Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
125 Cards in this Set
- Front
- Back
|
LTM |
Local Traffic Manager
Full proxy between users and application servers. Creates a layer of abstraction to secure, optimize, and load balance application traffic. |
|
|
GTM |
Global Traffic Manager
Automatically routes connections to the closest or best performing data center in the event of an outage, overload, or other disruption. |
|
|
APM |
Access Policy Manager
Provides secure, context-aware , and policy-based access control. It centralizes and simplifies AAA management directly on the BIG-IP system |
|
|
ASM |
Advanced web application firewall that protects critical applications and their data by defending against application specific attacks that bypass conventional firewalls |
|
|
Edge Gateway |
Provides SSL VPN remote access security with applications acceleration and optimization services at the edge of the network. |
|
|
Link Controller |
Prevents costly downtime due to ISP problems or other link failures by autmatically switching traffic to alternate ISP connections and ensuring use of the fastest available connection |
|
|
WOM |
WAN optimization Manager
Overcomes network and application issues on the WAN to ensure that application performance, data replication, and disaster recovery requirements are met. |
|
|
WebAccelerator |
Give your users an instant improvement in web application performance ad helps reduce costs. By offloading your network and servers, BIG-IP WEBaccelerator decreases your spending on additional bandwidth and new hardware |
|
|
ARX Series |
Evnable you to dramatically simplify data management and reduce storage costs. |
|
|
FirePass |
Allows users secure access from anywhere they have an Internet connection, while Firepass ensures that connected computers are fully patched and protefcted |
|
|
4 LTM inital set up steps |
1. Setup MGMT port IP address via config utility 2. License the system through web interface 3. Run the setup utility |
|
|
Default ltm MGMT port IP address? |
192.168.1.245 |
|
|
To gain a license, you need to use your registration key to generage what? |
a Dossier and them present the dossier to the license server |
|
|
Base registration key is how many characters? |
27 |
|
|
Systems are shipped with your registration key where? |
/config/RegKey.license |
|
|
After generating the dossier, what is it names and where is it located? |
/config/bigip.license |
|
|
Dedicated |
designed for situations wher eonyl one module is functional on the system, such as GTM |
|
|
Moninal |
Gives the module its minimun functional resources and distributes additional resources to the module if they are available. |
|
|
Minimum |
Give the module minimum functional resources and distributes additional resources to other modules. |
|
|
None |
Designed for situation where another module need dedicated access to resources |
|
|
Lite |
Available for selected modules granting limited feartures for trials |
|
|
Setup Utility includes the following: |
Self-IP Addresses and Netmasks for VLANS IP address of the default route root password for cli admin password for gui ip address allowed for ssh |
|
|
Administrative IP access Files: |
/etc/hsots.allow |
|
|
Interface and configuration files: |
/config/bigip.conf /config/bigip_base.conf /config/BigDB.dat |
|
|
Default terminal settings for console access.. |
8-N-1 19,200 bps |
|
|
File extension for backups |
*.ucs |
|
|
pool members are? |
each of the actual servers used for client traffic. includes and IP address and port
|
|
|
The devices represented by the IP addreses of pool membera are called what? |
Nodes -- they may represent multiple pool members |
|
|
A pool is what? |
A group of pool members. |
|
|
system logs |
/var/log/messages |
|
|
packet filter logs |
/var/log/pktfilter |
|
|
local traffic logs |
/var/log/ltm |
|
|
audit logs |
Displays system configuration chagnes by user ad time. |
|
|
A Full proxy maintains how many session tables? |
2 |
|
|
bugger-and-stitch- methodology |
Proxy buffers a connection, often through the TCP handshake process and potentially into the first few packets of application data, but then stitches a connection to a given server on the back-end using either layer 4 or layer 7 data. |
|
|
DSR |
Direct Server Return
Requests are proxied by the deice, but the responses do not return through the device. Known as a half proxy because only half the connection is proxied. |
|
|
what is a proxy-based design |
A fill proxy completely understand the protocols, and is itself an endpoint and an originator for the protocols. The connections between a client and the full proxy is fully independent of the connection between the full proxy and the server. |
|
|
iRules |
scripts created using TCL with custom F5 extensions that enables users to create unique functions triggered from TMOS events. |
|
|
Single Device HA |
