JNCIS-FWV Exam Objectives (Exam: JN0-533)

This list provides a general view of the skill set required to successfully complete the specified certification exam.

System Setup and Initial Configuration
Layer 3 Operations
Security Policies
NAT
IPsec VPNs
High Availability
Attack Prevention
System Administration, Management and Monitoring

System Setup and Initial Configuration

  • Identify the concepts and components of ScreenOS software
    • Security architecture components
    • Packet flow and decision process
    • IPv6 packet handling
    • ScreenOS firewall/VPN product lines
    • System components
  • Demonstrate knowledge of how to configure basic elements of ScreenOS software
    • Interfaces
    • Zones
    • Management access and services
    • User accounts and authentication
    • Administrative lockout options
    • DNS configuration
    • NTP configuration
  • Describe how to configure and monitor interfaces
    • VLANs, aggregated Ethernet
    • Management interface
    • Bridge Group
    • Tunnel interfaces
    • Loopback interface
    • Interface modes
    • Redundant Ethernet
  • Identify the concepts and functionality of virtual systems (vsys)
    • vsys interfaces and zones
    • Inter-vsys routing
    • Profiles
    • CPU resource management

Layer 3 Operations

  • Identify the concepts and functionality of Layer 3 operations (IPv4 and IPv6)
    • Routing lookup flow
    • Virtual routers
    • Static and default routing
    • Dynamic routing - RIP, OSPF, BGP
    • Considerations for routing over VPNs
    • Route optimization and aggregation
    • Route redistribution; access lists and route maps
    • Source-based vs. policy-based routing
    • IPv6 modes
  • Demonstrate knowledge of how to configure, monitor and troubleshoot Layer 3 operations (IPv4 and IPv6)
    • Zones
    • Interfaces
    • IP addressing
    • Virtual router
    • Static/default routes, including floating static routes
    • RIP
    • OSPF
    • BGP
    • Redistribution
    • Access lists and route maps
    • Source-based and policy-based routing
    • Layer 3 verification
    • Layer 3 troubleshooting - get vrouter, debug, flow filter, session table

Security Policies

  • Identify the concepts and functionality of security policies
    • Zones and policies
    • Policy components
    • Policy options
    • Policy ordering
    • Policy scheduling
    • Global policies
    • Multicell policies
    • Address books
    • Policing and guaranteed bandwidth
    • Services
  • Demonstrate knowledge of how to configure, monitor and troubleshoot security policies
    • Address books and address groups
    • Services and service groups
    • Policy verification
    • Policy troubleshooting - debug, get session

NAT

  • Identify the concepts and functionality of NAT
    • Interface-based vs. policy-based NAT
    • NAT type usage
    • Source NAT (NAT-src)
    • Dynamic IP addresses (DIP)
    • Destination NAT (NAT-dst)
    • Virtual IP addresses (VIP)
    • Mapped IP addresses (MIP)
    • Precedence
  • Demonstrate knowledge of how to configure, monitor and troubleshoot NAT
    • Policy-based NAT
    • Dynamic IP addresses (DIP)
    • Reachability/Routing
    • VIP and MIP
    • NAT verification
    • NAT troubleshooting - debug, get session, and traffic logs

IPsec VPNs

  • Identify the concepts and functionality of IPsec VPNs
    • Secure VPN characteristics and components
    • Encapsulating Security Payload (ESP)
    • Authentication Header (AH)
    • IPsec tunnel establishment - Internet Key Exchange (IKE)
    • Hub-and-spoke IPsec VPNs
    • Policy-based vs. route-based IPsec VPNs
    • Next-hop tunnel binding (NHTB)
    • Next Hop Resolution Protocol (NHRP)
    • Fixed vs. dynamic peers
    • Tunnel interfaces
    • Preshared keys
    • VPN Monitor
  • Demonstrate knowledge of how to configure, monitor and troubleshoot IPsec VPNs
    • Interfaces
    • Objects
    • IKE
    • Policy
    • Routing
    • VPN Monitor
    • IPsec VPN verification
    • IPsec VPN troubleshooting - system/event log, debug, get ike, get sa

High Availability

  • Identify the concepts and requirements for high availability (HA) in a ScreenOS firewall/VPN environment
    • NetScreen Redundancy Protocol (NSRP) characteristics
    • NSRP modes; usage guidelines
    • Links, ports and zones
    • Virtual security device (VSD), virtual security interfaces (VSI) and VSD groups
    • VSD states
    • Run-time objects (RTOs)
    • HA probes
    • Failover tuning
    • IP tracking
    • Virtual Router Redundancy Protocol (VRRP)
    • Redundant interfaces
    • Links between the firewalls
    • Redundant VPN gateways
  • Demonstrate knowledge of how to configure, monitor and troubleshoot HA
    • HA link
    • Cluster settings
    • Interfaces
    • VSD settings
    • RTO synchronization
    • Tracking and monitoring
    • Redundant interface
    • HA verification
    • HA monitoring for VPNs - IKE heartbeats, dead peer detection
    • HA troubleshooting - debug, get interface, get nsrp stats

Attack Prevention

  • Describe the purpose, configuration and operation of Screens
    • Attack types and phases
    • Screen options
    • Best practices
    • Configuration, verification and troubleshooting
  • Describe the purpose, configuration and operation of deep inspection (DI)
    • Attack object database
    • Custom attack objects
    • Signature database update methods
    • DI policies and actions
    • Licensing
    • Configuration, verification and troubleshooting
  • Describe the purpose, configuration and operation of Unified Threat Management (UTM)
    • Antispam profiles
    • Actions
    • Spam block list (SBL)
    • Antivirus scanning methods and options
    • Antivirus flow process
    • Licensing
    • Web filtering features and solutions
    • Data flow
    • Search order
    • White lists, black lists and categories
    • Configuration, verification and troubleshooting

System Administration, Management and Monitoring

  • Demonstrate knowledge of how to manage and monitor a ScreenOS firewall/VPN environment
    • File management
    • Password recovery
    • Licensing
    • Logs
    • Syslog
    • SNMP
    • Alarms
    • Counters