LTM (Local Traffic Manager):- Full proxy between
users and application servers. Creates a layer of abstraction to secure,
optimize, and load balance application traffic
GTM ( Global Traffic Manager):-
Automatically routes connections to the closest or best-performing data center in the event of an outage, overload, or other disruption
Automatically routes connections to the closest or best-performing data center in the event of an outage, overload, or other disruption
APM (Access Policy Manager):-
Provides secure,context-aware, and policy-based access control. It centralizes and simplifies AAA management directly on the BIG-IP system.
Provides secure,context-aware, and policy-based access control. It centralizes and simplifies AAA management directly on the BIG-IP system.
ASM ( Application Security Manager):-
Advanced web application firewall that protects critical applications
and their data by defending against application-specific attacks that bypass
conventional firewalls
LTM initial set up steps:-
1. Setup
MGMT port IP address via config utility
2. License
the system through web interface
3. Run the
setup utility
Default LTM MGMT port IP address?
192.168.1.245
To gain a license, you need to use your registration key to
generate what?
a Dossier and they present the dossier to the license server
A base registration key is how many characters?
27
Systems are shipped with your registration key where?
/config/RegKey.license
After generating the dossier, what is it names and where is it
located?
/config/bigip.license
Dedicated:- designed for situations
where only one module is functional on the system, such as GTM
Minimal:- Gives the module its
minimum functional resources and distributes additional resources to the module
if they are available.
Minimum:-Give the module minimum functional resources
and distributes additional resources to other modules.
None:- Designed for situation where another module need dedicated
access to resources
Setup Utility includes the following:-
·
Self-IP Addresses and Netmasks for VLANS
·
Assign interfaces to VLANs
·
IP address of the default route
·
root password for CLI
·
admin password for GUI
·
IP address allowed for ssh
Administrative IP access Files:-
/etc/hsots.allow
Interface and configuration files:-
/config/bigip.conf
/config/bigip_base.conf
/config/BigDB.dat
/config/bigip_base.conf
/config/BigDB.dat
Default terminal settings for console access:-
8-N-1 19,200 bps
File extension for backups:-
*.ucs
Pool members are?
Each of the actual servers used for client traffic.
includes an IP address and port
includes an IP address and port
The devices represented by the IP addresses of pool members are
called what?
Nodes — they may represent multiple pool members
A pool is what?
A group of pool members.
system logs
/var/log/messages
packet filter logs
/var/log/pktfilter
local traffic logs
/var/log/ltm
audit logs
Displays system configuration chagnes by user ad time.
A Full proxy maintains how many session tables?
2
ugger-and-stitch- methodology
Proxy buffers a connection, often through the TCP handshake
process and potentially into the first few packets of application data, but
then stitches a connection to a given server on the back-end using either layer
4 or layer 7 data.
DSR (Direct Server Return):–
Requests are proxied by the device, but the responses do not return the device. Known as a half proxy because only half the connection is proxied.
Requests are proxied by the device, but the responses do not return the device. Known as a half proxy because only half the connection is proxied.
What is a proxy-based design
A full proxy completely understands the protocols, and is itself
an endpoint and an originator for the protocols. The connections between a
client and the full proxy is fully independent of the connection between the
full proxy and the server.
iRules
scripts created using TCL with custom F5 extensions that enable
users to create unique functions triggered by TMOS events.
Single Device HA
Core services being up and running on that device
-VLANs being able to send and receive traffic
-VLANs being able to send and receive traffic
Redundant system configuration HA
Core system services being up and running on one of the two
BIP-IP systems Connection being available between the BIP-IP system and a pool
of routers, and VLANs on the system being able to send and receive traffic.
Hard-wired failover
you enable failover by using a failover cable to physically
connect the two redundant units default setting
Network Failover
Enable failover by configuring the redundant system to use the
network to determine the status of the active unit.
what is ConfigSync
a process where you replicate one unit main config file on the
peer unit.
What does SNAT do?
Secure Network Address Translation
maps the source client IP in a request to a translation address defined on the BIG-IP device.
maps the source client IP in a request to a translation address defined on the BIG-IP device.
what is Intelligent SNAT?
The mapping of one or more original client IP address to a
translation address. However, you implement this type of SNAT mapping within an
iRule Can be based on any piece of packet data you specify.
how to monitor the number of concurrent connections going
through the SNAT?
tmsh show /ltm snat
Auto Last Hop
Is a global setting that is used to track the source MAC address
of incoming connections. Allows the BIG-IP system to send return traffic from
pools to the MAC address that transmitted the request, even though the routing
table points to a different network or interface.
what is a node?
