
Which product would you sell to a customer who wanted 20Gbps or more of an always-on, in-line mitigation capacity?

Select one:
a. None of the above

b. APS 2600

c. vAPS
d. APS 2800

When an administrator removes a temporarily blocked host from the list on View Protection Group page:
that host is removed from the temporarily blocked list

Select one:
a. and added to the permanent blacklist

b. until it fails another category of protection settings

c. until it fails a filter list category of protection settings


 d. and added to the permanent whitelist

Which delivery mechanisms are available for notifications?

Select one:
a. Syslog, Email, HTTP

b. HTTP, SNMP, Email

c. Syslog, SNMP, HTTP

d. SNMP, Syslog, Email

The Web Traffic by Domain section on the View Protection Group page displays the

Select one:
a. blocked traffic for Web servers

b. top URLs for a domain name

c. blocked traffic for DNS servers


 d. domains with the most Web traffic
It is a good operational practice to:

Select one:
a. Filter and drop all traffic unnecessary to a Protection Group

b. Use only the default Protection Group and set to the High Protection Level

c. Allow all the traffic destined to a Protection Group to pass through Arbor APS
d. Use only the High Protection Level with all mitigations enabled

Which of the following statements best describes the Block Malformed DNS Traffic category?

Select one:
a. It blocks any DNS messages (valid or invalid) that are sent to invalid ports

b. It blocks only invalid or blank DNS messages that are sent faster than a certain rate per second

c. It blocks DNS messages that produce NXDomain error responses from the DNS server
 d. It blocks any invalid or blank DNS messages that are sent to port 53

The traffic that is inspected by the TCP Connection Reset settings is (Choose all Correct answers)

Select one or more:

 a. dropped to force the client to re-establish the connection X


b. held until it meets the specified thresholds before being forwarded to the server

 c. monitored to identify and block sources that are connected but do not maintain a minimum level of
activity
d. set to a lower Quality Of Service (QoS) level before being forwarded to the server

Only C

It is a Security best practice to:

Select one:
a. Use telnet because it is very easy to use

 b. Use SSH and HTTPS to access Arbor APS

c. Enable BGP in the enterprise


d. Allow HTTPS from any IP address
To check the available disk space on Arbor APS,

Select one:
a. search the System Events for hardware device alerts

b. look at the bottom of the Summary page

c. use the CLI command / system file show

d. use the CLI command / system disk show

The defining characteristic of the hosts that the Application Misbehavior settings block is

Select one:
a. not enough data sent to the server in the past minute

b. an out of order Al packet

c. too many SYN packets sent


 d. too many FIN packets interrupting a server response

Which of the following is the most appropriate time to set the global protection level to medium?

Select one:
a. When highest level of protection is required with no consideration for blocking legitimate traffic

 b. When under significant attack and stricter protection settings are needed. Unusual good traffic may
be dropped.
c. During non-attack time periods for everyday use.
d. When legitimate traffic cannot be blocked.
How does the TCP SYN Flood Detection category aggregate packet rates?

Select one:
 a. By source IP

b. By source subset
c. By country
d. By TCP port

To ensure Cloud Signaling communications, which ports must be able to pass traffic through any firewalls
between Arbor APS and the Cloud Signaling Server?

Select one:
 a. 443 and 20007 X

b. 443

c. 443, 25, and 20007

d. 443 and 7550

Answer: D

Which protocol and port are used to download updates from the ATLAS Intelligence Feed (AIF) server?

Select one:
a. SSH (port 22)
b. Cloud Signaling (port 7750)
c. Telnet (port 23)

 d. HTTPS (port 443)

Which of the following statements about temporarily blocked hosts is true?

Select one:
 a. They can be updated dynamically by the protection settings and manually by users
b. They are only updated manually by users
c. They are only updated dynamically as a result of the protection settings
d. They are added manually and removed dynamically

Answer: C

What UDP port must be open for Cloud Signaling to function?

Select one:
a. 443

 b. 7550

c. 80
d. 8080

The DNS Rate Limiting settings restrict traffic to a specific number of requests per

Select one:
 a. 1 second

b. 30 seconds

c. 1 minute
d. 5 minutes

Which statement regarding Profile Capture is wrong?

