175 Cards in this Set
- Front
- Back
Persistent connection was made available in what HTTP version? |
HTTP/1.1 |
|
SIP can be described as a protocol to allow what? |
Communicating between different devices on a company network, whether on the LAN, the WAN, or across the Internet |
|
With FTP, which port is the control port & what is the data port? |
Control port: 21, Data Port: 20 |
|
Valid definition of a cookie? |
A cookie is a piece of text that a web server can store on a user's hard disk. Cookies allow a website to store information on a user's machine and later retrieve it. The pieces of information are stored as name-value pairs. |
|
What 3 parts does the URL consist of? |
1. Network protocol 2. Host name or address 3. File or resource location (e.g. http:// or ftp://) |
|
What is an iRule? |
A script that you write if you want to make use of some of the extended capabilities of the BIG-IP that are unavailable via the CLI or GUI. |
|
Using iRules, you send traffic not only to pools, but to where? |
Individual pool members, ports, or URIs |
|
What does UIE stand for? |
Universal Inspection Engine |
|
The syntax that you use to write iRules is based on what? |
Tool Command Language (Tcl) |
|
iRules are configuration objects, which means they are part of what file? |
bigip.conf file - along with your pools, virtual servers, monitors, etc |
|
TCL is an interpreted scripting language, so why do you not need to instantiate the interpreter every time an iRule is executed? |
Every time you save your configuration, all of your iRules are pre-compiled into byte-code. Byte-code is mostly compiled and has the vast majority of the interpreter tasks already performed, so that TMM can directly interpret the remaining object |
|
What must be done before an iRule is actually effective? |
It must be applied to a virtual server before it can affect any traffic. If it's not applied to a virtual server it's effectively disabled |
|
Events are one of the ways in which iRules have been made to be what? |
Network aware, as a language |
|
When would it be ideal to use an iRule? |
When you're looking to add some form of functionality to your application or app deployment at the network layer. This functionality is NOT available within the GUI or CLI. |
|
What is an iApp? |
A user-customized framework for deploying applications |
|
What three components make up an iApp? |
1. Templates 2. Application Services 3. Analytics |
|
What is the definition of iControl? |
The first open API that enables applications to work in concert with the underlying network based on true software integration. |
|
What protocol does iControl use to ensure open communications between dissimilar systems? |
SOAP/XML |
|
What are two other more common names for a reverse proxy? |
1. Load balancer 2. Cache |
|
Reverse proxies are generally HTTP focused, but more recently can be seen used for what other 3 protocols? |
1. Streaming audio (RTSP) 2. File transfer (FTP) 3. Any application protocol over UDP or TCP. |
|
How many connections does a full proxy maintain? |
A full proxy maintains 2 separate connections: 1. One between itself and the client 2. One between itself and the destination server |
|
A full proxy maintains how many session tables? |
A full proxy maintains 2 separate session tables: 1. One on the client-side 2. One on the server-side |
|
What is packet-based design? |
A network device located in the middle of a stream of communications, but it is not an endpoint for those communications. |
|
Difference between packet-based design & proxy-based design? |
A proxy-based design fully understands the protocols, and is itself an endpoint and an originator for the protocol. |
|
A full proxy can have its own __________ because it is a communication endpoint. |
Buffering, retransmits, & TCP options |
|
When running BIG-IP systems as a single device, HA refers to what? |
Core services being up and running on that device, and VLANs being able to send and receive traffic. |
|
When running a BIG-IP system as a unit of a redundant system configuration, HA refers to what? |
Core system services being up and running on one of the two BIG-IP systems in the configuration. Connections being available between the BIG-IP system and pool of routers, and VLANs on the system being able to send/receive traffic. |
|
What are the two possible modes of HA? |
1. Active/standby 2. Active/Active |
|
When you configure hard-wired failover, you enable failover by using what? |
A failover cable to physically connect the two redundant units. |
|
When you configure a network failover, you enable failover by configuring your redundant system to use what? |
The network, to determine the status of the active unit. |
|
To facilitate coordination of the failover process, each unit has what? |
Unit ID |
|
What is the process where you replicate one unit's main configuration file on the peer unit? |
Configuration Synchronization or "ConfigSync" |
|
For active-active systems, you must configure what? What alone is not sufficient? |