The physical server itself that will receive traffic from the
load balancer.
How is a member different than a node?
a member includes the TCP port of the actual application that
will be receiving the traffic.
What is a basic load balancing transaction?
1. Client
attempts to connect with the service on the load balancer
2. LB
accepts the connection and changes the destination IP to match the service of
the selected host
3. Host
accepts the connection and responds back to the original source, the client,
via its default route
4. The LB
intercepts the return packet from the host and now changes the source IP to
match the virtual server IP and port, and forward.
Round Robin Algorithm
passes each new connection request to the next server in line,
eventually distributing connection evenly across the array of machines being load
balanced.
Weighted Route Robin Algorithm(Ratio) Algorithm
The number of connections that each machine receives over time
is proportionate to a ratio weight you define for each machine.
Dynamic Round Robin (dynamic ratio) Algorithm
Weights are based on continuous monitoring of the servers and
are therefore continually changing. Distributed based on real-time server
performance analysis.
Fastest Algorithm
Passes a new connection based on the fastest response time of
all
server.
server.
Least Connections Algorithm
The system passes a new connection to the server that has the
least number of current connections. Works best with equipment all has similar
capabilities.
Observed Algorithm
Uses a combination of the logic used in the Least Connections
and Fastest Algorithms to load balance connections to servers. Servers are
ranked based on current connections and response time.
Predictive Algorithm
The system analyzes the trend of the ranking over time,
determining whether the performance of a server is currently improving or
declining.
What is the primary reason for tracking and storing session
data?
To ensure that client requests are directed to the same pool
member throughout the life of a session, or during subsequent sessions.
what is a Persistence Profile?
a pre-configured object that automatically enables persistence
when you assign the profile to a VS.
Cookie persistence
Cookie persistence uses an HTTP cookie stored on a client
computer to allow the client to reconnect to the same server previously visited
at a web site.
Destination address affinity persistence
Also known as sticky persistence, destination address affinity
persistence supports TCP and UDP protocols and directs session requests to the
same server based solely on the destination IP address of a packet.
hash persistence
Hash persistence allows you to create a persistence hash based
on an existing iRule
Source address affinity persistence
Also known as simple persistence, source address affinity
persistence supports TCP and UDP protocols and directs session requests to the
same server based solely on the source IP address of a packet.
SSL Persistence
SSL persistence is a type of persistence that tracks
non-terminated SSL sessions, using the SSL session ID.
Universal persistence
Universal persistence allows you to write an expression that
defines what to persist on in a packet. The expression, written using the same
expression syntax that you use in iRulesTM, defines some sequence of bytes to
use as a session identifier.
What is the Positive Security Model
One that defines what is allowed, and rejects everything else.
What is the Negative Security Model
Defines what is disallowed, while implicitly allowing everything
else.
Benefit of the Positive Security Model
Is that new attacks, not anticipated by the admin/developer,
will be prevented.
Reset on Timeout
The system sends a reset (RST) and deletes the TCP connection
when the connection exceeds the idle timeout value. If disabled, the system
will delete the TCP connection when it exceeds the idle timeout value, but will
not send an RST to the client.
HTTP Header Methods?
GET
POST
PUT
DELETE
HEAD
POST
PUT
DELETE
HEAD
With the get method, all query parameters are part of what?
URI
200 OK
This indicates a success
304 Not Modified
This shows that the resource in question has not changed and the
browser should load it from its cache instead. This is used only when the
browser performs a conditional GET request.
404 Not Found
This suggests that the resource requested cannot be found on the
server.
401 Authorization Required
This indicates that the resource is protected and requires valid
credentials before the server can grant access.
500 Internal Error
This signifies that the server had a problem processing the
request.
most important browser headers?
HTTP Version
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
If-* headers
Cache-Control or Pragma no cache
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
If-* headers
Cache-Control or Pragma no cache
Most important web server headers?
HTTP Version
connection: Keep-Alive/Close
Encoding: gzip, deflate
Cach-strong headers (max-age)
Content-Type:
Date:
Accept-Ranges: bytes
connection: Keep-Alive/Close
Encoding: gzip, deflate
Cach-strong headers (max-age)
Content-Type:
Date:
Accept-Ranges: bytes
no-cache meta tag
instructs the browser to not cache the object that contains the
meta tag Forces the browser to always get a full download of that object.
refresh meta tag
often used to mimic an HTTP 302 redirect response.
Tells the browser to override the browser’s cache settings and revalidate every object referenced by the refresh tag.
Tells the browser to override the browser’s cache settings and revalidate every object referenced by the refresh tag.