Select one:
a. A rate setting must be configured with a numeric value (i.e. max values)
b. An attack that happened during a profile capture will not impact data accuracy

c. A protection must be enabled to populate the profile data for that protection
 d. Inaccurate profiled data may result from changing the protection level during capture

Answer: A

TLS Attack Prevention settings can be used to

Select one:
a. block only malformed TLS requests

 b. block malformed SSL and TLS requests

c. block malformed SSL and TLS responses


d. block malformed SSL and TLS requests and responses
When the global protection level is low, Arbor APS should

Select one:
a. prevent all attacks

b. block absolutely no traffic

c. disable automatic AIF updates

 d. not block legitimate traffic

Arbor Networks APS is targeted to secure

Select one:
a. transit providers networks.

b. distributed router infrastructure.


c. Intranet security systems.
 d. Internet Data Centers

Where can the Arbor APS license key be found?

Select one:
a. Quick Start Card

 b. License Card

c. Appliance lid sticker


d. License Management area of the Arbor Web site

Answer: A

How does ICMP Flood Detection work?

Select one:
a. It blocks all ICMP packets of the protection group

b. It blocks malformed ICMP packets

 c. It temporarily blocks sources that exceed the configured rate limit for ICMP packets

d. It temporarily blocks destinations that receive more ICMP packets than the configured
threshold

True or False: Outbound threat filtering allows you to apply outbound Server Types to any Protection
Group.

Select one:
True

False

FALSE

Which statement about Traffic Based Alerting is correct?

Select one:
a. It is possible to define maximum thresholds for alert triggering for each baseline type globally

b. You can configure underrate alerts per protection group

 c. It is possible to define minimum thresholds for alert triggering for each baseline type globally
d. You can not disable alert types per protection group

What are the attack mitigation capabilities of the APS 2800?

Select one:
a. 10 - 20 Gbps

b. 1 - 2 Gbps

 c. 10 - 40 Gbps

d. 500 Mbps - 20 Gbps

Until DNS authentication validates the source of DNS requests, Arbor APS

Select one:
a. blocks the traffic and adds the source to the permanent blacklist

 b. blocks the traffic but not the source

c. blocks the traffic and temporarily blocks the source


d. passes the traffic and temporarily blocks the source
Regular expressions are used in Arbor APS to define

Select one:
a. permanent blacklists

b. permanent whitelists

c. attack signatures
 d. protection group prefixes

Answer: A

What is ATLAS Intelligence Feed (AIF)?

Select one:
a. A scrolling marquee in the administrative Web interface.

b. An email subscription of attack news.

c. A list of regularly-updated attack signatures.

d. The protocol that is used for Cloud Signaling.

To configure TACACS+ authentication, set the host connection parameters

Select one:
a. on the Configure User Accounts page in the GUI

b. by using the CLI command / services aps authentication

c. on the Configure General Settings page in the GUI


 d. by using the CLI command / services aaa tacacs X

COULD BE B

How does the HSM handle encrypted traffic for which it does not have a certificate to decrypt?

Select one:
a. The traffic is passed encrypted

b. It proxies a session to gain the certificate

c. When this happens, the HSM is zeroized

d. An alert is generated and the traffic is dropped

Answer: A

Arbor APS provides alerting based on violation of traffic baselines. Which of the following is NOT a
baseline calculated by APS?

Select one:
 a. Non-blocked invalid packets

b. Total traffic

c. Botnet traffic
d. Blocked traffic

Which one of the following statements about application-layer attacks is true?

Select one:
a. They usually have high packet counts

 b. They are prevented by firewalls

c. They exhaust bandwidth

d. They primarily target HTTP and DNS servers

Answer: D

What is displayed when viewing encrypted traffic on the Packet capture page of the UI?

Select one:
a. Only packets that are passed are displayed in English

b. Only packets that are dropped are displayed in English

 c. Only encrypted traffic is displayed, however the drop reason (in English) is shown if the packet
was dropped

d. All traffic displayed is unencrypted


When traffic exceeds either of the configured rates in the Traffic Shaping category, that traffic is

Select one:
a. passed

b. remarked with a different DSCP

c. redirected
 d. blocked

The IP Location section on the View Protection Group page displays the

Select one:
a. top IPs for the protection group
b. blocked traffic for the protection group
c. prefix for the protection group
 d. countries with the most traffic for the protection group

Where do temporarily blocked hosts appear in the GUI?