You must configure network failover. Hard-wired failover alone is not sufficient |
|
What would you use to assign unit ID 1 to the following self IP address pertaining to virtual servers A & B? |
Configuration utility |
|
What is a static self IP address? |
IP address that you assign to a BIG-IP system VLAN |
|
F5 recommends that you setup what on each unit of a redundant system? |
Create an additional VLAN on each unit to be used specifically for failover communication. |
|
What is the ability of a BIG-IP system to monitor certain aspects of the system or network, detect interruptions, and consequently take some action, such as rebooting or initiating failover to the peer unit? |
Fail-Safe |
|
It is essential that each unit shares, or synchronizes, its current configuration data with its peer unit in what deployment? |
Redundant System Configuration |
|
With respect to configuration synchronization, you can use the configuration utility to do what 4 things? |
1. View or specify the peer IP address to use for sync. 2. Enable or disable encryption of config data prior to sync. 3. Enable or disable the global display of sync status. 4. Specify sync direction |
|
What are 2 examples of load balancing algorithms? |
1. Round-Robin 2. Ratio |
|
What are two examples of dynamic load balancing algorithms? |
1. Least Connections 2. Fastest |
|
How does least connections algorithm work? |
Looks at current connection counts at layer 4 to the server and chooses the server with the least connections |
|
How does fastest algorithm work? |
Looks at the outstanding Layer 7 request and chooses the server with the lowest amount. |
|
What are persistent connections? |
Connections that are kept opened and reused. Most commonly in HTTP. |
|
What is persistence? |
It is related to the ability of the load-balancer or other traffic management solution to maintain a virtual connection between a client and a specific server |
|
Positive security moves away from "blocked" to a more what? |
"Allow what I know and expect" methodology |
|
Negative security moves towards what sort of policy? |
"Block what I know is bad", or deny access based on what has previously been identified as content to be blocked |
|
A digital signature is basically a way to ensure that an electronic document is what? |
Authentic. Authentic means you know who created the document and you know it has not been altered in any way since the person created it. |
|
What is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode? |
Encryption |
|
What is the process of verifying that information is coming from the trusted source? |
Authentication |
|
What does SAML stand for? |
Security Assertion Markup Language |
|
What is SAML used for? |
Used for exchanging user authentication, entitlement, and attribute information. It is a derivative of XML. |
|
What are the 2 types of hardware platforms that F5 builds? |
Application delivery switches & chassis |
|
A chassis gives the customer what? |
The ability to purchase additional blades that can be inserted into the chassis when needed. |
|
What is the world's first on-demand ADC? |
VIPRION |
|
BIG-IP 1600 |
1. Allows one additional module beyond BIG-IP LTM 2. Capable of running BIG-IP Protocol Security Manager, Global Traffic Manager, WAN Optimization Module, & Access Policy Manager |
|
BIG-IP 3600 |
1. Allows one additional module beyond BIG-IP LTM 2. Capable of running BIG-IP Protocol Security Manager, Global Traffic Manager, WAN Optimization Module, Access Policy Manager, WebAccelerator, & Application Security Manager |
|
BIG-IP 3900 |
1. Allows one additional module beyond BIG-IP LTM 2. Capable of running BIG-IP Protocol Security Manager, Global Traffic Manager, WAN Optimization Module, Access Policy Manager, WebAccelerator, & Application Security Manager |
|
The unified application delivery series includes what models? |
6900, 8900, 8950, & 11050 |
|
What is the unified application Delivery series built for? |
High throughput, multiple modules, 6 to 12 gigabytes per second of throughput on Layer 7. |
|
What is the BIG-IP Virtual Edition? |
1. Allows customers to run BIG-IP products on a virtual machine 2. Provides more flexibility to customers 3. ADC deployment can vary with the application |
|
What are the 4 types of licenses for BIG-IP LTM VE? |
1. Trial 2. Lab edition 3. Production 200 mega-byte throughput 4. Production 1 gigabyte throughput |
|
HTTP pipelining is what? |
Opening a connection to the server and then sending multiple requests to the server without waiting for a response. |
|
What is the problem with pipelining? |
The server doesn't actually treat the requests any differently. The HTTP/1.1 specification requires that a "server MUST send its response to those requests in the same order that the requests were received" |
|
What is a certificate Chain? |
A list of certificates used to authenticate an entity |
|
SSO? |
Single Sign-on Authentication. The ability to reduce the number of IDs and passwords the user has to remember. |
|
