644 Cards in this Set
- Front
- Back
- 3rd side (hint)
What are the predefined security zones in an L2 deployment?
|
V1-Trust
V1-Untrust
V1-DMZ
|
Concepts & Examples ScreenOS Reference Guide, p.100
|
|
Can predefined security zones be deleted?
|
No.
|
Concepts & Examples ScreenOS Reference Guide, p.100
|
|
By default, what policy is applied to traffic flows between two interfaces bound to the same zone?
|
None.
|
Concepts & Examples ScreenOS Reference Guide, p.101
|
|
What type of VLAN tagging is supported by ScreenOS devices?
|
802.1Q
|
Concepts & Examples ScreenOS Reference Guide, p.101
|
|
When dealing with VLAN subinterfaces, are the subinterfaces bound to the same zone as the physical interface?
|
Not necessarily.
|
Concepts & Examples ScreenOS Reference Guide, p.102
|
|
Do subinterfaces on the same physical interface need to share the same zone configuration?
|
No.
|
Concepts & Examples ScreenOS Reference Guide, p.102
|
|
In ScreenOS, what are the two predefined virtual routers?
|
trust-vr
untrust-vr
|
Concepts & Examples ScreenOS Reference Guide, p.102
|
|
When using two virtual routers on a ScreenOS device, is traffic automatically forwarded between zones residing on different VRs?
|
No.
|
Concepts & Examples ScreenOS Reference Guide, p.102
|
|
What is the default policy on ScreenOS devices?
|
Deny all traffic in all directions. Some security devices ship with a configured policy which allows outbound traffic from Trust to Untrust and denies all inbound traffic from Untrust to Trust.
|
Concepts & Examples ScreenOS Reference Guide, p.102
|
|
What configuration option, when enabled, requires you to create a policy to permit traffic to pass from one interface to another within the same zone?
|
Intrazone blocking
|
Concepts & Examples ScreenOS Reference Guide, p.102
|
|
By default, does a security device permit multicast control traffic between zones?
|
No.
|
Concepts & Examples ScreenOS Reference Guide, p.104
|
|
What are the two main types of VPN configuration methods?
|
route-based VPN
policy-based VPN
|
Concepts & Examples ScreenOS Reference Guide, p.104
|
|
Generally speaking, which VPN configuration method is better for site-to-site VPNs?
|
Route-based VPN
|
Concepts & Examples ScreenOS Reference Guide, p.105
|
|
Generally speaking, which VPN configuration method is best for remote-access or dialup VPN?
|
policy-based VPN
|
Concepts & Examples ScreenOS Reference Guide, p.105
|
|
To what three entities can PBR be assigned?
|
interface
zone
VR
|
Concepts & Examples ScreenOS Reference Guide, p.109
|
|
What command sets the device's maximum frame size (MTU) to the largest value the max-frame-size variable allows?
|
set envar max-frame-size=9830
|
Concepts & Examples ScreenOS Reference Guide, p.111
|
|
What two CLI commands could you use to set a device MTU back to the default?
|
unset envar max-frame-size
set envar max-frame-size=1514
|
Concepts & Examples ScreenOS Reference Guide, p.111
|
|
What is the default MTU for a ScreenOS device?
|
1514
|
Concepts & Examples ScreenOS Reference Guide, p.111
|
|
When using jumbo frame mode, what caveat is true of packets sent through aggregate interfaces?
|
The packets may be sent out of order.
|
Concepts & Examples ScreenOS Reference Guide, p.111
|
|
When using jumbo frame mode, what caveat is true of NSRP forwarding?
|
NSRP forwarding is not supported in jumbo frame mode.
|
Concepts & Examples ScreenOS Reference Guide, p.111
|
|
When using jumbo frame mode, is Deep Inspection supported?
|
No.
|
Concepts & Examples ScreenOS Reference Guide, p.111
|
|
By default, what virtual routing domain is a user-defined zone placed in?
|
trust-vr
|
Concepts & Examples ScreenOS Reference Guide, p.112
|
|
What CLI command would be used to assign the zone "Zoney" to virtual router "Routey"?
|
set zone Zoney vrouter Routey
|
Concepts & Examples ScreenOS Reference Guide, p.113
|
|
What CLI command would be used to assign interface ethernet1/1 to zone untrust?
|
set interface ethernet1/1 zone untrust
|
Concepts & Examples ScreenOS Reference Guide, p.115
|
|
What CLI command would be used to put IP 192.168.0.1 and subnet 255.255.255.0 on interface ethernet1/1?
|
set interface ethernet1/1 ip 192.168.0.1/24
|
Concepts & Examples ScreenOS Reference Guide, p.115
|
|
What CLI command would be used to configure a subinterface tagged with VLAN 100 on ethernet1/1 (using standard subinterface naming conventions), and place it in zone trust?
|
set interface ethernet1/1.100 tag 100 zone trust
|
Concepts & Examples ScreenOS Reference Guide, p.116
|
|
What CLI command would configure the trust-vr Virtual Router to use the untrust-vr virtual router as its default gateway?
|
set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr
|
Concepts & Examples ScreenOS Reference Guide, p.117
|
|
What CLI command would create a default gateway in the untrust-vr to point to gateway 1.1.1.100 on interface ethernet1/1?
|
set vrouter untrust-vr route 0.0.0.0/0 interface ethernet1/1 gateway 1.1.1.100
|
Concepts & Examples ScreenOS Reference Guide, p.117
|
|
What CLI command would you use to create a new service group called "mail-pop3" and add the "mail" service to the group?
|
set group service mail-pop3 add mail
|
|
|
What CLI command would you use to create a new policy from untrust to trust allowing any sources to access any destination on port 80?
|
set policy from untrust to trust any any http permit
|
|
|
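The cards above are single commands. The following is an added example, not taken from the reference guide, that chains them into one complete Layer 3 build using both predefined virtual routers. The zone name "Servers", VLAN 100, the 1.1.1.0/24 and 10.10.0.0/16 address ranges and the next hop 1.1.1.100 are assumptions for illustration. The ordering matters: a zone is moved to another VR while it still holds no interfaces, an interface is bound to a zone before it receives an IP address, routes are added per VR in both directions because nothing is forwarded between VRs automatically, and the service group exists before a policy references it.

```text
# Added example: two-VR Layer 3 deployment (zone, VLAN and addresses are assumed)
# 1. Move the predefined untrust zone into untrust-vr before binding interfaces to it.
set zone untrust vrouter untrust-vr
# 2. A user-defined zone lands in trust-vr by default; state it explicitly anyway.
set zone name Servers
set zone Servers vrouter trust-vr
# 3. Bind interfaces to zones first, then assign addresses.
set interface ethernet1/1 zone untrust
set interface ethernet1/1 ip 1.1.1.1/24
set interface ethernet1/2 zone trust
set interface ethernet1/2 ip 10.10.1.1/24
# 4. An 802.1Q subinterface may sit in a different zone than its parent interface.
set interface ethernet1/2.100 tag 100 zone Servers
set interface ethernet1/2.100 ip 10.10.100.1/24
# 5. Routing: untrust-vr owns the real default gateway, trust-vr hands unknown
#    destinations to untrust-vr, and untrust-vr needs a return route to trust-vr.
set vrouter untrust-vr route 0.0.0.0/0 interface ethernet1/1 gateway 1.1.1.100
set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr
set vrouter untrust-vr route 10.10.0.0/16 vrouter trust-vr
# 6. Services and policies; everything not listed falls to the default deny.
set group service mail-pop3 add mail
set group service mail-pop3 add pop3
set policy from trust to untrust any any http permit
set policy from untrust to Servers any any mail-pop3 permit
save
```

Check the result with get zone, get vrouter, get route and get policy before trusting it: a zone left in the wrong VR shows up as a missing route rather than as a policy error.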
What command in the CLI will show a list of configured zones?
|
get zone
|
Concepts & Examples ScreenOS Reference Guide, p.124
|
|
What four Function zones exist by default?
|
Self
MGT
HA
VLAN
|
Concepts & Examples ScreenOS Reference Guide, p.125
|
|
What default zone serves as a storage area for MIP and VIP addresses?
|
Global Zone
|
Concepts & Examples ScreenOS Reference Guide, p.126
|
|
On which zones can you enable SCREEN Options?
|
Every security zone, and the MGT zone.
|
Concepts & Examples ScreenOS Reference Guide, p.126
|
|
For traffic to flow between VRs, what must be configured?
|
inter-VR routing
|
CJSA Part 2, p.9
|
|
What must be true of an interface before it can be assigned an IP address?
|
It must be assigned to a zone.
|
CJSA Part 2, p.12
|
|
What is the name for the software component designed to manage specific protocols, such as SIP or FTP?
|
Application-Layer Gateway
|
CJFV Part 2, p.18
|
|
Very briefly, what is the ScreenOS decision process/packet flow?
|
1. Perform a sanity check on the packet.
2. Check for an existing session.
3. Check whether the destination is reachable.
4. Check whether the traffic is crossing zones.
5. Check whether the traffic is permitted by policy.
6. Perform an ARP query to resolve the next-hop MAC address.
|
CJFV Part 2, p.20
|
|
What type of Juniper Firewall/VPN offering supports only a single VSYS?
|
Appliances.
|
CJFV Part 2, p.26
|
|
What two main groups can the Juniper firewall/VPN offerings be divided into?
|
Appliances and systems.
|
CJFV Part 2, p.26
|
|
What type of Juniper firewall offering is more suited for a large enterprise or carrier environment?
|
System.
|
CJFV Part 2, p.26
|
|
Into what component does the ScreenOS image load after the power-on self-test completes?
|
RAM
|
CJFV Part 3, p.2
|
|
Generally speaking, what three options are available on a ScreenOS device for management?
|
CLI
WebUI
Security Manager
|
CJFV Part 3, p.3
|
|
How would you need to connect to a ScreenOS device in order to view boot-up messages?
|
Console
|
CJFV Part 3, p.4
|
|
What type of serial cable is used by a NS-5GT and NS-500?
|
DB9
|
CJFV Part 3, p.4
|
|
What type of serial cable is used by SSG-5, NS-25, NS-50, NS-200, and NS-5000?
|
RJ45
|
CJFV Part 3, p.4
|
|
What is the default login and password on a Juniper networks device?
|
netscreen/netscreen
|
CJFV Part 3, p.5
|
|
Does the "unset all" command modify the ScreenOS configuration loaded into memory?
|
No.
|
CJFV Part 3, p.5
|
|
What CLI command can be used to determine product model, serial number, hardware version, and software version?
|
get system
|
CJFV Part 3, p.6
|
|
What CLI command can be used to determine whether the device is operating in layer 2 or layer 3 mode?
|
get system
|
CJFV Part 3, p.6
|
|
What is another name for Layer 2 mode?
|
transparent
|
CJFV Part 3, p.6
|
|
What is another name for Layer 3 mode?
|
NAT/Route mode
|
CJFV Part 3, p.6
|
|
What CLI command can be used to obtain interface status, uptime, and management IP information from a ScreenOS device?
|
get system
|
CJFV Part 3, p.6
|
|
What is the default IP address of a ScreenOS device?
|
192.168.1.1
|
CJFV Part 3, p.8
|
|
What happens if you connect via the WebUI to a 5GT that has no configuration saved in flash memory?
|
The configuration wizard is displayed instead of the login screen.
|
CJFV Part 3, p.8
|
|
In terms of administrator configuration, what is one of the first tasks you should perform on a new ScreenOS device?
|
Change the default username, password, or both.
|
CJFV Part 3, p. 13
|
|
How many security zones can an interface be a part of?
|
One.
|
CJFV Part 3, p. 15
|
|
What is the default zone for an interface that is not assigned to a specific zone?
|
Null
|
CJFV Part 3, p. 16
|
|
What function zone hosts the logical and internal interface for remote management connections?
|
Self
|
CJFV Part 3, p. 16
|
|
What zone hosts the out-of-band management interface on firewall systems?
|
MGT
|
CJFV Part 3, p. 16
|
|
What zone hosts the high availability interfaces?
|
HA
|
CJFV Part 3, p. 17
|
|
What zone contains the VLAN1 interface for transparent mode deployments?
|
VLAN
|
CJFV Part 3, p. 17
|
|
What zone is used for backward-compatible tunnel support when upgrading from ScreenOS versions before 3.1?
|
Tunnel
|
CJFV Part 3, p.
|
|
If you enter the CLI command "set interface e1/1 manage", which management services are available on e1/1?
|
All management services are enabled.
|
CJFV Part 3, p. 20
|
|
What management services are enabled by default on interfaces in the trust zone?
|
All services.
|
CJFV Part 3, p. 21
|
|
By default, what IP address is used as the management IP on a device with management enabled?
|
The interface IP address.
|
CJFV Part 3, p. 23
|
|
What would you do to configure interface "e1/1" so that WebUI and other management traffic can only connect to IP 1.1.1.100?
|
set interface e1/1 manage-ip 1.1.1.100
|
CJFV Part 3, p. 23
|
|
What is the only requirement when configuring a separate management IP address for an interface?
|
The IP must come from the same block of subnet addresses as the interface IP.
|
CJFV Part 3, p. 23
|
|
What privileges does a root administrator have that a read/write administrator does not have?
|
- Create additional administrators
- Activate and deactivate asset recovery features
- Replace the configuration in flash memory with one loaded from a remote device
|
CJFV Part 3, p. 27
|
|
What two CLI commands is a read-only administrator limited to?
|
get
ping
|
CJFV Part 3, p. 27
|
|
How many administrators can be created on a ScreenOS device?
|
20
|
CJFV Part 3, p. 27
|
|
How many administrators can be logged in simultaneously on a ScreenOS device?
|
10
|
CJFV Part 3, p. 27
|
|
What command will change the name of the root administrator to "bob"?
|
set admin name bob
|
CJFV Part 3, p. 28
|
|
What command will change the password of the root administrator to "qwe123"?
|
set admin password qwe123
|
CJFV Part 3, p. 28
|
|
How many root users can be defined on a ScreenOS device?
|
One.
|
CJFV Part 3, p. 28
|
|
What command would create a new administrator called "bob" with password "qwe123" and read/write access?
|
set admin user bob password qwe123 privilege all
|
CJFV Part 3, p. 29
|
|
What is the default timeout on the console port?
|
10 minutes
|
CJFV Part 3, p. 30
|
|
What command would disable the console timeout?
|
set console timeout 0
|
CJFV Part 3, p. 30
|
|
What CLI command will display the amount of time that an idle telnet session (for management) will stay open?
|
get console
|
|
|
What CLI command will tell you whether the configuration has been changed, and whether those changes have been saved?
|
get console
|
|
|
What CLI command can be used to change the timeout of a WebUI session to one hour?
|
set admin auth web timeout 60
|
|
|
What CLI command can be used to add the network 1.1.1.0 255.255.255.0 to the list of hosts that are allowed to manage the device?
|
set admin manager-ip 1.1.1.0 255.255.255.0
|
|
|
After issuing the "unset all" command, should you save the configuration before rebooting the device?
|
No.
|
|
|
What CLI command can be used to view administrator names and privilege levels?
|
get admin user
|
|
|
What CLI command can be used to view administrators who are authorized to SSH to the ScreenOS device?
|
get admin ssh all
|
|
|
What CLI command can be used to remove all IP addresses from the list of IP addresses allowed to manage the device?
|
unset admin manager-ip all
|
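An added example, not from the course material, that applies the administrator and management-access cards above to a freshly unboxed device. The admin names "fw-admin", "ops-rw" and "auditor", the passwords, the management subnet 10.10.1.0/24 and the interface addresses are placeholders. The order is deliberate: replacement accounts and the manager-ip restriction go in first and are verified with get commands, and only then is the root account renamed and management stripped from the untrust-facing interface, so that a typo cannot lock you out of the device.

```text
# Added example: locking down management on a new ScreenOS device (names are assumed)
# Default credentials are netscreen/netscreen: rename and re-password the root admin.
set admin name fw-admin
set admin password Ch4ngeMeRootPass
# A read/write operator and a read-only auditor (read-only admins get only get and ping).
set admin user ops-rw password Ch4ngeMeOpsPass privilege all
set admin user auditor password Ch4ngeMeAuditPass privilege read-only
# Only hosts on the management subnet may reach any management service.
set admin manager-ip 10.10.1.0 255.255.255.0
# Idle timeouts in minutes: console (also governs telnet) and WebUI.
set console timeout 5
set admin auth web timeout 10
# Trust-side interface: answer management only on a dedicated address from the
# interface's own subnet, and only over SSH and HTTPS (ssl).
set interface ethernet1/2 manage-ip 10.10.1.2
unset interface ethernet1/2 manage
set interface ethernet1/2 manage ssh
set interface ethernet1/2 manage ssl
# Untrust-side interface: no management services at all.
unset interface ethernet1/1 manage
# Prefer SSHv2 and make sure the SSH service itself is enabled.
set ssh version v2
set ssh enable
# Verify before saving: admin list and privileges, management settings, unsaved-change state.
get admin user
get admin
get console
save
```

Remember that "unset all" wipes the saved configuration in flash but not the running one, so a device that has been reset still needs this treatment again after its reboot.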
|
|
What four categories of counters are maintained by security devices?
|
Hardware
Flow
Policy
SCREEN
|
CJFV Part 4, p.2
|
|
What three types of logs are maintained on ScreenOS devices?
|
Event Log
Traffic Log
Self Log
|
CJFV Part 4, p.3
|
|
What two types of alarms are provided by ScreenOS devices?
|
Device-Level Alarm
Traffic Alarm
|
CJFV Part 4, p.3
|
|
What log type monitors and records traffic that is permitted or denied based on policies?
|
Traffic log
|
CJFV Part 4, p.3
|
|
What log type monitors and records all packets terminated at the security device?
|
Self log
|
CJFV Part 4, p.3
|
|
What log type monitors system events such as admin config changes and self-generated alarms and messages?
|
Event Log
|
CJFV Part 4, p.3
|
|
What counter tracks the number of packets containing errors?
|
Hardware Counter
|
CJFV Part 4, p.2
|
|
What counter tracks the number of packets inspected at the flow level?
|
Flow Counter
|
CJFV Part 4, p.2
|
|
What counter tracks the amount of traffic affected by specified policies?
|
Policy Counter
|
CJFV Part 4, p.2
|
|
What counter monitors firewall behavior for an entire zone or for a particular interface?
|
SCREEN counter
|
CJFV Part 4, p.2
|
|
What type of alarm monitors the overall device load and may have an LED indicator correlated to it?
|
Device-Level Alarm
|
CJFV Part 4, p.3
|
|
What type of alarm is generated on a per-policy basis?
|
Traffic alarm
|
CJFV Part 4, p.3
|
|
What CLI command could be used to see the statistics counters on interface e1/1?
|
get counter statistics interface e1/1
|
CJFV Part 4, p.4
|
|
What CLI command can be used to clear all interface counters?
|
clear counters all
|
CJFV Part 4, p.4
|
|
What CLI command can be used to see flow counters for interface e1/1?
|
get counter flow interface e1/1
|
CJFV Part 4, p.5
|
|
Does the command "clear counters all" clear hardware or flow counters?
|
Both.
|
CJFV Part 4, p.5
|
|
What CLI command can be used to view all events in the event log?
|
get event
|
CJFV Part 4, p.7
|
|
What CLI command can be used to view only the events from the event log from source 1.1.1.1?
|
get event src-ip 1.1.1.1
|
CJFV Part 4, p.7
|
|
What are the seven log entry severity levels on a ScreenOS device?
|
Emergency
Alert
Critical
Error
Warning
Notification
Information
|
CJFV Part 4, p.8
|
|
What CLI command would configure email alerts for event logs of severity "emergency"?
|
set log module system level emergency destination email
|
CJFV Part 4, p.9
|
|
What CLI command would set the threshold for the CPU alarm to 70%?
|
set alarm threshold cpu 70
|
CJFV Part 4, p.10
|
|
What CLI command would you use to set the primary DNS server IP to 1.1.1.1?
|
set dns host dns1 1.1.1.1
|
CJFV Part 4, p.12
|
|
Does ScreenOS support SNMPv1 or SNMPv2?
|
Both.
|
CJFV Part 4, p.14
|
|
In which three modes can an interface be configured?
|
Transparent
Route
NAT
|
Netscreen JNCIS-FWV Study Guide, p.14
|
|
If you assign an interface to a layer 2 zone, what mode is it set to?
|
transparent
|
Netscreen JNCIS-FWV Study Guide, p.14
|
|
When an interface is in NAT mode, and egress traffic is going to the DMZ zone, is that traffic NATed?
|
No.
|
Netscreen JNCIS-FWV Study Guide, p.14
|
|
If using a single virtual router, to what zone must traffic be going in order for NAT mode to perform source address translation?
|
Untrust or DMZ zone.
|
CJFV Part 5 - Layer 3 Operations, p.42
|
|
Is it possible to have some Layer 2 interfaces and some Layer 3 interfaces?
|
No.
|
Netscreen JNCIS-FWV Study Guide, p.14
|
|
What CLI command will give information about all interfaces, their assigned zone, and whether they are up or down?
|
get interface
|
Netscreen JNCIS-FWV Study Guide, p.15
|
|
What CLI command would give specific information about interface e1/1?
|
get interface e1/1
|
Netscreen JNCIS-FWV Study Guide, p.15
|
|
What CLI command would remove the IP address from interface e1/1?
|
unset interface e1/1 ip
|
Netscreen JNCIS-FWV Study Guide, p.16
|
|
Can you place subinterfaces into the HA zone?
|
No.
|
Netscreen JNCIS-FWV Study Guide, p.16
|
|
If you want to dedicate an interface to providing high availability, what zone would you assign it to?
|
HA
|
Netscreen JNCIS-FWV Study Guide, p.16
|
|
What type of interface facilitates the function of route-based VPN?
|
tunnel interface
|
Netscreen JNCIS-FWV Study Guide, p.17
|
|
What CLI command would create tunnel interface 100 and assign it to the Trust zone?
|
set interface tunnel.100 zone Trust
|
Netscreen JNCIS-FWV Study Guide, p.17
|
|
What is true of the maximum bandwidth of a subinterface, as compared to the maximum bandwidth of the physical interface it is associated with?
|
Subinterface maximum bandwidth cannot exceed physical interface maximum bandwidth.
|
Netscreen JNCIS-FWV Study Guide, p.17
|
|
Can you change the interface mode of a subinterface?
|
No.
|
Netscreen JNCIS-FWV Study Guide, p.17
|
|
How is the interface mode of a subinterface determined?
|
It inherits the interface mode from the physical interface.
|
Netscreen JNCIS-FWV Study Guide, p.17
|
|
What three types of interfaces can have subinterfaces?
|
physical interfaces
redundant interfaces
aggregate interfaces
|
Netscreen JNCIS-FWV Study Guide, p.17
|
|
What command would set interface e1/1 to route mode?
|
set interface e1/1 route
|
Netscreen JNCIS-FWV Study Guide, p.17
|
|
What command would add interface e1/1 to aggregate interface aggregate1?
|
set interface e1/1 aggregate aggregate1
|
Netscreen JNCIS-FWV Study Guide, p.17
|
|
What type of interface allows you to increase bandwidth by combining two interfaces together?
|
aggregate interface
|
Netscreen JNCIS-FWV Study Guide, p.17
|
|
What type of interface allows you to achieve link-level redundancy by combining two physical interfaces so that one acts as primary and the other as backup?
|
redundant interface
|
Netscreen JNCIS-FWV Study Guide, p.17
|
|
Can subinterfaces be grouped into redundant interfaces?
|
No.
|
Netscreen JNCIS-FWV Study Guide, p.17
|
|
Regarding connected L2 devices, what is recommended of redundant interfaces?
|
Connect each physical interface in the redundant interface to a different switch.
|
Netscreen JNCIS-FWV Study Guide, p.17
|
|
What is the terminology for the configured time period that the backup interface in a redundant interface waits before becoming primary?
|
holddown time
|
Netscreen JNCIS-FWV Study Guide, p.17
|
|
If you want to configure a holddown time on a redundant interface, how/when is this configured?
|
It must be configured on each physical interface, before the interface is added to the redundant interface.
|
Netscreen JNCIS-FWV Study Guide, p.17
|
|
What CLI command would you use to set the holddown time on interface e1/1 to 10 seconds?
|
set interface e1/1 phy holddown 10
|
Netscreen JNCIS-FWV Study Guide, p.17
|
|
If you don't specify a primary interface after creating a redundant interface, which interface is considered primary?
|
Whichever interface was added to the group first.
|
Netscreen JNCIS-FWV Study Guide, p.18
|
|
What command would add interface e1/1 to redundant interface "redundant1"?
|
set interface e1/1 group redundant1
|
Netscreen JNCIS-FWV Study Guide, p.18
|
|
What command would configure redundant interface "redundant1" to use physical interface "e1/1" as the primary interface?
|
set interface redundant1 primary e1/1
|
Netscreen JNCIS-FWV Study Guide, p.18
|
|
What Layer 3 security zones exist by default?
|
Trust
Untrust
DMZ
Global
|
Netscreen JNCIS-FWV Study Guide, p.21
|
|
If you know the ID number of a zone, but not the name of the zone, what command could you use to get more information about that zone?
|
get zone id <#>
|
Netscreen JNCIS-FWV Study Guide, p.22
|
|
What command is used to get a list of all virtual routers?
|
get vrouter
|
Netscreen JNCIS-FWV Study Guide, p.23
|
|
What command would change the default virtual router on a netscreen to "untrust-vr"?
|
set vrouter untrust-vr default-vrouter
|
Netscreen JNCIS-FWV Study Guide, p.23
|
|
If you issue the command "set route 1.1.1.0/24 gateway 2.2.2.2" what virtual router is the route added to?
|
Whatever virtual router is designated as the default virtual router.
|
Netscreen JNCIS-FWV Study Guide, p.24
|
|
What command would you use to create a route for 1.1.1.0/24 to gateway 2.2.2.2, and add it to the default virtual router, whatever virtual router that is?
|
set route 1.1.1.0/24 gateway 2.2.2.2
|
Netscreen JNCIS-FWV Study Guide, p.24
|
|
What command will display the entire routing table?
|
get route
|
Netscreen JNCIS-FWV Study Guide, p.24
|
|
What command can you use to get detailed information about a specific route?
|
get route id <#>
|
Netscreen JNCIS-FWV Study Guide, p.25
|
|
What command can you use to determine what route on the system would be used to get to 1.1.1.1?
|
get route ip 1.1.1.1
|
NetScreen JNCIS-FWV Study Guide, p.26
|
|
If you want to see how long a route has been active, what command would you use?
|
get route id <route-id>
|
NetScreen JNCIS-FWV Study Guide, p.26
|
|
What command would show you all policies configured on the device?
|
get policy
|
NetScreen JNCIS-FWV Study Guide, p.27
|
|
If a device performs an interzone or intrazone policy lookup for traffic, and finds no match, what is checked next?
|
Global policy list
|
NetScreen JNCIS-FWV Study Guide, p.27
|
|
If a device fails to find a policy match after looking in interzone/intrazone and global policy, what is checked next?
|
Nothing, default policy is applied.
|
NetScreen JNCIS-FWV Study Guide, p.27
|
|
What command would display verbose information about policy ID 4?
|
get policy id 4
|
NetScreen JNCIS-FWV Study Guide, p.28
|
|
What three actions are possible for a policy?
|
permit
deny
tunnel
|
NetScreen JNCIS-FWV Study Guide, p.28
|
|
When a policy is created, what policy ID is assigned to that policy?
|
The next sequential available policy ID.
|
NetScreen JNCIS-FWV Study Guide, p.28
|
|
If a policy with NAT-src has been configured, but no DIP is specified, what IP will the traffic be NATed to?
|
The egress interface IP address.
|
NetScreen JNCIS-FWV Study Guide, p.30
|
|
If traffic from an interface in NAT mode, going from zone trust to zone untrust, matches a policy whose NAT-src translates to an address other than the egress interface address, what IP address is the source translated to?
|
The IP address specified in the policy.
|
NetScreen JNCIS-FWV Study Guide, p.30
|
|
What command would set interface e1/1 to NAT mode?
|
set interface e1/1 nat
|
NetScreen JNCIS-FWV Study Guide, p.31
|
|
If an interface is in NAT mode, is NAT-src applied when traffic from that interface egresses on an interface in the DMZ zone?
|
No.
|
NetScreen JNCIS-FWV Study Guide, p.31
|
|
What command would you use to NAT all traffic from the "trust" zone to the "dmz" zone behind the egress interface IP?
|
set policy from trust to dmz any any any nat src permit
|
NetScreen JNCIS-FWV Study Guide, p.31
|
|
How many concurrent hosts can a DIP pool with a single IP address support?
|
64,500
|
NetScreen JNCIS-FWV Study Guide, p.32
|
|
Which DIP pool IDs are reserved by ScreenOS for internal use?
|
1-4
|
NetScreen JNCIS-FWV Study Guide, p.32
|
|
What is the first usable DIP pool ID?
|
5
|
NetScreen JNCIS-FWV Study Guide, p.32
|
|
What is DIP ID 2 most commonly used for?
|
NAT-src instances referring to the egress interface.
|
NetScreen JNCIS-FWV Study Guide, p.32
|
|
What command would create a DIP pool with ID 10 on e1/1 with a starting IP of 1.1.1.1 and an ending IP of 1.1.1.255?
|
set interface e1/1 dip 10 1.1.1.1 1.1.1.255
|
NetScreen JNCIS-FWV Study Guide, p.32
|
|
What command would create a DIP pool with ID 5 on e1/1 with a starting IP of 1.1.1.1 and an ending IP of 1.1.1.255, WITHOUT performing PAT?
|
set interface e1/1 dip 5 1.1.1.1 1.1.1.255 fix-port
|
NetScreen JNCIS-FWV Study Guide, p.32
|
|
What NAT option will make sure the same host gets PAT translation behind the same IP address in the DIP pool, for subsequent connections?
|
Sticky DIP
|
NetScreen JNCIS-FWV Study Guide, p.32
|
|
What CLI command will enable sticky DIP?
|
set dip sticky
|
NetScreen JNCIS-FWV Study Guide, p.32
|
|
What command would you use to create a DIP pool with ID 10 on interface e1/1 that shifts "192.168.1.x" addresses to "1.1.1.x" addresses? (Start at 192.168.1.1)
|
set interface e1/1 dip 10 shift-from 192.168.1.1 to 1.1.1.1 1.1.1.255
|
NetScreen JNCIS-FWV Study Guide, p.33
|
|
What command would you use to put DIP ID 10 into a policy from trust to untrust that accepts all traffic?
|
set policy from trust to untrust any any any nat src dip-id 10 permit
|
NetScreen JNCIS-FWV Study Guide, p.33
|
|
What type of NAT configuration is normally used to work around overlapping networks in a VPN?
|
NAT-dst
|
NetScreen JNCIS-FWV Study Guide, p.33
|
|
In terms of zone membership, what is true of the addresses used for NAT-dst?
|
The NAT-dst address needs to resolve to the same zone as the original IP address.
|
NetScreen JNCIS-FWV Study Guide, p.34
|
|
What is the most common type of NAT when configuring normal inbound destination NAT?
|
MIP
|
NetScreen JNCIS-FWV Study Guide, p.34
|
|
Can a MIP be used to translate an entire network range to another network range?
|
Yes.
|
NetScreen JNCIS-FWV Study Guide, p.34
|
|
When an internal host is used as the Real IP of a MIP, is outgoing traffic from that host NATed automatically?
|
Yes.
|
NetScreen JNCIS-FWV Study Guide, p.34
|
|
What CLI command will give you a list of configured mapped IPs?
|
get mip
|
NetScreen JNCIS-FWV Study Guide, p.34
|
|
What type of NAT is used for inbound destination NAT, but allows you to NAT traffic differently based on the destination port?
|
VIP
|
NetScreen JNCIS-FWV Study Guide, p.35
|
|
What two components make up a VIP mapping?
|
The VIP address, and the VIP service.
|
NetScreen JNCIS-FWV Study Guide, p.35
|
|
On which interfaces can VIPs be configured?
|
Interfaces bound to the untrust zone.
|
NetScreen JNCIS-FWV Study Guide, p.35
|
|
In which zone are VIP mappings saved?
|
Global Zone
|
NetScreen JNCIS-FWV Study Guide, p.35
|
|
In which zone are MIP mappings saved?
|
Global Zone.
|
NetScreen JNCIS-FWV Study Guide, p.35
|
|
What command will display a list of configured VIPs?
|
get vip
|
NetScreen JNCIS-FWV Study Guide, p.35
|
|
What command would create a VIP on interface e1/1 that would take traffic destined to 1.1.1.1, port 80 and redirect it to 192.168.1.1, port 8080?
|
set interface e1/1 vip 1.1.1.1 80 <8080-service> 192.168.1.1
|
NetScreen JNCIS-FWV Study Guide, p.36
|
|
If interface e1/1 has IP address 2.2.2.2/24, and you try to add a VIP of 1.1.1.1 to that interface via CLI, what output will you receive?
|
###IP 1.1.1.1 is not in the same subnet as interface ethernet1/1
|
|
|
What CLI command would you use to allow public hosts in the untrust zone to access a private server in the dmz zone via a vip at 1.1.1.1 and port 80?
|
set policy from untrust to dmz any vip(1.1.1.1) http permit
|
NetScreen JNCIS-FWV Study Guide, p.36
|
|
If you have a VIP to NAT port 80 traffic to an internal host listening for HTTP requests on port 8080, what port do you specify in the associated permit rule?
|
80
|
NetScreen JNCIS-FWV Study Guide, p.36
|
|
What command would you use to create a mapped IP on interface e1/1 to map 1.1.1.1 to internal host 192.168.1.1? (The internal host is in the trust zone and the NAT IP is in the untrust zone)
|
set interface e1/1 mip 1.1.1.1 host 192.168.1.1 netmask 255.255.255.255 vrouter trust-vr
|
NetScreen JNCIS-FWV Study Guide, p.35
|
|
What command would you use to create a policy allowing external hosts from the untrust zone to access a MIP at 1.1.1.1 that NATs to a host in the dmz zone? Allow any source and any service.
|
set policy from untrust to dmz any mip(1.1.1.1) any permit
|
NetScreen JNCIS-FWV Study Guide, p.35
|
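An added example, not from the study guide, that puts the NAT cards above together on one device: interface-based NAT mode on the trust side, a PAT DIP pool and a fix-port pool on the untrust interface, a MIP and a VIP for inbound traffic, and the policies that reference them. The interfaces ethernet1/1 (untrust, 1.1.1.1/24), ethernet1/2 (trust, 10.10.1.1/24) and ethernet1/3 (dmz, 192.168.1.1/24), the pool ranges, the hosts and the custom service name "web8080" are assumed for illustration. Three checks worth keeping in mind: the MIP and VIP addresses must fall in the untrust interface's subnet, the MIP's vrouter argument is the VR that owns the real host's zone (trust-vr here), and the inbound VIP policy names the public port (80), not the translated port (8080).

```text
# Added example: source and destination NAT on one device (addresses are assumed)
set interface ethernet1/1 zone untrust
set interface ethernet1/1 ip 1.1.1.1/24
set interface ethernet1/2 zone trust
set interface ethernet1/2 ip 10.10.1.1/24
set interface ethernet1/3 zone dmz
set interface ethernet1/3 ip 192.168.1.1/24
# Interface-based NAT: trust -> untrust sources are rewritten to the egress interface IP
# with no policy NAT at all.
set interface ethernet1/2 nat
# Policy-based NAT-src with no DIP for trust -> dmz: the egress interface IP is used.
set policy from trust to dmz any any any nat src permit
# DIP pools on the untrust interface: pool 10 does PAT, pool 11 preserves source ports.
set interface ethernet1/1 dip 10 1.1.1.10 1.1.1.20
set interface ethernet1/1 dip 11 1.1.1.21 1.1.1.30 fix-port
# Keep a given internal host behind the same pool address across its connections.
set dip sticky
# IKE must keep its source port, so it takes the fix-port pool; order matters, the
# more specific policy goes first because policies are matched top-down.
set policy from trust to untrust any any ike nat src dip-id 11 permit
set policy from trust to untrust any any any nat src dip-id 10 permit
# Inbound 1:1: MIP 1.1.1.50 <-> dmz host 192.168.1.50 (outbound from that host is
# translated to 1.1.1.50 automatically).
set interface ethernet1/1 mip 1.1.1.50 host 192.168.1.50 netmask 255.255.255.255 vrouter trust-vr
set policy from untrust to dmz any mip(1.1.1.50) any permit
# Inbound per-port: VIP 1.1.1.2:80 -> dmz host 192.168.1.60:8080 via a custom service.
set service web8080 protocol tcp src-port 0-65535 dst-port 8080-8080
set interface ethernet1/1 vip 1.1.1.2 80 web8080 192.168.1.60
set policy from untrust to dmz any vip(1.1.1.2) http permit
# Verify the mappings and the resulting policy list.
get mip
get vip
get policy
save
```

A DIP pool of a single address supports roughly 64,500 concurrent PAT sessions, but a fix-port pool can only hold one session per source port per address, so size pool 11 for the number of hosts that genuinely need port preservation rather than for general traffic.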
|
If a packet is not encapsulated, what is considered the source zone for that packet?
|
The zone that the ingress interface or subinterface is bound to.
|
NetScreen JNCIS-FWV Study Guide, p.36
|
|
What two packet processing methods can be used, dependent on whether an incoming packet matches an existing session?
|
first packet processing
fast processing
|
NetScreen JNCIS-FWV Study Guide, p.37
|
|
When observing a packet leaving your firewall, the source IP address has been changed, even though no policy has been configured to perform this NAT. What is the most likely explanation?
|
The ingress interface is in NAT mode, and the egress interface is in the untrust zone.
|
NetScreen JNCIS-FWV Study Guide, p.41
|
|
What hardware component in a NetScreen System is responsible for performing Fast Processing on a packet?
|
Interface ASIC
|
NetScreen JNCIS-FWV Study Guide, p.41
|
|
What hardware component is responsible for First Packet Processing?
|
CPU
|
NetScreen JNCIS-FWV Study Guide, p.41
|
|
When defining a subinterface ID (interface.<ID>, for example ethernet1/1.<ID>), what is the maximum number you can use for the ID?
|
1000
|
|
|
If you have four interfaces, e1/1, e1/2, e2/1, and e2/2, which interfaces could be placed in an aggregate interface together?
|
e1/1 and e1/2
or e2/1 and e2/2
|
|
|
If you have four interfaces, e1/1, e1/2, e1/3, and e1/4, which interfaces could be placed in an aggregate interface together?
|
e1/1 and e1/2
or e1/2 and e1/3
or e1/3 and e1/4
|
|
|
What is the easiest way to see the ID number of all configured zones?
|
get zone
|
NetScreen JNCIS-FWV Study Guide, p.42
|
|
In the output of the "get route" command, what does an asterisk next to an entry mean?
|
That the route is active.
|
NetScreen JNCIS-FWV Study Guide, p.42
|
|
How many interfaces are on a Fast Ethernet module?
|
2
|
NetScreen JNCIS-FWV Study Guide, p.42
|
|
How many interfaces are on a mini-GBIC module?
|
2
|
NetScreen JNCIS-FWV Study Guide, p.42
|
|
How many interfaces are on a GBIC module?
|
1
|
NetScreen JNCIS-FWV Study Guide, p.42
|
|
Put the following in order:
- new session created
- checks SCREEN options for the zone
- performs policy look-up
- resolves MIPs and VIPs
- performs a route look-up to determine destination zone
|
1) checks SCREEN options for the zone
2) resolves MIPs and VIPs
3) performs a route look-up to determine destination zone
4) performs policy look-up
5) new session created
|
NetScreen JNCIS-FWV Study Guide, p.42
|
|
Why are route look-ups relevant to policy look-ups?
|
Route look-ups determine destination zone, and so also determine what policies will be relevant.
|
|
|
Can a tunnel interface have a VLAN ID assigned?
|
No.
|
NetScreen JNCIS-FWV Study Guide, p.42
|
|
How do you add an IP address to an interface in the "Null" zone?
|
You cannot.
|
NetScreen JNCIS-FWV Study Guide, p.42
|
|
What command do you use to configure an email address for the CA to send a certificate to, after you issue the certificate request?
|
set pki x509 dn email <email-address>
|
NetScreen JNCIS-FWV Study Guide, p.44
|
|
What command do you use to configure the CA email address that your certificate request is sent to?
|
set pki x509 default send-to <email-address>
|
NetScreen JNCIS-FWV Study Guide, p.44
|
|
What three items are required by a NetScreen in order for a digital certificate to function properly?
|
The certificate assigned to the NetScreen
The signing CA's digital certificate
The CRL |
NetScreen JNCIS-FWV Study Guide, p.45
|
|
What is the signing CA's digital certificate normally called?
|
auth.cer
|
NetScreen JNCIS-FWV Study Guide, p.45
|
|
What is the NetScreen's digital certificate normally called?
|
local.cer
|
NetScreen JNCIS-FWV Study Guide, p.45
|
|
What two options does a NetScreen have for certificate validation?
|
CRL and OCSP
|
NetScreen JNCIS-FWV Study Guide, p.45
|
|
In IKE Main Mode, what takes place in messages 1 and 2?
|
Propose and accept the encryption and authentication algorithms.
|
NetScreen JNCIS-FWV Study Guide, p.46
|
|
In IKE Main Mode, what takes place in messages 3 and 4?
|
Execute a DH exchange where the initiator and recipient each exchange a nonce.
|
NetScreen JNCIS-FWV Study Guide, p.46
|
|
In terms of IKE negotiation, what is a nonce?
|
A randomly generated number.
|
NetScreen JNCIS-FWV Study Guide, p.46
|
|
In IKE Main Mode, what takes place in messages 5 and 6?
|
Send and verify identities.
|
NetScreen JNCIS-FWV Study Guide, p.46
|
|
In Aggressive Mode IKE, what takes place in the first message?
|
The initiator proposes the SA, initiates a DH exchange, sends a nonce, and its IKE identity.
|
NetScreen JNCIS-FWV Study Guide, p.46
|
|
In Aggressive Mode IKE, what takes place in the second message?
|
The recipient accepts the SA, authenticates the initiator, sends a nonce, its IKE identity and its digital certificate (if applicable)
|
NetScreen JNCIS-FWV Study Guide, p.46
|
|
In Aggressive Mode IKE, what takes place in the third message?
|
The initiator authenticates the recipient, confirms the exchange, and sends its digital certificate (if applicable)
|
NetScreen JNCIS-FWV Study Guide, p.46
|
|
What three main components make up the structure of a Phase 1 Proposal?
|
Authentication Method
Diffie-Hellman Group
Encryption/Authentication Scheme |
NetScreen JNCIS-FWV Study Guide, p.47
|
|
What three main components make up the structure of a Phase 2 proposal?
|
Perfect Forward Secrecy (on or off)
Encapsulation method (esp or ah)
Encryption/Authentication scheme |
NetScreen JNCIS-FWV Study Guide, p.48
|
|
What command would create a gateway for use with policy based VPN called "gateway" with IP 1.1.1.1, using e1/1 as the outgoing interface, and qwe123 as the preshared key?
|
set ike gateway gateway address 1.1.1.1 outgoing-interface e1/1 preshare qwe123 proposal <proposal-name>
|
NetScreen JNCIS-FWV Study Guide, p.49
|
|
What command would create a VPN policy to use a VPN tunnel called "vpnObject" for all traffic from untrust to trust?
|
set policy from untrust to trust any any any tunnel vpn vpnObject
|
NetScreen JNCIS-FWV Study Guide, p.49
|
|
After creating a gateway called "VPNgateway", what command would configure an IPSec VPN called "vpnObject" to use that gateway?
|
set vpn vpnObject gateway VPNgateway sec-level <phase2-proposal>
|
NetScreen JNCIS-FWV Study Guide, p.49
|
|
What command would bind tunnel interface tunnel0 to VPN vpnObject?
|
set vpn vpnObject bind interface tunnel0
|
NetScreen JNCIS-FWV Study Guide, p.50
|
|
What command would configure vrouter "trust-vr" to create a route-based VPN using interface tunnel0 when sending traffic to 192.168.1.0/24?
|
set vrouter trust-vr route 192.168.1.0/24 interface tunnel0
|
NetScreen JNCIS-FWV Study Guide, p.51
|
|
What mode needs to be used for IKE when creating VPNs with dynamically addressed peers?
|
Aggressive mode
|
NetScreen JNCIS-FWV Study Guide, p.54
|
|
If N is the number of sites, how many tunnels will be necessary to create a fully meshed VPN?
|
[N x (N-1)]/2
|
NetScreen JNCIS-FWV Study Guide, p.55
|
|
What two files does a NetScreen rely on for operation?
|
The ScreenOS binary, and the configuration file.
|
CJFV, Part 4 - Device Management, p.21
|
|
What command would you use to restore a configuration called config.txt from a TFTP server at 1.1.1.1 to the local device?
|
save config from tftp 1.1.1.1 config.txt to flash
|
CJFV, Part 4 - Device Management, p.23
|
|
After restoring a configuration from a TFTP server (without merging), what do you need to do to activate that configuration?
|
Restart the system.
|
CJFV, Part 4 - Device Management, p.23
|
|
What command is used to save the current configuration as the "last known good" configuration?
|
save config to last-known-good
|
CJFV, Part 4 - Device Management, p.23
|
|
What commands would be used to reset the system using the saved "last known good" configuration?
|
exec config rollback enable
reset |
CJFV, Part 4 - Device Management, p.23
|
|
What command would be used to upgrade your device using a file, newimage.bin, on a TFTP server at 1.1.1.1?
|
save software from tftp 1.1.1.1 newimage.bin to flash
reset |
CJFV, Part 4 - Device Management, p.28
|
|
What method can you use via the console to reset a system to defaults if you lose the root password?
|
Use the serial number as the username and password.
|
CJFV, Part 4 - Device Management, p.34
|
|
To disable recovery via console login, what command would you use?
|
unset admin device-reset
|
CJFV, Part 4 - Device Management, p.34
|
|
To disable recovery via the physical pinhole on the exterior of the system, what command would you use?
|
unset admin hw-reset
|
CJFV, Part 4 - Device Management, p.34
|
|
What command would create a zone called "Zoney"?
|
set zone name zoney
|
CJFV Part 5 - Layer 3 Operations, p.11
|
|
What command could you use to test the path to 1.1.1.1 and display each hop along the path?
|
trace-route 1.1.1.1
|
CJFV Part 5 - Layer 3 Operations, p.23
|
|
What command will display the debug buffer size in bytes?
|
get dbuf info
|
CJFV Part 5 - Layer 3 Operations, p.26
|
|
What command will display the contents of the debug buffer?
|
get dbuf stream
|
CJFV Part 5 - Layer 3 Operations, p.26
|
|
What command will set the size of the debug buffer to 32 kilobytes?
|
set dbuf size 32
|
CJFV Part 5 - Layer 3 Operations, p.26
|
|
What is the maximum configurable size of the debug buffer, using the command "set dbuf size" ?
|
4096 kilobytes
|
|
|
What command will clear the contents of the debug buffer?
|
clear dbuf
|
CJFV Part 5 - Layer 3 Operations, p.26
|
|
What command would you use to create a flow filter designed to show one-way traffic to 1.1.1.1?
|
set ffilter dst-ip 1.1.1.1
|
CJFV Part 5 - Layer 3 Operations, p.28
|
|
What command would you use to view the current flow filter?
|
get ffilter
|
CJFV Part 5 - Layer 3 Operations, p.30
|
|
What command would you use to remove the flow filter with the lowest ID?
|
unset ffilter
|
CJFV Part 5 - Layer 3 Operations, p.30
|
|
What will you see in a "debug flow basic" if you have no route to reach the destination IP of a packet the ScreenOS device is inspecting?
|
packet dropped, no route
|
CJFV Part 5 - Layer 3 Operations, p.37
|
|
What message will you see in a "debug flow basic" if the packet gets dropped by policy?
|
packet dropped, denied by policy
|
CJFV Part 5 - Layer 3 Operations, p.38
|
|
If using multiple virtual routers, to what zone must traffic be going in order for NAT mode to perform source address translation?
|
The egress zone must be a member of the untrust-vr, and the ingress zone must be in NAT mode.
|
CJFV Part 5 - Layer 3 Operations, p.42
|
|
What command would create an address called Internal, in zone Trust, with address 1.1.1.1?
|
set address Trust Internal 1.1.1.1/32
|
CJFV Part 6 - Basic Policy Configuration, p.7
|
|
What command would create an address in zone Untrust, called Google, whose address resolves to www.google.com?
|
set address Untrust Google www.google.com
|
CJFV Part 6 - Basic Policy Configuration, p.7
|
|
What command will display all service objects that exist by default?
|
get service pre-defined
|
CJFV Part 6 - Basic Policy Configuration, p.12
|
|
What command will create a custom service object called Service that matches TCP destination port 1000?
|
set service Service protocol tcp dst-port 1000-1000
|
CJFV Part 6 - Basic Policy Configuration, p.13
|
|
What command will move policy 5 to before policy 4 in the policy order?
|
set policy move 5 before 4
|
CJFV Part 6 - Basic Policy Configuration, p.19
|
|
What command would create a new address group in zone Trust, called "internal-hosts" and add host1 to the group?
|
set group address Trust internal-hosts add host1
|
|
|
What command will list all service groups?
|
get group service
|
CJFV Part 6 - Basic Policy Configuration, p.30
|
|
What command will display specific information about a service group called service-group?
|
get group service service-group
|
CJFV Part 6 - Basic Policy Configuration, p.30
|
|
What command would create a policy in the global zone to deny all traffic?
|
set policy global any any any deny
|
CJFV Part 6 - Basic Policy Configuration, p.43
|
|
What command could you use to determine if intra-zone block is enabled in zone Trust?
|
get zone trust
|
CJFV Part 6 - Basic Policy Configuration, p.49
|
|
Will the snoop command show you packets handled via the CPU, ASIC processor, or both?
|
Only CPU
|
CJFV Part 6 - Basic Policy Configuration, p.50
|
|
What command can be used to determine if any snoop filters are currently defined?
|
snoop info
|
CJFV Part 6 - Basic Policy Configuration, p.51
|
|
What command will turn snoop on?
|
snoop
|
CJFV Part 6 - Basic Policy Configuration, p.51
|
|
What two methods can you use to disable snoop after turning it on?
|
"snoop off" command, or press Esc key
|
CJFV Part 6 - Basic Policy Configuration, p.51
|
|
What command would you use to filter snoop for packets destined to 1.1.1.1?
|
snoop filter ip dst-ip 1.1.1.1
|
CJFV Part 6 - Basic Policy Configuration, p.54
|
|
What command is used to display data captured with the snoop command?
|
get db stream
|
CJFV Part 6 - Basic Policy Configuration, p.55
|
|
When using logging on a policy, when is traffic logged, by default?
|
When a session is closed.
|
CJFV Part 7 - Basic Policy Configuration, p.8
|
|
What command would you use to create a policy from trust to untrust to permit any traffic, and log the traffic when the session closes?
|
set policy from trust to untrust any any any permit logging
|
CJFV Part 6 - Basic Policy Configuration, p.8
|
|
What command would you use to create a policy from trust to untrust to permit any traffic, and log the traffic when the session is opened?
|
set policy from trust to untrust any any any permit logging session-init
|
CJFV Part 6 - Basic Policy Configuration, p.8
|
|
What command is used to display the traffic log?
|
get log traffic
|
CJFV Part 6 - Basic Policy Configuration, p.10
|
|
What command would create a policy from trust to untrust that permits all traffic, and enable counting on that policy?
|
set policy from trust to untrust any any any permit count
|
CJFV Part 6 - Basic Policy Configuration, p.12
|
|
From within the "(policy:1)" context, what command will enable counting?
|
set count
|
CJFV Part 6 - Basic Policy Configuration, p.12
|
|
From within the "(policy:1)" context, what command will enable counting with alarm thresholds for more than 1000 B/sec or 50 KB/minute?
|
set count alarm 1000 50
|
CJFV Part 6 - Basic Policy Configuration, p.12
|
|
What command would show policy counters from the last day on policy id 20?
|
get counter policy 20 day
|
CJFV Part 6 - Basic Policy Configuration, p.14
|
|
What two types of time objects can be used in policies?
|
Recurrent times, and one-time scheduling.
|
CJFV Part 6 - Basic Policy Configuration, p.15
|
|
What command would create a time object called "Timer" that matches Friday from 01:00 to 02:00 and 03:00 to 04:00?
|
set scheduler Timer recurrent friday start 01:00 stop 02:00 start 03:00 stop 04:00
|
CJFV Part 6 - Basic Policy Configuration, p.17
|
|
What command would create a time object called "Timer" that matches the dates 1/1/12 to 1/10/12?
|
set scheduler Timer once start 01/01/2012 00:00 stop 01/10/2012 23:59
|
CJFV Part 6 - Basic Policy Configuration, p.17
|
|
What command would create a policy from Trust to Untrust that allows any traffic but only during times matching scheduler object "Timer"?
|
set policy from trust to untrust any any any permit schedule Timer
|
CJFV Part 6 - Basic Policy Configuration, p.20
|
|
By default, how long is an authentication good for?
|
As long as the session remains active, plus 10 minutes.
|
CJFV Part 6 - Basic Policy Configuration, p.22
|
|
What command would change the length of time that an authentication is good for to 20 minutes after the close of the authenticated session?
|
set auth-server local timeout 20
|
CJFV Part 6 - Basic Policy Configuration, p.22
|
|
What three services does policy-based authentication work for?
|
Telnet, FTP, HTTP
|
CJFV Part 6 - Basic Policy Configuration, p.22
|
|
What command would create a user bob with password qwe123, for use with an authentication policy?
|
set user bob password qwe123
|
CJFV Part 6 - Basic Policy Configuration, p.27
|
|
What type of authentication requires a user to actively browse to a specific IP address before they can generate authenticated traffic?
|
WebAuth
|
CJFV Part 6 - Basic Policy Configuration, p.24
|
|
What command would create a policy from trust to untrust that allows any traffic, but only if webauth is performed?
|
set policy from trust to untrust any any any permit webauth
|
CJFV Part 6 - Basic Policy Configuration, p.30
|
|
What command would create a policy from trust to untrust that allows any traffic, but requires standard authentication?
|
set policy from trust to untrust any any any permit auth
|
CJFV Part 6 - Basic Policy Configuration, p.30
|
|
What series of commands would enable WebAuth on interface e1/1 to IP address 1.1.1.1, and require HTTPS?
|
set interface e1/1 webauth
set interface e1/1 webauth ssl-only
set interface e1/1 webauth-ip 1.1.1.1 |
|
|
What command would show all currently authenticated users?
|
get user all
|
|
|
What command will show authentication login statistics?
|
get auth table
|
|
|
What type of NAT provides bidirectional translation?
|
MIP
|
CJFV Part 8 - Address Translation, p.3
|
|
If you want to have a single public address map to multiple internal servers, what type of NAT should you use?
|
VIP
|
CJFV Part 8 - Address Translation, p.5
|
|
What command would you use to display all configured DIP addresses?
|
get dip
|
CJFV Part 8 - Address Translation, p.18
|
|
What command would create a NAT-dst policy from untrust to trust that directs HTTP traffic from any host to address PublicIP to port 8080 on host 1.1.1.1?
|
set policy from untrust to trust any PublicIP http nat dst ip 1.1.1.1 port 8080 permit
|
CJFV Part 8 - Address Translation, p.31
|
|
Should MIP addresses be defined on the internal or external interface?
|
external
|
CJFV Part 8 - Address Translation, p.46
|
|
What type of NAT can use addresses that are not associated with the interface on which the NAT is placed?
|
MIP
|
CJFV Part 8 - Address Translation, p.46
|
|
If an overlap exists between MIP and VIP mappings, which one takes precedence?
|
MIP
|
CJFV Part 8 - Address Translation, p.60
|
|
What takes precedence, MIP/VIP or unidirectional translation?
|
MIP/VIP
|
CJFV Part 8 - Address Translation, p.60
|
|
What takes precedence, policy-based or interface-based NAT?
|
policy-based
|
CJFV Part 8 - Address Translation, p.60
|
|
What does CIA stand for, in regard to the three driving concerns for network security?
|
Confidentiality
Integrity
Authentication |
CJFV Part 9 - VPN Concepts, p.3
|
|
What method of encryption uses the same key for encryption and decryption?
|
Symmetric Key Encryption
|
CJFV Part 9 - VPN Concepts, p.5
|
|
What method of encryption uses one key that is secret and known only to the owner, and one key that is widely distributed and can be accessed by anyone?
|
Asymmetric Key/Public Key Encryption
|
CJFV Part 9 - VPN Concepts, p.6
|
|
What is the major drawback of Public Key Encryption?
|
Large key sizes make public key operations extremely slow, so they are generally not feasible for bulk data encryption.
|
CJFV Part 9 - VPN Concepts, p.6
|
|
How many bits are in an MD5 hash?
|
128
|
CJFV Part 9 - VPN Concepts, p.7
|
|
How many bits are in a SHA-1 hash?
|
160
|
CJFV Part 9 - VPN Concepts, p.7
|
|
What is the authentication process that appends a hashed pre-shared key to data, so that the receiver can validate the source of the data?
|
Hashed Method Authentication Code (HMAC)
|
CJFV Part 9 - VPN Concepts, p.10
|
|
How large is the prime number used for Diffie-Hellman group 1?
|
768 bits
|
CJFV Part 9 - VPN Concepts, p.13
|
|
How large is the prime number used for Diffie-Hellman group 2?
|
1024 bits
|
CJFV Part 9 - VPN Concepts, p.13
|
|
How large is the prime number used for Diffie-Hellman group 5?
|
1536 bits
|
CJFV Part 9 - VPN Concepts, p.13
|
|
What three Diffie-Hellman groups are supported by ScreenOS devices?
|
1, 2, and 5
|
CJFV Part 9 - VPN Concepts, p.13
|
|
What two protocols are defined in the IPSec standard?
|
ESP and AH
|
CJFV Part 9 - VPN Concepts, p.17
|
|
Of the two protocols defined in the IPSec standard, which does NOT provide encryption?
|
AH
|
CJFV Part 9 - VPN Concepts, p.17
|
|
In what two modes can IPSec be implemented?
|
Tunnel mode and Transport mode.
|
CJFV Part 9 - VPN Concepts, p.18
|
|
How many bits are in the SPI field of an ESP packet header?
|
32
|
CJFV Part 9 - VPN Concepts, p. 20
|
|
What is the protocol number of ESP traffic?
|
50
|
CJFV Part 9 - VPN Concepts, p. 20
|
|
What is the protocol number of AH traffic?
|
51
|
CJFV Part 9 - VPN Concepts, p. 21
|
|
What port and protocol does the Internet Key Exchange protocol use?
|
UDP port 500
|
CJFV Part 9 - VPN Concepts, p. 23
|
|
What values are used to uniquely identify a Security Association?
|
- SPI number
- Destination IP address
- Security Protocol (ESP/AH) |
CJFV Part 9 - VPN Concepts, p. 24
|
|
If one peer has a dynamically assigned peer address, what changes need to be made to IKE Phase 1?
|
IKE Phase 1 should use aggressive mode.
|
CJFV Part 9 - VPN Concepts, p. 27
|
|
Which packets of Phase 1 are used to determine the encryption algorithm, hash algorithm, DH group, and authentication method?
|
Packets one and two.
|
CJFV Part 9 - VPN Concepts, p. 29
|
|
What is the main purpose of IKE Quick Mode packet 3?
|
To acknowledge information sent in Quick Mode packet 2, and complete tunnel establishment.
|
CJFV Part 9 - VPN Concepts, p. 32
|
|
When using IKE aggressive mode to allow a VPN tunnel with a DAIP peer, which device should send Phase 1 Packet 1?
|
The device with the dynamic IP.
|
CJFV Part 9 - VPN Concepts, p.33
|
|
If using a policy-based VPN, what action do you use in the policy for the traffic that you intend to encrypt?
|
Tunnel
|
CJFV Part 10 - VPN Concepts, p.2
|
|
What CLI command would you use to create a peer gateway called VPNpeer, at 1.1.1.1, to go out interface e1/1, using a preshared key, qwe123 with standard security level?
|
set ike gateway VPNpeer address 1.1.1.1 outgoing-interface e1/1 preshare qwe123 sec-level standard
|
CJFV Part 10 - VPN Concepts, p.5
|
|
What CLI command would you use to create a Phase 2 called p2-VPN, using a configured gateway called VPNpeer with standard security level?
|
set vpn p2-VPN gateway VPNpeer sec-level standard
|
CJFV Part 10 - VPN Concepts, p.10
|
|
What caveat is true of policy-based VPN if the user traffic and outgoing interface for a VPN are in the same zone?
|
Policy-based VPN will not work -- you need to configure a route-based VPN.
|
CJFV Part 10 - VPN Concepts, p. 16
|
|
What CLI command will configure a policy for policy-based VPN to direct traffic to VPN p2-VPN?
|
set policy from trust to untrust <source> <destination> any tunnel vpn p2-VPN
|
CJFV Part 10 - VPN Concepts, p.17
|
|
If you have a policy-based VPN that directs all traffic from the network associated with your firewall's trust interface, what ping command can you use to test the tunnel?
|
ping x.x.x.x from trust
|
CJFV Part 10 - VPN Concepts, p.20
|
|
What "get" command can be used to verify that Phase 1 completed successfully?
|
get ike cookie / get ike cookies
|
CJFV Part 10 - VPN Concepts, p.21
|
|
What "get" command can be used to verify that Phase 2 completed successfully?
|
get sa active
|
CJFV Part 10 - VPN Concepts, p.21
|
|
What "get event" command can be used to see all messages in the event log related to VPN?
|
get event type 536
|
CJFV Part 10 - VPN Concepts, p.25
|
|
What is true of tunnel interface configuration if you need to use a MIP or DIP in the tunnel?
|
The tunnel interface must have an IP address.
|
CJFV Part 11 - VPN Concepts, p.5
|
|
In terms of address assignment, if two devices are using route-based VPN, what must be true of addressed tunnel interfaces in order for routing to function properly?
|
The tunnel interfaces must be in the same subnet.
|
|
|
What must be true of your tunnel interface if you want to use MIP and DIP addresses in the VPN tunnel?
|
The tunnel interface must have a fixed IP address.
|
|
|
In terms of zone membership, what must be true of a tunnel interface and the interface from which that tunnel interface borrows its IP?
|
The two interfaces must be in the same zone.
|
CJFV Part 11, p.6
|
|
Is there a limit to the number of tunnel interfaces that a device can support?
|
Yes, but the number varies by appliance.
|
CJFV Part 11, p.8
|
|
If Intrazone Blocking is enabled, and a tunnel interface resides in the same zone as where the traffic originated, is policy required for the traffic to pass?
|
Yes.
|
CJFV Part 11, p.8
|
|
What CLI command would create tunnel interface "tunnel.100" and assign it to the "Trust" zone?
|
set interface tunnel.100 zone trust
|
CJFV Part 11, p.8
|
|
What CLI command would create unnumbered tunnel interface "tunnel.100," and configure the tunnel interface to borrow the IP of the e1/1 interface?
|
set interface tunnel.100 ip unnumbered interface e1/1
|
CJFV Part 11, p.8
|
|
What command would create an Autokey IKE entry called "CorporateVPN" to use IKE gateway "toCorporate" with standard security level?
|
set vpn CorporateVPN gateway toCorporate sec-level standard
|
CJFV Part 11, p.13
|
|
What command would bind Autokey IKE entry "CorporateVPN" to tunnel interface tunnel.1?
|
set vpn CorporateVPN bind interface tunnel.1
|
CJFV Part 11, p.13
|
|
If using route-based VPNs, how do you determine what traffic should go through the VPN tunnel?
|
By creating a route for that traffic to use the tunnel interface.
|
CJFV Part 11, p.16
|
|
What do events of type 00536 normally pertain to?
|
VPN
|
CJFV Part 11, p.24
|
|
What algorithm can be used to calculate the total number of VPN tunnels that will be required in a fully meshed VPN between "N" sites?
|
[N x (N-1)]/2
|
JNCIS-FWV Study Guide, p.55
|
|
How do you view the NHTB table?
|
It is not possible to view the next-hop tunnel binding table.
|
JNCIS-FWV Study Guide, p.60
|
|
What table is used to assign multiple VPN tunnels to a single tunnel interface?
|
The next-hop tunnel binding (NHTB) table.
|
JNCIS-FWV Study Guide, p.60
|
|
What CLI command would be used to create an NHTB table entry for tunnel interface tunnel.10 to use 10.1.1.1 as the IP for the vpn "VPN1"?
|
set interface tunnel.10 nhtb 10.1.1.1 vpn VPN1
|
JNCIS-FWV Study Guide, p.60
|
|
What type of packets are sent through the VPN tunnel if VPN monitoring is used?
|
ICMP echo requests
|
JNCIS-FWV Study Guide, p.66
|
|
What command will set VPN monitoring to send a tunnel test packet every 30 seconds?
|
set vpnmonitor frequency 30
|
JNCIS-FWV Study Guide, p.66
|
|
What is the default value for VPN monitoring frequency?
|
10 seconds
|
JNCIS-FWV Study Guide, p.66
|
|
What is the default threshold for number of consecutive successful or failed responses, in VPN monitoring?
|
10
|
JNCIS-FWV Study Guide, p.67
|
|
What CLI command would set the VPN monitoring threshold to 50?
|
set vpnmonitor threshold 50
|
JNCIS-FWV Study Guide, p.66
|
|
What CLI command would set up vpn monitoring on the CorpVPN VPN to ping from the tunnel.1 interface to the destination IP 1.1.1.1?
|
set vpn CorpVPN source-interface tunnel.1 destination-ip 1.1.1.1
|
JNCIS-FWV Study Guide, p.67
|
|
What does the rekey option do, in regards to VPN monitoring?
|
Even if the tunnel is not currently up, the firewall will send tunnel test packets that attempt to establish the VPN tunnel.
|
JNCIS-FWV Study Guide, p.67
|
|
What does the optimization option do, in regard to VPN monitoring?
|
1) The device will consider incoming traffic through the tunnel equivalent to tunnel test packets, and will not mark the VPN as down, regardless of whether ICMP echo requests are successful.
2) If there is incoming AND outgoing traffic in the VPN tunnel, the firewall suppresses ICMP tunnel test packets altogether. |
JNCIS-FWV Study Guide, p.67
|
|
What two mechanisms are used to monitor members of a VPN group?
|
1) IKE Heartbeats
2) IKE Recovery Attempts |
JNCIS-FWV Study Guide, p.68
|
|
What CLI command would set up IKE heartbeat monitoring to gateway gateway_a, and set the number of heartbeats to send to the default value?
|
set ike gateway gateway_a heartbeat hello 5
or set ike gateway gateway_a heartbeat |
JNCIS-FWV Study Guide, p.68
|
|
What CLI command would be used on a VPN group member to configure its weight to 10 in group id 10 of the CorpVPN VPN?
|
set vpn-group id 10 vpn CorpVPN weight 10
|
JNCIS-FWV Study Guide, p.69
|
|
When using VPN groups, what CLI command is necessary to prevent failover packets from being dropped?
|
unset flow tcp-syn-check-in-tunnel
|
JNCIS-FWV Study Guide, p.69
|
|
What CLI command will enable IKE debugging?
|
debug ike basic | detail
|
JNCIS-FWV Study Guide, p.71
|
|
What CLI command will give you verbose information about a specific IKE SA?
|
get sa id <id#>
|
JNCIS-FWV Study Guide, p.72
|
|
What does the error "Phase 2: No policy exists for the proxy ID received" normally indicate?
|
The encryption domains do not match up on the devices.
|
JNCIS-FWV Study Guide, p.74
|
|
What does the error "Rejected an IKE packet because there were no acceptable Phase 1 proposals" normally indicate?
|
That the phase 1 proposals do not match on the VPN peers.
|
JNCIS-FWV Study Guide, p.75
|
|
What does the error "Rejected an IKE packet because there were no acceptable Phase 2 proposals" normally indicate?
|
That the phase 2 proposals on the VPN peers do not match.
|
JNCIS-FWV Study Guide, p.76
|
|
What does the error "Rejected an IKE packet because an initial Phase 1 packet arrived from an unrecognized peer gateway." normally indicate?
|
That the outgoing interface for a given VPN has been incorrectly specified.
|
JNCIS-FWV Study Guide, p.78
|
|
Is g3-esp-aes-md5 an acceptable Phase 2 proposal? Why?
|
No. Only Diffie-Hellman groups 1, 2, and 5 are supported.
|
JNCIS-FWV Study Guide, p.78
|
|
In terms of a phase 2 proposal, such as g1-esp-aes-sha, what are the valid values for the section before the first dash? (g1 above)
|
nopfs, g1, g2, g5
|
JNCIS-FWV Study Guide, p.78
|
|
During main mode, in which messages is the nonce exchanged?
|
MM3 and MM4
|
JNCIS-FWV Study Guide, p.78
|
|
How many tunnels are required for fully meshed bidirectional traffic between 20 firewalls?
|
( 20 x ( 20 - 1 ) ) / 2
( 20 x 19 ) / 2
( 380 ) / 2
190 |
JNCIS-FWV Study Guide, p.79
|
|
If you configure your VPN tunnel to use the wrong outgoing interface, what error will you see when the other side of the VPN attempts to set up the tunnel?
|
"packet arrived from an unrecognized peer gateway"
|
JNCIS-FWV Study Guide, p.79
|
|
Based on the following output from "get ike cookie", how long has the Phase 1 SA been active?
resent-tmr 7166032 lifetime 28800 lt-recv 28800 nxt_rekey 28379 cert-expire 0 |
421 seconds (lifetime - nxt_rekey)
|
JNCIS-FWV Study Guide, p.79
|
|
Based on the following output from "get sa", how long has the Phase 2 SA most likely been active?
00000001< 1.1.1.1 500 esp:3des/sha1 e3270b99 3193 unlim A/- 2 0
00000001> 1.1.1.1 500 esp:3des/sha1 3c472af5 3193 unlim A/- 1 0 |
3600 (default lifetime) - 3193, or 407 seconds.
|
JNCIS-FWV Study Guide, p.80
|
|
Based on the following output from "get sa", is VPN monitoring being used?
00000001< 1.1.1.1 500 esp:3des/sha1 e3270b99 3193 unlim A/- 2 0
00000001> 1.1.1.1 500 esp:3des/sha1 3c472af5 3193 unlim A/- 1 0 |
No. If VPN monitoring was enabled, we'd see A/Up or A/Down in the status column, instead of A/-
|
JNCIS-FWV Study Guide, p.80
|
|
Do more relevant VPN setup error messages normally come from the initiator or the recipient of a VPN negotiation?
|
The recipient.
|
JNCIS-FWV Study Guide, p.85
|
|
What components need to be loaded on a firewall to support digital certificates for VPN authentication?
|
The CA's digital certificate, the local certificate assigned to the device, and the CRL
|
JNCIS-FWV Study Guide, p.86
|
|
Given the following information, if the VPN tunnel to the primary firewall were to fail, which firewall would be next in line?
Firewall 1: VPN Group 1 – Weight 3
Firewall 2: VPN Group 1 – Weight 1
Firewall 3: VPN Group 1 – Weight 4
Firewall 4: VPN Group 1 – Weight 2 |
Firewall 1 (Firewall 3 would be the primary firewall in the group)
|
JNCIS-FWV Study Guide, p.86
|
|
What Phase 1 mode should be used in order to establish a VPN with a dynamic peer?
|
Aggressive Mode
|
JNCIS-FWV Study Guide, p.86
|
|
What is the default proxy-id for a route-based VPN?
|
There is none.
|
JNCIS-FWV Study Guide, p.86
|
|
Generally speaking, what two access methods does "Local Management" refer to?
|
Access via an interface bound to the Trust zone, and direct console access.
|
JNCIS-FWV Study Guide, p.88
|
|
What is the term used to describe an IP address assigned to an interface for the sole purpose of management?
|
Manage IP
|
JNCIS-FWV Study Guide, p.88
|
|
What CLI command can you use to find out if any manage IPs are in use on interface ethernet1?
|
get interface ethernet1
|
JNCIS-FWV Study Guide, p.89
|
|
When you assign a Manage IP to an interface, can the actual IP of the interface still be used to manage the firewall?
|
No.
|
JNCIS-FWV Study Guide, p.89
|
|
Can a manage IP be in a different network than the actual IP of an interface?
|
No.
|
JNCIS-FWV Study Guide, p.89
|
|
What is the difference between a manage IP and a manager IP?
|
A manage IP is the IP address assigned to an interface for the purposes of management, while a manager IP is the IP address of a host, range or network that can access the device in order to manage it.
|
JNCIS-FWV Study Guide, p.90
|
|
What manager IP is configured on a firewall, by default?
|
None.
|
JNCIS-FWV Study Guide, p.90
|
|
Are manager IP addresses global, or assigned on a per-interface basis?
|
Global.
|
JNCIS-FWV Study Guide, p.90
|
|
If no manager IPs are configured on a device, can the device be managed?
|
Yes. Any address will be allowed to manage the device.
|
JNCIS-FWV Study Guide, p.90
|
|
What CLI command will add the network 192.168.0.0/24 to the list of manager IPs?
|
set admin manager-ip 192.168.0.0 255.255.255.0
|
JNCIS-FWV Study Guide, p.90
|
|
What CLI command will give you a list of currently configured manager IPs?
|
get admin manager-ip
|
JNCIS-FWV Study Guide, p.90
|
|
What three methods of CLI access are supported on a ScreenOS device?
|
telnet, SSH, and console
|
JNCIS-FWV Study Guide, p.91
|
|
What is the main difference between CLI and WebUI management, in terms of saving the configuration?
|
In CLI, you have to issue the save command to save configuration, while in WebUI, configurations are written to memory as they are applied.
|
JNCIS-FWV Study Guide, p.91
|
|
Is it recommended to use SSHv1 or SSHv2 for SSH access to the ScreenOS device?
|
SSHv2
|
JNCIS-FWV Study Guide, p.91
|
|
What version of SSH access is supported on a ScreenOS device?
|
SSHv1 and SSHv2
|
JNCIS-FWV Study Guide, p.91
|
|
By default, do any interfaces have telnet management enabled?
|
Yes, interfaces assigned to the Trust zone.
|
JNCIS-FWV Study Guide, p.92
|
|
What commands would enable SSHv2 management on interface ethernet1?
|
set ssh version v2
set ssh enable
set interface ethernet1 manage ssh
|
JNCIS-FWV Study Guide, p.92
|
|
What CLI commands are necessary to enable telnet on interface ethernet1?
|
set interface ethernet1 manage telnet
|
JNCIS-FWV Study Guide, p.92
|
|
What CLI command will enable WebUI management on interface ethernet1?
|
set interface ethernet1 web
|
JNCIS-FWV Study Guide, p.92
|
|
What CLI command will enable SSL-encrypted WebUI management on interface ethernet1?
|
set interface ethernet1 ssl
|
JNCIS-FWV Study Guide, p.92
|
|
What CLI command will create a user called johndoe with password qwe123 and read-only access?
|
set admin user johndoe password qwe123 privilege all
|
JNCIS-FWV Study Guide, p.93
|
|
What two privilege levels can be assigned to an administrative user with the "set admin user" CLI command?
|
all, read-only
|
JNCIS-FWV Study Guide, p.93
|
|
How many root users can be configured on a ScreenOS device?
|
One.
|
JNCIS-FWV Study Guide, p.93
|
|
What is the main difference in access privileges between the root user and an administrator with privilege level "all"?
|
The root user can add, modify, and remove other administrative users.
|
JNCIS-FWV Study Guide, p.94
|
|
What log is responsible for monitoring packets which terminate at the ScreenOS device itself?
|
The Self Log
|
JNCIS-FWV Study Guide, p.95
|
|
What CLI command will enable self logging?
|
set firewall log-self
|
JNCIS-FWV Study Guide, p.95
|
|
What is the usual source and destination of a self log entry?
|
Source: null
Destination: self
|
JNCIS-FWV Study Guide, p.95
|
|
What CLI command is used to view the self log?
|
get log self
|
JNCIS-FWV Study Guide, p.95
|
|
Into what severity levels are events in the event log categorized?
|
Emergency
Alert
Critical
Error
Warning
Notification
Information
Debugging
|
JNCIS-FWV Study Guide, p.95-97
|
|
What severity level would a SYN attack be logged as in the event log?
|
Emergency
|
JNCIS-FWV Study Guide, p.95
|
|
What severity level would a Tear Drop attack be logged as in the event log?
|
Emergency
|
JNCIS-FWV Study Guide, p.95
|
|
What severity level would a Ping of Death attack be logged as in the event log?
|
Emergency
|
JNCIS-FWV Study Guide, p.95
|
|
What severity level would more than three authentication failures be logged as in the event log?
|
Alert
|
JNCIS-FWV Study Guide, p.95
|
|
What severity level would a WinNuke attack be logged as in the event log?
|
Alert
|
JNCIS-FWV Study Guide, p.95
|
|
What severity level would an IP Spoofing attack be logged as in the event log?
|
Alert
|
JNCIS-FWV Study Guide, p.95
|
|
What severity level would a Source Route Option attack be logged as in the event log?
|
Alert
|
JNCIS-FWV Study Guide, p.95
|
|
What severity level would a LAND attack be logged as in the event log?
|
Alert
|
JNCIS-FWV Study Guide, p.95
|
|
What severity level would an ICMP flood be logged as in the event log?
|
Alert
|
JNCIS-FWV Study Guide, p.95
|
|
What severity level would a port scan be logged as in the event log?
|
Alert
|
JNCIS-FWV Study Guide, p.95
|
|
What severity level would an Address Sweep be logged as in the event log?
|
Alert
|
JNCIS-FWV Study Guide, p.95
|
|
What severity level would a Communication error with an external server such as WebSense be logged as in the event log?
|
Alert
|
JNCIS-FWV Study Guide, p.95
|
|
What severity level would a Denied policy alarm be logged as in the event log?
|
Alert
|
JNCIS-FWV Study Guide, p.95
|
|
What severity level would an Incorrect CA cert used be logged as in the event log?
|
Alert
|
JNCIS-FWV Study Guide, p.95
|
|
What severity level would a DHCP range exhausted error be logged as in the event log?
|
Alert
|
JNCIS-FWV Study Guide, p.95
|
|
What severity level would an Exceeded BGP Limits error be logged as in the event log?
|
Alert
|
JNCIS-FWV Study Guide, p.96
|
|
What severity level would a System upgrade failure error be logged as in the event log?
|
Alert
|
JNCIS-FWV Study Guide, p.96
|
|
What severity level would a Bad packet settings error be logged as in the event log?
|
Critical
|
JNCIS-FWV Study Guide, p.96
|
|
What severity level would a Blocked Traffic through Screen error be logged as in the event log?
|
Critical
|
JNCIS-FWV Study Guide, p.96
|
|
What severity level would an Issue with High Availability error be logged as in the event log?
|
Critical
|
JNCIS-FWV Study Guide, p.96
|
|
What severity level would a Low resources error be logged as in the event log?
|
Critical
|
JNCIS-FWV Study Guide, p.96
|
|
What severity level would a VIP connectivity error be logged as in the event log?
|
Critical
|
JNCIS-FWV Study Guide, p.96
|
|
What severity level would an SSH failure error be logged as in the event log?
|
Critical
|
JNCIS-FWV Study Guide, p.96
|
|
What severity level would a VPN monitoring status change message be logged as in the event log?
|
Critical
|
JNCIS-FWV Study Guide, p.96
|
|
What severity level would a dynamic routing error be logged as in the event log?
|
Critical
|
JNCIS-FWV Study Guide, p.96
|
|
What severity level would an SSH negotiation failure error be logged as in the event log?
|
Error
|
JNCIS-FWV Study Guide, p.96
|
|
What severity level would an AV scanning error be logged as in the event log?
|
Error
|
JNCIS-FWV Study Guide, p.96
|
|
What severity level would an SMTP issue be logged as in the event log?
|
Warning
|
JNCIS-FWV Study Guide, p.96
|
|
What severity level would an Administrative login, logout, or single login failure be logged as in the event log?
|
Warning
|
JNCIS-FWV Study Guide, p.96
|
|
What severity level would a SYSLOG status or failure be logged as in the event log?
|
Warning
|
JNCIS-FWV Study Guide, p.96
|
|
In the event log, under what severity level would an administrative configuration change normally show up?
|
Notification
|
JNCIS-FWV Study Guide, p.97
|
|
In the event log, under what severity level would a failure that does not affect the functioning of the firewall normally show up?
|
Notification
|
JNCIS-FWV Study Guide, p.97
|
|
In the event log, under what severity level would general information about system operations normally show up?
|
Information
|
JNCIS-FWV Study Guide, p.97
|
|
What CLI command is used to view all "emergency" level events in the event log?
|
get event level emergency
|
JNCIS-FWV Study Guide, p.97
|
|
What CLI command is used to view all "warning" level alerts in the event log?
|
get event level warning
|
JNCIS-FWV Study Guide, p.97
|
|
What CLI command is used to view traffic logs related to policy ID 5?
|
get log traffic policy 5
|
JNCIS-FWV Study Guide, p.98
|
|
What CLI command is used to view the flow counters on all interfaces?
|
get counter flow
|
JNCIS-FWV Study Guide, p.98
|
|
What CLI command is used to view the flow counters for the Untrust zone?
|
get counter flow zone Untrust
|
JNCIS-FWV Study Guide, p.99
|
|
What CLI command is used to view the screen counters for the Untrust zone?
|
get counter screen zone Untrust
|
JNCIS-FWV Study Guide, p.99
|
|
What CLI command is used to view the hardware counters on interface ethernet1?
|
get counter statistics interface ethernet1
|
JNCIS-FWV Study Guide, p.100
|
|
What CLI command is used to view the hardware counters for zone Untrust?
|
get counter statistics zone Untrust
|
JNCIS-FWV Study Guide, p.101
|
|
What option needs to be enabled on a policy in order for that policy to create policy counters?
|
Count
|
JNCIS-FWV Study Guide, p.101
|
|
What CLI command would view the policy counter for policy 5?
|
get counter policy 5
|
JNCIS-FWV Study Guide, p.101
|
|
What version of the SNMP protocol is supported by ScreenOS?
|
SNMPv1, SNMPv2
|
JNCIS-FWV Study Guide, p.101
|
|
What would you append to the end of a CLI policy creation command to create a traffic alarm when that policy sees more than 50 bytes of traffic per second?
|
alarm 50(B/s)
|
JNCIS-FWV Study Guide, p.105
|
|
How many SNMP communities and members can you configure on a ScreenOS device?
|
Three communities with up to 8 members each.
|
JNCIS-FWV Study Guide, p.105
|
|
How many syslog servers can be configured on a ScreenOS device?
|
Four.
|
JNCIS-FWV Study Guide, p.101
|
|
How many email addresses can you configure for an alert?
|
Up to two specific addresses.
|
JNCIS-FWV Study Guide, p.109
|
|
What are the four default SNMP traps?
|
Cold Start Trap
Trap for SNMP Authentication Failure
Traps for System Alarms
Traps for Traffic Alarms
|
JNCIS-FWV Study Guide, p.102
|
|
Which type of counter would show the number of incoming and outgoing VLAN-tagged packets? How would you view that counter on interface ethernet1?
|
Flow counter.
get counter flow interface ethernet1
|
JNCIS-FWV Study Guide, p.99
|
|
Where are debug messages stored on a ScreenOS device?
|
The debug buffer (dbuf)
|
JNCIS-FWV Study Guide, p.110
|
|
What is the minimum and maximum size of the ScreenOS debug buffer?
|
32 KB minimum, 4096 KB maximum
|
JNCIS-FWV Study Guide, p.110
|
|
What can you do if the ScreenOS debug buffer is filling too quickly for you to collect all of the information you need?
|
Increase the size of the debug buffer.
|
JNCIS-FWV Study Guide, p.110
|
|
Where are events generated by snoop stored on the ScreenOS device?
|
In the debug buffer (dbuf)
|
JNCIS-FWV Study Guide, p.111
|
|
What snoop command would you use to filter for packets sourced from 1.1.1.1?
|
snoop filter ip src-ip 1.1.1.1
|
JNCIS-FWV Study Guide, p.112
|
|
What snoop command would you use to filter for packets destined to 1.1.1.1?
|
snoop filter ip dst-ip 1.1.1.1
|
JNCIS-FWV Study Guide, p.112
|
|
What snoop command would you use to filter for traffic to or from port 80?
|
snoop filter ip port 80
|
JNCIS-FWV Study Guide, p.112
|
|
What snoop command would you use to filter for traffic sourced from port 80?
|
snoop filter ip src-port 80
|
JNCIS-FWV Study Guide, p.112
|
|
What snoop command would you use to filter for traffic destined to port 80?
|
snoop filter ip dst-port 80
|
JNCIS-FWV Study Guide, p.112
|
|
What snoop command would you use to filter for traffic on interface ethernet1?
|
snoop filter ip interface ethernet1
|
JNCIS-FWV Study Guide, p.112
|
|
What snoop command would you use to filter for only ESP traffic?
|
snoop filter ip ip-proto 50
|
JNCIS-FWV Study Guide, p.112
|
|
If you issue two snoop commands with different filters, does the snoop logic use AND or OR to combine the filters?
|
AND
|
JNCIS-FWV Study Guide, p.113
|
|
What CLI command can you use to view the events captured by snoop?
|
get dbuf stream
|
JNCIS-FWV Study Guide, p.113
|
|
In snoop output, what does the "vhl" field represent?
|
Protocol version and header length (in 32-bit words)
|
JNCIS-FWV Study Guide, p.113
|
|
What does the output "vhl=45" indicate in snoop output?
|
IP version 4, with a header length of 160 bits (5 32-bit words)
|
JNCIS-FWV Study Guide, p.113
|
|
Do flow filters capture ingress traffic, egress traffic, or both?
|
Ingress only.
|
JNCIS-FWV Study Guide, p.114
|
|
Can you use a flow filter to view traffic originating at the firewall?
|
No. Flow filters only capture ingress traffic.
|
JNCIS-FWV Study Guide, p.114-115
|
|
What CLI command can be used to enable basic verbosity flow debugging?
|
debug flow basic
|
JNCIS-FWV Study Guide, p.115
|
|
What CLI command can be used to enable detailed verbosity flow debugging?
|
debug flow detail
|
JNCIS-FWV Study Guide, p.115
|
|
As a general rule of thumb, should basic or detailed flow debugs be used in most applications?
|
Basic.
|
JNCIS-FWV Study Guide, p.115
|
|
What CLI command would you use to create a flow filter that displays all traffic from 1.1.1.1?
|
set ffilter src-ip 1.1.1.1
|
JNCIS-FWV Study Guide, p.115
|
|
What CLI command would you use to create a flow filter that displays traffic destined to port 80?
|
set ffilter dst-port 80
|
JNCIS-FWV Study Guide, p.115
|
|
What CLI command would you use to create a flow filter that displays traffic sourced from port 80?
|
set ffilter src-port 80
|
JNCIS-FWV Study Guide, p.115
|
|
What CLI command would you use to create a flow filter that displays all UDP traffic?
|
set ffilter ip-proto 17
|
JNCIS-FWV Study Guide, p.115-116
|
|
What CLI command will remove the flow filter with the lowest ID?
|
unset ffilter
|
JNCIS-FWV Study Guide, p.116
|
|
What CLI command would you use to remove a flow filter with ID 5?
|
unset ffilter 5
|
JNCIS-FWV Study Guide, p.116
|
|
What CLI command would you use to clear all flow filters?
|
This is not possible -- flow filters can be removed only one at a time.
|
JNCIS-FWV Study Guide, p.116
|
|
When you remove a flow filter, do other flow filter IDs change, or remain the same?
|
Assuming the removed filter was not the last (highest ID) flow filter, the IDs shift so that the first flow filter is 0 and the flow filter IDs are sequential.
|
JNCIS-FWV Study Guide, p.116
|
|
When you create multiple flow filters, are the flow filter statements combined with an AND or an OR?
|
OR
|
JNCIS-FWV Study Guide, p.116
|
|
To create a flow filter using AND logic, what do you need to do?
|
Use multiple arguments with a single flow filter.
|
JNCIS-FWV Study Guide, p.117
|
|
What CLI command would create a flow filter to filter for anything to destination IP 1.1.1.1 and destination port 80?
|
set ffilter dst-ip 1.1.1.1 dst-port 80
|
JNCIS-FWV Study Guide, p.117
|
|
What CLI command will display open connections on the ScreenOS device?
|
get session
|
JNCIS-FWV Study Guide, p.121
|
|
In what two ways can you disable snoop?
|
By running "snoop off" or pressing the Escape key.
|
|
|
What CLI command would set the maximum bandwidth for interface ethernet1 to 50Kbps?
|
set interface ethernet1 bandwidth 50
|
JNCIS-FWV Study Guide, p.132
|
|
What is the valid range for assigning traffic priority when managing bandwidth?
|
0-7
|
JNCIS-FWV Study Guide, p.133
|
|
What priority level for traffic priority will give your traffic the highest possible priority?
|
0
|
JNCIS-FWV Study Guide, p.133
|
|
What priority level for traffic priority will give your traffic the lowest possible priority?
|
7
|
JNCIS-FWV Study Guide, p.133
|
|
What CLI command will deactivate bandwidth management system-wide?
|
set traffic-shaping mode off
|
JNCIS-FWV Study Guide, p.134
|
|
What CLI command will configure the ScreenOS device to activate bandwidth management if there is a policy configured with bandwidth management, but disable bandwidth management if there is no policy configured with bandwidth management?
|
set traffic-shaping mode auto
|
JNCIS-FWV Study Guide, p.134
|
|
Does Guaranteed Bandwidth have an associated traffic priority?
|
No.
|
JNCIS-FWV Study Guide, p.134
|
|
If there is more than one policy with the same traffic priority fighting over maximum bandwidth limits, how is the bandwidth allocated?
|
On a round-robin basis.
|
JNCIS-FWV Study Guide, p.134
|
|
What CLI command would be used to map DSCP markings to traffic priorities on the ScreenOS device?
|
set traffic-shaping ip_precedence n0 n1 n2 n3 n4 n5 n6 n7
|
JNCIS-FWV Study Guide, p.135
|
|
If you intend to use bandwidth management on a policy, what option must be enabled?
|
Count.
|
JNCIS-FWV Study Guide, p.133
|
|
What CLI command would create a policy to allow the following traffic, guarantee 10Kbps, assign priority 1, and a maximum bandwidth of 150Kbps, with DSCP disabled?
Source: 1.1.1.1 (Trust zone)
Destination: 2.2.2.2 (Untrust zone)
Service: http
|
set policy from Trust to Untrust 1.1.1.1 2.2.2.2 http permit count gbw 10 priority 1 mbw 150 dscp disable
|
JNCIS-FWV Study Guide, p.135
|
|
Can bandwidth management policies be modified via the CLI?
|
No, only through the WebUI.
|
JNCIS-FWV Study Guide, p.135
|
|
Which bits of the DSCP marking are used by a ScreenOS device when mapping to priority levels?
|
The first three bits.
|
JNCIS-FWV Study Guide, p.138
|
|
How many priority queues exist on a ScreenOS device for bandwidth management?
|
8
|
JNCIS-FWV Study Guide, p.136
|
|
What is the default maximum bandwidth and priority assigned to policies with no bandwidth management enabled?
|
Unlimited bandwidth (-1) and Lowest Priority (7)
|
JNCIS-FWV Study Guide, p.138
|
|
Can a vsys be set to transparent mode?
|
No.
|
JNCIS-FWV Study Guide, p.140
|
|
When a vsys is defined, what three zones are created for its use?
|
Trust-<vsys>, Untrust-Tun-<vsys>, and Global-<vsys>
|
JNCIS-FWV Study Guide, p.140
|
|
What commands are necessary to create a vsys called "Virtual" with an admin named "Virtual-admin" with password "qwe123" ?
|
set vsys Virtual
set admin name Virtual-admin
set admin password qwe123
|
JNCIS-FWV Study Guide, p.140
|
|
When you are in a vsys context, what command will return you to the root system?
|
exit
|
JNCIS-FWV Study Guide, p.141
|
|
From the root system, what commands will set the default virtual router of vsys "Virtual" to "Vrouter1" ?
|
enter vsys Virtual
set vrouter Vrouter1 default-vrouter |
JNCIS-FWV Study Guide, p.141
|
|
From the root system, what command is used to enter a vsys called "Virtual" ?
|
enter vsys Virtual
|
JNCIS-FWV Study Guide, p.141
|
|
What types of admins can create a new virtual system?
|
The root, and read/write root system admins.
|
JNCIS-FWV Study Guide, p.141
|
|
Do a root-level write/read administrator and a write/read Virtual System administrator have the same permissions within the relevant vsys?
|
Yes.
|
JNCIS-FWV Study Guide, p.141
|
|
Can subinterfaces be created within a vsys?
|
Yes.
|
JNCIS-FWV Study Guide, p.142
|
|
Can a write/read Virtual System administrator create subinterfaces within the relevant vsys?
|
No. Only a root-level write/read admin can create subinterfaces within a vsys.
|
JNCIS-FWV Study Guide, p.142
|
|
Where do the default settings of a vsys come from?
|
From the root system.
|
JNCIS-FWV Study Guide, p.142
|
|
In regard to vsys sharing, what components of the root system are shared by default?
|
The untrust-vr, untrust zone, and any interfaces bound to the untrust zone.
|
JNCIS-FWV Study Guide, p.142
|
|
What command would allow a virtual router called "Vrouter1" to be shared with virtual systems?
|
set vrouter Vrouter1 shared
|
JNCIS-FWV Study Guide, p.142
|
|
What needs to be done before sharing an unshared virtual router?
|
Nothing -- this can be done at any time.
|
JNCIS-FWV Study Guide, p.142
|
|
What needs to be done before unsharing a shared virtual router?
|
All Virtual Systems need to be deleted.
|
JNCIS-FWV Study Guide, p.142
|
|
What command will set a zone called "Zoney" to be shared with virtual systems?
|
set zone Zoney shared
|
JNCIS-FWV Study Guide, p.143
|
|
When sharing zones with virtual systems, what caveat regarding virtual router membership is true?
|
To make a zone shareable, it must be bound to a shared virtual router.
|
JNCIS-FWV Study Guide, p.143
|
|
What administrators can import an interface into a vsys?
|
Only the root administrator.
|
JNCIS-FWV Study Guide, p.143
|
|
What commands do you need to run to import interface ethernet1 to vsys "Virtual1"?
|
unset interface ethernet1 ip
set interface ethernet1 zone null
enter vsys Virtual1
set interface ethernet1 import
|
JNCIS-FWV Study Guide, p.143
|
|
What commands do you need to run to attach ethernet1 to the root system, if it has previously been attached to vsys "Virtual1"?
|
enter vsys Virtual1
unset interface ethernet1 ip
set interface ethernet1 zone null
unset interface ethernet1 import
|
JNCIS-FWV Study Guide, p.143-144
|
|
For through traffic, what two methods of traffic classification exist to assign traffic to virtual systems?
|
VLAN-based traffic classification, and IP-based traffic classification
|
JNCIS-FWV Study Guide, p.144
|
|
What CLI command would enable IP-based classification on the zone "Zoney" ?
|
set zone Zoney ip-classification
|
JNCIS-FWV Study Guide, p.147
|
|
Before exporting an interface from a vsys back to the rootsys, what zone does the interface need to be assigned to?
|
Null.
|
JNCIS-FWV Study Guide, p.148
|
|
How many virtual routers can a vsys have?
|
One.
|
JNCIS-FWV Study Guide, p.151
|
|
If you want a vsys to use a shared root system virtual router instead of its own default virtual router, what do you add to the end of the "set vsys" command?
|
vrouter share <vrouter-name>
|
JNCIS-FWV Study Guide, p.140
|
|
If both ingress and egress IP-classification found matching virtual systems, but the interfaces were bound to different shared security zones, what would happen to the traffic?
|
The traffic would be dropped.
|
JNCIS-FWV Study Guide, p.145-146
|
|
When you create vsys subinterfaces, are they in NAT mode or route mode, by default?
|
NAT mode
|
JNCIS-FWV Study Guide, p.146-147
|
|
Can a vsys be configured to use both IP-based and VLAN-based classification at the same time?
|
Yes.
|
JNCIS-FWV Study Guide, p.147
|
|
What options for debugging does a read-only vsys administrator have?
|
None. A read-only administrator can only "get" and "ping".
|
JNCIS-FWV Study Guide, p.142
|
|
What does NSRP stand for?
|
NetScreen Redundancy Protocol
|
JNCIS-FWV Study Guide, p.152
|
|
What CLI command would configure a firewall with NSRP cluster ID 7?
|
set nsrp cluster id 7
|
JNCIS-FWV Study Guide, p.152
|
|
What are the valid values for NSRP cluster ID?
|
1 through 7
|
JNCIS-FWV Study Guide, p.152
|
|
What CLI command would configure an NSRP cluster with the name "Cluster" ?
|
set nsrp cluster name Cluster
|
JNCIS-FWV Study Guide, p.153
|
|
What does VSD stand for?
|
Virtual Security Device
|
JNCIS-FWV Study Guide, p.153
|
|
What is the default cluster group for ScreenOS clusters?
|
VSD Group 0
|
JNCIS-FWV Study Guide, p.153
|
|
What happens to configured security interfaces when a firewall becomes a cluster member?
|
They convert to Virtual Security Interfaces (VSIs)
|
JNCIS-FWV Study Guide, p.153
|
|
Once an interface becomes a VSI for VSD group 0, can you make that interface a local interface again?
|
No.
|
JNCIS-FWV Study Guide, p.153
|
|
If you want to remove a VSI, what is the recommended process?
|
Remove VSD group 0, and then create a new VSD group.
|
JNCIS-FWV Study Guide, p.153
|
|
When creating a cluster, what routes are included in the cluster routing table?
|
Directly connected routes for the interfaces which became VSIs
|
JNCIS-FWV Study Guide, p.153
|
|
What is the default priority assigned to a VSD group member?
|
100
|
JNCIS-FWV Study Guide, p.153
|
|
As a cluster member's priority approaches 0, does it have a higher or lower priority within the cluster?
|
Higher.
|
JNCIS-FWV Study Guide, p.153
|
|
If two VSD group members have the same priority number, which one will be the master for the cluster?
|
The one with the lowest MAC address.
|
JNCIS-FWV Study Guide, p.153
|
|
What clustering option allows a group member with a higher priority to resume as master once it recovers from a failure?
|
The preempt option.
|
JNCIS-FWV Study Guide, p.154
|
|
What CLI command will enable preempt mode on VSD 7?
|
set nsrp vsd-group id 7 preempt
|
JNCIS-FWV Study Guide, p.154
|
|
What preempt mode configuration option is used to delay the preempt failover for a specified amount of time?
|
The hold down timer.
|
JNCIS-FWV Study Guide, p.154
|
|
What CLI command would turn on preempt mode for VSD 5, and set the hold down timer to 10 minutes?
|
set nsrp vsd-group id 5 preempt hold-down 600
|
JNCIS-FWV Study Guide, p.154
|
|
What is the valid range for the preempt mode hold-down timer?
|
0-600 seconds.
|
JNCIS-FWV Study Guide, p.154
|
|
In NSRP, what will be the member state of the device that is next in line to take over, should the master fail?
|
Primary Backup
|
JNCIS-FWV Study Guide, p.154
|
|
In NSRP, what is the member state of the device processing traffic sent to VSIs?
|
Master
|
JNCIS-FWV Study Guide, p.154
|
|
In NSRP, what is the transient state that a group member is in while it joins a VSD group during boot or immediately after being added?
|
Initial
|
JNCIS-FWV Study Guide, p.154
|
|
What NSRP member state is assigned purposefully by an administrator to prevent a member from participating in the election process?
|
Ineligible
|
JNCIS-FWV Study Guide, p.154
|
|
What NSRP member state indicates a system check has determined the device has a problem?
|
Inoperable
|
JNCIS-FWV Study Guide, p.154
|
|
If the HA LED on a device is not lit, what does that indicate?
|
The device is not enabled for NSRP.
|
JNCIS-FWV Study Guide, p.154
|
|
If the HA LED on a device is green, what does that indicate?
|
The device is enabled for NSRP, is the master in one or more VSD groups, and is not inoperable.
|
JNCIS-FWV Study Guide, p.155
|
|
If the HA LED on a device is yellow, what does that indicate?
|
The device is enabled for NSRP, is not the master in any VSD group, and is not inoperable.
|
JNCIS-FWV Study Guide, p.155
|
|
If the HA LED on a device is red, what does that indicate?
|
The device is enabled for NSRP, but is currently inoperable.
|
JNCIS-FWV Study Guide, p.155
|
|
What is the term used for the amount of time that a VSD group member stays in the initial state?
|
Initial State Hold-Down Time
|
JNCIS-FWV Study Guide, p.155
|
|
What is the default value for the initial state hold-down timer?
|
5
|
JNCIS-FWV Study Guide, p.155
|
|
How do you determine the initial-state hold-down time of a VSD group member?
|
Multiply the initial-state hold-down value by the VSD heartbeat interval.
|
JNCIS-FWV Study Guide, p.155
|
|
What is the minimum value for the initial state hold-down timer?
|
5
|
JNCIS-FWV Study Guide, p.155
|
|
What CLI command would set the initial state hold-down timer to 10 on VSD group 4?
|
set nsrp vsd-group id 4 init-hold 10
|
JNCIS-FWV Study Guide, p.155
|
|
What CLI command will set a member of VSD group 5 to ineligible state?
|
set nsrp vsd-group 5 mode ineligible
|
JNCIS-FWV Study Guide, p.155
|
|
What five pieces of information are included in a VSD heartbeat message?
|
Unit ID
VSD Group ID
VSD Group Member Status
Device Priority
RTO Peer Information
|
JNCIS-FWV Study Guide, p.155
|
|
What are the possible values for the VSD heartbeat interval?
|
200, 600, 800, or 1000 milliseconds
|
JNCIS-FWV Study Guide, p.155
|
|
Does the VSD heartbeat interval configuration apply to specific VSD groups, or to all configured groups?
|
All -- it is a global change.
|
JNCIS-FWV Study Guide, p.155
|
|
What CLI command will set the VSD heartbeat interval to 800 milliseconds?
|
set nsrp vsd-group hb-interval 800
|
JNCIS-FWV Study Guide, p.155
|
|
What is the default heartbeat threshold on a ScreenOS device?
|
3
|
JNCIS-FWV Study Guide, p.156
|
|
What CLI command would configure a device so that it can miss 8 VSD heartbeats before it is deemed as failed?
|
set nsrp vsd hb-threshold 8
|
JNCIS-FWV Study Guide, p.156
|
|
Can ScreenOS devices in transparent mode be configured for active/passive failover?
|
Yes.
|
JNCIS-FWV Study Guide, p.156
|
|
What is the main advantage of an active/passive cluster over an active/active cluster?
|
Ease of configuration.
|
JNCIS-FWV Study Guide, p.156
|
|
What CLI command would assign a ScreenOS device to a cluster with ID 4?
|
set nsrp cluster id 4
|
JNCIS-FWV Study Guide, p.156
|
|
What CLI commands would set up authentication and encryption for cluster status traffic?
|
set nsrp auth password <password>
set nsrp encrypt password <password> |
JNCIS-FWV Study Guide, p.156
|
|
What command would configure your cluster to monitor interface ethernet1?
|
set nsrp monitor interface ethernet1
|
JNCIS-FWV Study Guide, p.156
|
|
What CLI command would configure a secondary path through ethernet0 for cluster status traffic, should the primary path fail?
|
set nsrp secondary-path ethernet0
|
JNCIS-FWV Study Guide, p.157
|
|
What CLI command would configure a cluster to send ten gratuitous ARPs when it becomes the new master of a cluster?
|
set nsrp arp 10
|
JNCIS-FWV Study Guide, p.157
|
|
What CLI command can be used to determine if one clustered firewall's configuration is out of sync with the other?
|
exec nsrp sync global-config check-sum
|
JNCIS-FWV Study Guide, p.157
|
|
If a cluster becomes out of sync, what CLI command can be used to resync the members without rebooting?
|
exec nsrp sync global-config run
|
JNCIS-FWV Study Guide, p.157
|
|
If cluster members become out of sync, what CLI command can be run to synchronize the members on the next reboot?
|
exec nsrp sync global-config save
|
JNCIS-FWV Study Guide, p.157
|
|
What two caveats should you observe when attempting to resync your cluster?
|
1) Always resync from the master.
2) Perform an "unset all" on the target to clear previous configuration. |
JNCIS-FWV Study Guide, p.157
|
|
What CLI command would synchronize a single file, called bob.txt between cluster members?
|
exec nsrp sync file name bob.txt from peer
|
JNCIS-FWV Study Guide, p.158
|
|
What CLI command would synchronize all files between cluster members?
|
exec nsrp sync file from peer
|
JNCIS-FWV Study Guide, p.158
|
|
By default, do NSRP cluster members synchronize Run-Time Objects?
|
No.
|
JNCIS-FWV Study Guide, p.158
|
|
What CLI command enables RTO synchronization?
|
set nsrp rto-mirror sync
|
JNCIS-FWV Study Guide, p.158
|
|
What CLI command will resync RTO data manually, if RTO sync is disabled then re-enabled?
|
exec nsrp sync rto all
|
JNCIS-FWV Study Guide, p.159
|
|
What are the RTO components eligible to sync independently in an NSRP cluster?
|
arp
auth-table
dhcp
dns
l2tp
phase1-sa
pki
rm
session
vpn
|
JNCIS-FWV Study Guide, p.159
|
|
What CLI command would change the interval of the RTO heartbeat to 10?
|
set nsrp rto-mirror hb-interval 10
|
JNCIS-FWV Study Guide, p.159
|
|
What CLI command would change the threshold for missed RTO heartbeats to 5?
|
set nsrp rto-mirror hb-threshold 5
|
JNCIS-FWV Study Guide, p.159
|
|
What CLI command will disable RTO synchronization entirely?
|
set nsrp rto-mirror session off
|
JNCIS-FWV Study Guide, p.159
|
|
What CLI command would disable clock synchronization between cluster members?
|
set ntp no-ha-sync
|
JNCIS-FWV Study Guide, p.159
|
|
Why is it recommended to disable NSRP time synchronization and use NTP instead?
|
NSRP time sync occurs at the second level, but NTP occurs at the sub-second level.
|
JNCIS-FWV Study Guide, p.159
|
|
When two interfaces are used for NSRP HA, what are each of the interfaces used for?
|
One is used for control messages, and the other is used for data messages.
|
JNCIS-FWV Study Guide, p.160
|
|
If you have two FastEthernet interfaces used as NSRP HA interfaces, and one fails, what type of data will transfer over the remaining HA interface?
|
Control messages only
|
JNCIS-FWV Study Guide, p.160
|
|
If you have two gigabit interfaces used as NSRP HA interfaces, and one fails, what type of data will transfer over the remaining HA interface?
|
Both control and data messages.
|
JNCIS-FWV Study Guide, p.160
|
|
What two types of control messages are transmitted by an NSRP cluster member?
|
Heartbeats and HA messages
|
JNCIS-FWV Study Guide, p.160
|
|
What three types of heartbeats are used by an NSRP cluster member?
|
VSD group heartbeats, RTO heartbeats, and HA physical link heartbeats
|
JNCIS-FWV Study Guide, p.160
|
|
What type of NSRP cluster traffic are broadcast messages from the HA interfaces of both firewalls to monitor the status of the actual HA interfaces?
|
HA physical link heartbeats.
|
JNCIS-FWV Study Guide, p.160
|
|
What two types of HA messages does an NSRP cluster member transmit?
|
Configuration messages and RTO messages
|
JNCIS-FWV Study Guide, p.160
|
|
What happens to an IP packet that arrives on a device that is the backup of the VSD group?
|
The packet is forwarded over the HA link to the master.
|
JNCIS-FWV Study Guide, p.160
|
|
What solution allows an HA device to tell whether the corresponding HA port of its peer has failed, even when a switch is used to connect the two devices?
|
Link Probes
|
JNCIS-FWV Study Guide, p.160
|
|
What CLI command will send 10 link probes out interface ethernet0 on an HA member, destined to MAC address AA:AA?
|
exec nsrp probe ethernet0 AA:AA count 10
|
JNCIS-FWV Study Guide, p.161
|
|
What CLI command will configure automatic link probing on a cluster member, and send link probes every 10 seconds, with a threshold of 3 link probes?
|
set nsrp ha-link probe interval 10 threshold 3
|
JNCIS-FWV Study Guide, p.161
|
|
Can firewalls in transparent mode be configured in an active/active cluster?
|
No.
|
JNCIS-FWV Study Guide, p.161
|
|
Can you cluster together two firewalls of different models?
|
No.
|
JNCIS-FWV Study Guide, p.161
|
|
What are the valid values for the device/VSD group failover threshold?
|
1-255
|
JNCIS-FWV Study Guide, p.165
|
|
What is the default value of the device/VSD group failover threshold?
|
255
|
JNCIS-FWV Study Guide, p.165
|
|
What CLI command would set the NSRP failover threshold for a device to 100?
|
set nsrp monitor threshold 100
|
JNCIS-FWV Study Guide, p.165
|
|
What CLI command would configure NSRP interface monitoring on ethernet0, with a weight of the minimum allowed value?
|
set nsrp monitor interface ethernet0 weight 1
|
JNCIS-FWV Study Guide, p.165
|
|
What CLI command would configure NSRP zone monitoring for the Untrust zone, with the maximum allowable weight?
|
set nsrp monitor zone Untrust weight 255
|
JNCIS-FWV Study Guide, p.165
|
|
What CLI command would configure NSRP IP address monitoring to monitor IP 1.1.1.1 with weight of 100?
|
set nsrp track-ip 1.1.1.1 weight 100
|
JNCIS-FWV Study Guide, p.165
|
|
Out of the different components that you can monitor with NSRP, which one has a threshold that can be manually changed?
|
IP address monitoring
|
JNCIS-FWV Study Guide, p.165
|
|
What CLI command would change the NSRP IP address monitoring threshold to 10?
|
set nsrp monitor track-ip threshold 10
|
JNCIS-FWV Study Guide, p.165
|
|
What CLI command can be used to prevent both firewalls from going into standby mode if a monitored IP address goes down?
|
set nsrp vsd-group master-always-exist
|
JNCIS-FWV Study Guide, p.166
|
|
Is bandwidth management configuration synchronized across a cluster?
|
No.
|
JNCIS-FWV Study Guide, p.152
|
|
Is user account information synchronized across a cluster?
|
No.
|
JNCIS-FWV Study Guide, p.152
|
|
What happens if both NTP and NSRP time sync are enabled?
|
The time may become unsynchronized -- it is recommended to disable NSRP time sync and use NTP.
|
JNCIS-FWV Study Guide, p.170
|
|
What does the name of a Layer 2 security zone have to begin with?
|
"L2-"
|
Concepts and Examples ScreenOS Reference Guide, p.129
|
|
When creating a Layer 2 security zone, what should the VLAN ID number be?
|
1
|
Concepts and Examples ScreenOS Reference Guide, p.129
|
|
What needs to be done before you can remove a zone?
|
Unbind all interfaces bound to that zone.
|
Concepts and Examples ScreenOS Reference Guide, p.129
|
|
What CLI commands would change the name of the zone "Zone1" to "Zone2"?
|
unset zone Zone1
set zone name Zone2 |
Concepts and Examples ScreenOS Reference Guide, p.129
|
|
What CLI command would enable Intra-Zone blocking on zone "Zoney"?
|
set zone Zoney block
|
Concepts and Examples ScreenOS Reference Guide, p.129
|
|
What CLI command would delete zone "Zoney"?
|
unset zone Zoney
|
Concepts and Examples ScreenOS Reference Guide, p.129
|
|
What components make up the name of a physical interface?
|
Media type, slot number, and index number.
|
Concepts and Examples ScreenOS Reference Guide, p.134
|
|
What would the name be of the wireless interface with the lowest index in the lowest slot?
|
wireless0/0
|
Concepts and Examples ScreenOS Reference Guide, p.134
|
|
To what zone can a wireless interface NOT be bound?
|
Untrust
|
Concepts and Examples ScreenOS Reference Guide, p.134
|
|
What is the term for a group that combines multiple Ethernet and wireless interfaces?
|
A bridge group (bgroup)
|
Concepts and Examples ScreenOS Reference Guide, p.135
|
|
How many IP addresses are assigned to a bgroup interface?
|
One.
|
Concepts and Examples ScreenOS Reference Guide, p.135
|
|
What type of VPN tunnel interface must be assigned to a specific physical interface from which it borrows its IP address?
|
An unnumbered tunnel interface.
|
Concepts & Examples ScreenOS Reference Guide, p.137
|
|
Why is it a good practice to put all tunnel interfaces into a zone with their own virtual router?
|
So that if the VPN fails, traffic is dropped instead of being redirected to a route that would send it in clear text.
|
Concepts & Examples ScreenOS Reference Guide, p.138
|
|
What types of tunnel interfaces can support policy-based NAT?
|
Only a tunnel interface with an IP address/netmask.
|
Concepts & Examples ScreenOS Reference Guide, p.139
|
|
What are the four logical link states possible for a tunnel interface?
|
up, down, ready and inactive
|
Concepts & Examples ScreenOS Reference Guide, p.140
|
|
Before deleting a tunnel interface that hosts MIPs or DIPs, what must be done?
|
Delete any policies referencing the NAT objects, and delete the MIPs and DIP pools from the tunnel interface.
|
Concepts & Examples ScreenOS Reference Guide, p.140
|
|
What is the only type of WAN interface that can be bound to an L2 security zone?
|
ADSL
|
Concepts & Examples ScreenOS Reference Guide, p.143
|
|
Can a subinterface be bound to an L2 security zone?
|
No -- a subinterface requires an IP address, so it cannot be bound to an L2 security zone.
|
Concepts & Examples ScreenOS Reference Guide, p.143
|
|
Before adding an interface to a group, what security zone does that interface need to be assigned to?
|
Null.
|
Concepts & Examples ScreenOS Reference Guide, p.143
|
|
What CLI command would set interface e1/1 to be administratively down?
|
set interface e1/1 phy link-down
|
Concepts & Examples ScreenOS Reference Guide, p.147
|
|
In which L3 zone can you NOT assign multiple secondary IP addresses to an interface?
|
Untrust
|
Concepts & Examples ScreenOS Reference Guide, p.149
|
|
What CLI command would add a secondary IP of 1.1.1.1/24 to interface ethernet1/1?
|
set interface ethernet1/1 ip 1.1.1.1/24 secondary
|
Concepts & Examples ScreenOS Reference Guide, p.150
|
|
What is the lowest numbered loopback interface that can exist on a ScreenOS device?
|
loopback.1
|
Concepts & Examples ScreenOS Reference Guide, p.156
|
|
What is the highest numbered loopback interface that can exist on a ScreenOS device?
|
This is platform specific.
|
Concepts & Examples ScreenOS Reference Guide, p.156
|