276 Cards in this Set
- Front
- Back
What does VSX stand for?
|
Virtual System Extension
|
|
How do you move between VS's from the command line on a VSX gateway?
|
vsx set <vs #>
|
|
What command will give you a summary of each VS running on a VSX gateway?
|
vsx stat
|
|
How many expansion slots are available on a VSX-1?
|
Two
|
|
What expansion line cards are available for a VSX gateway?
|
1000BaseT line card
1GbE Multi-mode SR fiber optic line card
1GbE Single-mode LR fiber optic line card
10GbE Multi-mode SR fiber optic line card
10GbE Single-mode LR optic line card
|
|
True/False - The VSX-1 9000 and 11000 series appliances have two hard drives running RAID 0
|
False - running RAID 1
|
|
Define a Virtual Device
|
Generic term for any VSX virtual network component
|
|
Define Virtual System
|
Virtual device that provides the functionality of a physical gateway, with full firewall, VPN, and IPS functionality
|
|
Virtual System in the Bridge Mode
|
A VS that implements native layer-2 bridging instead of IP routing, thereby enabling deployment of Virtual Systems in an existing topology without reconfiguring the IP routing scheme
|
|
Virtual Switch
|
Virtual device that provides the functionality of a physical switch in a VSX deployment
|
|
Virtual Router
|
Virtual device that provides the functionality of a physical router in a VSX deployment
|
|
Virtual interface
|
Virtual device that provides the functionality of a physical interface on a virtual device
|
|
Warp (wrp) link
|
A virtual interface created automatically in a VSX topology. Provides a point-to-point connection between the Virtual Systems and the Virtual Switch
|
|
How many virtual devices can be deployed on a single VSX gateway or VSX cluster?
|
250 virtual devices
|
|
Define Virtual System Load Sharing (VSLS)
|
Provides the ability to distribute VS's across cluster members, effectively distributing Virtual System traffic load within a cluster.
|
|
Define VSX Resource Control
|
Allows administrators to manage the processing load by guaranteeing that each Virtual System will receive its minimum CPU allocation.
|
|
Define VSX QoS Enforcement
|
Provides the ability to control network quality of service in the VSX network environment by supporting the Differentiated Services (DiffServ) protocol and assigning transmission characteristics to different classes of service
|
|
What is Active/Standby Bridge Mode?
|
Enables failover in a VSLS deployment running in Bridge mode
|
|
What two standards are available for link bonding (link aggregation)?
|
IEEE 802.3ad or the Balance-XOR standard
|
|
What method of trunking is used in a layer-2 deployment?
|
802.1q trunking
|
|
What are the three principal interface types in VSX?
|
Physical interface, VLAN interface, and Warp Link (including unnumbered interfaces)
|
|
What prefix does the name of a warp interface created on the Virtual System side have?
|
wrp
|
|
What prefix does the name of a warp interface created on the Virtual Router/Switch side have?
|
wrpj
|
|
True/False - when connected to a virtual switch, VSX also assigns a unique MAC address to each Warp Link
|
True
|
|
Describe an unnumbered interface
|
A warp link connected to a virtual router can "borrow" an existing IP address from another interface, instead of assigning a dedicated address to the interface leading to a Virtual router
|
|
What are the limitations of using a borrowed (unnumbered) interface?
|
- Unnumbered interfaces must be connected to a Virtual Router
- You can only "borrow" an individual interface IP once
- In order to use VPN or Hide NAT, the borrowed address must be routable
|
|
What are the three basic VS connection scenarios?
|
- VS directly connected to a physical or VLAN interface
- Virtual System connected via a Virtual Switch
- Virtual System connected via a Virtual Router
|
|
How does route propagation work?
|
This feature enables network nodes located behind neighboring Virtual Systems to communicate without the need for manual configuration
|
|
What do routes that are added through route propagation using a Virtual router look like in the VR routing table?
|
Each entry contains a route pointing to the destination subnet using the Virtual System router-side Warp Interface (wrpj) as the next hop.
|
|
How does route propagation with a Virtual Switch function?
|
VSX propagates routes by automatically adding entries to the routing table in each Virtual System. Each entry contains a route pointing to the destination subnet using the VS Warp (wrp) Interface address
|
|
What routing protocols are supported by the Virtual routers and virtual switches in VSX?
|
OSPF
RIP-v2
BGP-v4
IGMP
PIM-SM
PIM-DM
|
|
Which cluster environments are supported by VSX?
|
Check Point ClusterXL
Crossbeam X-Series Chassis
Nokia VRRP appliances
|
|
Which two Bridge modes are supported for Cluster XL deployments?
