F5 Networks Certification Exams

8/3/2019 F5 Networks Certification Exams

1/52

Exam Express EE0-511

Exam Express EE0-511 F5 BIG-IP V9 Local trafficManagement

Practice TestVersion 1.0


2/52

A c t u

a l T e s t s . c o m

QUESTION NO: 1

Monitors can be assigned to which three resources? (Choose three.) A. SNATsB. pool members

C. PoolsD. iRulesE. NATsF. NodesG. virtual servers Answer: B,C,F

QUESTION NO: 2

When defining a monitor based on the HTTP template, which two options can be specified?(Choose two.) A. Pool associationB. Send stringC. Server nameD. Pool member associationE. Timeout value Answer: B,E

QUESTION NO: 3

Which user-type has access to change member states, but not to add or delete objects from the

configuration? A. OperatorsB. GuestsC. AdministratorsD. Power Users Answer: A

QUESTION NO: 4

Exam Express EE0-511: Practice Exam

"Pass Any Exam. Any Time." - www.actualtests.com 2


3/52

A c t u


Given the rule below, which two statements are true? (Choose two.) rule ExampleRule {when HTTP_REQUEST {if { [HTTP::uri] contains "f5" } {pool pool1}else {pool pool2}}} A. The following request would be sent to pool2

http://www.f5.com/f5training/index.htmlB. The following request would be sent to pool1http://www.f5.com/ffivetraining/index.htmlC. The following request would be sent to pool1http://www.f5.com/f5training/index.htmlD. The following request would be sent to pool1http://www.f5.com/f5/training/index.htmlE. The following request would be sent to pool1

http://www.f5.com/training/index.html Answer: C,D

QUESTION NO: 5

When initially configuring the BIG-IP System using the config tool, which three parameters can beset? (Choose three.) A. the IP address of the management portB. the netmask of the management portC. the default route for the management portD. the port lockdown of the management portE. the host name of the management port Answer: A,B,C

QUESTION NO: 6




4/52

A c t u


If a client's browser does not accept cookies, what occurs when the client connects to a virtualserver using cookie persistence? A. The connection request is sent to the backup pool member.B. The connection request is refused and the client is sent a "server not available" message.C. The connection request is load-balanced to an available pool member.

D. The connection request is not processed. Answer: C

QUESTION NO: 7

Which three statements concerning virtual servers are true? (Choose three.)

A. Virtual servers support session persistence.B. Virtual servers can translate the virtual server address to a chosen pool member's addresswhen processing traffic.C. Virtual servers can decrypt and re-encrypt SSL packets.D. Virtual servers can decrypt and re-encrypted SSH packets. Answer: A,B,C

QUESTION NO: 8

Which two can be a part of a virtual server's definition? (Choose two.) A. load-balancing methodB. monitor(s)C. rule(s)D. pool(s)

E. node address(es) Answer: C,D

QUESTION NO: 9

The current status of a given pool is ffline?(red). Which condition could explain that state? Assumethe descriptions below include all monitors assigned for each scenario. A. Neither the pool nor it's members or nodes has any monitor assigned.B. A system-wide monitor has tested all nodes successfully, but the pool's members have nospecific monitor assigned to them.




5/52

A c t u


C. The pool has a monitor assigned to it, and some of the pool's members have failed themonitor's test.D. The pool has a monitor assigned to it, and all of the pool's members have failed the monitor'stest. Answer: D

QUESTION NO: 10

What is the purpose of floating self-IP addresses? A. to define an address that gives network devices greater flexibility in choosing a path to forwardtrafficB. to define an address that grants administrative access to either system at any timeC. to define an address that allows either system to initiate communication at any timeD. to define an address that allows network devices to route traffic via a single IP address Answer: D

QUESTION NO: 11

Where is persistence mirroring configured? A. It is a part of the virtual server definition.B. It is a part of the pool definition.C. It is a part of the persistence profile definition.D. It is not configured; it is a default feature. Answer: C

QUESTION NO: 12

Which two can be a part of a pool's definition? (Choose two.) A. persistence typeB. profile(s)C. monitor(s)D. load-balancing method

E. rule(s) Answer: C,D




6/52

A c t u


QUESTION NO: 13

Click the Exhibit button. A virtual server is defined per the charts. The last five client connections were to members C, D, A,B, B. Given the conditions shown in the exhibit, if a client with IP address 205.12.45.52 opens aconnection to the virtual server, which member will be used for the connection? Exhibit: 511-b-10.jpg

A. 10.10.20.5:80B. 10.10.20.4:80C. 10.10.20.2:80D. 10.10.20.3:80E. 10.10.20.1:80 Answer: B

QUESTION NO: 14

Which two F5 switch platforms always have both a compact flash and a hard drive? (Choose two.) A. 5100B. 6400C. 1500D. 3400E. 2400F. 1000 Answer: B,D

QUESTION NO: 15

Which two profile types would be required with a virtual server so that cookie persistence isenabled? (Choose two.) A. WWWB. TCP




7/52

A c t u


C. HTTPD. UDPE. source address persistence Answer: B,C

QUESTION NO: 16

Which three methods are available for remote authentication of users allowed to administer a BIG-IP system through the Configuration Utility? (Choose three.) A. OCSPB. RadiusC. LDAPD. VASCOE. Active Directory Answer: B,C,E

QUESTION NO: 17

How is MAC masquerading configured? A. Override the manufacturer's address for each floating self-IP address for which you want thisfeature enabled.B. Override the manufacturer's address for each self-IP address for which you want this featureenabled.C. Override the manufacturer's address for each VLAN on the active system. Synchronize thesystems to ensure both BIG-IPs have the same setting.D. Override the manufacturer's address for each VLAN for which you want this feature enabled.

Answer: D

QUESTION NO: 18

Which three files/data items are included in a BIG-IP backup file? (Choose three.) A. the BIG-IP license

B. the BIG-IP administrative addressesC. the BIG-IP log filesD. the BIG-IP host name




8/52

A c t u


Answer: A,B,D

QUESTION NO: 19

Which statement is true concerning iRules? A. iRules use a proprietary syntax language.B. iRules must contain at least one conditional statement.C. iRules must contain at least one event declaration.D. iRules must contain at least one pool assignment statement. Answer: C

QUESTION NO: 20

Which statement is true concerning iRule events? A. All iRule events are appropriate at any point in the client-server communication.B. All client traffic, regardless the service or application, has processes that could be used totrigger iRule events.C. If an iRule references an event that doesn't occur during the client's communication, the client'sconnection will be terminated prematurely.D. All iRule events relate to HTTP processes. Answer: B

QUESTION NO: 21

You need to terminate client SSL traffic at the BIG-IP and also to persist client traffic to the same

pool member based on a BIG-IP supplied cookie. Which four are profiles that would normally beincluded in the virtual server's definition? (Choose four.) A. ClientSSLB. HTTPSC. ServerSSLD. HTTPE. TCPF. Cookie-Based Persistence

Answer: A,D,E,F




9/52

A c t u


QUESTION NO: 22

Click the Exhibit button. A virtual server is defined per the charts. The last five client connections were to members C, D, A,B, B.

