Applies To:

Show Versions Show Versions

Manual Chapter: FirePass® Controller version 5.5 Administrator Guide: Glossary
Manual Chapter
Table of Contents   |   << Previous Chapter



An action is an ordered set of rules for evaluating a remote system. Each action invokes one or more inspectors. The action then uses rules to test the inspectors' findings. See also visual policy editor action.

action pane

See visual policy editor action pane.

active unit

In a redundant system, the active unit is the system that currently load balances connections. If the active unit in the redundant system fails, the standby unit assumes control and begins to load balance connections. See also redundant system.

administrative realm

See realm.

App Tunnels

App Tunnels are connections to a server on a corporate LAN that uses an HTTPS-based, encrypted tunnel through the FirePass controller


Authentication is the process of verifying a user's identity when the user is attempting to log on to a system. See also authentication method, authorization.

authentication method

An authentication method is mechanism that performs authentication or authorization of client traffic. The FirePass system supports the following methods: FirePass internal database, RADIUS authentication, VASCO DigiPass authentication, LDAP authentication, basic HTTP authentication to external server, initial signup on LDAP with subsequent strong internal password, Windows Domain authentication (pre-Windows 2000 compatibility), Active Directory authentication (Windows 2000 and later), HTTP Form-based authentication, client certificate passwordless authentication, and RSA SecurID authentication. See also authentication, authorization.


Authorization is the process of identifying the level of access that a logged-on user has been granted to system resources. See also authentication, authentication method.


A certificate is an online credential signed by a trusted certificate authority and used for SSL network traffic as a method of authentication. See also authentication, authentication method.

certificate authority (CA)

A certificate authority is an external, trusted organization that issues a signed digital certificate to a requesting computer system for use as a credential to obtain authentication for SSL network traffic. See also authentication, authentication method.

certificate revocation list (CRL)

A certificate revocation list is a list that an authenticating system checks to see if the SSL certificate that the requesting system presents for authentication has been revoked. See also authentication, authentication method, authorization.

certificate verification

Certificate verification is the part of an SSL handshake that verifies that a client's SSL credentials have been signed by a trusted certificate authority. Trusted certificates might serve as an authentication method to provide authorization to resources. See also authentication, authentication method, authorization.


See HTTP chunking.


A cipher is an encryption/decryption algorithm that computer systems use when transmitting data using the SSL protocol.

clientless mode

In clientless mode, the inspection process does not download any controls or plug-ins.


A cluster is a group of FirePass controller nodes that provide common user services, and can distribute the load of active sessions across all controllers in the cluster.

connection persistence

Connection persistence is an optimization technique whereby a network connection is intentionally kept open for the purpose of reducing handshaking.

connection pooling

Connection pooling is an optimization feature that pools server-side connections for re-use by other client requests. Connection pooling reduces the number of new connections that must be opened for server-side client requests.

Default master group

The Default master group is a master group that the FirePass system supplies with default setting values. You can use the Default master group as is, or you can modify it. You can also specify it as the source when you elect to copy settings from an existing master group when you create a new group. You cannot delete the Default master group.

domain name

A domain name is a unique name that is associated with one or more IP addresses. Domain names are used in URLs to identify particular Web pages. For example, in the URL, the domain name is

external authentication

External authentication refers to the process of using a remote server to store data for the purpose of authenticating users or applications attempting to access the FirePass system.


Failover is the process whereby a standby unit in a redundant system takes over when a software failure or a hardware failure is detected on the active unit. See also active unit and standby unit.

failover pair

See redundant system.

fallback rule

The fallback rule Is always the last rule in the ordered set of rules. It cannot be moved. It governs all cases that do not satisfy a preceding rule.

health monitor

A health monitor checks to see if a specific hardware item is functioning within its acceptable range. If the value returned is within the range, it is marked OK. If the item fails the check, it is marked ALARM. Different monitors exist for checking different services.

high availability

High availability is the process of ensuring access to resources despite any failures or loss of service in the setup. For hardware, high availability is ensured by the presence of a redundant system.

host virtual server

A host virtual server is a virtual server that represents a specific site, such as an Internet web site or an FTP site, and it load balances traffic targeted to content servers that are members of a pool.

HTTP chunking

HTTP chunking refers to the HTTP/ 1.1 feature known as chunked encoding, which allows HTTP messages to be broken up into several parts. Chunking is most often used by servers when sending responses.

HTTP redirect

An HTTP redirect sends an HTTP 302 Object Found message to clients.

ICMP (Internet Control Message Protocol)

ICMP is an Internet communications protocol used to determine information about routes to destination addresses.


i-mode® is a service created by NTT DoCoMo, Inc., that allows mobile phone users access to the Internet.


Inspectors consist of Active X controls or Java plug-ins that collect information about the client system.