|
STP Bridge mode
Active/Standby Bridge Mode
|
|
What VS configuration just forwards traffic at layer 2?
|
VS in Bridge Mode
|
|
What can a VS in bridge mode NOT do?
|
NAT and VPN
|
|
Why would you have a manually defined topology in VS bridge mode?
|
Anti-spoofing
|
|
What is a router's default policy?
|
Any > Any > Any > Drop
|
|
How many interfaces does a typical VSX gateway cluster have?
|
Four
|
|
What does a VS cluster running in layer 2 mode require in order to avoid loops in a Cluster XL environment?
|
Spanning Tree Protocol
|
|
What are the four typical interfaces on a ClusterXL-enabled VSX gateway?
|
1) CPMI Management
2) Sync Interface
3) External Interface
4) Internal Interface
|
|
What type of switchport can be used to trunk traffic from multiple VLANs to a single interface on the VSX gateway?
|
802.1q compliant interface set to trunking mode
|
|
When are the VLAN tags stripped away from the packet?
|
When the packet leaves the gateway's interface.
|
|
Which two elements of the packet's header are split in order to add the VLAN tag?
|
Source and TTL
|
|
What kind of connection is made when using a warp link?
|
Point-to-Point (Interface mask is a /32)
|
|
Warp interfaces on the VS side are typically named what?
|
wrpX (X = interface number)
|
|
Warp interfaces on the virtual router side are typically named what?
|
wrpjN (where N is a number)
|
|
Where does an unnumbered interface get its IP from?
|
Another interface
|
|
At what two levels are VSX clusters defined?
|
The VSX level and the Virtual system level
|
|
What is the term for how the VSX gateway determines which VS should be responsible for handling traffic?
|
Context Determination
|
|
How many interfaces are required for a VSX gateway clustering configuration?
|
three
|
|
According to the EULA, how many entities can a SCS be responsible for managing?
|
One
|
|
The SmartCenter management model is recommended for managing up to how many Virtual Systems?
|
25
|
|
Where are the three places that alerts would appear if there were a licensing violation?
|
Syslog messages, pop-up in MDG, audit alerts in Tracker
|
|
What command upgrades VSX Gateways/Clusters to NGX from the management server? What else is required to perform this?
|
vsx_util upgrade
Also requires the NGX R67 CD or ISO
|
|
If you are running Intel Xeon processors on the server running VSX, what processing feature does CP recommend enabling?
|
Hyperthreading
|
|
What 4 platforms support VSX?
|
SPLAT, Crossbeam XOS, Nortel ASF, and IPSO
|
|
When a new device is provisioned to the gateway, is a SIC certificate generated?
|
Yes
|
|
Does each VS contain its own kernel tables, such as NAT, connections, and state?
|
yes
|
|
What are the five tables unique to all VS's?
|
1) State
2) NAT
3) Connections
4) Routing
5) Interface
Acronym: SNICR
|
|
If a VSX Gateway has a dedicated Management interface, what acts as the NOC firewall?
|
Management Virtual System (MVS)
|
|
Is traffic directed through a VR inspected by the VR if the source or destination of the traffic is not the VR itself?
|
NO
|
|
What channel is used by the VSX management server to push policy to Virtual Devices over SIC?
|
Security Management Channel (SMC)
|
|
What channel is used by the VSX management server to create and edit virtual devices?
|
Provisioning and Network Configuration Channel
|
|
What are the two types of processes on a VSX gateway?
|
Multi-context and single-context
|
|
What are the multi-context processes on a VSX gateway?
|
cpd - fwd - cplogd
|
|
What type of process is shared by all VS's?
|
Multi-context
|
|
What on a VS keeps all the IPs, Interfaces, interface tables, and forwarding information and is independent from other VS's?
|
Virtual IP stack
|
|
How many interfaces are required (typically) for a VS?
|
Two
|
|
What IP should be set as main on a VS?
|
The external IP
|
|
Is an IVR (Internal Virtual Router) able to perform source based routing?
|
Yes
|
|
Can you configure anti-spoofing when using source based routing?
|
No
|
|
How many interfaces are you allowed on a VSX gateway?
|
4096
|
|
Is vpnd a single or multi-context process?
|
Single
|
|
Are the virtual switches in a cluster defined as active/active even when the VSX gateway is in standby?
|
Yes
|
|
When a virtual switch connects directly to a physical switch, it may be necessary to configure what settings on the physical switches?
|
Spanning Tree Protocol settings
|
|
A packet is sent through a virtual switch to a VS through what?
|
warp link
|
|
What does the IEEE stand for?
|
Institute of Electrical and Electronics Engineers
|
|
How many bytes in the VLAN tag header?