Select one:
 a. View Protection Group page

b. Protection Groups section on the Summary page


c. Blacklist tab on the Configure Protection Groups page
d. Generic Server tab on the Configure Protection Groups page

When an administrator blocks a country in the IP Location section for a DNS Server protection group,

Select one:

a. traffic from protected DNS infrastructure to recursive DNS servers located in this country is
blocked

 b. traffic from this country is blocked


c. DNS queries for domains in corresponding TLD are blocked

d. all DNS queries from this country are replied with NXDomain message

True or False: Arbor APS's out-of-the-box configuration provides an IPv6 Default Protection Group.

Select one:
 True X
False

FALSE

Before upgrading the Arbor APS package, the administrator must first

Select one:
a. uninstall the ArbOS package

b. make sure all incoming traffic has stopped

c. contact Arbor support for a new license key


 d. stop the APS service

On any page in the system, clicking the Create a PDF icon on the Arbor Smart Bar results in

Select one:
a. a new report being available for download from the Reports page

b. a new diagnostic package being created and available for download


c. a report being generated and emailed to the administrator
 d. a prompt to download a report created from the current page

Which of the following pages displays the total traffic, passed traffic, blocked traffic, and number of blocked
hosts for a protection group?

Select one:
 a. View Protection Group page

b. Protection Group page, in the Traffic menu

c. Summary page, under Protection Groups

d. Summary page, in the Overview graph


An administrator can view the detailed statistics that are associated with blocked traffic for a protection
group by

Select one:
a. clicking the Details button in the Attack Categories section

b. drilling into the Top Protocols section

 c. viewing the Traffic Summary widget X


d. clicking the Details button in the Top Domains section

Answer: A

Which of the following mitigations applies to both IPv4 and IPv6 traffic?

Select one:
a. TCP Connection Reset

 b. Payload Regular Expression


c. HTTP Rate Limiting
d. Block Malformed DNS Traffic

An Intrusion Prevention System (IPS) that is deployed behind Arbor APS may

Select one:
a. be configured to accept traffic from the external mitigation port IP

 b. have a reduced traffic burden.

c. cause false positives in Arbor APS protection.


d. have to be updated with new rules to pass Arbor APS Cloud Signaling traffic.

What should an administrator consider when changing the global protection level?

Select one:
 a. The higher the protection level, the more legitimate traffic might be blocked

b. The low protection level cannot prevent Malformed HTTP attacks

c. Protection levels have an impact only when the deployment is in monitor mode
d. Prevention of an ongoing attack is never changed if the protection level is lowered
Packets from whitelisted hosts are

Select one:
a. passed only after being inspected by all of the other protection categories
 b. passed immediately without further inspection
c. dropped without further in
d. passed to the Filter List for further inspection

Which of the following protection settings best protects against an HTTP attack that has no User-Agent
field in the HTTP header?

Select one:

a. HTTP Header Regular Expressions

b. AIF Botnet Signatures


 c. Basic Botnet Prevention as it checks for incomplete headers

d. Spoofed SYN Flood Prevention

In the Configure General Settings page, which setting is valid for restrictive data retention?

Select one:
 a. 20 days

b. 5 minutes
c. 10 hours

d. 40 years

Which of the following system resources does NOT appear on the Summary page?

Select one:
a. CPU Utilization
b. Memory Utilization
 c. Disk Utilization
d. Interface Utilization
Which of the following statements best describes the Cloud Signaling handshake protocol?

Select one:

a. Arbor APS always initiates a connection to the Cloud Signaling Server on TCP port 443 using SSL
 b. Both the Cloud Signaling Server and Arbor APS initiate connections to each other on TCP port
443 using SSL X
c. Both the Cloud Signaling Server and Arbor APS initiate UDP connections on port 20007

d. The Cloud Signaling Server always initiates a connection to Arbor APS on TCP port 443 using
SSL

Answer: A

In a Protection Group for which the ATLAS Intelligence Feed (AIF) Botnet Signature settings are
enabled for each Protection Level, what action must be performed to ensure that every botnet signature
is applied to all traffic destined for that Protection Group?