Given the conditions shown in the exhibit, if a client with IP address 205.12.45.52 opens aconnection to the virtual server, which member will be used for the connection? Exhibit: 511-a-11.jpg A. 10.10.20.3:80B. 10.10.20.5:80C. 10.10.20.4:80D. 10.10.20.1:80E. 10.10.20.2:80 Answer: E

QUESTION NO: 23

You have a pool of servers that need to be tested. All of the servers but one should be testedevery 10 seconds, but one is slower and should only be tested every 20 seconds. How can this bedone? A. It cannot be done. All of the members of a pool must be tested at the same frequency.B. It cannot be done. All monitors test every five seconds.C. It can be done, but will require assigning monitors to each pool member.D. It can be done by assigning one monitor to the pool and a different monitor to the slower server.

Answer: D

QUESTION NO: 24

Assume the bigd daemon fails on the active system. Which three are possible results? (Choosethree.) A. The active system will fail-over and the standby system will go into active mode.

B. The active system will continue in active mode but gather member and node state informationfrom the standby system.C. The active system will restart the bigd daemon and continue in active mode.




10/52

A c t u


D. The active system will reboot and the standby system will go into active mode.E. The active system will restart the tmm daemon and continue in active mode. Answer: A,C,D

QUESTION NO: 25

Click the Exhibit button. A virtual server is defined using a source-address based persistence profile. The last fiveconnections were A, B, C, A, C. Given the conditions shown in the exhibit, if a client with IP address 195.64.45.52 opens a

connection to the virtual server, which member will be used for the connection? Exhibit: 511-b-23.jpg A. 10.10.20.5:80B. 10.10.20.1:80C. 10.10.20.4:80D. 10.10.20.2:80E. 10.10.20.3:80

Answer: E

QUESTION NO: 26

Click the Exhibit button. A virtual server is defined using a source-address based persistence profile. The last fiveconnections were A, B, C, A, C. Given the conditions shown in the exhibit, if a client with IP address 205.12.45.52 opens aconnection to the virtual server, which member will be used for the connection? Exhibit: 511-a-24.jpg A. 10.10.20.5:80

B. 10.10.20.4:80C. 10.10.20.1:80D. 10.10.20.3:80




11/52

A c t u


E. 10.10.20.2:80 Answer: B

QUESTION NO: 27

Which statement is true concerning communication between a redundant pair of BIG-IP devices? A. Data for both connection and persistence mirroring are shared through the same TCPconnection.B. Regardless of the configuration, some data is communicated between the systems at regularintervals.C. Communication between the systems cannot be effected by port lockdown settings.D. Connection mirroring data is shared through the serial fail-over cable unless network fail-over isenabled. Answer: A

QUESTION NO: 28

What is the expected result if the source address persistence mask is changed from 255.255.0.0to 255.255.255.0? A. Larger groups of clients would persist to the same pool members.B. More clients would match existing persistence records.C. A greater number of persistence records would probably be created.D. There would be no direct changes. Answer: C

QUESTION NO: 29

When network fail-over is enabled, what is the interaction with the fail-over cable? A. The fail-over cable voltage always takes precedence over network fail-over.B. The fail-over cable status is ignored. Fail-over is determined by the network status only.C. Either a network failure or loss of voltage across the fail-over cable will cause a fail-over.D. A network failure will not cause a fail-over as long as there is a voltage across the fail-over

cable. Answer: D




12/52

A c t u


QUESTION NO: 30

How is persistence configured?

A. Persistence is a profile type; an appropriate profile is created and associated with virtual server.B. Persistence is a global setting; once enabled, load-balancing choices are superceded by thepersistence method that is specified.C. Persistence is an option within each pool's definition.D. Persistence is an option for each pool member. When a pool is defined, each member'sdefinition includes the option for persistence. Answer: A

QUESTION NO: 31

A site is load-balancing traffic via a pool of routers. Which statement is true concerning BIG-IP'smonitor's ability to verify whether the routers are functioning properly or not? A. BIG-IP monitors can only check servers, they cannot test routers.B. Many BIG-IP monitors can be used to check the router's "near" interface, but there is no way totest any "far" interface.C. BIG-IP monitors can test through a router to a specified destination. Responses from thisdestination indicate the router is functioning.D. Monitors can directly query the router's interfaces via HTTP probes to determine whether theinterfaces are functioning. Answer: C

QUESTION NO: 32

You have created a custom profile named TEST2. The parent profile of TEST2 is named TEST1.If additional changes are made to TEST1, what is the effect on TEST2? A. When TEST1 is changed, the administrator is prompted and can choose whether to propagatechanges to TEST2.B. Changes to TEST1 cannot affect TEST2 once TEST2 is saved.C. Some of the changes to TEST1 may propagate to TEST2.

D. All changes to TEST1 are propagated to TEST2. Answer: C




13/52

A c t u


QUESTION NO: 33

A site needs to terminate client HTTPS traffic at the BIG-IP and forward that traffic unencrypted.Which two are profile types that would normally be associated with such a virtual server? (Choosetwo.) A. ClientSSLB. TCPC. HTTPSD. ServerSSLE. HTTPF. UDP Answer: A,B

QUESTION NO: 34

Which parameters are set to the same value when a pair of BIG-IP devices are synchronized? A. MAC masquerade addressesB. virtual server addressesC. VLAN fail-safe settingsD. host namesE. all self-IP addresses Answer: B

QUESTION NO: 35

Which three are events that can be used to trigger iRule data processing? (Choose three.) A. SERVER_SELECTEDB. HTTP_REDIRECTC. HTTP_REQUESTD. CLIENT_ACCEPTEDE. SERVER_REJECTED

Answer: A,C,D




14/52

A c t u


QUESTION NO: 36

Which is an advantage of terminating SSL communication at the BIG-IP rather than the ultimateweb server? A. Terminating SSL at the BIG-IP eliminates the need to use SSL acceleration hardware anywhere

in the network.B. Terminating SSL at the BIG-IP can eliminate SSL processing at the web servers that reducestheir load.C. Terminating SSL at the BIG-IP eliminates the need to purchase SSL certificates from acertificate authority.D. Terminating SSL at the BIG-IP eliminates all un-encrypted traffic from the network thatenhances security. Answer: B

QUESTION NO: 37

Assume a BIG-IP has no NATs or SNATs configured. Which two scenarios are possible whenclient traffic arrives on a BIG-IP? (Choose two.) A. If the destination of the traffic matches a virtual server, the traffic will be forwarded, but it cannotbe load-balanced since a SNAT has not been configured.B. If the destination of the traffic does not match a virtual server, the traffic will be forwarded basedon routing tables.C. If the destination of the traffic matches a virtual server, the traffic will be processed per thevirtual servers definition.D. If the destination of the traffic does not match a virtual server, the traffic will be discarded. Answer: C,D

QUESTION NO: 38

Assuming there are open connections through an active system's NAT and a fail-over occurs, bydefault, what happens to the connections? A. All open connections are lost, but new connections are initiated by the newly active BIG-IP,resulting in minimal client downtime.B. All open connections will be lost.

C. All open connections will be maintained.D. Long-lived connections such as Telnet and FTP will be maintained while short-livedconnections such as HTTP will be lost.