|
4 bytes
|
|
What VLAN trunking standard did the IEEE introduce?
|
802.1q
|
|
What four fields make up the VLAN tag?
|
1) Tag protocol identifier (TPID)
2) user_priority
3) Canonical Format Indicator (CFI)
4) VLAN Identifier
|
|
How many bytes is the TPID?
|
2 bytes
|
|
What type of value is the TPID?
|
hex (such as 0x8100)
|
|
How many priority levels are there in the User_Priority section of a VLAN tag?
|
8 (0-7)
|
|
user priority is mainly used to help with what?
|
Port Congestion/Reactive Bandwidth Management
|
|
How many bits is the User_Priority binary number in the VLAN tag?
|
3
|
|
The Canonical Format Indicator is a single-bit flag that indicates what?
|
Whether or not the MAC address in the header is standard format
|
|
How many bits is the VLAN identifier?
|
12 bits
|
|
If the VLAN ID is left blank or 0, what is assumed?
|
No VLAN info exists in frame header and switch should rely on user_priority to determine how to handle traffic
|
|
By trunking a port, will it apply or change VLAN tags?
|
No, it will just be aware of the tags
|
|
What are the three types of VLAN memberships?
|
Port-based, MAC address-based, Protocol based
|
|
When VLAN membership is explicit it has to add what to the packets?
|
VLAN tag
|
|
With explicit VLAN membership, what two types of membership does this include?
|
Port-based, Protocol-based
|
|
Which type of VLAN membership uses tables, and can consume bandwidth?
|
Implicit
|
|
STP detects a failure when it stops receiving what?
|
BPDU (Bridge Protocol Data Units)
|
|
Can a VS initiate a failover by blocking BPDUs when using STP?
|
Yes
|
|
A VSX cluster can contain no more than how many members?
|
5
|
|
What are the two levels a VSX gateway is synced at?
|
VSX Gateway - Virtual System/Router
|
|
Do all peers of the cluster need to be identically configured, including interface number and settings?
|
Yes
|
|
Does the sync interface connected to a sync network need to be secure?
|
Yes
|
|
What are the two modes of VSX's synchronization architecture?
|
Full - Delta
|
|
When does full synchronization occur?
|
When a VSX gateway joins a cluster or has been restarted.
|
|
Which process handles full sync?
|
fwd
|
|
Can a VSX gateway configured with Virtual Systems be added or removed from a VSX cluster?
|
No
|
|
How often does delta sync take place?
|
Very
|
|
How much data is sync'd in delta sync?
|
Little
|
|
How does the NGX kernel update other members of the cluster about changes?
|
UDP broadcast or multicasts on port 8116
|
|
When configuring an EVR, do you need a route pointing internal traffic to the EVR's external address?
|
yes
|
|
What does VSLS stand for?
|
Virtual System Load Sharing
|
|
Which type of management interface does CP recommend?
|
DMI (Dedicated Management Interface)
|
|
If you create a non-DMI gateway, can you convert it to have DMI?
|
NO
|
|
Does a VS in bridge mode require IP's when doing VLAN inspection?
|
NO
|
|
The admin guide states that a VSX in bridge mode can enforce anti-spoofing if what?
|
If you manually configure the topology
|
|
If you have a VLAN tag 100 on eth3, what is the virtual interface named?
|
eth3.100
|
|
What are the limitations to unnumbered interfaces?
|
- Must connect to a virtual router
- You can only "borrow" an individual interface IP once
- For VPN and hide NAT, address must be routable.
|
|
Does the management server distinguish between virtual and physical gateways?
|
No
|
|
With the shared interface template, how many interfaces are assigned to the virtual system and how many are assigned to the external interface?
|
One external interface shared by all VS's; a separate internal interface for each VS
|
|
Are the virtual systems affected by the rules made in the VSX gateway wizard for management?
|
No
|
|
When enabling dynamic routing, it is best to disable which option?
|
"Calculate topology automatically based on routing information"
|
|
What command can be used to restore a VSX gateway configuration as well as its virtual device and gateway config?
|
vsx_util reconfigure
|
|
How many interfaces does a virtual device support?
|
64
|
|
Can you create a virtual system in bridge mode with the shared interface template?
|
No
|
|
When is the topology for a clustered virtual system installed on a cluster?
|
Policy Push
|
|
What command enables dynamic routing in the context of a virtual system? And which command starts the dynamic routing daemon?
|
drouter enable <sys_id>
drouter start <sys_id>
|
|
Which command checks the dynamic routing status?
|
drouter stat <vs_id>
|
|
What are the four supported cluster environments?
