronized.
In Management HA, what does the status "Lagging" mean?
The peer has not been properly synchronized.
In Management HA, what does the status "Advanced" mean?
The peer is more up to date.
In Management HA, what does the status "Collision" mean?
The active SCS and the peer have different installed policies and databases. A manual sync must be performed.
(T/F) In Management HA, when there is a Collision status, CA changes, such as the issuance of certificates, made by one server are overwritten during a manual sync.
False
What Check Point product distributes network traffic between groups of redundant VPN-1 Gateways, and provides transparent failover between machines in a group?
ClusterXL
In ClusterXL, when one gateway fails, and another immediately takes its place, maintaining the failed gateway's connections, this is called...
High Availability (HA)
(T/F) In ClusterXL, HA does not need to be enabled on both gateways.
False
What are the two networking conditions that must be satisfied when implementing ClusterXL
1) A mechanism must be established to redirect traffic from the failed FW to the backup FW.

2) State synchronization must be configured.
ClusterXL provides transparent failover, zero downtime when using state sync, enhanced throughput in load sharing modes, and transparent upgrades. How many of the previous criteria are true?
All 4.
(T/F) In ClusterXL, load sharing involves common interfaces.
False
(T/F) In ClusterXL High Availability, only 1 member of the cluster is active at any one time.
True
In ClusterXL HA Legacy mode, what do cluster members share with regard to interfaces?
Identical IP and MAC addresses.
In ClusterXL, does moving from a single gateway configuration to an HA Legacy mode cluster require IP and routing changes?
No
In ClusterXL, which mode does not support all hardware?
Not all routers are supported in Load Sharing Multicast
In ClusterXL, which mode requires Performance Pack or SecureXL Turbocard to support SecureXL.
Load Sharing Multicast
(T/F) In ClusterXL, state sharing is mandatory for Legacy and New High Availability.
False
(T/F) In ClusterXL, state sharing is mandatory for both Load Sharing modes.
True
(T/F) In ClusterXL, all modes support VLAN tagging.
True
In ClusterXL, what is required for New HA mode to maintain connections through failover?
Check Point's State Synchronization.
In ClusterXL HA one gateway is in active mode, the other gateway/s is/are in...
Standby mode.
In ClusterXL Legacy HA, what is the network requirement for the SCS.
It must be connected to an unshared cluster network, i.e., the sync network or a dedicated management network.
(T/F) In ClusterXL New HA, the active member is not responsible for routing and filtering all traffic directed at the cluster.
False
In ClusterXL New HA, how are member priorities set?
In the Cluster Members dialog box of the Gateway Cluster Properties window. The topmost member has the highest priority.
In ClusterXL New HA, how are changes in the connection and state tables communicated to the standby members?
The active cluster member is responsible for informing the standby members of any changes.
In ClusterXL New HA, what happens when the cluster detects a problem with the active member that is severe enough to cause a failover?
The cluster passes the role of active member to the standby member with the highest priority.
In ClusterXL New HA, what happens when the cluster detects a problem with one of the standby members?
It is not considered for the role of active member in the case of a failover.
In ClusterXL Load Sharing Multicast, which member/s receives all packets sent to the cluster IP address?
A router or L3 switch forwards packets to all members using multicast.
In ClusterXL Load Sharing Multicast, how does the cluster decide which member handles the packet.
It uses the ClusterXL decision algorithm.
What hardware is required for ClusterXL Load Sharing Multicast.
Routers and switches that will accept a multicast MAC address.
In ClusterXL Load Sharing Unicast, which member/s receives all packets from a router with a unicast configuration?
The Pivot.
In ClusterXL Load Sharing Unicast, how is the Pivot chosen?
Automatically by ClusterXL.
In ClusterXL Load Sharing Unicast, which member is responsible for redistributing packets to other machines in the cluster
The Pivot.
In ClusterXL Load Sharing Unicast, which of the following does the Pivot participate the least in:
1) Communicating with the router.
2) Redistributing packets to other members.
3) Load sharing
4) Implementing load sharing and redundancy
3) Load sharing
(T/F) ClusterXL Load Sharing Unicast does not work with all routers and Layer 3 switches.
False
What are the steps in Pivot Mode?
1) The pivot is assigned to receive all traffic.
2) The pivot analyzes the packet
3) The pivot decides which member will handle the packet
4) The pivot forwards the packet to the chosen member
5) analysis and inspection
(T/F) The Pivot may decide to handle packets itself.
True
(T/F) The Pivot acts as a cluster router for both the internal network outwards, and vice versa. This also applies to DMZs
True
CCP runs on which port?
UDP 8116
The roles of CCP are: (2 answers)
1) Allows cluster members to report and learn states.
2) State synchronization
(T/F) CCP is used by all ClusterXL modes, but not OPSEC clusters.
False. CCP is used by all ClusterXL modes, and OPSEC clusters.
(T/F) You need to add a rule that accepts CCP
False
(T/F) It is necessary to sync the clocks of cluster members
True
What is used to specify which services are synchronized
Selective Synchronization
Selective Synchronization should only be used in ClusterXL configurations that do not include:
Asymmetric routing.
Name 2 good candidates for selective synchronization.
HTTP and DNS (Over
Name criteria that would make a service a good candidate for selective synchronization.
Connections are short lived, and recoverable at the application layer.
Where do you exclude a service from synchronization?
Advanced properties of the service itself.
Which types of services are eligible for selective synchronization? (3 answers)
TCP, UDP, and user defined services.
(T/F) All services are synchronized by default.
True
It is suggested that you make sure the Synchronization network is secured against both malicious and unintentional interference by: (2 answers)
1) Using a dedicated network.