IPSEC
IP layer protocol that enables the sending and receiving of
cryptographically protected packets of any times (TCP, UDP, ICMP) without any
modification.
What two cryptographic services does IPSec provide?
1. confidentiality
and authenticity (Encapsulated Security Payload)
2. Or
authenticity only. (Authentication Header)
What does Phase 2 do?
Negotiates the cipher and authentication algorithm required to
protect further transactions.
What does Phase 1 do?
Performs mutual authentication and produces the encryption key
required to protect Phase 2.
What is SSL?
an application layer protocol. Mostly utilized to protect HTTP
transactions, and has been used for other purposed like IMAP and POP3 Only
compatible with applications running over TCP.
SSL is composed of what 4 protocols?
Handshake protocol
Change Cipher Spec protocol
Alert protocol
Application Data protocol
Change Cipher Spec protocol
Alert protocol
Application Data protocol
What is the handshake protocol used for?
To perform authentication and key exchanges
What is the Change Cipher Spec Protocol used for?
To indicate that the chosen keys will now be used
What is the Alert protocol used for?
Signaling errors and session closure
What is the application data protocol used for?
to transmit and receive encrypted data
Hash algorithms used in SSL “Client Authentication”?
MD5 and SHA-1
IPSec supports the use of Digital Signature ad the use of a
Secret KEy Algorithm, where SSL supports only the use of what?
Digital Signature
What two connection modes what IPSec have?
Tunnel Mode
Transport Mode
Transport Mode
What is Tunnel mode?
Established between gateway-to-gateway, gateway-to-host, and
host-to-host. It established a tunnel between the endpoint and it requires
adding a new IP header to the original packet.
What is Transport mode?
Host-to-host connection. The data between the two entities are
encrypted.
PFS
Perfect Forward Secrecy
Exchanges new DH values each time a session is resumed
Exchanges new DH values each time a session is resumed
SNAT
Security Network Address Translation
Maps the source client IP address in a request to a translation address defined on the BIG-IP device.
Maps the source client IP address in a request to a translation address defined on the BIG-IP device.
(Q) Which three of the metrics listed below can GTM use when
making load balancing decisions for a client?
A.TCP payload
B.IP geolocation
C.Hop count
D.Round trip time
E.Browser user agent
(Q) An LTM object that represents a downstream server contains
the IP address 192.168.9.250 and no port. What is this object?
A.Pool member
B.Virtual server
C.Pool
D.Self IP
E.Node
(Q) When using a routed configuration, the real server must
point to the LTM as the………
A.Default gateway
B.Virtual IP
C.DNS server
D.NTP server
E.WINS server
(Q) Which of the following statements about cookie persistence
is NOT true?
A.The cookie’s timeout value can be customized
B.They are F5’s preferred persistence method
C.No persistence information is placed on LTM
D.Web servers must be configured to send cookies to clients
E.They do not add a performance impact on LTM
(Q)True or false? The LTM “Manager” authentication role can
create iRules.
A.True
B.False
(Q)Which of the following are four of the security benefits of
TMOS?
A.it verifies traffic based on antivirus signatures
B.It provides protection against DDoS
C.It uses SYN cookies and dynamic connection reapers
D.It supplies guidance for poorly developed applications
E.It denies all traffic that hasn’t been defined
F.It can hide confidential information from outbound traffic
(Q)An LTM object represents a downstream server that hosts a
secure Web site and contains the IP address and port combination
192.168.9.250:443. What is this object?
A.Self IP
B.Virtual Server
C.Pool
D.Node
E.Pool Member
True or false, The least connections load balancing method
functions best when all pool members share similar characteristics.
A.True
B.False
If a customer has an application that uses a customized
protocol, what LTM feature can help optimize the traffic from the application?
A.iRules
B.Network virtual servers
C.HTTP classes
D.Packet filtering
E.Transparent virtual servers
Which of the following are the three main business drivers for
placing LTM into a network?
A.Secure the connection between WAN sites
B.Improve application availability and scalability
C.Authenticate and authorize users
D.Boost application performance
E.Include application security
F.Act as a Web application firewall
True or false? Adding more RAM to a GTM device drastically
improves query performance.
A.True
B.False
An administrator is adding GTM to the network infrastructure.
Which of the following requirements would lead them to select an Authoritative
Screening architecture
rather than Delegation?
rather than Delegation?
A.They want GTM to examine all DNS queries
B.They want GTM to make load balancing decisions based on
metrics
C.They have data centers in several countries
D.They are using several operating systems for the local DNS
servers
True or false? Since F5 built GTM on the TMOS platform it can
exist on the same BIG-IP device as LTM
A.True
B.False
True or false? FastCache will NOT work with compressed objects.
