Saturday 20 July 2019

Most Common F5 101 Exam Questions and Answers

LTM (Local Traffic Manager):- Full proxy between users and application servers. Creates a layer of abstraction to secure, optimize, and load balance application traffic
GTM (Global Traffic Manager):- Automatically routes connections to the closest or best-performing data center in the event of an outage, overload, or other disruption
APM (Access Policy Manager):- Provides secure, context-aware, and policy-based access control. It centralizes and simplifies AAA management directly on the BIG-IP system.
ASM (Application Security Manager):- Advanced web application firewall that protects critical applications and their data by defending against application-specific attacks that bypass conventional firewalls
LTM initial setup steps:-
1. Set up the MGMT port IP address via the config utility
2. License the system through the web interface
3. Run the Setup utility
Default LTM MGMT port IP address?
192.168.1.245
To gain a license, you need to use your registration key to generate what?
A dossier, which you then present to the license server
A base registration key is how many characters?
27
Systems are shipped with your registration key where?
/config/RegKey.license
After generating the dossier, what is it named and where is it located?
/config/bigip.license
Module resource provisioning levels:-
Dedicated:- Designed for situations where only one module is functional on the system, such as GTM
Minimal:- Gives the module its minimum functional resources and distributes additional resources to the module if they are available.
Minimum:- Gives the module its minimum functional resources and distributes additional resources to other modules.
None:- Designed for situations where another module needs dedicated access to resources
Setup Utility includes the following:-
· Self-IP addresses and netmasks for VLANs
· Assign interfaces to VLANs
· IP address of the default route
· root password for CLI
· admin password for GUI
· IP address allowed for SSH
Administrative IP access Files:-
/etc/hosts.allow
Interface and configuration files:-
/config/bigip.conf
/config/bigip_base.conf
/config/BigDB.dat
Default terminal settings for console access:-
8-N-1 19,200 bps
File extension for backups:-
*.ucs
Pool members are?
Each of the actual servers used for client traffic. A pool member includes an IP address and port.
The devices represented by the IP addresses of pool members are called what?
Nodes — they may represent multiple pool members
A pool is what?
A group of pool members.
system logs
/var/log/messages
packet filter logs
/var/log/pktfilter
local traffic logs
/var/log/ltm
audit logs
Displays system configuration changes by user and time.
A Full proxy maintains how many session tables?
2
Buffer-and-stitch methodology
The proxy buffers a connection, often through the TCP handshake process and potentially into the first few packets of application data, but then stitches a connection to a given server on the back end using either layer 4 or layer 7 data.
DSR (Direct Server Return):
Requests are proxied by the device, but the responses do not return through the device. Known as a half proxy because only half the connection is proxied.
What is a proxy-based design
A full proxy completely understands the protocols, and is itself an endpoint and an originator for the protocols. The connection between a client and the full proxy is fully independent of the connection between the full proxy and the server.
iRules
Scripts created using TCL with custom F5 extensions that enable users to create unique functions triggered by TMOS events.
Single Device HA
- Core services being up and running on that device
- VLANs being able to send and receive traffic
Redundant system configuration HA
- Core system services being up and running on one of the two BIG-IP systems
- A connection being available between the BIG-IP system and a pool of routers
- VLANs on the system being able to send and receive traffic
Hard-wired failover
You enable failover by using a failover cable to physically connect the two redundant units. This is the default setting.
Network Failover
Enable failover by configuring the redundant system to use the network to determine the status of the active unit.
What is ConfigSync?
A process where you replicate one unit's main configuration file on the peer unit.
What does SNAT do?
Secure Network Address Translation: maps the source client IP in a request to a translation address defined on the BIG-IP device.
What is Intelligent SNAT?
The mapping of one or more original client IP addresses to a translation address. However, you implement this type of SNAT mapping within an iRule, so it can be based on any piece of packet data you specify.
How do you monitor the number of concurrent connections going through the SNAT?
tmsh show /ltm snat
Auto Last Hop
Is a global setting that is used to track the source MAC address of incoming connections. Allows the BIG-IP system to send return traffic from pools to the MAC address that transmitted the request, even though the routing table points to a different network or interface.
what is a node?
The physical server itself that will receive traffic from the load balancer.