2) Connecting the network interfaces of cluster members directly using crossover cables (2 members) or a dedicated hub/switch.
(T/F) It is not possible to define more than one sync network.
False
(T/F) It is recommended that the backup sync network be a dedicated network.
True
Which VLAN tag of a VLAN interface is supported for a synchronization network (R65)?
the lowest VLAN tag.
Synced members of a cluster update each other with their state information at least every ___ milliseconds.
100
Under heavy loads, synchronization occurs more or less frequently?
more frequently
Connections initiated within ___ milliseconds of a failure will likely be lost.
50
Full state sync is handled by?
fwd
Delta sync is handled by?
VPN01 kernel.
What are the two modes of state sync?
Full and Delta.
(T/F) Full sync transfers all VPN-1 table information from one member to another.
True
(T/F) Delta sync transfers all VPN-1 table information from one member to another.
False. Delta sync transfers CHANGES in the kernel tables.
Full sync uses what kind of connection?
encrypted TCP
Delta sync uses what kind of connection?
UDP multicast/broadcast on port 8116.
When is full sync used? (2 answers)
Initial transfers of state information and when a member is brought back up after failing down.
Once all members are synchronized, what type of sync is used?
Delta sync.
How are state sync packets distinguished between other CCP traffic?
via an opcode in the UDP header.
(T/F) It is not possible to have a synchronized and an unsynchronized version to be used selectively in the Rule Base.
False
What are the conditions that are required to not sync a service? (2 answers)
1) SecureXL is enabled on the gateway.
2) Templates are offloaded from the CXL enabled device.
(T/F) Only cluster members running on the same platform can be synced.
True
(T/F) Cluster members do not need to be of the same software version to be synced.
False
(T/F) User auth connections through a cluster member will be lost if it fails
True
(T/F) Client/Session auth connections through a cluster member will not be lost if it fails
True
User auth state is maintained where?
on Security Servers (processes that cannot be synced)
Client/Session auth connections are maintained where?
kernel tables (can be synced)
State of connections using resources is maintained where?
Security Servers (processes that cannot be synchronized)
What happens to accounting information that was accumulated on the failed member, but not reported to the SCS?
It is lost.
How do you minimize the amount of accounting information that might be lost if a failed member does not report it?
Reduce the period in which accounting information is flushed.
Logs & Masters > Additional Logging. Configure "Update Account Log Summary"
Sticky connections are handled by how many cluster members?
1
What is the primary purpose of sticky connections?
Enables certain services to operate in a Load Sharing deployment.
(T/F) VPN deployments with 3rd party VPN peers are supported by enabling the Sticky Decision Function.
True
(T/F) SecureClient/SecureRemote/SSL Network Extender encrypted connections, including SecureClient Visitor Mode, are supported by enabling the Sticky Decision Function.
True
(T/F) Sticky Decision Function is supported when employing either Performance Pack or a hardware based accelerator card.
False. NOT supported
(T/F) When Sticky Decision Function is used, VPN-1 cluster members are not prevented from opening more than one connection to a specific peer.
False. ARE prevented.
What is the command to enable the HA feature.
cphastart. On WinNT it is not run when the gateway is started; on Solaris it is part of the cpstart script.
What command disables the HA feature?
cphastop
What command defines critical processes?
cphaprob
what command displays information about HA machines and their states?
fw hastat <target>. Local if no target.
Problems relating to functionality of the CXL product should be debugged based on?
1) error messages generated by CXL
2) a snoop of port 8116.
What are the 6 steps to setting up a kernel debug?
1. Set debug flag to 0 (fw ctl debug 0)
2. Allocate buffer for messages generated by the kernel (fw ctl debug -buf)
3. Set a debug flag to misc (fw ctl debug misc)
4. run debug (fw ctl debug -f > <filename>)
5. Ctrl-C
6. Set debug flag to 0 (fw ctl debug 0)
What command do you use to verify State Synchronization is working?
fw ctl pstat
When running a fw ctl pstat, high numbers of retransmission requests could be a sign that:
The unit is under high load and may not be syncing properly.
When running a fw ctl pstat, "dropped by net" can indicate:
network congestion
What is the optimum range of Callback Avg. Delay when running a fw ctl pstat?
1-5. Larger numbers indicate heavy load of sync traffic which can increase latency.
Why is it important to separate secured networks of each SXL cluster?
Different versions of CCP are incompatible and each hears the other's 8116 traffic.
Which version remains operational when there are different versions of CCP on the same network?
The oldest version.
What do higher versions of CCP do when there is a lower version on the same network?
They stop passing CCP traffic and report a problem.
What is the recommended configuration for multiple SecureXL clusters?
Each cluster should have its own hub, VLAN or switch where applicable.
What mode of ClusterXL supports SecureXL Performance Pack ?
Legacy HA only.
What happens when the crossover cable used for sync is disconnected?
Both members report link-down and change state to down. Special code is needed to keep this from happening.
T/F - Management HA supports Load Sharing
false
T/F - SmartCenter Servers in HA must be the same operating system?
true
What identical information is stored on both Active and Standby SmartCenter Servers?
Various databases in the corporate organization, such as the database of objects and users, Policy information, and ICA files.
If the Active SCS is down, what must happen before a Security Policy can be edited or installed?
A Standby SCS must become Active
T/F - Certain operations that are performed by the Security Gateway via the active SCS, such as fetching a Security Policy or retrieving a CRL from the SCS, can be performed on a Standby SCS
true
What three things must be done to make a secondary SCS ready?
1) It is represented on the primary SCS by a network object