15/52

A c t u


E. The "Mirror" option must be chosen on the NAT and the setting synchronized prior to theconnection establishment. Answer: C

QUESTION NO: 39

Assume a virtual server is configured with a client-side SSL profile. What would the result be if thevirtual server's destination port were not 443? A. SSL termination could not be performed if the virtual server's port was not port 443.B. Virtual servers with a ClientSSL profile are always configured with a destination port of 443.C. As long as client traffic was directed to the alternate port, the virtual server would work asintended.D. Since the virtual server is associated with a ClientSSL profile, it will always process traffic sentto port 443. Answer: C

QUESTION NO: 40

Which three properties can be assigned to nodes? (Choose three.) A. connection limitsB. health monitorsC. load-balancing modeD. ratio valuesE. priority values Answer: A,B,D

QUESTION NO: 41

When configuring a pool member's monitor, which three association options are available?(Choose three.) A. assign a monitor to the specific memberB. inherit the node's monitor

C. inherit the pool's monitorD. do not assign any monitor to the specific memberE. configure a default monitor




16/52

A c t u


Answer: A,C,D

QUESTION NO: 42

Where is connection mirroring configured? A. It is not configured; it is default behavior.B. It is an optional feature of each pool.C. It is an optional action within an iRule.D. It is an optional feature of each virtual server. Answer: D

QUESTION NO: 43

When using the setup utility to configure a redundant pair, you are asked to provide a "FailoverPeer IP". Which address is this? A. an address on the current system used to initiate mirroring and network fail-over heartbeatmessagesB. an address used by the current system to listen for fail-over messages from the partner BIG-IPC. the address used by the current system to send messages to monitoring stationsD. an address of the other system in a redundant pair configuration Answer: D

QUESTION NO: 44

Which VLANs must be enabled for a SNAT to perform as desired (translating only desired

packets)? A. The SNAT must be enabled for the VLANs where desired packets arrive on the BIG-IP.B. The SNAT must be enabled for the VLANs where desired packets arrive and leave the BIG-IP.C. The SNAT must be enabled for all VLANs.D. The SNAT must be enabled for the VLANs where desired packets leave the BIG-IP. Answer: A

QUESTION NO: 45




17/52

A c t u


A site has six members in a pool. All of the servers have been designed, built, and configured withthe same applications. It is known that each client's interactions vary significantly and can affectthe performance of the servers. If traffic should be sent to all members on a regular basis, whichload-balancing method is effective if the goal is to maintain a relatively even load across allservers?

A. Round RobinB. PriorityC. Ratio MemberD. Observed Answer: D

QUESTION NO: 46

Which two statements are true concerning communication between a redundant pair of BIG-IPdevices? (Choose two.) A. Connection mirroring data is shared via a TCP connection using port 1028.B. Synchronization occurs via a TCP connection using ports 683 and 684.C. Connection mirroring data is shared through the serial fail-over cable unless network fail-over isenabled.

D. Persistence mirroring data is shared via a TCP connection using port 1028. Answer: A,D

QUESTION NO: 47

Which statement accurately describes the relation between the two load-balancing modesspecified as "member" and "node"?

A. There is no difference; the two terms are referenced for backward compatibility purposes.B. Load-balancing options referencing "nodes" are available only when the pool members aredefined for the "any" port.C. When the load-balancing choice references "node", the address' parameters are used to makethe load-balancing choice rather than the member's parameters.D. When the load-balancing choice references "node", priority group activation is unavailable. Answer: C




18/52

A c t u


QUESTION NO: 48

Assuming other fail-over settings are at their default state, what would occur if the fail-over cablewere to be disconnected for two seconds and then reconnected? A. As long as network communication is not lost, no change will occur.

B. When the cable is disconnected, both systems will become active. When the voltage isrestored, unit two will revert to standby mode.C. Nothing. Fail-over due to loss of voltage will not occur if the voltage is lost for less than sixseconds.D. When the cable is disconnected, both systems will become active. When the voltage isrestored, both systems will maintain active mode. Answer: B

QUESTION NO: 49

What is the purpose of MAC masquerading? A. to minimize ARP entries on routersB. to minimize connection loss due to ARP cache refresh delaysC. to prevent ARP cache errorsD. to allow both BIG-IP devices to always use the same MAC address Answer: B

QUESTION NO: 50

A site would like to ensure that a given web server's default page is being served correctly prior tosending it client traffic. Which monitor template would be the simplest to use? A. FTPB. SNMPC. HTTPD. WWWE. ICMP Answer: C

QUESTION NO: 51




19/52

A c t u


Click the Exhibit button. A virtual server is defined using a source-address based persistence profile. The last fiveconnections were A, B, C, A, C. Given the conditions shown in the exhibit, if a client with IP address 205.12.45.52 opens aconnection to the virtual server, which member will be used for the connection? Exhibit: 511-a-28.jpg A. 10.10.20.3:80B. 10.10.20.2:80C. 10.10.20.5:80D. 10.10.20.4:80

E. 10.10.20.1:80 Answer: D

QUESTION NO: 52

Which statement is true about the synchronization process, as performed by the ConfigurationUtility or by typing b config sync all?

A. The process should always be run from the standby system.B. The two /config/bigip.conf configuration files are synchronized (made identical) each time theprocess is run.C. The process should always be run from the system with the latest configuration.D. Multiple files, including /config/bigip.conf and /config/bigip_base.conf, are synchronized (madeidentical) each time the process is run. Answer: B

QUESTION NO: 53

A site needs a virtual server that will use an iRule to parse traffic based on HTTP header values.Which two profile types would normally be associated with such a virtual server? (Choose two.) A. FTPB. FastL4C. TCPD. UDP




20/52

A c t u


E. HTTPF. HTTPS Answer: C,E

QUESTION NO: 54

Which two statements describe differences between the active and standby systems? (Choosetwo.) A. Configuration changes can only be made on the active system.B. Monitors are performed only by the active system.C. Virtual server addresses are hosted only by the active system.D. Floating self-IP addresses are hosted only by the active system.E. Fail-over triggers only cause changes on the active system. Answer: C,D

QUESTION NO: 55

Click the Exhibit button. A virtual server is defined using a source-address based persistence profile. The last fiveconnections were A, B, C, A, C. Given the conditions shown in the exhibit, if a client with IP address 205.12.45.52 opens aconnection to the virtual server, which member will be used for the connection? Exhibit: 511-b-24.jpg

A. 10.10.20.3:80B. 10.10.20.5:80C. 10.10.20.4:80D. 10.10.20.1:80E. 10.10.20.2:80 Answer: C

QUESTION NO: 56

What is the difference between a node and a pool member?




21/52

A c t u


A. A pool member is defined as an IP address:port combination and a node is defined as an IPaddress only.B. A node is defined as an IP address:port combination and a pool member is defined as an IPaddress only.C. There is no difference between a node and a pool member.D. Both are an IP address:port combination, but a node's port is never specified (any port). Answer: A

QUESTION NO: 57

Given that VLAN Fail-Safe is enabled on the external VLAN and the network that the active BIG-IP's external VLAN is connected to has failed, which statement is always true about the results? A. The active system will reboot and the standby system will go into active mode.B. The active system will note the failure in the HA table and may reboot.C. The active system will restart the traffic management module to eliminate the possibility thatBIG-IP is the cause for the network failure.D. The active system will fail-over and the standby system will go into active mode. Answer: B

QUESTION NO: 58

You need to terminate client SSL traffic at the BIG-IP and re-encrypt it after using an iRule tochoose a pool to process the data. Which two are profile types that would normally be associatedwith such a virtual server? (Choose two.) A. UDPB. FTP

C. HTTPSD. ClientSSLE. ServerSSL Answer: D,E

QUESTION NO: 59

Which two must be sent to the license server to generate a new license? (Choose two.) A. the system's registration key




