348 Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Questions
7 What is the minimum memory requirement for TurboACL to work?
A 8 MB
B 100 Kb
C 2.1 MB
D 4 MB
Answer: C
Chapter 8
"Do I Know This Already?" Quiz
1 What port does syslogd listen on by default?
Answer: Syslogd listens on UDP port 514 by default. This can be changed, however.
2 What is the total number of logging facilities available for syslog configuration?
Answer: Eight. The PIX sends to the local-use facilities local0 through local7, which are syslog facility numbers 16 to 23.
3 True or false: If the PIX is set to Warning level, critical, alert, and emergency messages are sent in addition to warning messages.
Answer: True
4 What is the command for sending syslog messages to Telnet sessions?
Answer: logging monitor
5 What is the logging trap command used for?
Answer: It determines what level of syslog messages are sent to the syslog server.
6 What is the command used to enable logging on the failover PIX unit?
Answer: logging standby
7 Why would you use the timestamp command parameter?
Answer: The timestamp parameter (logging timestamp) makes the PIX stamp each syslog message with its own date and time before sending it to the syslog server, so that events can be ordered and correlated when the logs are analyzed later. The PIX clock must be set correctly for the timestamps to be useful.
8 What is PFSS?
Answer: The PIX Firewall Syslog Server (PFSS) lets you view PIX Firewall event information from the Windows NT system.
Q&A
1 What is the command for sending syslog messages to the Telnet session?
A logging console
B logging monitor
C telnet logging
D send log telnet
Answer: B
2 What is the logging trap command used for?
Answer: It determines what level of syslog messages are sent to the syslog server.
3 True or false: PFSS stands for PIX Firewall System Solution.
Answer: False. PFSS stands for PIX Firewall Syslog Server.
4 PIX Firewall can be configured to send syslog messages to all of the following except which one?
A Console
B Telnet
C Serial
D Syslog server
Answer: C
5 Which of the following is not an example of a severity level for syslog configuration?
A Emergency
B Alert
C Prepare
D Warning
Answer: C
6 What is syslogd?
A A message type that forms the syslog services
B A service that runs on UNIX machines
C A hardware subcomponent that is required for syslog configuration on the PIX
D It gathers information on IT businesses in Japan.
Answer: B
7 What port does syslogd use by default?
A UDP 512
B TCP 514
C TCP 512
D UDP 514
Answer: D
8 True or false: The default facility number on the PIX Firewall is 18.
Answer: False. The default facility number is 20.
9 How are syslog messages organized?
A They are listed numerically by message code.
B They are listed by importance level.
C They are listed by date.
D They are not organized.
Answer: A
10 True or false: It is possible to disable specific syslog messages.
Answer: True
11 Windows NT 4.0 server can work as a syslog server with what?
A IIS configured for logging
B PIX Firewall Syslog Server application installed
C PIX Device Manager
D UNIX
Answer: B
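As an added example, not code from the book, the following Python decoder ties the Chapter 8 answers together: it splits the RFC 3164 PRI field of a UDP/514 datagram into facility and severity (PRI = facility * 8 + severity, so the PIX default facility local4 and a warning give 164), reads the severity and the numeric message code from the %PIX-n-nnnnnn tag, and replays what a syslog server would receive under a given logging trap level, with selected message codes disabled as no logging message would do. The sample datagrams are constructed for the example, not captured from a real device; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# PIX/syslog severity levels, most to least severe. A "logging trap <level>"
# setting forwards every message whose severity number is <= that level,
# so "warnings" (4) also sends errors, critical, alerts and emergencies.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# The PIX uses facilities local0-local7 (16-23); local4 (20) is the default.
LOCAL_FACILITIES = {16 + n: f"local{n}" for n in range(8)}

# Message body after the PRI: optional timestamp (logging timestamp), then
# %PIX-<severity>-<six-digit message code>: <text>
_BODY_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}):? )?"
    r"%PIX-(?P<sev>[0-7])-(?P<code>\d{6}): (?P<text>.*)$"
)


@dataclass(frozen=True)
class PixSyslog:
    facility: int
    severity: int
    code: int
    text: str
    timestamp: Optional[str]

    @property
    def facility_name(self) -> str:
        return LOCAL_FACILITIES.get(self.facility, f"facility{self.facility}")

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def parse_pix_syslog(line: str) -> PixSyslog:
    """Decode one UDP/514 datagram payload as the PIX emits it."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing <PRI> header")
    end = line.index(">")
    pri = int(line[1:end])
    # RFC 3164 encodes PRI = facility * 8 + severity
    facility, severity = divmod(pri, 8)
    m = _BODY_RE.match(line[end + 1:])
    if m is None:
        raise ValueError(f"not a PIX message: {line!r}")
    if int(m["sev"]) != severity:
        # The PRI and the %PIX-n- tag carry the same severity; a mismatch
        # means a mangled or forged datagram, which we refuse rather than guess.
        raise ValueError("PRI severity and %PIX-n- tag disagree")
    return PixSyslog(facility, severity, int(m["code"]), m["text"], m["ts"])


def trap_level(level) -> int:
    """Accept either form that 'logging trap' takes: a name or a number 0..7."""
    if isinstance(level, int):
        if 0 <= level <= 7:
            return level
        raise ValueError("severity must be 0..7")
    return SEVERITIES.index(level)


def forwarded(lines: Iterable[str], level="warnings", disabled=()) -> List[PixSyslog]:
    """Replay what the syslog server receives under 'logging trap <level>',
    with 'no logging message <code>' applied for every code in disabled."""
    threshold = trap_level(level)
    out = []
    for line in lines:
        msg = parse_pix_syslog(line)
        if msg.code in disabled:
            continue
        if msg.severity <= threshold:
            out.append(msg)
    return out


# Constructed sample datagrams (not captured from a real device). PRI 164 is
# local4 (20) * 8 + warnings (4); all four use the default facility.
SAMPLE_LINES = [
    '<164>%PIX-4-106023: Deny tcp src outside:198.51.100.7/4521 dst inside:10.1.1.20/23 by access-group "acl_out"',
    "<162>%PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/4522 to 192.0.2.1/23 flags SYN on interface outside",
    "<165>Jan 05 2004 13:45:10: %PIX-5-111008: User 'enable_15' executed the 'logging trap warnings' command.",
    "<166>%PIX-6-302013: Built outbound TCP connection 1289 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:10.1.1.20/3345 (192.0.2.1/1025)",
]

if __name__ == "__main__":
    for msg in forwarded(SAMPLE_LINES, "warnings"):
        print(f"{msg.facility_name} {msg.severity_name:<13} {msg.code} {msg.text}")
```

Run as a script it prints only the two messages at warnings or above (106023 and 106001); raising the level to debugging forwards all four, and passing a code in disabled drops that message regardless of level, which is the effect the Q&A's "it is possible to disable specific syslog messages" describes.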
Chapter 9
"Do I Know This Already?" Quiz
1 What are some things that trigger a failover event?
Answer: Loss of power, cable errors, memory exhaustion, administratively forcing the standby
2 What command assigns an IP address to the standby PIX Firewall?
Answer: failover ip address if_name ip_address
3 How many PIX Firewall devices can be configured in a failover configuration?
Answer: Two
4 What is the benefit of using LAN-based failover?
Answer: The 6-foot length limit of the serial failover cable no longer applies, so the two units need not sit side by side. The LAN-based failover interface also gives the units an alternative path for exchanging stateful information if the dedicated stateful link fails.
5 What is some of the information that is updated to the standby unit in a stateful failover configuration?
Answer: TCP connection table, translation table (xlate), negotiated H.323 UDP ports, port allocation table bitmap for PAT
6 What command forces replication to the standby unit?
Answer: write standby. (The failover active command, entered on the standby unit, forces that unit to become active; it is write standby that pushes the active unit's configuration to the standby.)
7 What command configures a LAN-based failover?
Answer: failover lan interface interface_name
8 What is the default failover poll in seconds?
Answer: 15 seconds
Q&A
1 Which two of the following cause a failover event?
A A reboot or power interruption on the active PIX Firewall
B Low HTTP traffic on the outside interface
C The failover active command is issued on the standby PIX Firewall
D Block memory exhaustion for 15 consecutive seconds or more on the active PIX
Answer: A, D
2 What is the command to view failover configuration?
A show failover
B failover
C view failover
D show me failover
Answer: A
3 Which of the following is/are replicated during a stateful failover?
A Configuration
B TCP connection table, including timeout information for each connection
C Translation (xlate) table
D Negotiated H.323 UDP ports
E All of the above
Answer: E
4 Which of the following is not replicated in a stateful failover?
A User authentication (uauth) table
B ISAKMP and IPSec SA table
C ARP table
D Routing information
E All of the above
Answer: E
5 What is the command to force configuration replication to the standby unit?
A write standby
B copy to secondary
C force secondary
D force conf
Answer: A
6 Which of the following is a stateful failover hardware restriction?
A The stateful failover configuration is supported only by PIX 535 models.
B Only fiber connections can be used in a stateful failover hardware configuration.
C A PIX with two FDDI cards cannot use stateful failover, because an additional Ethernet interface with FDDI is not supported.
D There is no hardware restriction for stateful failover configuration.
Answer: C
7 What command assigns an IP address to the standby Cisco PIX Firewall?
A secondary ip address ip address
B failover ip address if_name ip_address
C ip address ip address secondary
D ip address ip address failover
Answer: B
8 What is the command to configure a LAN-based failover?
A conf lan failover
B failover ip LAN
C failover lan interface if_name
D lan interface failover
Answer: C
9 What is an advantage of a LAN-based failover?
A It quickly fails over to a peer when a power failure on the active unit takes place.
B It does not have the 6-foot cable distance limitation for failover communication.
C It is preconfigured on the PIX.
D All of the above
Answer: B
10 What is the default failover poll in seconds?
A 10 seconds
B 15 seconds
C 30 seconds
D 25 seconds
Answer: B
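The commands named in the Chapter 9 answers above, assembled into one PIX 6.2-style primary-unit configuration as an added example; it is not a configuration from the book. Interface names (lanfail, stateful), the addresses and the shared key are placeholders chosen for the example.

```text
! Name the interfaces (PIX 6.x syntax); ethernet2 carries LAN-based failover
! hellos and ethernet3 carries stateful state replication.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 lanfail security20
nameif ethernet3 stateful security30
interface ethernet2 100full
interface ethernet3 100full
! Active-unit addresses (192.0.2.0/24, 10.1.1.0/24, 172.16.1.0/24 and
! 172.16.2.0/24 are placeholder networks)
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address lanfail 172.16.1.1 255.255.255.0
ip address stateful 172.16.2.1 255.255.255.0
! Addresses the standby unit uses on the same interfaces
! (failover ip address if_name ip_address, quiz question 2)
failover ip address outside 192.0.2.2
failover ip address inside 10.1.1.2
failover ip address lanfail 172.16.1.2
failover ip address stateful 172.16.2.2
! Dedicated link for stateful failover: TCP connections, xlates, negotiated
! H.323 ports and the PAT port bitmap are replicated over it; the uauth
! table, ISAKMP/IPSec SAs, ARP entries and routes are not.
failover link stateful
! LAN-based failover in place of the 6-foot serial cable (quiz question 7).
! The key is a placeholder shared secret; configure the same value on both units.
failover lan unit primary
failover lan interface lanfail
failover lan key ChangeMe123
failover lan enable
! Hello interval between the units; 15 seconds is the default (quiz question 8)
failover poll 15
! Turn failover on, then push this configuration to the standby unit
failover
write standby
```

The secondary unit only needs its interface, failover lan unit secondary and the same failover lan interface, key and enable lines before failover is turned on; write standby on the primary then replicates the rest, and show failover on either unit confirms which one is active and that the LAN-based and stateful links are up.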