A physical port on an F5 system is called an interface.


IPsec (Internet Protocol Security) is a communications protocol that provides security for the network layer of the Internet without imposing requirements on applications running above it.

JAR file

A JAR file is a file in JavaTM Archive (JAR) file format that enables you to bundle multiple files into a single archive file. Typically, a JAR file contains the class files and auxiliary resources associated with applets and applications.


JDBC is a JavaTM technology. It is an application programming interface that provides database management system (DBMS) connectivity across a wide range of SQL databases, as well as access to other tabular data sources, such as spreadsheets or flat files.

LDAP (Lightweight Directory Access Protocol)

LDAP is an Internet protocol that email programs use to look up contact information from a server.

LDAP authentication module

An LDAP authentication module is a user-created module that you implement on a FirePass system to authenticate client traffic using a remote LDAP server.

LDAP client certificate SSL authentication module

An LDAP client certificate SSL authentication module is a user-created module that you implement on a FirePass system to authorize client traffic using SSL client credentials and a remote LDAP server.

loopback adapter

A loopback adapter is a software interface that is not associated with an actual network card. The FirePass controller routing configuration uses loopback adapters on servers.

MAC (Media Access Control)

MAC is a protocol that defines the way workstations gain access to transmission media, and is most widely used in reference to LANs. For IEEE LANs, the MAC layer is the lower sublayer of the data link layer protocol.

MAC address

A MAC address is used to represent hardware devices on an Ethernet network.

master group

A master group is a collection of users that contains authentication settings, overall security configuration settings for groups of users, network access filtering policies, user experience, and user accounts.


Member is a reference to a system when it is included in a particular cluster. Clusters typically include multiple members.

name resolution

Name resolution is the process by which a name server matches a domain name request to an IP address, and sends the information to the client requesting the resolution.

NAT (Network Address Translation)

A NAT is an alias IP address that identifies a specific node managed by the FirePass system to the external network.

OCSP (Online Certificate Status Protocol)

OCSP is a protocol that authenticating systems can use to check on the revocation status of digitally-signed SSL certificates. The use of OCSP is an alternative to the use of a certificate revocation list (CRL). See also certificate revocation list (CRL).

OCSP authentication module

An OCSP authentication module is a user-created module that you implement on an LTM system to authenticate client traffic using a remote OCSP responder. The purpose of an OCSP authentication module is to check on the revocation status of a client SSL certificate.

OCSP responder

An OCSP responder is an external server used for communicating SSL certificate revocation status to an authentication server.

packet rate

The packet rate is the number of data packets per second processed by a server.

performance monitor

A performance monitor gathers statistics and checks the state of a target device.


See connection persistence or session persistence.

persistence profile

A persistence profile is a configuration tool for implementing a specific type of session persistence. An example of a persistence profile type is a cookie persistence profile.


Pipelining is a feature of HTTP/1.0 that allows clients to make requests even when prior requests have not yet received a response from the server.


A port can be represented by a number that is associated with a specific service supported by a host.

pre-logon sequence

A pre-logon sequence is a named set of inspectors, rules, and actions, which evaluates each endpoint system presented for log on to the FirePass-controlled network.

primary node

A primary node handles incoming connections, and then redirects each session to an available secondary node, or services the connection itself.

protected configuration

A protected configuration uses information that the inspectors gather. If the system meets the requirements configured in the protected configuration, the user is granted access to the resource requested. See also inspectors.

Quality of Service (QoS) level

The Quality of Service (QoS) level is a means by which network equipment can identify and treat traffic differently based on an identifier. Essentially, the QoS level specified in a packet enforces a throughput policy for that packet.

RADIUS (Remote Authentication Dial-in User Service)

RADIUS is a service that performs remote user authentication and accounting. Its primary use is for Internet Service Providers, though it can also be used on any network that needs a centralized authentication and/or accounting service for its workstations. See also RADIUS authentication method.

RADIUS authentication method

A RADIUS authentication method is a option that you can select on a FirePass system to authenticate client traffic using a remote RADIUS server. See also RADIUS (Remote Authentication Dial-in User Service).


A realm is a complete set of roles, master groups, and resource groups, which extends the role-based administration and simplifies FirePass controller administration by providing an organizational structure for master groups and their associated resource groups.

redundant system

Redundant system refers to a pair of units that are configured for failover. In a redundant system, there are two units, one running as the active unit and one running as the standby unit. If the active unit fails, the standby unit takes over and manages connection requests.

resource group

A resource group is a collection of resources, which includes your company intranet servers, applications, and network shares.

responder object

See OCSP responder object.

reverse proxy

A reverse proxy acts as a gateway to the internal HTTP servers by being the final IP address for requests from the outside. This is the function of the FirePass controller. From the client's point of view, the reverse proxy is the actual HTTP server.