22/52

A c t u


B. the system's dossierC. the system's host nameD. the system's base licenseE. the system's purchase order number Answer: A,B

QUESTION NO: 60

When defining a monitor based on the ICMP template, which option can be specified? A. Server nameB. Timeout valueC. Pool member associationD. Pool associationE. Send string Answer: B

QUESTION NO: 61

Which tool captures a BIG-IP's configuration and logs? A. askf5B. bigtopC. tcpdumpD. qkview Answer: D

QUESTION NO: 62

Which two statements are true about NATs? (Choose two.) A. NATs support UDP, TCP, and ICMP traffic.B. NATs provide a one-to-one mapping between IP addresses.C. NAT addresses can be identical to virtual server IP addresses.D. NATs provide a many-to-one mapping between IP addresses. Answer: A,B




23/52

A c t u


QUESTION NO: 63

A site is load-balancing to a pool of web servers. Which statement is true concerning BIG-IP'smonitor's ability to verify whether the web servers are functioning properly or not? A. Web server monitors always verify the contents of the index.html page.

B. Web server monitors can test the content on any page on the server.C. Web server monitors can test whether the server's address is reachable, but cannot test apage's content.D. Web server monitors can test the content of static web pages, but cannot query pages thatwould require the web server to dynamically find content. Answer: B

QUESTION NO: 64

Why is persistence an important feature of a load-balancing product? A. Client performance is enhanced when clients are sent to the same server over and over again.B. Persistence features allow clients to bypass security features and therefore decrease clientresponse time.C. Some applications behave better when clients return to the same server rather than any serverin the pool.D. Persistence is only important when load-balancing HTTP applications. Answer: C

QUESTION NO: 65

Which statement is true concerning iRules? A. iRules use a proprietary syntax language.B. iRules must contain at least one conditional statement.C. iRules must contain at least one pool assignment statement.D. iRules must contain at least one event declaration. Answer: D

QUESTION NO: 66

Which statement is true concerning cookie persistence?




24/52

A c t u


A. If a client's browser accepts cookies, cookie persistence will always cause a cookie to bewritten on the client system.B. Cookie persistence allows persistence even if the data are encrypted from client to poolmember.C. Cookie persistence uses a cookie that stores the virtual server, pool name, and member IPaddress in clear text.D. Cookie persistence allows persistence independent of IP addresses. Answer: D

QUESTION NO: 67

Assume a virtual server is configured with a client-side SSL profile. What would the result be if the

virtual server's destination port were not 443? A. Virtual servers with a ClientSSL profile are always configured with a destination port of 443.B. Since the virtual server is associated with a ClientSSL profile, it will always process traffic sentto port 443.C. As long as client traffic was directed to the alternate port, the virtual server would work asintended.D. SSL termination could not be performed if the virtual server's port was not port 443.

Answer: C

QUESTION NO: 68

Which action might take place when a failover trigger is detected by the active system? A. The active device will either restart an offending process, fail-over, or reboot.B. The standby device also detects the failure and assumes the active role.

C. The standby device will begin processing virtual servers that have failed, but the active devicewill continue servicing the functional virtual servers.D. The active device will wait for all connections to terminate and then fail-over. Answer: A

QUESTION NO: 69

Assume a client's traffic is being processed only by a NAT; no SNAT or virtual server processingtakes place. Also assume that the NAT definition specifies a NAT address and an origin addresswhile all other settings are left at their defaults. If the client were to initiate traffic to the NATaddress, what changes, if any, would take place when the BIG-IP processes such packets?




25/52

A c t u


A. The client address would not change, but the server address would be translated to the origin'saddresses.B. The client address would not change, but the server address would be translated to the chosenpool member's address.C. The server's address would not change, but the client's address would be translated to theNAT's address.D. The client address would not change, but the server address would be translated to the NAT'saddress. Answer: A

QUESTION NO: 70

How is the load-balancing mode specified? A. within the pool definitionB. within the node definitionC. within the virtual server definitionD. within the pool member definition Answer: A

QUESTION NO: 71

When can a single virtual server be associated with multiple profiles? A. Never. Each virtual server has a maximum of one profile.B. Unlimited. Profiles can work together in any combination to ensure that all traffic types aresupported in a given virtual server.C. Often. Profiles work on different layers and combining profiles is common.

D. Rarely. One combination, using both the TCP and HTTP profile does occur, but it is theexception. Answer: C

QUESTION NO: 72

A BIG-IP has two SNATs, a pool of DNS servers and a virtual server configured to load-balance

UDP traffic to the DNS servers. One SNAT's address is 64.100.130.10; this SNAT is defined for all addresses. The secondSNAT's address is 64.100.130.20; this SNAT is defined for three specific addresses, 172.16.3.54,




26/52

A c t u


172.16.3.55, and 172.16.3.56. The virtual server's destination is 64.100.130.30:53. The SNATsand virtual server have default VLAN associations. If a client with IP address 172.16.3.55 initiates a request to the virtual server, what is the source IPaddress of the packet as it reaches the chosen DNS server?

A. 64.100.130.30B. 172.16.3.55C. 64.100.130.10D. 64.100.130.20 Answer: D

QUESTION NO: 73

Assuming there are open connections through an active system's virtual servers and a fail-overoccurs, by default, what happens to the connections? A. Long-lived connections such as Telnet and FTP are maintained, but short-lived connectionssuch as HTTP are lost.B. All open connections are maintained.C. All open connections are lost.

D. When persistence mirroring is enabled, open connections are maintained even if a fail-overoccurs.E. All open connections are lost, but new connections are initiated by the newly active BIG-IP,resulting in minimal client downtime. Answer: C

QUESTION NO: 74

What is the default IP address on a BIG-IP's management port? A. 192.168.1.245/24B. 192.168.245.245/24C. 192.168.245.245/16D. 192.168.1.245/16 Answer: A




27/52

A c t u


QUESTION NO: 75

Which statement is true concerning iRule context? A. The iRule event declaration determines the context.B. The context must be explicitly declared.

C. The iRule command determines the context.D. The results of the iRule's conditional statement determines the context. Answer: A

QUESTION NO: 76

Which three methods can be used for initial access to a BIG-IP system? (Choose three.)

A. HTTP access to the management portB. serial console accessC. HTTPS access to the management portD. HTTPS access to any of the switch portsE. SSH access to the management portF. HTTP access to any of the switch portsG. SSH access to any of the switch ports

Answer: B,C,E

QUESTION NO: 77

Which three processes or systems can be monitored and used as fail-over triggers in a redundantpair configuration? (Choose three.) A. bandwidth utilizationB. switchboard packet processing abilityC. pool member packet processing abilityD. VLAN communication abilityE. CPU utilization percentage Answer: B,C,D

QUESTION NO: 78

A monitor has been defined using the HTTP monitor template. The send and receive string werecustomized, but all other settings were left at their defaults. Which resources can the monitor be




28/52

A c t u


assigned to? A. only specific pool membersB. any virtual serverC. any nodeD. any pool

Answer: D

QUESTION NO: 79

Which statement is true concerning SSL termination? A. When any virtual server uses a ClientSSL profile, all SSL traffic sent to the BIG-IP is decrypted

before it is forwarded to servers.B. Decrypting traffic at the BIG-IP allows the use of iRules for traffic management, but increasesthe server load.C. A virtual server that has both ClientSSL and ServerSSL profiles can still support cookiepersistence.D. When the ClientSSL and ServerSSL options are combined, SSL processing is reduced on theservers. Answer: C

QUESTION NO: 80

Which two properties can be assigned to a pool? (Choose two.) A. load-balancing modeB. connection limits

C. priority valuesD. ratio valuesE. health monitors Answer: A,E

QUESTION NO: 81

Which three statements describe a characteristic of profiles? (Choose three.) A. A profile can be a child of one profile and a parent of another.