2) SIC has been initialized between it and the primary SCS

3) Manual synchronization has been done with the primary SCS for the first time
Why should you not work with more than one active SCS?
When the SmartCenter Servers synchronize, one of the databases is overwritten
Where can you find the synchronization status of SmartCenter Servers?
SmartView Monitor > Management High Availability Servers
What does Lagging mean in SCS synchronization status?
The peer SCS has not been synchronized properly. For instance, if the active SCS has undergone changes since the previous synchronization (objects edited or the Security Policy newly installed), the information on the standby SCS is lagging.
What does Advanced mean in SCS synchronization status?
The peer SCS is more up to date.
How do you resolve a SCS synchronization status of Advanced?
Change the active SCS to a standby SCS, making the Advanced SCS active. On the more advanced SCS, perform a "synch me" operation. Now each SCS has the most up-to-date info.
What does Collision mean in SCS synchronization state?
The active SCS and its peer have different installed Policies and databases. The administrator must perform a manual synchronization and decide which of the SCSs to overwrite.
When resolving a SCS Collision state when changes have been made by the CA, how is a security breach avoided?
Any CA changes are merged to eliminate security issues.
What two networking conditions must be satisfied when implementing a ClusterXL configuration?
A mechanism must be established for redirecting traffic from a failed gateway to a backup gateway