How is a member different than a node?
a member includes the TCP port of the actual application that will be receiving the traffic.
What is a basic load balancing transaction?
1. Client attempts to connect with the service on the load balancer
2. LB accepts the connection and changes the destination IP to match the service of the selected host
3. Host accepts the connection and responds back to the original source, the client, via its default route
4. The LB intercepts the return packet from the host, changes the source IP to match the virtual server IP and port, and forwards it to the client
Round Robin Algorithm
Passes each new connection request to the next server in line, eventually distributing connections evenly across the array of machines being load balanced.
Weighted Round Robin (Ratio) Algorithm
The number of connections that each machine receives over time is proportionate to a ratio weight you define for each machine.
Dynamic Round Robin (dynamic ratio) Algorithm
Weights are based on continuous monitoring of the servers and are therefore continually changing. Distributed based on real-time server performance analysis.
Fastest Algorithm
Passes a new connection based on the fastest response time of all servers.
Least Connections Algorithm
The system passes a new connection to the server that has the least number of current connections. Works best when all equipment has similar capabilities.
Observed Algorithm
Uses a combination of the logic used in the Least Connections and Fastest Algorithms to load balance connections to servers. Servers are ranked based on current connections and response time.
Predictive Algorithm
The system analyzes the trend of the ranking over time, determining whether the performance of a server is currently improving or declining.
What is the primary reason for tracking and storing session data?
To ensure that client requests are directed to the same pool member throughout the life of a session, or during subsequent sessions.
What is a Persistence Profile?
A pre-configured object that automatically enables persistence when you assign the profile to a virtual server (VS).
Cookie persistence
Cookie persistence uses an HTTP cookie stored on a client computer to allow the client to reconnect to the same server previously visited at a web site.
Destination address affinity persistence
Also known as sticky persistence, destination address affinity persistence supports TCP and UDP protocols and directs session requests to the same server based solely on the destination IP address of a packet.
hash persistence
Hash persistence allows you to create a persistence hash based on an existing iRule
Source address affinity persistence
Also known as simple persistence, source address affinity persistence supports TCP and UDP protocols and directs session requests to the same server based solely on the source IP address of a packet.
SSL Persistence
SSL persistence is a type of persistence that tracks non-terminated SSL sessions, using the SSL session ID.
Universal persistence
Universal persistence allows you to write an expression that defines what to persist on in a packet. The expression, written using the same expression syntax that you use in iRules, defines some sequence of bytes to use as a session identifier.
What is the Positive Security Model
One that defines what is allowed, and rejects everything else.
What is the Negative Security Model
Defines what is disallowed, while implicitly allowing everything else.
Benefit of the Positive Security Model
Is that new attacks, not anticipated by the admin/developer, will be prevented.
Reset on Timeout
The system sends a reset (RST) and deletes the TCP connection when the connection exceeds the idle timeout value. If disabled, the system will delete the TCP connection when it exceeds the idle timeout value, but will not send an RST to the client.
HTTP Header Methods?
GET
POST
PUT
DELETE
HEAD
With the GET method, all query parameters are part of what?
URI
200 OK
This indicates a success
304 Not Modified
This shows that the resource in question has not changed and the browser should load it from its cache instead. This is used only when the browser performs a conditional GET request.
404 Not Found
This suggests that the resource requested cannot be found on the server.
401 Authorization Required
This indicates that the resource is protected and requires valid credentials before the server can grant access.
500 Internal Error
This signifies that the server had a problem processing the request.
most important browser headers?
HTTP Version
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
If-* headers
Cache-Control or Pragma: no-cache
Most important web server headers?
HTTP Version
connection: Keep-Alive/Close
Encoding: gzip, deflate
Cache-control headers (max-age)
Content-Type:
Date:
Accept-Ranges: bytes
no-cache meta tag
Instructs the browser not to cache the object that contains the meta tag. Forces the browser to always get a full download of that object.
refresh meta tag
Often used to mimic an HTTP 302 redirect response. Tells the browser to override the browser's cache settings and revalidate every object referenced by the refresh tag.
IPSEC
IP layer protocol that enables the sending and receiving of cryptographically protected packets of any type (TCP, UDP, ICMP) without any modification.
What two cryptographic services does IPSec provide?
1. Confidentiality and authenticity (Encapsulating Security Payload)
2. Authenticity only (Authentication Header)
What does Phase 2 do?