29/52

A c t u


B. While most virtual servers have at least one profile associated with them, it is not required.C. Default profiles cannot be created or deleted.D. All changes to parent profiles are propagated to their child profiles.E. Custom profiles are always based on a parent profile. Answer: A,C,E

QUESTION NO: 82

Which three statements are true about SNATs? (Choose three.) A. SNAT addresses can be identical to virtual server IP addresses.B. SNATs provide bi-directional traffic initiation.C. SNATs support UDP, TCP, and ICMP traffic.D. SNATs provide a many-to-one mapping between IP addresses. Answer: A,C,D

QUESTION NO: 83

The current status of a given pool member is nknown? Which condition could explain that state? A. The member has a monitor assigned to it and the monitor did not succeed during the mostrecent timeout period.B. The member has no monitor assigned to it.C. The member has a monitor assigned to it and the most recent monitor was successful.D. The member's node has a monitor assigned to it and the monitor did not succeed during themost recent timeout period. Answer: B

QUESTION NO: 84

Why is the context of an event significant in iRule processing? A. The context determines the values of commands that vary between client and server.B. The context determines which events are available for iRule processing.C. The context determines which pools are available for load-balancing.

D. While the context explicitly defines the values of commands, there is no ambiguity when thecontext is not known.




30/52

A c t u


Answer: A

QUESTION NO: 85

Which two statements are true concerning differences between BIG-IP platforms? (Choose two.) A. All F5 switch ports are tri-speed; 10, 100 or 1000 Mbps.B. The 1500 and 3400 are in a 1U chassis while the 6400 is in a 2U chassis.C. All BIG-IP platforms use both an ASIC and CPU(s) to process traffic.D. The 1500, 3400 and 6400 have greater SSL capabilities after the initial SSL handshake thanthe 1000, 2400, and 5100.E. The 1500 hosts more ports than the 3400. Answer: B,D

QUESTION NO: 86

Assuming that systems are synchronized, which action could take place if the fail-over cable isconnected correctly and working properly, but the systems cannot communicate over the networkdue to external network problems? A. Whether or not network fail-over is enabled, the standby system will stay in standby mode.B. If network fail-over is enabled, the standby system will go into active mode but only until thenetwork recovers.C. If network fail-over is enabled, the standby system will assume the active mode.D. Whether or not network fail-over is enabled, the standby system will assume the active mode. Answer: A

QUESTION NO: 87

Which tool captures data packets being processed by a BIG-IP? A. bigtopB. qkviewC. tcpdumpD. askf5

Answer: C




31/52

A c t u


QUESTION NO: 88

Which two methods can be used to determine which BIG-IP is currently active? (Choose two.) A. The status (Active/Standby) is embedded in the command prompt.B. The bigtop command displays the status.

C. The ifconfig -a command displays the floating addresses on the active system.D. Only the active system's configuration screens are active. Answer: A,B

QUESTION NO: 89

Given the rule below, which two statements are true? (Choose two.)

rule ExampleRule {when HTTP_REQUEST {if { [HTTP::uri] contains "f5" } {pool pool1}else {pool pool2

}}} A. The following request would be sent to pool1http://www.f5.com/f5/training/index.htmlB. The following request would be sent to pool1http://www.f5.com/ffivetraining/index.htmlC. The following request would be sent to pool1

http://www.f5.com/training/index.htmlD. The following request would be sent to pool1http://www.f5.com/f5training/index.htmlE. The following request would be sent to pool2http://www.f5.com/f5training/index.html Answer: A,D

QUESTION NO: 90




32/52

A c t u


What is the expected result if the source address persistence mask is changed from255.255.255.0 to 255.255.0.0? A. Larger groups of clients would persist to the same pool members.B. There would be no direct changes.C. Fewer clients would match existing persistence records.

D. A greater number of persistence records would probably be created. Answer: A

QUESTION NO: 91

Which cookie persistence method requires the least configuration changes on the web servers tobe implemented correctly? A. hashB. rewriteC. passiveD. insert Answer: D

QUESTION NO: 92

You have created a custom profile named TEST2. The parent profile of TEST2 is named TEST1.If additional changes are made to TEST1, what is the effect on TEST2? A. Changes to TEST1 cannot affect TEST2 once TEST2 is saved.B. Some of the changes to TEST1 may propagate to TEST2.C. All changes to TEST1 are propagated to TEST2.

D. When TEST1 is changed, the administrator is prompted and can choose whether to propagatechanges to TEST2. Answer: B

QUESTION NO: 93

A site has six members in a pool. Three of the servers are new and have more memory and a

faster processor than the others. Assuming all other factors are equal and traffic should be sent toall members, which two load-balancing methods are appropriate? (Choose two.)




33/52

A c t u


A. ObservedB. Ratio MemberC. PriorityD. Round Robin Answer: A,B

QUESTION NO: 94

Which three methods are available for remote authentication of users allowed to administer a BIG-IP system through the Configuration Utility? (Choose three.) A. LDAPB. VASCOC. Active DirectoryD. OCSPE. Radius Answer: A,C,E

QUESTION NO: 95

A site would like to ensure that a given server's IP address is reachable prior to sending it clienttraffic. Which monitor template would be the simplest to use? A. TCPB. PINGC. ICMPD. HTTPE. SNMP

Answer: C

QUESTION NO: 96

A load-balancing virtual server has been associated with a pool with multiple members. Assumingall other settings are left at their defaults, which statement is always true concerning trafficprocessed by the virtual server?

A. The server IP address is unchanged whether the traffic is between the BIG-IP and client or theBIG-IP and server.




34/52

A c t u


B. The client IP address is unchanged whether the traffic is between the BIG-IP and client or theBIG-IP and server.C. The TCP ports used in the client to BIG-IP connection are the same as the TCP ports in theBIG-IP to server connection.D. The IP addresses used in the client to BIG-IP connection are the same as the IP addresses inthe BIG-IP to server connection. Answer: B

QUESTION NO: 97

A BIG-IP has two SNATs, a pool of DNS servers and a virtual server configured to load-balanceUDP traffic to the DNS servers.

One SNAT's address is 64.100.130.10; this SNAT is defined for all addresses. The secondSNAT's address is 64.100.130.20; this SNAT is defined for three specific addresses, 172.16.3.54,172.16.3.55, and 172.16.3.56. The virtual server's destination is 64.100.130.30:53. The SNATsand virtual server have default VLAN associations. If a client with IP address 172.16.3.60 initiates a request to the virtual server, what is the source IPaddress of the packet as it reaches the chosen DNS server?

A. 64.100.130.10B. 64.100.130.20C. 172.16.3.60D. 64.100.130.30 Answer: A

QUESTION NO: 98

Which statement is true regarding fail-over? A. By default, hardware fail-over detects voltage across the fail-over cable and monitors trafficacross the internal VLAN.B. Hardware fail-over can be used in conjunction with network failover.C. If the hardware fail-over cable is disconnected, both BIG-IP devices will always assume theactive role.