State synchronization between gateways must be configured, so backup gateways are able to continue connections originally handled by the failed gateway
What are the four ClusterXL modes?
High Availability
New High Availability
Load Sharing Multicast
Load Sharing Unicast
Before what version was High Availability Legacy mode the only available HA mode?
NG FP3
What is the recommended mode for HA?
HA New mode
What are the properties of cluster members in Legacy HA mode?
Identical IP and MAC addresses, so that the active cluster member receives from a hub or switch all the packets that were sent to the cluster IP address
In HA New mode, how many cluster members may be "active"
1
The cluster's virtual IP addresses are associated with the physical network interfaces of which machine?
The active member
In HA New mode, how does the virtual IP address associate with the correct member?
ARP with the active member's MAC
In the Cluster Members dialog box of the Gateway Cluster Properties window, how can you tell which member has the highest priority?
The topmost member
What happens if a standby cluster member encounters a problem in New Mode HA?
It is not considered for the role of active members
In Load Sharing Multicast Mode, what forwards packets to all cluster members?
Layer 3 switch or router, using multicast
What is the most efficient Load Sharing mode?
LS Multicast mode
What must the layer 3 switch be able to do in LS Multicast mode?
Accept a multicast MAC address as a response to an ARP request with a unicast IP address
In LS Unicast mode, how is the Pivot chosen?
Automatically by ClusterXL
What does the router (next hop) use in LS Unicast?
The Pivot's unicast MAC address
What protocol and port number does the Cluster Control Protocol use?
UDP 8116
What are two functions of CCP?
Allows cluster members to report their own states and learn about the states of other members by sending keep-alive packets

State synchronization
In ClusterXL, what needs to be added to the Rule Base to allow CCP?
nothing
What is the purpose of Selective Synchronization?
In high-traffic networks, synchronization can adversely affect gateway performance, and can cause congestion on the sync network
T/F - Selective synchronization should only be used in ClusterXL configurations that have asymmetric routing
False, ...that do NOT have asymmetric routing (pg 311)
Where can you configure a service to be excluded from synchronization?
The Advanced properties of the service itself
What types of services can selective synchronization be implemented on?
TCP, UDP, and user-defined services
What are the two recommended methods of connecting your sync network?
Dedicated hub/switch

Crossover cable
If you have multiple VLAN tags on your sync network interface, which VLAN tag is supported by CP?
The lowest VLAN tag (pg 312)
Synchronized members of a gateway cluster update each other with their state information at least every ___ milliseconds?
100
What are the two modes of state synchronization?
Full sync - all kernel table info, handled by fwd, using encrypted TCP

Delta sync - transfers changes in the kernel tables between cluster members, handled by the kernel, using UDP multicast or broadcast on port 8116
When does a full sync occur?
When a cluster member is brought up
About how much of all CCP traffic is state synchronization?
90%
How are state synchronization packets distinguished from the rest of CCP traffic?
Via an opcode in the UDP data header
Synchronization has some performance cost. You can decide not to synchronize a service if what two conditions are true?
This capability is only available if a SecureXL enabled device is installed on the gateway through which the connection passes

The setting is ignored if connection templates are not offloaded from the ClusterXL enabled device
T/F - Cluster members must be on the same platform to synchronize
true
T/F - Cluster members on the same platform, but different versions, can still be synchronized
False, must be same platform and version
Which of the following connections will continue through a synchronized failover:
User Auth
Client Auth
Session Auth
Client Auth
Session Auth

[(page 314) - User Auth connection will be lost]
Why can User Authentication state not be synchronized?
User Authentication state is maintained on Security Servers, which are processes, and cannot be synchronized like kernel data
Can connections using resources be synchronized?
Nope, they are maintained in a Security Server, which is a process, not the kernel
What connection types require the Sticky Decision Function in order to work?
L2TP traffic
VPN deployments with third party VPN peers
SecureClient/SR/SNX encrypted connections
What are the limitations of the Sticky Decision Function?
Not supported when employing either Performance Pack or a hardware based accelerator card. Enabling Sticky disables these products

When used, cluster members are prevented from opening more than one connection to a specific peer. Opening another connection would cause another SA to be generated, which a third party peer would not be able to process, in many cases
What does fw hastat do?
Displays information about HA machines and their states.
How do you allocate a buffer for all messages generated by the kernel in debugging?
fw ctl debug -buf
What does fw ctl pstat do?
It is one of the tests to verify state synchronization is working.
In fw ctl pstat, how does the "queue" counter get increased?
The sync packet is received with a sequence number that is not just following the previously processed sync packet

The sync packet is fragmented. This is used to solve MTU restrictions. This figure is never decreased. Therefore, it is OK to have a non-zero value
In what modes of ClusterXL is SecureXL supported?
HA Legacy mode only