Negotiates the cipher and authentication algorithm required to protect further transactions.
What does Phase 1 do?
Performs mutual authentication and produces the encryption key required to protect Phase 2.
What is SSL?
An application layer protocol. Mostly utilized to protect HTTP transactions, and has been used for other purposes like IMAP and POP3. Only compatible with applications running over TCP.
SSL is composed of what 4 protocols?
Handshake protocol
Change Cipher Spec protocol
Alert protocol
Application Data protocol
What is the handshake protocol used for?
To perform authentication and key exchanges
What is the Change Cipher Spec Protocol used for?
To indicate that the chosen keys will now be used
What is the Alert protocol used for?
Signaling errors and session closure
What is the application data protocol used for?
to transmit and receive encrypted data
Hash algorithms used in SSL “Client Authentication”?
MD5 and SHA-1
IPSec supports the use of Digital Signatures and the use of a Secret Key Algorithm, whereas SSL supports only the use of what?
Digital Signature
What two connection modes does IPSec have?
Tunnel Mode
Transport Mode
What is Tunnel mode?
Established gateway-to-gateway, gateway-to-host, or host-to-host. It establishes a tunnel between the endpoints and requires adding a new IP header to the original packet.
What is Transport mode?
Host-to-host connection. The data between the two entities is encrypted.
PFS
Perfect Forward Secrecy
Exchanges new DH values each time a session is resumed
SNAT
Secure Network Address Translation
Maps the source client IP address in a request to a translation address defined on the BIG-IP device.
(Q) Which three of the metrics listed below can GTM use when making load balancing decisions for a client?
A.TCP payload
B.IP geolocation
C.Hop count
D.Round trip time
E.Browser user agent
(Q) An LTM object that represents a downstream server contains the IP address 192.168.9.250 and no port. What is this object?
A.Pool member
B.Virtual server
C.Pool
D.Self IP
E.Node
(Q) When using a routed configuration, the real server must point to the LTM as the………
A.Default gateway
B.Virtual IP
C.DNS server
D.NTP server
E.WINS server
(Q) Which of the following statements about cookie persistence is NOT true?
A.The cookie’s timeout value can be customized
B.They are F5’s preferred persistence method
C.No persistence information is placed on LTM
D.Web servers must be configured to send cookies to clients
E.They do not add a performance impact on LTM
(Q)True or false? The LTM “Manager” authentication role can create iRules.
A.True
B.False
(Q)Which of the following are four of the security benefits of TMOS?
A.it verifies traffic based on antivirus signatures
B.It provides protection against DDoS
C.It uses SYN cookies and dynamic connection reapers
D.It supplies guidance for poorly developed applications
E.It denies all traffic that hasn’t been defined
F.It can hide confidential information from outbound traffic
(Q)An LTM object represents a downstream server that hosts a secure Web site and contains the IP address and port combination 192.168.9.250:443. What is this object?
A.Self IP
B.Virtual Server
C.Pool
D.Node
E.Pool Member
True or false? The least connections load balancing method functions best when all pool members share similar characteristics.
A.True
B.False
If a customer has an application that uses a customized protocol, what LTM feature can help optimize the traffic from the application?
A.iRules
B.Network virtual servers
C.HTTP classes
D.Packet filtering
E.Transparent virtual servers
Which of the following are the three main business drivers for placing LTM into a network?
A.Secure the connection between WAN sites
B.Improve application availability and scalability
C.Authenticate and authorize users
D.Boost application performance
E.Include application security
F.Act as a Web application firewall
True or false? Adding more RAM to a GTM device drastically improves query performance.
A.True
B.False
An administrator is adding GTM to the network infrastructure. Which of the following requirements would lead them to select an Authoritative Screening architecture rather than Delegation?
A.They want GTM to examine all DNS queries
B.They want GTM to make load balancing decisions based on metrics
C.They have data centers in several countries
D.They are using several operating systems for the local DNS servers
True or false? Since F5 built GTM on the TMOS platform it can exist on the same BIG-IP device as LTM
A.True
B.False
True or false? FastCache will NOT work with compressed objects.
A.True
B.False
True or false? As a full TCP proxy, LTM acts as the termination point for both requests from the client and responses from the server.