Select one:
a. Enable the Basic Botnet Prevention setting in that protection group

 b. Verify that Arbor APS is in active mode X


c. Set the protection level for the group to high
d. Verify that an AIF revision occurred in the last 24 hours

Answer: A

Which combination of protocols does Cloud Signaling use?

Select one:
a. TCP handshake and TCP heartbeats and signaling
 b. TCP handshake and UDP heartbeats and signaling

c. UDP handshake and UDP heartbeats and signaling

d. UDP handshake and TCP heartbeats and signaling


The Web site is down. The View Protection Group page in Arbor APS shows an abnormally high level of
traffic from Iran, but very few attack categories are blocking traffic. The traffic level has not reached the
Cloud Signaling threshold. Which of the following remedies is most appropriate?

Select one:
a. Set the global protection level to high

b. Select and block URLs in the Web Traffic By URL section of the View Protection Group page

c. Block Iran in the IP Location section of the View Protection Group page
 d. Initiate a Cloud Signaling request for mitigation X

Answer: C

When you restore protection settings for a standard server type to their default values

Select one:

a. the settings of any related custom server types that used this standard server type as its base
server type are not affected

b. the settings of any related custom server types that used this standard server type as its base
server type are set to match the settings of another generic server type

c. the settings of any related custom server types that used this standard server type as its base
server type are set to match the settings of another custom server type

 d. the settings of any related custom server types that used this standard server type as its base
server type are returned to their default settings

Answer: A

Which CLI command is used to show Arbor APS's current bypass status?

Select one:
 a. services aps bypass show

b. services bypass show status

c. aps bypass status show all


d. bypass status
What happens to a host that exceeds the Rate-based Blocking thresholds?

Select one:
a. The source host is added to the Temporarily Blocked Hosts list

b. Traffic is rate-shaped according to the Traffic Shaping settings

c. The source host is added to the global permanent blacklist


 d. Traffic above the threshold rate is blocked

Answer: A

What port is not inspected by TCP Connection Reset prevention?

Select one:
a. 443 (HTTPS)

b. 22 (SSH)

 c. 25 (SMTP)
d. 80 (HTTP)

Answer: B

What are the attack mitigation capabilities of the APS 2600?

Select one:
a. 10 - 20 Gbps

 b. 1 - 2 Gbps

c. 10 - 40 Gbps

d. 100 Mbps - 20 Gbps

Answer: D

Which of the following services can the TCP SYN Flood Detection settings protect?

Select one:
a. TFTP

b. LWAPP

c. NTP
 d. HTTP

What information does the Blocked Hosts Log page provide?

Select one:

a. A record of all of the destination hosts that have been blocked, including the temporarily blocked
destinations

b. A record of all of the source hosts that have been blocked, excluding the temporarily blocked
sources
c. A record of all of the source and destination hosts that have been blocked, including the
temporarily blocked hosts X

d. A record of all of the source hosts that have been blocked, including the temporarily blocked
sources

Answer: D

Which of the following are best practices?

Select one:

 a. Use radius/tacacs authentication. Use NTP to ensure all devices have their time synchronized.
Restrict the use of 0.0.0.0/0 when defining access lists
b. Leave the default password configured for the Admin account

c. Don't generate backups but, if they are required, be sure to store them locally on the
appliance

d. Do not use Radius/Tacacs authentication and NTP. Use 0.0.0.0/0 when creating
access lists

Select the value proposition(s) for the Virtual APS (vAPS) product.

Select one:
a. Via Cloud Signaling it can be fully integrated with in-cloud DDoS protection (e.g., Arbor Cloud) for
comprehensive DDoS protection

b. Allows the customer to take advantage of the benefits of a virtual environment

c. Virtual, Cloud-based licensing enables easy turn up/down of vAPS services


 d. All the Above

Which of the following is an Arbor APS deployment mode?