D. Hardware fail-over is disabled by default. Answer: B




35/52

Exam Express EE0-515

EE0-515 FirePass v6 exam

Practice TestVersion 3.0


36/52

A c t u


QUESTION NO: 1

User1's logon has access and the share path is . Which two FirePass WindowsFiles favorites would link the user to User1's share? (Choose two.) A. Logged into Windows as "User1", logged intoFirePass as "User2", FirePass link

\\Server\%winlogin%.B. Logged into Windows as "User2", logged intoFirePass as "User1", FirePass link

\\Server\%winlogin%.C. Logged into Windows as "User1", logged intoFirePass as "User2", FirePass link

\\Server\%username%.D. Logged into Windows as "User2", logged intoFirePass as "User1", FirePass link.E. Logged into Windows as "User2", logged intoFirePass as "User2", FirePass link \\Server\User1and when prompted enter User1's Windows login and password. Answer: D,E

QUESTION NO: 2

Which two statements are true about Resource and Master Groups? (Choose two.) A. Master Groups contain authentication parameters.B. Resource Groups contain authentication parameters.C. Master Groups contain both authentication parameters and links to features.D. Both Resource and Mastergroups are a required part of a FirePass configuration. Answer: A,D

QUESTION NO: 3

Which two statements are true about initial access to the FirePass 1200 Controller? (Choose two.) A. The Admin has limited access through a serial terminal using "maintenance" at the consolelogin.B. The Admin has Unix command line access through a serial terminal using root / default as theuserid and password.C. The Admin has web configuration access to https://192.168.1.99/admin/ using admin / admin asthe userid and password.

D. The Admin has web configuration access to https://192.168.1.245/admin/ using admin / adminas the userid and password.E. The Admin has Unix command line access through a keyboard and monitor using root / defaultas the userid and password.




37/52

A c t u


Answer: A,C

QUESTION NO: 4

Which statement is true about the NAPT option when a Network Access connection to FirePass isused? A. When enabled, NAPT translates theFirePass virtual address to the application Server Address.B. The NAPT option is used when connecting to the Portal Access feature and translates the clientsource address to the FirePass Address.C. The NAPT option is used when connecting to the Network Access feature and translates theclient source address to the FirePass Address.D. The NAPT option is used when connecting to the Application Access feature and translates the

client source address to the FirePass Address. Answer: C

QUESTION NO: 5

Which two statements are true about Clustering on FirePass? (Choose two.) A. The configuration is synched from the Slave to the Master automatically.B. The configuration is synched from the Master to the Slave automatically.C. The configuration is synched from the Slave to the Master manually by an Administrator.D. The configuration is synched from the Master to the Slave manually by an Administrator.E. If using failover pairs, the Standby Slave gets its configuration directly from the Master box.F. If using failover pairs, the Standby Slave gets its configuration from its Active failover partner. Answer: B,F

QUESTION NO: 6

Which statement is true about configuring the IP Address Pool? A. Only one IP Address pool may be configured on theFirePass Controller.B. Different user groups may be configured to use different IP Address pools.C. IP Address Pools are used for both Network Access and Application Access.D. The IP Address range for the pool may include one or more of the configured FirePass

interface addresses. Answer: B




38/52

A c t u


QUESTION NO: 7

Which statement is true regarding Portal Access: Access Control Lists?

A. ACL's can be applied to the Master Group and Favorites.B. ACL's can prevent favorites from being viewable from theWebtop.C. ACL's require that an Active X component be downloaded and installed automatically when theuser clicks on a favorite.D. Un-checking "show administrator defined favorites only" on the Master Group settings page willallow the user to browse to any URLregardless of the configured ACL's. Answer: A

QUESTION NO: 8

From which three sources can users be directly imported into FirePass? (Choose three.) A. CSV fileB. remote Radius ServerC. remote VASCO ServerD. remote LDAP Server directoryE. remote Active Directory ServerF. localFirePass Server Master Password file Answer: A,D,E

QUESTION NO: 9

At logon time, dynamic group mapping associates users with which groups? A. One Master Group and zero or more Resource GroupsB. One Master Group and at least one or more Resources GroupsC. One or more Master Groups and zero or more Resource GroupsD. One or more Master Groups and at least one or more Resource Groups Answer: A

QUESTION NO: 10




39/52

A c t u


Which type of connection to application servers CANNOT be accomplished by the FirePassApplication Access feature set? A. ssh access to Unix hostB. telnet access toUnix hostC. telnet access to mainframe host

D. serial terminal access toUnix hostE. Terminal Server access to Windows Terminal Server Answer: D

QUESTION NO: 11

Which two sequences include the "required" steps, in the correct order, for configuring Failover onthe FirePass Controller? (Choose two.) 1.restart First (Primary) 2.restart Second (Secondary)3.enable Failover option on First 4.enable Failover option on Second 5.configure virtual IPAddress on First 6. configure virtual IP Address on Second A. 3, 1, 5, 4, 2, 6B. 3, 1, 4, 2, 5, 6C. 3, 1, 5, 1, 4, 2, 6, 2D. 3, 1, 4, 2, 5, 1, 6, 2

E. 5, 1, 3, 1, 6, 2, 4, 2F. 5, 1, 6, 2, 3, 1, 4, 2 Answer: C,D

QUESTION NO: 12

A FirePass snapshot can be accomplished in which way?

A. A snapshot may be saved to a local PC using the web configuration Admin console.B. A snapshot may be saved to the local PC using the command line "maintenance" script.C. A snapshot may be saved to theFirePass hard-drive using the web configuration Adminconsole.D. A snapshot may be saved to theFirePass hard-drive using the command line "maintenance"script. Answer: D




40/52

A c t u


QUESTION NO: 13

Which two statements are true about FirePass Portal Access connections? (Choose two.) A. For Mobile Email connections, the FirePass Server converts Mail Server protocols to htmlbefore presenting to the client.

B. For Mobile Email connections, the FirePass Server downloads an ActiveX control that convertsnative Mail Server data to html.C. For Windows File connections, the FirePass Server converts native Windows Server file data tohtml before presenting to the client.D. For Windows File connections, the FirePass Server downloads a Java control that convertsnative Windows Server file data to html. Answer: A,C

QUESTION NO: 14

Which is a valid way to tell whether the Admin is connected to the Master as opposed to the SlaveNode in a cluster of FirePass Controllers? A. Admin console /Clustering option is absent.B. Admin console /Clustering option is present.C. Admin console / Portal Access option is present.D. Admin console / Network Access option is present. Answer: C

QUESTION NO: 15

Which is a valid method to limit FirePass configuration access to the GUI Admin Console? A. Limit to SSH.B. Limit by IP Subnet.C. Limit by MAC Address.D. Limit to client operating system. Answer: B

QUESTION NO: 16

A new FirePass V6 setup environment has the following default settings: One Resource Group isstatically mapped to one Master Group with two Dynamic AppTunnel Favorites configured. One for




41/52

A c t u


the putty application to access 172.16.20.2 and a second for telnet to 172.16.20.3. For the wholeResource Group there is an Allow List entry for the 172.16.0.0/16 network. In this situation, if theAppTunnels are open, which two statements are true? (Choose two.) A. As the default action for the Master Group is Deny, no access is possible.B. Users of that Master Group have access to the whole 172.16./16 network.