A.True
B.False
When an optimized TCP connection exists between LTM and the pool member, LTM can accept server responses faster than the client. What is the name of this feature?
A.HTTP caching
B.OneConnect
C.TCP connection queuing
D.Content spooling
E.Priority activation
You can use an HTTP class profile to forward traffic that matches which three of these types of criteria?
A.Port
B.HTTP header
C.URI path
D.User name
E.Protocol
F.Host name
Why does deploying LTM into an existing network immediately improve security?
A.Only requests for specific ports are allowed through LTM
B.All traffic through LTM is checked for DDoS attacks
C.No traffic is allowed through LTM until it has been specified
D.All users must authenticate before accessing applications through LTM
E.Only LAN administrators can access resources through LTM
Which of the following is NOT included on the F5 DevCentral site?
A.Subscription purchasing options
B.Actual iRules written by other customers
C.iRules reference materials
D.Forums
E.The F5 iRule editor
True or false? GTM can load balance to LTM in addition to non-BIG-IP hosts.
A.True
B.False
What happens when the data center that GTM recommends for a client is unavailable
A.GTM uses cached information to determine an alternate route
B.GTM queries the local DNS server
C.GTM sends subsequent queries to the next preferred data center
D.GTM directs the client to use its DNS cache to select an alternate location
E.The client continues to attempt to access the preferred data center
Which four of the monitoring methods listed below can GTM use to determine the status and performance of BIG-IP and servers?
A.ping
B.Application monitors
C.Inband monitors
D.SSH
E.iQuery
F.SNMP
GTM uses the F5………….protocol to synchronize performance metrics between GTM devices. (Fill in)
Answer: iQuery
True or false? DNSSEC is a GTM add-on licensing feature.
A.True
B.False
Which three of the following must be done in order for GTM to properly communicate with LTM?
A.Connect the GTM and LTM with a network crossover cable
B.Synchronize the big3d versions between GTM and LTM
C.Add the LTM object to the GTM configuration
D.Configure the GTM and LTM to use MAC masquerading
E.Ensure that GTM and LTM use the same floating IP address
F.Exchange SSL certificates between the two devices
……..object maps an FQDN to virtual servers. (Fill in)
Answer: Wide IP
A top-level DNS zone uses a CNAME record to point to a sub-zone. Which of the following is an example of a sub-zone?
A.www.F5.com/sub
B.www.F5.com
C.www.gslb.F5.com
D. .com
E.f5.com
The layer 3 security feature….. Cookies protects against SYN floods, DoS, and DDoS attacks. (Fill in)
Answer: contain / include
True or false? The least connections load balancing method functions best when all pool members share similar characteristics.
A.True
B.False
True or false? Customers can purchase LTM as a stand-alone product, or layer it with additional software modules to increase the functionality of the BIG-IP device
A.True
B.False
Which three of these software modules can you layer on top of LTM on a BIG-IP device?
A.Web Accelerator
B.APM
C.ARX
D.GTM
E.Firepass
F. Enterprise Manager
Which of the following is a benefit of using iRules?
A.They can be used as templates for creating new applications
B.They provide an automated way to create LTM objects
C.They can use Active Directory to authenticate and authorize users
D.They provide a secure connection between a client and LTM
E.They enable granular control of traffic
True or false? Using IP Geolocation, an organization can always direct a client request from France to a data center in Dublin.
A.True
B.False
GTM solves which three of these standard DNS limitations?
A.It can verify that a host is available before resolving a host name for a client
B.It can use HTTPS for the connection between itself and the client
C.It can ensure that clients remain at the same data center for stateful applications
D.It can verify that a client does not have any viruses before sending the IP address
E.It has more complex load balancing methods
Which two of these statements about OneConnect are true?
A.It decreases the CPU load on LTM
B.It aggregates multiple client connections into a single server connection
C.It decreases the amount of traffic between multiple clients and LTM
D.It requires SNAT to be configured
E.It decreases the CPU load on pool members
True or false? LTM can only load balance outbound traffic by using iRules
A.True
B.False
True or false? TCP Express is licensed separately from LTM
A.True
B.False
When using a routed configuration, the real server must point to the LTM as the…..
A.NTP Server
B.DNS Server
C.Virtual IP
D.WINS server
E.Default gateway