Select one:
a. Monitor
 b. Active X
c. Passive
d. Inactive

Answer: A

The primary reason that Arbor APS uses UDP for its heartbeats is so that it can

Select one:
 a. signal upstream during a volumetric attack

b. keep TCP ports open for other protocols

c. modify encryption details


d. keep message sizes smaller

The global Protection Level affects

Select one:
a. only the default protection group

 b. all of the protection groups except those that have their own protection level configured

c. all of the protection groups regardless of any other settings


d. Only standard server types

Which of the following documentation contains the instructions for upgrading the Arbor APS software?

Select one:
a. Deployment Guide
b. Quick Start Card

c. License Email
 d. User Guide

If the administrator forgets the administrative password to Arbor APS,

Select one:
a. The appliance must be physically returned to Arbor Networks

b. It can be recovered by booting from CD-ROM and following a reset process

c. It can be recovered by booting from flash and following a reset process


 d. The appliance must be physically returned to the reseller to be re-imaged X

Answer: C

A regular expression can best be described as

Select one:
a. a way to distinguish HTTP requests from each other

b. validation that a network client is not an attacker

 c. a concise and flexible way to match strings of text

d. a way to match an exact sequence of standard deviations

Blacklist and Whitelist are synced using handshake communications when? (select all correct answers)

Select one or more:


a. Every 12 Hours

b. The Global Blacklist/Whitelist is changed


c. Cloud-Signaling configuration settings are changed

d. Connecting to new SP deployment

Answer: B

What do the TCP SYN Flood Detection settings measure?

Select one:
a. HTTP requests per second

 b. Packets per second
c. Bits per second

d. Flows per second


What happens when DNS traffic exceeds the criteria that are defined in the DNS Rate Limiting settings?

Select one:

a. The traffic above the limit is dropped

 b. The traffic is blocked but the source is not blocked X
c. The traffic is passed and the source is temporarily blocked
d. The traffic is blocked and the source is added to the permanent blacklist

Answer: D

How is HSM configuration performed?

Select one:
 a. Via the CLI

b. The HSM arrives preconfigured from the factory

c. Via both the CLI and UI

d. Via the UI

When a source host is automatically blocked by an inbound mitigation, traffic to that same source in the
outbound direction:

Select one:
a. Is blocked only if the outbound threat filter determines it should be blocked

b. Is modified to include a spoofed source address flag

 c. Is automatically blocked X
d. Is never blocked

Answer: A or D

Which of the following is a valid location in the GUI for blocking and unblocking traffic coming from one or
more countries?

Select one:

a. Inbound Blacklists configuration page

 b. Administration > Blacklists

c. IP Location management page


d. Whitelist configuration page

Answer: C

Which resource of a network or host does a TCP SYN flood attack attempt to exhaust?

Select one:
a. ARP Table

b. Partitioning table

 c. Connections table
d. Routing Table

What is the correct workflow (order of tasks) to set or optimize rate-based countermeasure settings using
Profile Capture?

Select one:
a. 1. Fine Tune Protection Settings, 2. Analyze Profile Data, 3. Capture Profile Data

 b. 1. Analyze Profile Data, 2. Capture Profile Data, 3. Fine Tune Protection Settings

c. 1. Capture Profile Data, 2. Analyze Profile Data, 3. Fine Tune Protection Settings

d. 1. Disable Traffic Alerting, 2. Capture Profile Data, 3. Analyze Profile Data

Answer: C

Which section of the View Protection Group page can be used to block traffic from a specific country?

Select one:
a. Top Protocols

b. Top Services
c. Temporarily Blocked Sources
 d. IP Location

The display timeframe of traffic graphs for a protection group is

Select one:
a. customizable via the command line during installation

b. decided by the Arbor APS system depending on uptime

c. changed for all traffic graphs at the top of the View Protection Group page

d. changed for each traffic graph independently above the relevant graph X

Answer: C

The DNS Regular Expression settings are most appropriate for blocking

Select one:
 a. a specific HTTP request

b. the traffic that exceeds NXDomain rate-based limits

c. the traffic that exceeds DNS rate-based limits


d. a specific DNS request

Answer: D

What statement is true when you blacklist or whitelist from within a page that contains protection group-level information?

Select one:
a. If you select all protection groups, it only applies to all protection groups of the same server
type

b. It can only apply to the specific protection group you are examining

c. It will always apply to all protection groups


d. You can choose whether you want it to apply to this protection group or to all protection groups

If the GUI is not accessible, which CLI command can an administrator use to check the status of the Arbor
APS hard drives?