|
ClusterXL HA, ClusterXL Load Sharing, Crossbeam Systems XOS, Nokia VRRP
|
|
What is the default IP range for internal communications when creating a cluster?
|
192.168.196.0/22
|
|
How do you change cluster priority?
|
vsx_util redistribute_vsls
|
|
Which has a higher vsls priority? 2 or 5?
|
2
|
|
How do you distribute weight among VSX members and what is the default weight?
|
vsx_util redistribute_vsls
default weight is 10
|
|
What are the two bridge mode types?
|
STP bridge mode
Active/Standby bridge mode
|
|
What 5 layer 2 standards does STP support?
|
802.1q, 802.1D, 802.1s, 802.1w, PVST+
|
|
Can STP bridge mode support VSLS?
|
No
|
|
By enabling IP addresses on Active/Standby Bridge mode firewalls, what does this do?
|
Enable layer-3 monitoring
|
|
Which general command is used to modify ClusterXL configuration?
|
vsx_util
|
|
Which command is used to add cluster members?
|
vsx_util add_member
|
|
How do you convert the cluster type?
|
vsx_util redistribute_vsls <same number>
vsx_util convert_cluster
cpstop, then cpstart
|
|
By default, if the middle VLANs go down, would the interface be considered down?
|
No, only when the VLAN listed as highest or lowest goes down.
|
|
How do you view resource utilization for vsx?
|
fw vsx resctrl stat
|
|
Which command is used to enable the QoS configuration?
|
cpqos
|
|
How do you view the interfaces of one VS?
|
fw <vs_id> getifs
|
|
fw monitor -v 2 will only show packets through which system?
|
VS 2
|
|
How do you view the connections table for VS 1?
|
fw -vs 1 tab -t connections -s
|
|
What are some of the features of running a VSX gateway in bridge mode?
|
- Has the same FW capabilities of a VS, except VPN and NAT
- Enables easier configuration of VS's, since no IP addresses or routing info is required.
- Does not segment an existing network
- Must have manually defined topology to enforce anti-spoofing
- Requires spanning tree to prevent loops in a ClusterXL environment
|
|
What are virtual routers used to route?
|
- Packets arriving at the VSX gateway through a shared interface to the relevant Virtual System, based on the source or destination of a packet
- Traffic arriving from Virtual Systems, directed to a shared interface or to other virtual systems
- Traffic to and from network resources, such as DMZs
|
|
True/False - multiple VRs can be configured on a single VSX gateway.
|
True
|
|
What is the function of the DMI?
|
Connects the VSX gateway to the management server when locally managed.
|
|
At what two levels is VSX clustering defined?
|
- VSX Gateway level
- The virtual device level
|
|
Define the Internal communication network.
|
It is a logical network used for communication (not synchronization) between VSX components.
|
|
When is a packet matched against the policy of the Virtual Router?
|
When the packet is actually destined to the virtual router.
|
|
How does the forwarding decision process on a Virtual Switch function?
|
1) The Virtual Switch determines which VS should handle the packet, by matching the destination MAC address inside the packet to an address in the switch's forwarding table.
2) Based on the forwarding decision, the packet is sent to the relevant Virtual System through a Warp Link
|
|
How does the forwarding decision occur on a Virtual Router?
|
1) If the packet is not destined to the Virtual Router itself, the Virtual Router determines which Virtual System should handle the packet by doing a route lookup on the Virtual Router's route table. The route lookup can be destination- or source-based.
2) Based on the route decision, the packet is forwarded to the relevant Virtual System through a warp link.
|
|
Does VSX support overlapping IP address-space?
|
Yes - because each VS maintains separate state and routing tables.
|
|
What is the minimum number of interfaces required for a VSX gateway in a cluster configuration?
|
3 interfaces
|
|
What might be one reason to separate multiple entities into separate CMAs on a Provider-1 server?
|
Separate legal entities
|
|
What does a standard Check Point license include?
|
- The IP address of the machine for which the license is intended.
- A certificate key, a string of 12 alphanumeric characters. The string is unique to each product.