What is SAML used for? |
It is an XML-based framework for exchanging user authentication, entitlement, and attribute information. Its purpose is to enable Single Sign-On for web applications across various domains. |
|
Browser cookies are not transferred between what? |
DNS domains |
|
IPsec is limited because it was not built with what in mind? |
IPsec solutions were designed for trusted site-to-site connectivity and NOT with a highly-mobile workforce in mind. |
|
When compared to IPsec, SSL VPNs are typically what? |
SSL-VPNs are typically: 1. Less costly to manage 2. Eliminate concerns related to open-by-default tunnels 3. Offer flexible experience for employees and business partners using untrusted end point environments |
|
By operating at the application layer, SSL-VPN can provide what? |
Highly granular policy and access control required for secure remote access. |
|
Because SSL is part of any web browser, SSL-VPN solutions provide what? |
Client-less and web-delivered thin client access that significantly increases the number of points from which employees, partners, and customers can access network data |
|
BIG-IP VE can be used with what? |
LTM & APM |
|
To overcome packet loss, the acceleration device can implement what? |
Selective TCP acknowledgements (SACK) and advanced congestion control algorithms to prevent TCP from reducing throughput. |
|
One way a BIG-IP reduces server side TCP connections? |
It aggregates, or pools, TCP server-side connections by combining many separate transactions, potentially from many users, through fewer TCP connections. |
|
HTTP compression is done on acceleration devices for what 2 reasons? |
1. Offload compression overhead from web servers 2. Enable the acceleration device to perform other optimizations that improve performance |
|
Caching? |
Storing the data close to users and re-using the data during subsequent requests |
|
3 forms of caching? |
1. Web application instructs a browser to cache an object marked as static for a specific time period. 2. Deploy acceleration device in a data center to offload requests for web application content from the server. 3. Symmetric acceleration device caches and serves content to users at the remote site. |
|
2 Caching Limitations |
1. Client side acceleration device MUST implement access control to prevent unauthorized access to an object. 2. Client-side device may serve older, stale version of content |
|
What do HTTP request and response headers consist of? |
1. An initial line 2. Zero or more header lines 3. A blank line 4. An optional message body |
|
In an HTTP header, what does an initial request line consist of? |
1. A method name (GET, POST, HEAD) 2. Local path of the requested resource 3. HTTP version being used (HTTP/x.x) |
|
What other name does the initial response line go by? |
status line |
|
What part does the status line consist of? |
1. The HTTP version (HTTP/x.x) 2. A response status code (200, 404) |
|
HTTP status code: 1xx |
Indicates informational messages only |
|
HTTP status code: 2xx |
Indicates success of some kind |
|
HTTP status code: 3xx |
Redirects the client to another URL |
|
HTTP status code: 4xx |
Indicates an error on the client's part |
|
HTTP status code: 5xx |
Indicates an error on the server's part |
|
What is the HEAD method and what does it request? |
Similar to GET, except it asks the server to return the response headers ONLY, and not the actual resource |
|
What is the post method and what does it request? |
Used to send data to the server to be processed in some way |
|
In what 3 ways does the POST method differ from the GET method? |
1. There is a block of data sent with the request. Usually there are extra headers to describe this message body, like Content-Type & Content-Length. 2. The request URI is not a resource to retrieve; it's usually a program to handle the data you're sending 3. The HTTP response is normally program output, not a static file |
|
What is multi-homed? |
The ability for multiple domains to live on the same server. |
|
Multi-homing in HTTP/1.1 requires what line to be added to the header? |
Host line, e.g.: GET /path/file.html HTTP/1.1 Host: www.host1.com:80 |
|
What is the term for sending several HTTP requests in a series? |
HTTP pipelining |
|
What must the client include in the header to close the connection after the corresponding response? |
Connection: close |
|
LTM |
Local Traffic Manager. Full proxy between users and application servers. Creates a layer of abstraction to secure, optimize, and load balance application traffic. |
|
GTM |
Global Traffic Manager. Automatically routes connections to the closest or best performing data center in the event of an outage, overload, or other disruption |
|
APM |
Access Policy Manager. Provides secure, context-aware, and policy-based access control. It centralizes and simplifies AAA management directly on the BIG-IP system |
|
ASM |
Application Security Manager. Advanced web application firewall that protects critical applications and their data by defending against application-specific attacks that bypass conventional firewalls |