Select one:
a. service aps alerts show

b. service log alerts

c. system hardware show

 d. system disks show


The HSM supports which private key format?

Select one:

 a. RSA PEM-encoded
b. PKCS7
c. PKCS12
d. DER

True or False: A unique username and password needs to be specified for each Cloud Signaling Server
that is added in Arbor APS's UI?

Select one:
 True

False

FALSE

Arbor APS attempts to match administrator specified HTTP regular expressions to traffic when

Select one:

a. the protection group type is DNS Server

 b. the value for the HTTP request limit is exceeded X


c. the global protection level is medium or high
d. any HTTP traffic is received

Answer: D

Which virtual system platforms are supported for vAPS?

Select one:
 a. KVM, VMware Hypervisor

b. VMware Hypervisor, VirtualBox

c. Microsoft Hyper-V, KVM


d. Virtual Box, KVM

To view the destination protocols that have the highest amount of traffic, display the

Select one:
a. View Protection Group page

b. List Protection Groups page


 c. System Overview on the Summary page X
d. Attack Categories for a protection group

Answer: A

Which of the following is NOT supported by Arbor APS for IPv6 traffic?

Select one:
a. Host Filtering on the Block Hosts Page

b. Inbound Black/Whitelisting

 c. Outbound Black/Whitelisting
d. Packet capture processing

If a valid and trusted Partner site was reported as having connectivity problems, an Administrator can

Select one:
a. Enable AIF Botnet Protection

b. Add a payload regular expression for the Partners address on the Configure Protection Group
page

c. Whitelist the site


d. Add an HTTP regular expression for the Partners address

Which CLI command checks the status of the APS service?

Select one:
a. / services aps show

b. / show aps services

c. / system hardware
d. / system aps show

Answer: A

What is not a Best Practice in configuring Arbor APS when protecting a Data Center?
Select one:
a. Configure Filter Lists to drop UDP traffic to all Protection Groups
b. While in Inactive Mode change protection levels to see if you see blocked hosts that you may want
to Whitelist in advance
c. Allow Internal traffic
d. Configure Filter Lists to drop unnecessary traffic into a Protection Group

Answer: A

In which of the following locations can an administrator block or unblock a country?


Select one:

a. View Protection Group page, Temporarily Blocked Sources section


b. Configure Protection Group page, DNS Regular Expression category
c. View Protection Group page, IP Location section
d. Configure Protection Group page, Whitelist tab

Answer: C

Which of the following can NOT be configured for Threshold based alerting?
Select one:
a. Blocked Traffic Threshold
b. Whitelisted Traffic Threshold
c. Total Traffic Threshold
d. Botnet Traffic Threshold

Answer: B

Which of the following does Arbor APS use to identify reputation-based threats?
Select one:
a. Pre-defined payload signatures that are delivered with the software package

 b. Virtual sandbox technology

c. Query to cloud-based reputation service


d. IP Address and DNS name

Answer: C

To enable DNS NXDomain protection, the administrator must configure a threshold to limit
the number of DNS requests that fail due to
Select one:
a. an invalid header

 b. a lack of responses from the server

c. a spoofed source address

 d. an unknown domain

Answer: C

What statement is true when you run a backup?


Select one:
a. You can only run one automatic backup at a time. If an automatic backup is in progress,
you can start a manual backup
 b. You can run multiple automatic and manual backups at the same time
c. You can only run one backup at a time. If an automatic backup is in progress, you
cannot start a manual backup
d. You can only run one manual backup at a time. If an automatic backup is in progress,
you can start another automatic backup

Answer: C

What CLI command is used to verify the versions of the AIF Feed components?
Select one:

a. / services aps aif versions show [feed_name]


b. / versions show aps aif [feed_name]
c. / system aps aif versions show [feed_name]
d. /aps aif versions show [feed_name]

Which delivery mechanisms are available for notifications?


Select one:
a. Syslog, SNMP, HTTP

b. SNMP, Syslog, Email


c. Syslog, Email, HTTP
d. HTTP, SNMP, Email

Answer: B