- The expiration date of the license
- SKU/Features, the character string that defines an individual product
|
|
Explain the "MDS Manager License"
|
This license covers the admin access point to the P-1 environment and is bound to the MDS Manager IP address. The MDG can only connect to the MDS machine having a valid manager license.
|
|
Explain the "MDS Container License"
|
This license covers the container hosting the CMAs running on an MDS machine. A container license is bound to the MDS container IP address and covers a specified maximum number of CMAs. Multiple container licenses can be combined on a given MDS container to cover up to a maximum of 250 CMAs.
|
|
Explain the "MDS combined Manager and Container License."
|
This license covers an MDS machine that functions as both a container and a manager. A combined manager and container license is bound to the IP address of the MDS.
|
|
Explain the CMA license of the MDS.
|
Each individual CMA requires its own license, bound to its IP address. CMA licenses cover a predefined number of enforcement points
|
|
Explain the CMA pro Add-on license.
|
Enables additional management features at the CMA level; these can be purchased in bulk and are called Pro Add-ons for MDS
|
|
Explain the Multi-Domain Log Manager (MLM).
|
This is a comprehensive license that enables real-time logging, tracking, and log management for a predefined number of CLMs hosted on the dedicated MLM server. This license is bound to the MLM IP address
|
|
Explain the Customer Log Module license.
|
This license is intended for a single customer with log files hosted on the container MDS only. The license is bound to the CLM's IP address. Individual CLM licenses are not required for CLMs hosted on an MLM server.
|
|
In terms of VSX clustering, what is a peer?
|
A peer is defined as an identical instance of each virtual device on all VSX gateways participating in the cluster.
|
|
Define what the internal communications network is
|
Enables cluster members to communicate and recognize the state of the environment in a ClusterXL environment.
|
|
Will VSX automatically ARP over warp links?
|
NO - so it is critical to add static routes so that the warp links will ARP for static NAT addresses
|
|
Can you add more than one VR to a single VSX gateway?
|
Yes
|
|
If a VSX gateway is protecting multiple customer networks behind a single shared interface, what are some options for configuring VS connectivity?
|
Deploy a Virtual Switch, configure an Internal Virtual Router for source-based routing, or deploy a VLAN solution.
|
|
On a SPLAT VSX gateway, how many interfaces are you allowed?
|
4095
|
|
Which process is the only single-Context VSX process?
|
VPND
|
|
If a VSX Gateway has a dedicated management interface, the MVS will act as what?
|
NOC firewall
|
|
What are the steps to enable advanced routing on a VSX gateway?
|
1) Run the 'pro enable' command and reboot the gateway
2) Enable the advanced routing features through CPCONFIG
3) Enable advanced routing for each VS you wish to have the feature enabled on:
drouter enable <VSID>
drouter start <VSID>
|
|
How do you enter the router configuration mode for a particular VS?
|
router vs <VSID>
|
|
How do you disable advanced routing for a particular VS?
|
drouter stop <VSID>
drouter disable <VSID>
|
|
Based on a Virtual Switch's forwarding decision, a packet is sent to the relevant Virtual System through what?
|
Warp Link
|
|
How large is the VLAN tag header?
|
4-Bytes
|
|
What fields comprise the VLAN tag?
|
- Tag Protocol Identifier (TPID)
- user_priority
- Canonical Format Indicator (CFI)
- VLAN Identifier (VID)
|
|
How large is the user_priority field in an 802.1q VLAN Tag?
|
3 bits
|
|
How large is the 802.1q VLAN identifier field?
|
12 bits; 2^12 - 2 = 4094 available VLANs
|
|
What are the three basic types of VLAN memberships?
|
- Port-based
- MAC address-based
- Protocol-based
|
|
Describe port-based VLANs
|
Membership is determined by the port on which the incoming traffic enters a switch.
|
|
Describe MAC address-based VLANs
|
A table within the switch maintains a record of MAC addresses belonging to each configured VLAN.
|
|
Describe protocol-based VLANs
|
VLAN membership is determined by what Layer 3 protocol is being used by the traffic.
|
|
Compare/contrast explicit vs. implicit VLAN Membership
|
Explicit VLAN membership requires that the switch adds the 802.1Q tag to the frame header.
Implicit VLAN membership is based on pre-configured MAC/VLAN associations that do not require the switch to include the VLAN tag in the frame header.
|
|
Membership in MAC address-based VLAN is considered what?
|
- Implicit
|
|
The standard 802.1q format adds how many bytes to a frame header for VLAN tagging?
|
4 bytes
|
|
Describe some qualities of a Virtual System in Bridge mode.
|
- Has the same firewall-security capabilities of a Virtual System, except for VPN and NAT (NAT modifies layer-3 information).
- Enables easier configuration of Virtual Systems since no IP address or specific routing information is required.