C. Configuration of a Resource Group Allow List and a specific Favorite Allow List is not possible.D. Users of all Master Groups with that Resource Group mapped have access to 172.16.20.2:22and 172.16.20.3:23. Answer: B,D

QUESTION NO: 17

Which CANNOT be used to determine a user's access to FirePass features? A. client SSL CertificateB. client network connection speedC. client running Virus scan softwareD. client selecting Protected WorkspaceE. configuring the "Don't Use" option in User Experience Answer: B

QUESTION NO: 18

Which statement is true about the Failover Synchronization process on FirePass? A. The configuration is synched from Active to Standby automatically.B. The configuration is synched from Standby to Active automatically.

C. The Synchronization process can be configured using a virtual IP Address.D. The configuration is synched from Active to Standby manually by an Administrator.E. The configuration is synched from Standby to Active manually by an Administrator. Answer: A

QUESTION NO: 19

FirePass controller Admins CANNOT be configured to control which of the following? A. The whole box.




42/52

A c t u


B. Only one Master group.C. Only one Resource group.D. Select features within theFirePass controller.E. User revocation on an Active Directory authentication server. Answer: E

QUESTION NO: 20

When are the EndPoint Security checks performed on the client machine that determine whether aclient has access to certain resources or not? A. after user logonB. prior to every user logonC. prior to the first user logon, but not for subsequent logons from the same browser sessionD. after user logon but before selecting a Portal Access connection withEndPoint protectionenabledE. after user logon but before selecting a Network Access connection withEndPoint protectionenabled Answer: B

QUESTION NO: 21

Network Access connections can be made to which three types of clients? (Choose three.) A. clients running LinuxB. clients running WindowsC. clients running MAC OS9D. clients running MAC OSX

E. any WAP cell phone with browser access Answer: A,B,D

QUESTION NO: 22

Which two statements are true about Static AppTunnels? (Choose two.)

A. OneAppTunnel connection can be configured to connect the client to two different ApplicationServers.B. An AppTunnel connection and Legacy Host connection can be configured to connect to thesame IP Address.




43/52

A c t u


C. An AppTunnel connection and Legacy Host connection cannot be configured to connect to thesame Host Server.D. Code is downloaded to the client and this code listens for connections to the clients 127 loopback adaptor address.E. An AppTunnel connection and Mobile Email connection cannot be configured to connect to thesame Windows Exchange Server. Answer: B,D

QUESTION NO: 23

Which two statements are true concerning Network Access Policy Checking? (Choose two.) A. Policy checks can prevent network routing changes to the client.B. Policy checks can prevent system registry changes to the client.C. Policy checks can disconnect Network Access from a client when routing tables are altered.D. Policy checks can be applied to Network Access resources and Application Tunnel resources.E. Policy checks can terminate Network Access connections if selected processes are stopped orstarted on the client. Answer: C,E

QUESTION NO: 24

Which statement is true about FirePass Administrators accounts? A. Administrator logons can be authenticated externally toFirePass.B. FirePass Full Access Administrator can access the FirePass user webtop.C. FirePass Administrator Realm accounts can change Full Access account passwords.D. FirePass Administrators with the sufficient rights can change any FirePass user's password.

Answer: A

QUESTION NO: 25

Which statement is FALSE about FirePass Portal Access connections and the Web Applicationstrace?

A. The Web Applications trace output is a zip file.B. After being formatted, the Web Applications trace output can be viewed using a browser.C. The Web Applications trace output shows only server side html in order to see the html theserver is sending to the client.




44/52

A c t u


D. The Web Applications trace output shows both client side and server side html in order to seehow FirePass is translating html links before sending to the client. Answer: C

QUESTION NO: 26

Which two statements are true about EndPoint security Protected Configuration? (Choose two.) A. A Protected Configuration can be defined in Master group settings.B. A Protected Configuration can be defined in Resource group settings.C. Particular Network IP subnets can be defined to protect resources in a Protected Configuration.D. A resource can be protected by two different checks defined in two different pre-logonsequences.E. A Process check can be defined in Protected Configuration for resource protection without aprocess check definition in pre-logon sequence. Answer: B,C

QUESTION NO: 27

A backup or restore of the FirePass configuration can be accomplished in which way? A. A backup file is automatically saved to theFirePass hard-drive each night by default.B. A backup file may be saved to a local PC using the web configuration Admin console.C. A backup file may be saved to the local PC using the command line "maintenance" script.D. A backup file may be saved to theFirePass hard-drive using the web configuration Adminconsole.E. A backup file may be saved to theFirePass hard-drive using the command line "maintenance"script.

Answer: B

QUESTION NO: 28

Which three ways can users be authenticated to FirePass? (Choose three.) A. Remote LDAP Server

B. LocalFirePass LDAP ServerC. RemoteFirePass LDAP ServerD. Remote Active Directory Server




45/52

A c t u


E. LocalFirePass Internal DatabaseF. LocalFirePass Master Password File Answer: A,D,E

QUESTION NO: 29

Which three are valid options for EndPoint security checks? (Choose three.) A. file presentB. processes presentC. client MAC addressD. client network access speedE. McAfee Antivirus running certain version of Scan Engine Answer: A,B,E

QUESTION NO: 30

Which statement is true about Signup templates? A. Signup templates only apply to externally maintained user groups that are authenticated by theexternal server.B. Signup templates only apply to externally maintained user groups that are authenticated bytheFirePass server.C. Signup templates only apply to user groups maintained locally onFirePass but authenticated byan external server.D. Signup templates only apply to user groups maintained locally onFirePass and authenticated bythe FirePass server.

Answer: C

QUESTION NO: 31

Which statement is true concerning the Split Tunnel option for a Network Access connection? A. When enabled, all client network traffic is split out and setup in an encrypted tunnel session withtheFirePass server.

B. When enabled, only traffic from the client destined to a particular IP Address range is forwardedto theFirePass server.C. When enabled, all client network traffic is load balanced across two encrypted tunnel sessionswith theFirePass server.




46/52

A c t u


D. When enabled, traffic from theFirePass server to a particular Application Server is split out andset up in an encrypted tunnel session.E. When enabled, priority traffic is sent through a higher speed tunnel connection to theFirePassserver and secondary traffic is sent on a second lower speed tunnel connection. Answer: B

QUESTION NO: 32

Which three statements correctly reflect the number of concurrent users in the different FirePasshardware models? (Choose three.) A. A standaloneFirePass 1200 can support a maximum of 100 users.B. A standaloneFirePass 1200 can support a maximum of 250 users.C. A standaloneFirePass 4100 can support a maximum of 2000 users.D. A standaloneFirePass 4100 can support a maximum of 5000 users.E. Using theFirePass clustering feature, a cluster of FirePass 1200's can support 2500 users.F. Using theFirePass clustering feature, a cluster of FirePass 4100's can support 10,000 users. Answer: A,C,F

QUESTION NO: 33

Which of the following CANNOT be accomplished on a FirePass controller? A. FirePass can generate client SSL certificates.B. FirePass can generate server SSL certificates.C. FirePass can deny access based on an invalid client machine certificate.D. FirePass can import a server SSL certificate purchased from a Certificate Authority.E. FirePass can allow access to users logging in from devices that do not have valid client side

certificates, but deny selected resources. Answer: C

QUESTION NO: 34

Which three of the following are valid troubleshooting options for the FirePass controller? (Choosethree.)