A.True
B.False
True or false? As a full TCP proxy, LTM acts as the termination
point for both requests from the client and responses from the server.
A.True
B.False
When an optimized TCP connection exists between LTM and the pool
member, LTM can accept server responses faster than the client. What is the
name of this
feature?
feature?
A.HTTP caching
B.OneConnect
C.TCP connection queuing
D.Content spooling
E.Priority activation
You can use an HTTP class profile to forward traffic that
matches which three of these types of criteria?
A.Port
B.HTTP header
C.URI path
D.User name
E.Protocol
F.Host name
Why does deploying LTM into an existing network immediately
improve security?
A.Only requests for specific ports are allowed through LTM
B.All traffic through LTM is checked for DDoS attacks
C.No traffic A allowed through LTM until it has been specified
D.All users must authenticate before accessing applications
through LTM
E.Only LAN administrators can access resources through LTM
Which of the following is NOT included on the F5 DevCentral
site?
A.Subscription purchasing options
B.Actual iRules was written by other customers
C.iRules reference materials
D.Forums
E.The F5 iRule editor
True or false? GTM can load balance to LTM in addition to
non-BIG-IP hosts.
A.True
B.False
What happens when the data center that GTM recommends for a
client is unavailable
A.GTM uses cached information to determine an alternate route
B.GTM queries the local DNS server
C.GTM sends subsequent queries to the next preferred data center
D.GTM directs the client to use its DNS cache to select an
alternate location
E.The client continues to attempt to access the preferred data
center
Which four of the monitoring methods listed below can GTM use to
determine the status and performance of BIG-IP and servers?
A.ping
B.Application monitors
C.Inband monitors
D.SSH
E.iQuery
F.SNMP
GTM uses the F5………….protocol to synchronize performance metrics
between GTM
devices. (Fill in)
devices. (Fill in)
Answer: iQuery
True or false? DNSSEC is a GTM add-on licensing feature.
A.True
B.False
Which three of the following must be done in order for GTM to
properly communicate LTM?
A.Connect the GTM and LTM with a network crossover cable
B.Synchronize the big3d versions between GTM and LTM
C.Add the LTM object to the GTM configuration
D.Configure the GTM and LTM to we MAC masquerading
E.Ensure that GTM and LTM use the same floating IP address
F.Exchange SSL certificates between the two devices
……..object maps an FQDN to virtual servers. (Fill in)
Answer: Wide IP
A top-level DNS zone uses a CNAME record to point to a sub-zone.
Which of the following is an example of a sub-zone?
A.www.F5.com/sub
B.www.F5.com
C.www.gslb.F5.com
D..com
E.f5.com
The layer 3 security feature….. Cookies protects against
SYN floods, DoS, and DDoS attacks. (Fill in)
Answer: contain / include
True or false? The least connections load balancing method
functions best when all pool members share similar characteristics.
A.True
B.False
True or false, Customers can purchase LTM as a stand-alone
product, or layer it with additional software modules to increase the
functionality of the BIG-IP device
A.True
B.False
Which three of these software modules can you layer on top of
LTM on a BIG-IP device?
A.Web Accelerator
B.APM
C.ARX
D.GTM
E.Firepass
F. Enterprise Manager
Which of the following is a benefit of using iRules?
A.They can be used as templates for creating new applications
B.They provide an automated way to create LTM objects
C.They can use Active Directory to authenticate and authorize
users
D.They provide a secure connection between a client and LTM
E.They enable granular control of traffic
True or false, Using IP Geolocation, an organization can always
direct a client request from France to a data center in Dublin.
A.True
B.False
GTM solves which three of these standard DNS limitations?
A.It can verify that a host is available before resolving a host
name for a client
B.It can use HTTPS for the connection between itself and the
client
C.It can ensure that clients remain at the same data center for
stateful applications
D.It can verify that a client does not have any viruses before
sending the IP address
E.It has more complex load balancing methods
Which two of these statements about OneConnect are true?
A.It decreases the CPU load on LTM
B.It aggregates multiple client connections into a single server
connection
C.It decreases the amount of traffic between multiple clients
and LTM
D.It requires SNAT to be configured
E.It decreases the CPU load on pool members
True or false? LTM can only load balance outbound traffic by
using iRules
A.True
B.False
True or false? TCP Express is licensed separately from LTM
A.True
B.False
When using a routed configuration, the real server must point to
the LTM as the…..
A.NTP Server
B.DNS Server
C.Virtual IP
D.WINS server
E.Default gateway
No comments:
Post a Comment