- Does not segment an existing network
|
|
In what type of deployments could a Layer 2 Bridge mode VSX deployment be valuable?
|
- An enterprise deployment
- A service-provider deployment
- A data center deployment
|
|
True/False - VSX supports MPLS
|
False - but using a layer 2 deployment MPLS can run transparently over the top
|
|
True/False - If a critical firewall process fails in the Virtual System, the Virtual System initiates a failover to its peer in the VSX cluster by blocking BPDUs.
|
True
|
|
How many members can participate in a VSX cluster?
|
Five
|
|
Who controls the sync interfaces in a VSX cluster?
|
The MVS on each VSX member
|
|
True/False - the only possible clustering mode in VSX is broadcast
|
True
|
|
What is the Source MAC address of CCP frames in VSX?
|
00:00:00:00:F6:XX
fwha_mac_magic = 246 (in DEC) or 0xF6 (Hex)
|
|
You have a VSX Gateway configured with Virtual Systems. What must be done to add this Gateway to a VSX cluster?
|
A VSX gateway configured with Virtual Systems cannot be added to a VSX cluster.
|
|
A VSX cluster delta synchronization can be in the form of a multicast on what port of the VSX gateway?
|
8116
|
|
What command will failover an HA bond interface?
|
cphaconf failover_bond <bond-name>
|
|
What command will display the status of an interface bond?
|
cphaconf show_bond <bond-name -a>
|
|
True/False - when migrating from an open server to a VSX-1 appliance, you don't need to do anything in order to change the format of the interface names.
|
False - you must use the vsx_util change_interfaces command to change the appliance interface names.
|
|
True/False - all interaction with the QoS module is performed with the cpqos command.
|
True
|
|
What command shows the defined QoS classes?
|
cpqos class show
|
|
What command will show QoS statistics?
|
cpqos stats
|
|
What file controls QoS policy? When is this file created?
|
$FWDIR/database/qos_policy.C
This file is created the first time the cpqos command is run.
|
|
What are the two components to Resource Control?
|
- The Resource Control Monitor
- The Resource Control Enforcer
|
|
What is the function of the Resource Control Monitor?
|
- Keeps track of CPU consumption of each Virtual System. Also provides real-time info on the present and average CPU consumption by the VS on the VSX machine.
|
|
What is the function of the Resource Control Enforcer?
|
Implements the Resource Policy. The Resource Control Enforcer utilizes the data collected by the Resource Control Monitor to implement Resource Policy
|
|
What is the Default Resource Control weight for each VS?
|
10 - so if 5 VS's all were set at the default weight of 10, each Virtual System would be allocated 20% of the available resources
|
|
What file can be edited to manually control VS priorities?
|
$FWDIR/con/resctrl
|
|
What utility should be used when adding a bonded interface?
|
sysconfig
|
|
What is a sample config for a Cisco switch using port-channel for LAG?
|
#conf t
(config)#port-channel load-balance src-dst-ip
(config)#int f0/0-0/1
(config-if)#channel-group 1 mode active
(config-if)#channel-protocol lacp
(config-if)#exit
(config)#int port-channel 1
(config-if)#switchport access vlan #
|
|
What commands should be run to verify that a bond is functioning properly?
|
cphaprob -a if -> Verify bond state is UP
cphaconf show_bond <bond name> -> Check to make sure bond is configured correctly.
|
|
Which file specifies the number of critical interfaces needed for a bond to remain UP?
|
$FWDIR/conf/cpha_bond_ls_config.conf
|
|
True/False - In a bond, the slave interfaces should be configured as disconnected.
|
True - this is accomplished by adding the physical interface names contained in the bond to the $FWDIR/conf/discntd.if file.
|
|
How many interfaces can be added to a link agg bond?
|
8 interfaces
|
|
By default, which VLANs are monitored for failover in a ClusterXL deployment?
|
The lowest and highest
|
|
True/False - you will need to enable monitoring all VLANs manually, even if the Per VLAN state option is enabled
|
False - Monitoring all VLANs is enabled automatically when the Per VLAN state option is enabled.
|
|
What kernel parameter enables monitoring all VLANs?
|
fwha_monitor_all_vlans
- This needs to be enabled and added to the $FWDIR/boot/modules/fwkern.conf file.
|
|
When configuring a VSX Bridge configuration, what two options are available?
|
- Standard Layer-2 Loop Detection Protocols (STP, PVST, etc.)
- Check Point ClusterXL
|
|
What type of file is used for the VSLS config file?
|
A CSV file
|
|
What does a sample VSLS config file look like?
|
2,10,gw150,gw151,gw152
where: VSID: 2, Weight: 10, Primary Member: gw150, Standby Member: gw151, Backup Member: gw152
|
|
What Virtual System Priorities are available?
|
Priority 0: Highest priority, indicating the cluster member designated to host the Virtual System's active state.
Priority 1: Second highest priority, indicating the member designated to host the Virtual System's standby state.