|
Edge Gateway |
Provides SSL VPN remote access security with application acceleration and optimization services at the edge of the network |
|
Link Controller |
Prevents costly downtime due to ISP problems or other link failures by automatically switching traffic to alternate ISP connections and ensuring use of the fastest available connection |
|
WOM |
WAN Optimization Manager. Overcomes network and application issues on the WAN to ensure that application performance, data replication, and disaster recovery requirements are met |
|
WebAccelerator |
Gives your users an instant improvement in web application performance and helps reduce costs. |
|
ARX series |
Enables you to dramatically simplify data management and reduce storage costs. |
|
FirePass |
Allows users secure access from anywhere they have an internet connection, while FirePass ensures that connected computers are fully patched and protected |
|
3 LTM initial setup steps |
1. Setup MGMT port IP address via config utility 2. License the system through web interface 3. Run the setup utility |
|
Default LTM Management port IP address? |
192.168.1.245 |
|
To gain a license, you need to use your registration key to generate what? |
A dossier and then present the dossier to the license server |
|
Base registration key is how many characters? |
27 |
|
Systems are shipped with your registration key where? |
/config/RegKey.license |
|
After generating the dossier, where is it located? |
/config/bigip.license |
|
Dedicated? |
Designed for situations where only one module is functional on the system such as GTM |
|
Nominal |
A module gets the least amount of resources required. After all modules are enabled, the modules get additional resources from the portion of remaining resources |
|
Minimum |
Gives the module minimum functional resources. No additional resources are ever allocated to the module |
|
None |
Specifies that a module is not provisioned |
|
Lite |
Available for selected modules granting limited features for trials |
|
Setup utility includes the following: |
1. Self-IP addressing and netmasks for VLANs 2. Assign interfaces to VLANs 3. IP address of the default route 4. Root password for CLI 5. Admin password for GUI 6. IP addresses allowed for SSH |
|
Administrative IP access file: |
/etc/hosts.allow |
|
Interface and configuration files |
/config/bigip.conf /config/bigip_base.conf /config/BigDB.dat |
|
Default terminal settings for console settings? |
Bits per second: 19200 Data bits: 8 Parity: None Stop bit: 1 Flow control: None |
|
File extension for backups |
*.ucs |
|
Pool members are? |
Each of the actual servers used for client traffic. Includes IP address & port. |
|
The devices represented by the IP address of pool members are called what? |
Nodes - They may represent multiple pool members |
|
A pool is what? |
A group of pool members |
|
System logs |
/var/log/messages |
|
Packet filter logs |
/var/log/pktfilter |
|
Local traffic logs |
/var/log/ltm |
|
Audit logs |
Display system configuration changes by user and time |
|
A full proxy maintains how many session tables? |
2 |
|
DSR |
Direct Server Return. Requests are proxied by the device, but the responses do not return through the device. Known as a half proxy because only half the connection is proxied. |
|
What is proxy-based design? |
A full proxy completely understands the protocols, and is itself an endpoint and an originator for the protocols. |
|
iRules |
Scripts created using Tcl with custom F5 extensions that enable users to create unique functions triggered from TMOS events |
|
Single device HA |
1. Core services being up and running on that device 2. VLANs being able to send and receive traffic |
|
Redundant system configuration HA |
Core system services being up and running on one of the two BIG-IP systems. Connections being available between the BIG-IP system and a pool of routers, and VLANs on the system being able to send/receive traffic. |
|
Hard-wired failover |
Enable failover by using a failover cable to physically connect the two redundant units. This is the default setting. |
|
Network failover |
Enable failover by configuring the redundant system to use the network to determine the status of the active unit. |
|
What is ConfigSync? |
A process where you replicate one unit's main config file on the peer unit |
|
What does SNAT do? |
Secure Network Address Translation. Maps the source client IP address in a request to a translated address defined on the BIG-IP device |
|
What is intelligent SNAT? |
Mapping of one or more original client IP addresses to a translated address |
|
Auto Last Hop |
Global setting that is used to track the source MAC address of incoming connections |
|
What is a node? |
The physical server itself that will receive traffic from the load balancer. |
|
How is a member different than a node? |
A member includes the TCP port of the actual application that will receive the traffic |
|