-Core services being up and running on that device -VLANs being able to send and receive traffic
|
|
|
Redundant system configuration HA |
Core system services being up and running on one of the two BIP-IP systems Connection being available between the BIP-IP system and a pool of routers, and VLANS on the system being able to send and receive traffic. |
|
|
Hard-wired failover |
you enable failover by using a failover cable to physically connect the two dedundant units default setting |
|
|
Network Failover |
Enable failover by configuring redundant system to use the network to determine the statuc of the active unit. |
|
|
what is ConfigSync |
a process where you replicate one units main config file on the peer unit. |
|
|
What does SNAT do? |
Secure Network Address Translation
maps the source client IP in a request to a translation address defined on the BIG-IP device |
|
|
what is Intelligent SNAT |
the mapping of one or more original client IP address to a translation address. However, you impliment this type of SNAT mapping within an iRule Can be based on any piece of packet data you specifiy |
|
|
how to monitor the number of concurrent connections going through the SNAT? |
tmsh show /ltm snat |
|
|
Auto Last Hop |
Is a global setting that is used to track the source MAC address of incoming connections. Allows the BIG-IP system to send return traffic from pools to the MAC address that transmitted the request, even though the routing table points to a different network or interface. |
|
|
what is a node? |
the physical server itself that will receive traffic from the load balancer |
|
|
How is a member different than a node? |
a member includes the TCP port of the actual application that will be receiving the traffic |
|
|
What is a basic load balancing transaction... |
1. Client attempts to connect with the service on the load balancer 2. LB accepts the connection, and changes the destination IP to match the service of the selected host 3. Host accepts the connection and responds back to the original source, the client, via its default route 4. The LB intercepts the return packet from the host and now changes the source IP to match the virtual server IP and port, and forwards packet 5. Clients receives the return packet, believing that it came from the virtual server. |
|
|
Random Algorithm |
randomly distributes load across the servers availables. |
|
|
Round Robin Algorithm |
passes each new connection request to the next server in line, eventually distributing connection evenly across the array of machines being load balanced. |
|
|
Weighted Route Robin Algorithm(Ratio) Algorithm |
the number of connections that each machine receives over time is proportionate to a ratio weight you define for each machine |
|
|
Dynamic Round Robin (dynamic ratio) Algorithm |
Weights are based on continuous monitoring of the servers and are therefore continually changing. Distributed based on real-time server performance analysis. |
|
|
Fastest Algorithm |
Passes a new connection based on the fastest response time of all server. |
|
|
Least Connections Algorithm |
The system passes a new connection to the server that has the least number of current connections. Works best with equipment all has similar capabilities. |
|
|
Observed Algorithm |
Uses a combination of the logic used in the Least Connections and Fastest Algorithms to load balance connections to servers. Servers are ranked based on current connections and response time. |
|
|
Predictive Algorithm |
The system analyzes the trend of the ranking over time, determining whether a servers performance is currently improving or declining. |
|
|
What is the primary reason for tracking and storing session data? |
To ensure that client requests are directed to the same pool member throughout the life of a session, or during subsequent sessions. |
|
|
what is a Persistence Profile? |
a pre-configured obect that automatically enables persistence when you assign the profile to a VS |
|
|
Cookie persistence |
Cookie persistence uses an HTTP cookie stored on a clients computer to allow the client to reconnect to the same server previously visited at a web site. |
|
|
Destination address affinity persistence |
Also known as sticky persistence, destination address affinity persistence supports TCP and UDP protocols, and directs session requests to the same server based solely on the destination IP address of a packet. |
|
|
hash persistence |
Hash persistence allows you to create a persistence hash based on an existing iRule |
|
|
Microsoft® Remote Desktop Protocol persistence |
Microsoft® Remote Desktop Protocol (MSRDP) persistence tracks sessions between clients and servers running the Microsoft® Remote Desktop Protocol (RDP) service. |
|
|
SIP Persistence |
SIP persistence is a type of persistence used for servers that receive Session Initiation Protocol (SIP) messages sent through UDP, SCTP, or TCP. |
|
|
Source address affinity persistence |