Priority >1: Indicates backup state. The cluster member assigned priority 2 will be the first to switch the Virtual System to Standby in the event of a failure of either the Active or Standby Virtual System.
|
|
What are the steps for configuring client/session auth for the VSX Gateway?
|
1) Backup $FWDIR/conf/cpauthd.conf
2) Open $FWDIR/conf/cpauthd.conf on the VSX Gateway
3) Add or modify the following attributes according to the table (see admin guide)
4) Stop and restart the FWD process
|
|
What are the steps for configuring client/session auth for separate VS's?
|
1) Backup $FWDIR/CTX/CTX#/conf/cpauthd.conf
2) Delete the original cpauthd.conf file
3) Create a new cpauthd.conf file
4) Add or modify the attributes
5) Restart FWD
|
|
Which authentication methods are not supported in VSX?
|
- User auth
- The following client auth methods:
  - Partially auto
  - Fully auto
  - SSO
|
|
What path holds the $FWDIR files for each VS?
|
$FWDIR/CTX/CTX000#
|
|
What are some limitations of source-based routing?
|
- Source-based routing does not support overlapping IP addresses
- Anti-spoofing protection is not effective for packets originating from a shared interface because there is no logical or physical segregation of traffic.
|
|
What is true of configuring NAT on a Virtual System that connects to a VR?
|
You must propagate the affected routes to the Virtual Router. To do so, you must first define NAT addresses for the Virtual System connected to the Virtual Router.
|
|
What is the purpose of defining Creation Templates?
|
Creation Templates allow you to select a template that applies predefined, default topology and routing definitions to a VS when it is first created.
|
|
What are the three options available for Creation Templates?
|
- Shared Interfaces
- Separate Interfaces
- Custom Configuration
|
|
What can you configure in the Defining Physical Interfaces window during the VSX Wizard?
|
Which interfaces are to be configured as a VLAN trunk, and add/delete interfaces
|
|
When using dynamic routing, should you enable "Calculate topology automatically based on routing information"?
|
No - it is recommended to disable this option
|
|
Which two interfaces does a typical VS gateway contain?
|
- External
- Internal
|
|
True/False - when creating a VS in the bridge mode on an IPSO cluster, you must enable Layer-3 Bridge interface monitoring.
|
True - The IP address to be monitored should reside on a different subnet than the one that handles bridge traffic
|
|
What is the default max # of concurrent connections on a single VS?
|
15,000
|
|
What's one feature that is configured in the Advanced Routing section of the Topology tab?
|
Source-based routing
|
|
What add-on to FWM handles the provisioning process?
|
VSXM
|
|
What useful command can show you a quick summary of the current, peak, and total limit for connections from the CLI?
|
cpstat -f conns vsx
|
|
Is it possible to simulate a VSX environment on a MGMT server without actually pushing the provisioning changes out to a VSX object?
|
Run these commands on the Main CMA:
fw debug fwm on TDERROR_ALL_VSXM_DBG_SKIP_PING=INFO
fw debug fwm on TDERROR_ALL_VSXM_DBG_SKIP_INSTALL=INFO
fw debug fwm on TDERROR_ALL_VSXM_DBG_SKIP_PULL_SIC=INFO
These flags suppress connectivity checks and script execution on VSX, if the actual gateway is not available.
|
|
Once a VLAN tag is configured, can it be used by another VS?
|
No - once a VLAN tag is configured on an interface, it cannot be used by any other VS.
|
|
Does a VSX bridge mode cluster require STP to function correctly?
|
No - you can also use ClusterXL for this functionality
|
|
Why does Check Point recommend not using non-DMI?
|
- Provisioning and logging may degrade user performance.
- Does not support several new VSX features
- Non-DMI is irreversible - you cannot change a non-DMI gateway to DMI
|
|
Does Check Point support creating a shared DMI interface on a Virtual System?
|
No - you can only create a non-DMI interface on a virtual router or virtual switch. Creating one on the Virtual System is not allowed.
|
|
What features are separated by VS?
|
- State tables
- Security and VPN policies
- Configuration Parameters
- Logging configuration
|
|
True/False - When sharing a physical interface via a Virtual Switch, the IP addresses for VSs connected to a Virtual Switch should be allocated from the same subnet as the shared interface.
|
True
|
|
Can a virtual switch be defined without interfaces?
|
Yes - when the virtual switch only connects to Virtual Systems (unless Virtual System load sharing is enabled)
|
|
Does the VSX gateway assign a unique MAC address to each Warp Link connected to a Virtual Switch?
|
Yes
|
|
When does an unnumbered interface come into play?
|
A warp link connected to a Virtual Router can "borrow" an existing IP address from another interface, instead of assigning a dedicated address to the interface leading to a Virtual Router
|
|
What are some limitations of unnumbered interfaces?