A. Capture a dataset from the GUI Admin console.B. Capturenetstat and ifconfig commands from the GUI Admin console.




47/52

A c t u


C. Capture a network packet dump (tcpdump) from the GUI Admin console.D. Capture network diagnostics from the command line maintenance script.E. Capture a network packet dump (tcpdump) from the command line maintenance script. Answer: A,C,D

QUESTION NO: 35

If a working Active / Standby pair of FirePass Controllers has been configured correctly forFailover, which observation by itself would allow the Admin to tell which FirePass box is is theActive member of the pair? A. https:///admin/ / Welcome screen says "In Failover Active Mode".B. https:///admin/ / Welcome screen says "In Failover ActiveMode".C. https:///admin/ / Current Settings screen option Current FailoverStatus set to "Active".D. https:///admin/ / Current Settings screen option Current FailoverStatus set to "Active". Answer: B

QUESTION NO: 36

Based on the pre-logon sequence in the exhibit, which two statements are true? (Choose two.)

A. If the file c:\logon.txt exists, and the process calc.exe is not running, the client will be presentedwith a logon screenB. If the filec:\logon.txt exists, and the process calc.exe is not running, the client will be logged intothe FirePass controller




48/52

A c t u


C. If the filec:\logon.txt does not exist, and the process calc.exe is running, the client will bepresented with a logon screenD. If the filec:\logon.txt does not exist, and the process calc.exe is not running, the client will bepresented with a logon screenE. If the filec:\logon.txt does not exist, and the process calc.exe is running, the client will be loggedinto the FirePass controllerF. If the filec:\logon.txt does not exist, and the process calc.exe is not running, the client will belogged into the FirePass controller Answer: A,C

QUESTION NO: 37

Which CANNOT be used to limit logon access to FirePass? A. client SSL CertificateB. client source IP AddressC. client Ethernet MAC AddressD. client running Virus scan softwareE. client selecting Protected Workspace Answer: C

QUESTION NO: 38

Which two statements are true concerning Network Access Packet Filtering? (Choose two.) A. When packet filtering is enabled, a default rule of Deny All is created to run after all Globalrules.B. When packet filtering is enabled, a default rule of Accept All is created to run after all Global

rules.C. Global packet filter rules will be applied first. If a Global rule matches the packet and has anaction of Continue, then the Resource Groupfilter rules will be applied.D. Resource packet filter rules will be applied first. If a Resource rule matches the packet and hasan action of Continue, then the Global Groupfilter rules will be applied. Answer: A,C




49/52

A c t u


QUESTION NO: 39

If a user's machine does NOT have the matching Client SSL Certificate installed, which twostatements are true? (Choose two.) A. The user's password is disabled.

B. The user's login access can be deniedC. The user's access speed can be limited.D. The user's access toFirePass features can be limited. Answer: B,D

QUESTION NO: 40

Which statement is FALSE about an EndPoint security Protected Configuration? A. All resources are protected by at least one pre-logon checkB. Different resources can be protected by different pre-logon checksC. Resources can be required to pass more than one pre-logon checkD. Within one pre-logon sequence some checks can be used to protect resources and otherchecks can restrict access to the logon screen Answer: A

QUESTION NO: 41

Which three statements are true about Network Access versus Portal Access? (Choose three.) A. The FirePass Admin can limit application resources the client can reach for a Portal Accessconnection.B. The FirePass Admin can limit application resources the client can reach for a Network Accessconnection.C. Portal Access connections utilize moreFirePass system resources than Network Accessbecause of the conversion of user screens to html.D. Network Access connections utilize moreFirePass system resources than Portal Accessbecause of the download of code to client machines.E. Portal Access connections utilize moreFirePass system resources than Network Accessbecause of the download of code to client machines.

Answer: A,B,C




50/52

A c t u


QUESTION NO: 42

Which statement is true for users in a group when the "Show administrator-defined favorites only"option is enabled? A. They cannot configure their own user favorites.

B. They only see links setup by theFirePass Admin and can access other sites with sufficientprivileges.C. They see links setup by theFirePass Admin and links to web servers on the same network asFirePass.D. They only see links setup by theFirePass Admin but can access other sites by typing in theweb-site address. Answer: A

QUESTION NO: 43

Which of the following CANNOT be used to grant or deny access using the pre-logon sequence? A. Username and passwordB. The presence of a specific fileC. Operating system of the client computer.D. Time of day the user is attempting to logonE. Day of the week the user is attempting to logon Answer: A

QUESTION NO: 44

Which two statements are true concerning the Network Access SSL VPN tunnel connection?

(Choose two.) A. The user cannot un-install the Network Access client software.B. For Windows clients, Network Access installs a network adaptor.C. For Windows clients, a set of ActiveX controls is installed on the client machine.D. For all clients, a Java client must be installed on the client machine prior to Network Accessclient download. Answer: B,C

QUESTION NO: 45




51/52

A c t u


Which of the following is NOT a valid EndPoint security check? A. Operating system typeB. Norton Antivirus presentC. Windows client registry entry presentD. Unix client process present or process absent

E. Windows client process present or process absent Answer: D

QUESTION NO: 46

Which statement regarding Portal Access is FALSE?

A. Virus Scanning can be enabled on a Windows file transfer using Portal Access.B. Supported Portal Access options include Windows Files, Web Applications and WindowsTerminal Server.C. The FirePass controller has safeguards against buffer overflow attacks, SQL injection attacksor cross site scripting.D. FirePass Portal Access connections are compatible with Microsoft Outlook Web Access,Microsoft SharePoint, and IBM Lotus Domino Web Access. Answer: B

QUESTION NO: 47

Which three types of applications are supported by the Application Access Legacy Host feature onFirePass? (Choose three.) A. TN3270 access to mainframe

B. TN3270ssh access to mainframeC. TN5250 access to IBM AS/400 systems (Systemi)D. Java client download for VT100ssh access to Unix HostE. full featured ActiveX client download for VT100ssh access to Unix Host Answer: A,C,D

QUESTION NO: 48

Which two statements are true about the options available from the FirePass command line"maintenance" script? (Choose two.)




52/52

A c t u


A. It can be used to shutdown and restart theFirePass Controller.B. It can be used to reset theFirePass Controller to factory defaults.C. It can be used to add Administratoruserids to the FirePass Controller.D. It can be used to reset any user's password for theFirePass Controller. Answer: A,B

QUESTION NO: 49

Dynamic group mapping does NOT work with which of the following? A. LDAPB. Landing URIC. Active DirectoryD. Client CertificateE. Internal Database Answer: E

QUESTION NO: 50

Which two statements are true about the FirePass 1200 Controller Quick Setup Wizard? (Choosetwo.) A. The steps include setting the license for theFirePass server.B. The steps include settingssh access to the FirePass server.C. The steps include setting theSuperUser userid and password for the FirePass server.D. The steps include setting a basic IP configuration including 1FirePass NIC IP Address, aGateway and a DNS server.E. The steps include setting a basic IP configuration including 3FirePass NIC IP Addresses, a

Gateway and a DNS server. Answer: C,D


Date post:	06-Apr-2018
Category:	Documents
Upload:	bulentbk
View:	228 times
Download:	3 times

F5 Networks Certification Exams

Documents