Also known as simple persistence, source address affinity persistence supports TCP and UDP protocols, and directs session requests to the same server based solely on the source IP address of a packet. |
|
|
SSL Persistence |
SSL persistence is a type of persistence that tracks non-terminated SSL sessions, using the SSL session ID. |
|
|
Univresal persistence |
Universal persistence allows you to write an expression that defines what to persist on in a packet. The expression, written using the same expression syntax that you use in iRulesTM, defines some sequence of bytes to use as a session identifier. |
|
|
What is the Positive Security Model |
One that defines what is allowed, and rejects everything else. |
|
|
What is the Negative Security Model |
Defines what is disallowed, while implicitly allowing everything else. |
|
|
Benefit of the Positive Security Model |
Is that new attacks, not anticipated by the admin/deveoper, will be prevented. |
|
|
Reset on Timeout |
The system sends a reset (RST) and deletes the TCP connection when the connection exceeds the idle timeout value. If disabled, the system will delete the TCP connection when it exceeds the idle timeout value, but will not send an RST to the client. |
|
|
SIP |
Session Initiated Protocol
Application layer protocol that can establish, modify, and terminate multimedia sessions such as Internet telephony calls. |
|
|
HTTP Header Methods? |
GET POST PUT DELETE HEAD |
|
|
With the get method, all query parameters are mart of what? |
URI |
|
|
200 OK |
This indicates a success |
|
|
304 Not Modified |
This shows that the resource in question has not changed and the browser should load it from its cache instead. This is used only when the browser performs a conditional GET request |
|
|
404 Not Found |
This suggests that the resource requested cannot be found on the server |
|
|
401 Authorization Required |
This indcates that the resource is protected and requires valid credentials before the server can grant access |
|
|
500 Internal Error |
This signifies that the server had a problem processing the request |
|
|
most important browser headers? |
HTTP Version Accept-Encoding: gzip, deflate Connection: Keep-Alive If-* headers Cache-Control or Pragma no cache |
|
|
Most important web server headers? |
HTTP Version connection: Keep-Alive/Close Encoding: gzip, deflate Cach-strong headers (max-age) Content-Type: Date: Accept-Ranges: bytes |
|
|
no-cache meta tag |
instructs the browser to not cache the object that contain the meta tag
Forces the browser to always get a full download of that object |
|
|
refresh meta tag |
often used to mimic an HTTP 302 redirect response.
Tells the browser to override the browser's cache settings and revalidate every object referenced by the refresh tag. |
|
|
IPSEC |
IP layer protocol that enables the sending and receiving of cryptographically protected pachets of any times (TCP, UDP, ICMP) without any modification |
|
|
What two cryptographic services does IPSec provide? |
1. confidentiality and authenticity (Encapsulated Security Payload) 2. Or authenticity only. (Authentication Header) |
|
|
Main Mode exchanges |
-> HDR, SA <- HDR, SA <- HDr, KE, Ni -> HDR, KE, Nr <- HDY*, ID_I, [CERT], SIG_I -> HDR*, ID_R[CERT], SIG_R
HDR ISAKMP header SA Security Association |
|
|
Aggressive Mode Exchanges |
-> HDR, SA, KE, Ni, ID_I <- HDR, SA, KE, Nr, ID_R, [CERT], SIG_R -> HDR, [CERT], SIG_R
HDR ISAKMP header SA Security Association |
|
|
What does Phase 2 do? |
Negotiates the cipher and authentication algorithm required to protect further transactions. |
|
|
What does Phase 1 do? |
Performs mutual authentication and produces the encryption key required to protect Phase 2. |
|
|
What is SSL? |
an application layer protocol. Mostly utilized to protect HTTP transactions, and has been used for other purposed like IMAP and POP3
Only compatible with applications running over TCP |
|
|
SSL is composed of what 4 protocols? |
Handshake protocol Change Cipher Spec protocol Alert protocol Application Data protocol |
|
|
What is the handshake protocol used for? |
To perform authentication and key exchanges |
|
|
What is the Change Cipher Spec Protocol used for? |
To indicate that the chosen keys will now be used |
|
|
What is the Alert protocol used for? |
Signaling errors and session closure |
|
|
What is the application data protocol used for? |
to transmist and receive encrypted data |
|
|
Hash algoritms used in SSL "Client Authentication"? |
ND5 and SHA-1 |
|
|
IPSec supports the use of Digital Signature ad the use of a Secret KEy Alforithm, where SSL supports only the use of what? |
Digital Signature |
|
|
MAC |
Message Authentication Code
Used for authentication the exchanged messages after the connection is established. |
|
|
What two connection modes what IPSec have? |
Tunnel Mode Transport Mode |
|
|
What is Tunnel mode? |