RFC 1918 addresses

An RFC 1918 address is an address that is within the range of non-routable addresses described in the IETF RFC 1918.


RTSP (Real-Time Streaming Protocol) establishes and controls one or more time-synchronized streams of continuous media such as audio or video.


In the visual policy editor, a rule determines the flow of actions. The outcome of the evaluation in a rule grants or denies access or sends the flow to the next action. A rule uses data from variables returned by inspectors to determine user access criteria.


A sequence is a set of actions and rules that act in concert to collect information about the end-user's system before granting or denying access to the FirePass controller.

server-side SSL

A server-side SSL profile is an SSL profile that controls SSL traffic going between a FirePass system and a destination server system.


Service refers to services such as TCP, UDP, HTTP, and FTP.

SNMP (Simple Network Management Protocol)

SNMP is the Internet standard protocol, defined in STD 15, RFC 1157, developed to manage nodes on an IP network.

source address affinity persistence

Also known as simple persistence, source address affinity persistence supports TCP and UDP protocols, and directs session requests to the same server based solely on the source IP address of a packet.

source processing

Source processing means that the interface rewrites the source of an incoming packet.

split tunneling

Split tunneling allows a remote VPN user to access a public network at the same time that the user is allowed to access resources on the VPN. This allows the user to access remote devices while accessing the public network. See tunnel.


SSH is a protocol for secure remote login and other secure network services over a non-secure network.

SSL (Secure Sockets Layer)

SSL is a network communications protocol that uses public-key technology as a way to transmit data in a secure manner.

SSL server certificate

An SSL server certificate identifies your server to any connecting client browser.

SSL persistence

SSL persistence is a type of persistence that tracks non-terminated SSL sessions, using the SSL session ID.

standby unit

A standby unit in a redundant system is a unit that is always prepared to become the active unit if the active unit fails.


A subdomain is a sub-section of a higher level domain. For example, .com is a high level domain, and is a subdomain within the .com domain.


A subsequence is defined sequence that runs when processing encounters a branch in the sequence. Subsequences do not pass control back to the parent sequence from a subsequence; the flow continues through to the subsequence ending, or to another subsequence.


Tcl (Tools Command Language) is an industry-standard scripting language. On the LTM system, users use Tcl to write iRulesTM.

trusted CA file

A trusted CA file is a file containing a list of certificate authorities that an authenticating system can trust when processing client requests for authentication. A trusted CA file resides on the authenticating system and is used for authenticating SSL network traffic.


A tunnel is a secure connection between computers or networks over a public network. See also split tunneling.

Type of Service (ToS) level

The Type of Service (ToS) level is another means, in addition to the Quality of Service (QoS) level, by which network equipment can identify and treat traffic differently based on an identifier.

virtual address

A virtual address is an IP address associated with one or more virtual servers managed by the FirePass system.

visual policy editor

The visual policy editor consists of a graphical area in which you click to add and delete actions and rules to use when inspecting the client system to determine whether it meets certain conditions.

visual policy editor action

In a visual policy editor, the action contains one or more rules that specify the criteria that you plan to evaluate, and an ending that follows depending on the outcome of the evaluation.

visual policy editor action pane

The action pane is where you can type a description for the action, add and modify the action's inspectors, and define rules for the action to use.


VLAN stands for virtual local area network. A VLAN is a logical grouping of network devices. You can use a VLAN to logically group devices that are on different network segments.

VLAN name

A VLAN name is the symbolic name used to identify a VLAN. For example, you might configure a VLAN named marketing, or a VLAN named development. See also VLAN.


A webifyer is functionality that uses a browser to provide nonbrowser-based application functionality. The FirePass controller uses webifyers to present the Portal Access applications Windows Files and Mobile E-Mail, as well as the Application Access applications Legacy Hosts, Terminal Servers, and so on.

Web Application Favorites

Web Application Favorites is the FirePass controller implementation of reverse proxy. As opposed to a forward proxy, that is, a gateway for the client's browser, a reverse proxy acts as a gateway to the internal HTTP servers by being the final IP address for requests from the outside. From the client's point of view, the reverse proxy is the actual HTTP server.


The webtop is the user's home page, which contains links that are configured as favorites for that user's master group. Along the left side of the webtop are icons representing various functionality. Depending on how the webtop is configured, users may be able to add their own favorites by clicking an icon and adding links.

WKS (well-known services)

Well-known services are protocols on ports 0 through 1023 that are widely used for certain types of data. Some examples of some well-known services (and their corresponding ports) are: HTTP (port 80), HTTPS (port 443), and FTP (port 20).

Table of Contents   |   << Previous Chapter

Was this resource helpful in solving your issue?

NOTE: Please do not provide personal information.

Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)