|
- Must connect to a Virtual Router
- You can only "borrow" an individual interface IP once
- In order to use VPN or Hide NAT, the borrowed address must be routable.
|
|
How many VSX gateways (or clusters) does Check Point recommend managing by a single CMA?
|
Just one.
|
|
What is the recommended maximum number of gateways a single security management server manages?
|
Twenty-Five
|
|
How is SIC established for a virtual device?
|
When creating a virtual device, VSX automatically establishes SIC trust using the secure communications channel defined between the management server and the VSX gateway. The VSX gateway uses its management interface for SIC between the management server and all virtual devices.
|
|
What happens if the destination MAC address does not exist in the Virtual Switch's forwarding table?
|
The traffic is broadcast over all defined Warp Links (Virtual Switch is still a switch, and the three F's still apply - Flood, Filter, Forward)
|
|
What is the difference between route propagation with a Virtual Switch vs. a Virtual Router?
|
Switch - route entries are added to the routing table of Virtual Systems
Router - route entries are added to the routing table contained on the Virtual Router
|
|
Do you still need to edit and save the Virtual System object to update the topology map if route propagation is enabled?
|
Yes - but you do not have to manually edit the routing entries
|
|
What are the limitations to overlapping IP space?
|
- Source-based routing won't work
- Address spoofing will not work on the virtual systems (deploy on the virtual router instead using the NAT'd source addresses)
|
|
True/False - each Virtual Device has its own routing daemon.
|
True
|
|
What two bridge mode solutions are available for a ClusterXL deployment?
|
- STP Bridge Mode
- Active/Standby Bridge Mode
|
|
True/False - VSLS is only available in a CP ClusterXL environment
|
True
|
|
Which default creation template creates a DMI interface by default?
|
Separate Interfaces
|
|
If the VSX gateway has a failure and must be replaced, what is the process for reloading the configuration onto the replacement VSX gateway?
|
1) Reinstall the gateway and configure IP, net mask, and default gateway
2) Verify that all management interfaces have the same IP as before
3) From a command line on the management server, run vsx_util reconfigure to restore the previous configuration
|
|
True/False - if you modify the topology for a specific Virtual System in a cluster environment, the cluster topology is updated whether you install a policy to that Virtual System or not.
|
False - you MUST install policy in order for the changes to take effect on the cluster
|
|
True/False - you can delete a virtual router even if it is still connected to a virtual system
|
False - all virtual router connections must be deleted first.
|
|
Is there a difference between enabling the advanced routing daemon and starting it?
|
Yes - enabling it does not start the process. You must run separate commands to enable/disable and start/stop
|
|
What command can be used to check if dynamic routing is running?
|
drouter stat <vs_id>
|
|
What is the net mask for a warp link always defined as?
|
255.255.255.255
|
|
What are two effects of upgrading concerning external authentication servers?
|
- An existing Virtual System that has been upgraded to the current version receives the default settings for authentication with external servers.
- If the virtual system was originally created on a management server located on the same network segment as the external authentication server, connectivity may be lost until the "private" option is enabled.
|
|
Which two client/session authentication schemes are supported by VSX?
|
- Client auth over Telnet (port 259)
- Client auth over HTTPS (port 900)
|
|
What symbolic link is created for virtual servers to their $FWDIR variable?
|
$FWDIR/CTX/CTX#/ -> $FWDIR
|
|
What are the two ways to propagate NAT information for manual NAT rules in VSX?
|
- using explicit static routes
- Using the "NAT addresses" feature under the Topology section of the Virtual System
|
|
Do virtual switches and virtual routers require their own licenses?
|
No
|
|
What does each license bundle allow you to manage?
|
- One Main CMA
- Up to (10, 25, 50, 100, 250) customer CMAs
- Up to (10, 25, 50, 100, 250) virtual systems
|
|
Which virtual devices are not supported when the Per Virtual System state is enabled?
|
- Virtual Routers
- Virtual Switches w/o physical or VLAN interfaces (in PVS HA, there has to be either a physical or VLAN interface to monitor per VS in order to monitor each VS for HA)
|
|
What are the requirements for VSLS?
|
- Requires ClusterXL
- Must have direct L2 connectivity
- VSLS does not support Virtual Routers
- Bridge Mode
|
|
What command controls the VSLS configuration?
|
vsx_util vsls
|
|
What state is added to active and standby in a VSLS configuration?
|
backup state (only policy updates are sync'd to this member)
|
|
Is VSLS really an Active/Active solution?
|
NO - it distributes the active VS across different cluster members to optimize resources and performance.
|
|
What is the principal limitation of the Active/Standby bridge mode?
|
It breaks the STP tree structure
|