Established between gateway-to-gateway, gateway-to-host, and host-to-host. It established a tunnel between the endpoint and it requires adding a new IP header to the original packet |
|
|
What is Transport mode? |
Host-to-host connection. The data between the two entities are encrypted. |
|
|
PFS |
Perfect Forward Secrecy
Exchanges new DH values each time a session is resumed |
|
|
100 Continue |
This means that the server has received the request headers, and that the client should proceed to send the request body |
|
|
101 Switching Protocols |
This means the requester has asked the server to switch protocols and the server is acknowledging that it will do so. |
|
|
200 OK |
Standard response for successful HTTP requests. |
|
|
201 Created |
The request has been fulfilled and resulted in a new resource being created. |
|
|
202 Accepted |
The request has been accepted for processing, but the processing has not been completed. The request might or might not eventually be acted upon, as it might be disallowed when processing actually takes place. |
|
|
203 Non-Authoritative Information (since HTTP/1.1) |
The server successfully processed the request, but is returning information that may be from another source. |
|
|
204 No Content |
The server successfully processed the request, but is not returning any content. Usually used as a response to a successful delete request. |
|
|
205 Reset Content |
The server successfully processed the request, but is not returning any content. Unlike a 204 response, this response requires that the requester reset the document view. |
|
|
206 Partial Content |
The server is delivering only part of the resource due to a range header sent by the client. The range header is used by tools like wget to enable resuming of interrupted downloads, or split a download into multiple simultaneous streams. |
|
|
207 Multi-Status |
The message body that follows is an XML message and can contain a number of separate response codes, depending on how many sub-requests were made. |
|
|
208 Already Reported |
The members of a DAV binding have already been enumerated in a previous reply to this request, and are not being included again. |
|
|
226 IM Used (RFC 3229) |
The server has fulfilled a GET request for the resource, and the response is a representation of the result of one or more instance-manipulations applied to the current instance. |
|
|
SNAT |
Security Network Address Translation
Maps the source client IP address in a request to a translation address defined on the BIG-IP device |
|
|
300 Multiple Choices |
Indicates multiple options for the resource that the client may follow. It, for instance, could be used to present different format options for video, list files with different extensions, or word sense disambiguation. |
|
|
301 Moved Permanently |
This and all future requests should be directed to the given URI. |
|
|
302 Found |
This is an example of industry practice contradicting the standard. The HTTP/1.0 specification (RFC 1945) required the client to perform a temporary redirect (the original describing phrase was "Moved Temporarily"),[5] but popular browsers implemented 302 with the functionality of a 303 See Other. Therefore, HTTP/1.1 added status codes 303 and 307 to distinguish between the two behaviours.[6] However, some Web applications and frameworks use the 302 status code as if it were the 303.[7] |
|
|
303 See Other |
The response to the request can be found under another URI using a GET method. When received in response to a POST (or PUT/DELETE), it should be assumed that the server has received the data and the redirect should be issued with a separate GET message. |
|
|
304 Not Modified |
Indicates that the resource has not been modified since the version specified by the request headers If-Modified-Since or If-Match. This means that there is no need to retransmit the resource, since the client still has a previously-downloaded copy. |
|
|
305 Use Proxy |
The requested resource is only available through a proxy, whose address is provided in the response. Many HTTP clients (such as Mozilla[8] and Internet Explorer) do not correctly handle responses with this status code, primarily for security reasons |
|
|
306 Switch Proxy |
No longer used. Originally meant "Subsequent requests should use the specified proxy |
|
|
307 Temporary Redirect |
the request should be repeated with another URI; however, future requests should still use the original URI. In contrast to how 302 was historically implemented, the request method is not allowed to be changed when reissuing the original request. For instance, a POST request should be repeated using another POST request |
|
|
308 Permanent Redirect |
The request, and all future requests should be repeated using another URI. 307 and 308 (as proposed) parallel the behaviours of 302 and 301, but do not allow the HTTP method to change. So, for example, submitting a form to a permanently redirected resource may continue smoothly. |