Random Algorithm |
Randomly distributes load across the servers available |
|
Round Robin Algorithm |
Passes each new connection request to the next server in line, eventually distributing connections evenly across the array of machines being load balanced |
|
Weighted Round Robin Algorithm |
The number of connections that each machine receives over time is proportionate to a ratio weight you define for each machine |
|
Dynamic round robin (dynamic ratio) algorithm |
Weights are based on continuous monitoring of the servers and are therefore continually changing. Distributed based on real-time server performance analysis |
|
Fastest Algorithm |
Passes a new connection based on the fastest response time of all servers |
|
Least connections algorithm |
The system passes a new connection to the server that has the least number of current connections. Works best with equipment that all has similar capabilities |
|
Observed Algorithm |
Uses a combination of the logic used in the Least Connections and Fastest algorithms to load balance connections to servers. Servers are ranked based on current connections and response time |
|
Predictive Algorithm |
The system analyzes the trend of the ranking over time, determining whether a server's performance is currently improving or declining |
|
What is the primary reason for tracking & storing session data? |
To ensure that client requests are directed to the same pool member throughout the life of a session, or during subsequent sessions |
|
What is persistence profile? |
A pre-configured object that automatically enables persistence when you assign the profile to a Virtual system |
|
Destination address affinity persistence |
Also known as sticky persistence, destination address affinity persistence supports TCP and UDP protocols, and directs session requests to the same server based solely on the destination IP address of a packet |
|
Source address affinity persistence |
Also known as simple persistence, source address affinity persistence supports TCP and UDP protocols, and directs session requests to the same server based solely on the source IP address of the packet |
|
What is positive security model? |
One that defines what is allowed and rejects everything else |
|
What is negative security model? |
Defines what is not allowed, while implicitly allowing everything else |
|
Benefit of the positive security model |
A new attack, not anticipated by the admin/developer, will be prevented |
|
Reset on timeout |
The system sends a reset (RST) and deletes the TCP connection when the connection exceeds the idle timeout value. If disabled, the system will delete the TCP connection when it exceeds the idle timeout value, but will NOT send an RST to the client. |
|
SIP |
Session Initiation Protocol. Application layer protocol that can establish, modify, and terminate multimedia sessions such as Internet telephony calls |
|
HTTP header methods? |
1. GET 2. POST 3. PUT 4. DELETE 5. HEAD |
|
With the GET method, all query parameters are part of what? |
URI |
|
200 OK |
The request succeeded and the resulting resource is returned in the message body |
|
304 Not modified |
This shows that the resource in question has not changed and the browser should load it from its cache instead. |
|
404 Not found |
The requested resource doesn't exist on the server |
|
401 Authorization required |
This indicates that the resource is protected and requires valid credentials before the server can grant access |
|
500 Internal Error |
An unexpected server error. The most common cause is a server-side script that has bad syntax, fails, or otherwise can't run correctly |
|
IPsec |
IP layer protocol that enables the sending and receiving of cryptographically protected packets of any size (TCP, UDP, ICMP) without any modifications. |
|
What are two cryptographic services that IPsec provides? |
1. Confidentiality and authenticity (Encapsulating Security Payload) 2. Authenticity ONLY (Authentication Header) |
|
What is SSL? |
An application layer protocol, mostly utilized to protect HTTP transactions, and has been used for other purposes like IMAP and POP3. Only compatible with applications running over TCP |
|
IPsec supports the use of digital signatures and the use of secret key algorithms, whereas SSL supports only the use of what? |
Digital Signature |
|
200 OK |
Standard response for successful HTTP request |
|
SNAT |
Secure Network Address Translation. Maps the source client IP address in a request to the translated address defined on the BIG-IP device |
|
301 Moved permanently |
This and all future requests should be directed to the given URL |
|
303 See other |
The resource has moved to another URL, and it should be automatically retrieved by the client. |
|
Buffer-and-stitch Methodology |
Buffers a connection, often through TCP handshake process and potentially into the first few packets of application data, but then "stitches" a connection to a given server on the back-end using either layer 4 or layer 7 data, perhaps both. |