| Question 1 | When two PIX firewalls are configured for failover, what is sent across the serial cable? |
| A1: | Answer C is correct. The serial cable connects two PIX firewalls to replicate RAM configuration and tests the power status of the other unit. Answers A, B, and E are incorrect because xlate and connection tables are not sent across the serial connection; they are sent across a dedicated Ethernet interface if stateful failover is configured. Answer D is incorrect because only the RAM configuration is sent across the link, not the flash configuration. |
| Question 2 | If a primary PIX firewall is the active unit, what happens to the current IP addresses if its interface fails? -
A. The IP addresses on the primary and secondary are both set to the standby IP addresses. -
B. All IP addresses are removed, and the primary is put in a secondary state. -
C. The IP addresses become those of the standby PIX firewall. -
D. The primary shuts down. |
| A2: | Answer C is correct. When the IP address interface fails on the primary active unit, the primary inherits the secondary IP addresses and the secondary inherits the primary unit's address and becomes the active unit. Answer A is incorrect because the secondary inherits the primary address and becomes active. Answer B is incorrect because the IP addresses change to that of the secondary. Answer D is incorrect because the unit does not shut down when it becomes a secondary unit; it just inherits the secondary unit's IP and MAC addresses. |
| Question 3 | When designing a stateful failover topology, what is required? (Select two.) -
A. One interface interconnecting the firewalls -
B. A special PIX serial cable -
C. Token-Ring connections -
D. Four interfaces interconnecting the firewalls |
| A3: | Answers A and B are correct. To establish stateful failover with the answers provided, a special serial interface cable is needed to link the primary and secondary units. This cable identifies which unit is the primary and which is the secondary. It also is used to detect power status and transfer configuration information between the firewalls. Next , each PIX needs a dedicated Fast Ethernet interface to interconnect them so stateful information can be passed. Answer C is incorrect because Token-Ring is not supported for failover. Answer D is incorrect because four interfaces are not needed to support stateful failover; only two are needed, at the most. |
| Question 4 | If a serial-based failover topology is configured, how is the configuration set up on the secondary firewall? -
A. The primary unit is configured and replicated to the standby unit. -
B. The standby unit is configured and replicated to the primary unit. -
C. The primary unit sends the configuration after a failure is detected . -
D. The standby unit configuration is manually entered. |
| A4: | Answer A is correct. As changes are made on the primary unit, they are automatically replicated to the secondary unit, although they can also be forced with the write standby command. Answer B is incorrect because changes are never replicated from the secondary unit to the primary unit. Answer C is incorrect because the configuration is always replicated before a failover occurs. Answer D is incorrect because the secondary is configured from the primary and replicated across. |
| Question 5 | Configuration information is replicated automatically from the primary to the secondary PIX firewall. |
| A5: | Answer A is correct. When set up in failover mode, the primary unit automatically sends configuration settings to the secondary unit's RAM. Therefore, answer B is incorrect. |
| Question 6 | What is required to make standard serial failover work? (Select two.) -
A. The same software on both -
B. Different software on both -
C. One primary model and one secondary hardware model -
D. The same hardware for both primary and secondary |
| A6: | Answers A and D are correct. For failover to work, several items need to be exactly the same between the two firewalls: RAM size, flash size, software versions, the number of interfaces, and the hardware model. Answer B is incorrect because software versions should be exactly the same for maximum compatibility. Answer C is incorrect because Cisco does not use different hardware for the primary and secondary units. Cisco uses licensing to unlock primary and secondary capabilities on the PIX firewalls. |
| Question 7 | What happens to the active connections when firewalls are configured for non-stateful failover? -
A. Only TCP connections are dropped. -
B. Only UDP connections are dropped. -
C. All the connections are dropped. -
D. Configuration is not replicated. |
| A7: | Answer C is correct. When configured for non-stateful failover, all the connections are dropped because the xlate and connection tables are not replicated across. Therefore, answers A, B, and D are incorrect. |
| Question 8 | When using the special serial failover cable, what function does it provide? (Select three.) -
A. It sends stateful connection information. -
B. It checks the power status of the other firewall. -
C. It designates the units' identifications. -
D. It routes IP traffic when outside interfaces fail. -
E. It provides communication between the units. |
| A8: | Answers B, C, and E are correct. The special serial cable is labeled with primary and secondary to help identify which unit is designated for which purpose and to provide communication between the units. Answer A is incorrect because the serial cable does not send stateful information; the dedicated interface is used for that function. Answer D is incorrect because the serial cable does not route traffic. |
| Question 9 | The Cisco PIX 506E supports failover capabilities. |
| A9: | Answer B is correct. Only the PIX 515, 525, and 535 support failover capabilities, not the PIX 506 or 501. Therefore, answer A is incorrect. |
| Question 10 | Before using stateful failover what is required? (Select three.) -
A. A special Cisco serial cable -
B. Special failover IOS software -
C. Two dedicated Ethernet interfaces -
D. Unrestricted software licensing |
| A10: | Answers A, C, and D are correct. To support stateful failover, a special serial cable, two dedicated interfaces (one on each PIX), and unrestricted software licensing are all valid requirements. Answer C is correct because, in the case of LAN-based failover, two dedicated interfaces are needed. Answer B is incorrect because no software is needed; only the activation in licensing is necessary. |
| Question 11 | When hello message packets are sent, how many can be missed before failover starts? |
| A11: | Answer B is correct. If two hello messages are missed, the sequence of failover starts. Hello messages, by default, are sent out every 15 seconds. So, in 30 seconds the secondary unit initiates the process of becoming active if two messages are missed. Therefore answers A, C, and D are incorrect. |
| Question 12 | Which command enables failover? -
A. failover active -
B. failover enable -
C. failover on -
D. active failover |
| A12: | Answer A is correct. The command to enable failover is failover active . Answers B, C, and D are all invalid commands and are therefore incorrect. |
| Question 13 | What happens during the network activity test? (Select two.) -
A. The PIX monitors for ARP requests for 5 seconds. -
B. The PIX monitors for valid frames for 5 seconds. -
C. If no activity is found, the PIX moves into standby mode. -
D. If no activity is found, the PIX moves on to the next test. |
| A13: | Answers B and D are correct. In the network activity test, the PIX monitors for any valid frame, not just ARP requests. If activity is found, the failover testing is aborted and the system goes back to normal. If the test fails, the PIX moves on to the next test, which is the ARP test. Therefore, answer C is incorrect. Answer A is incorrect because it states that only ARP requests are monitored , making it less correct than answer B. |
| Question 14 | When a failover to a standby PIX occurs, what needs to be done to client computers? -
A. Change their default gateway addresses. -
B. Reboot to autodetect the new active firewall. -
C. Receive new addresses from the DHCP server. -
D. Nothing. |
| A14: | Answer D is correct. When the secondary firewall becomes active, it inherits the IP address and MAC addresses of the primary firewall. The clients are unaffected by this change, and no modifications are needed on their computers. Answers A, B, and C are therefore incorrect. |
| Question 15 | When configuring for stateful failover, what basic commands are required? (Select three.) -
A. failover active -
B. failover enable -
C. failover ip address inside 192.168.8.2 -
D. failover stateful st_fal -
E. failover secondary ip address inside 192.168.8.2 -
F. failover link st_fal |
| A15: | Answers A, C, and F are correct. Only three of these commands are valid commands. The failover active command enables failover; the failover ip address inside 192.168.8.2 command sets the secondary standby IP address; and the failover link st_fal command defines the interface named st_fal as the interface to be used for stateful replication. Therefore, answers B, D, and E are incorrect. |
