Labour Day Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

 
Home > Huawei > Huawei Certified Network Professional HCNP > H12-721

H12-721 HCNP-Security-CISN (Huawei Certified Network Professional - Constructing Infrastructure of Security Network) Question and Answers

Question # 4

SSL VPN authentication is successful. Using the file sharing function, you can view directories and files, but you cannot upload, delete, and rename files. What are the possible reasons?

A.

If the file server type is NFS, the user UID and GID attributes do not allow the user to upload, delete, or rename files.

B.

If the type of the file server is SMB, the currently logged-in user has only read permission for the file share resource, but no write permission.

C.

Only the viewing function is enabled in the SSL file sharing function configuration of the C firewall.

D.

Some TCP connections between the virtual gateways of the D file server are blocked by the firewall

Full Access
Question # 5

What are the correct statements about the IP address scanning attack and prevention principles?

A.

IP address scanning attack is an attacker that uses an ICMP packet (such as ping and tracert) to detect the target address.

B.

IP address scanning attack is an attack method used by an attacker to detect a target address by using TCP/UDP packets.

C.

IP address scanning attack defense detects the rate of address scanning behavior of a host. If the rate exceeds the threshold, it is blacklisted.

D.

If the USG starts the blacklist function and is associated with IP address scanning attack prevention, when the scanning rate of a certain source exceeds the set threshold, the excess threshold will be discarded, and the packets sent by this source will be less than the subsequent time. Threshold, can also be forwarded

Full Access
Question # 6

The ip-link principle is to continuously send ICMP packets or ARP request packets to the specified destination address, and check whether the ICMP echo reply or ARP reply packet of the destination IP response can be received.

A.

TRUE

B.

FALSE

Full Access
Question # 7

The server health check mechanism is enabled on the USG firewall of an enterprise to detect the running status of the back-end real server (the three servers are Server A, Server B, and Server C). When the USG fails to receive the response from Server B multiple times. When the message is received, Server B will be disabled and the traffic will be distributed to other servers according to the configured policy.

A.

TRUE

B.

FALSE

Full Access
Question # 8

Avoid DHCP server spoofing attacks. DHCP snooping is usually enabled. What is the correct statement?

A.

connected user's firewall interface is configured in trusted mode

B.

The firewall interface connected to the DHCP server is configured as untrusted mode.

C.

DHCP relay packets received on the interface in the untrusted mode are discarded.

D.

The DHCP relay packet received in the D trusted mode and passed the DHCP snooping check.

Full Access
Question # 9

Which of the following statements is correct about the IKE main mode and the aggressive mode?

A.

All negotiation packets in the first phase of the aggressive mode are encrypted.

B.

All the negotiation packets of the first phase in the main mode are encrypted.

C.

barbarian mode uses DH algorithm

D.

will enter the fast mode regardless of whether the negotiation is successful or not.

Full Access
Question # 10

Which is incorrect about the IKE DPD statement?

A.

is used for detection of IKE neighbor status

B.

PDUs are sent periodically between B IKE PEERs.

C.

After the DPD function is enabled, the IPSec packet is not received within the interval specified by the interval, and the DPD sends a DPD request to the peer and waits for the response. Text

D.

DPD sends the query only before the encrypted message is sent and the timer expires.

Full Access
Question # 11

The preemption function of the VGMP management group is enabled by default, and the delay time is 60s.

A.

TRUE

B.

FALSE

Full Access
Question # 12

Which of the following is a disadvantage of L2TP VPN?

A.

working on layer 2 cannot be routed

B.

must use L2TP Over IPSec to use

C.

has no authentication function

D.

no encryption

Full Access
Question # 13

On an Eth-Trunk interface, traffic load balancing can be implemented by configuring different weights on member links.

A.

TRUE

B.

FLASE

Full Access
Question # 14

When configuring the USG hot standby, (assuming the backup group number is 1), the configuration command of the virtual address is correct?

A.

vrrp vrid 1 vitual-ip ip address master

B.

vrrp vitual-ip ip address vrid 1 master

C.

vrrp vitual-ip ip address master vrid 1

D.

vrrp master vitual-ip address vrid 1

Full Access
Question # 15

L2TP is a tunneling protocol set up for transparent transmission of PPP packets between users and enterprise servers. Which of the following features are included?

A.

L2TP protocol uses the TCP protocol

B.

supports private address allocation and does not occupy public IP addresses.

C.

and PPP configurations support authentication and work with Radius to support flexible local and remote AAA After combining with IPSec,

D.

supports encryption of packets.

Full Access
Question # 16

An administrator can view the IPSec status information and debugging information as follows. What is the most likely fault?

A.

local ike policy does not match the peer ike policy.

B.

local ike remote namet and peer ikename do not match

C.

local ipsec proposal does not match the peer ipsec proposal.

D.

The local security acl or the peer security acl does not match.

Full Access
Question # 17

The load balancing function is configured on the USG firewall for three FTP servers. The IP addresses and weights of the three physical servers are 10.1.13/24 (weight 16); 10.1.1.4/24 (weight 32); 10.1.1.5 /24 (weight 16), and the virtual server address is 202.152.26.123/24. A PC with the host address of 202.152.26.3/24 initiates access to the FTP server. Run the display firewall session table command on the firewall to check the configuration. Which of the following conditions indicates that the load balancing function is successfully implemented?

A.

display firewall session table Current total sessions: 1 ftp VPN: public-->public 202.152.26.3:3327-->10.1.1.4:21

B.

display firewall session table Current total sessions:3 ftp VPN: public 202.152.26.3:3327--> 202.152.26.123:21[10.1.1.3:21] ftp VPN:public-->public 202.152.26.3:3327 -->202.152.26.123:21[10.1.1.4:21] ftp VPN: public-->public 202.152.26.3:3327-->202.152.26.123:21[10.1.1.5:21]

C.

display firewall session table Current total sessions: 1 ftp VPN: 202.152.26.3:3327-->202.152.26.123:21

D.

display firewall session table Current total sessions: 3 ftp VPN: ftp VPN: public 202.152.26.3:3327--> 202.152.26.123:21[10.1.1.3:21] ftp VPN: public-->public 202.152. 26.3:3327-->10.1.1.4:21 ftp VPN:public-->public 202.152.26.3:3327-->10.1.1.4:21 ftp VPN:public-->public 202.152.26.3:3327-->10.1. 1.5:21

Full Access
Question # 18

The following figure shows the data packet of the pre-shared key mode main mode exchange process in the first phase of IKE V1. What is captured below?

A.

exchange D-H public value and various auxiliary data

B.

SA suggested strategy

C.

authentication

D.

encryption transformation strategy

Full Access
Question # 19

What are the following attacks that are special message attacks?

A.

Ping of Death attack

B.

Super large ICMP packet attack

C.

Tracert packet attack

D.

ICMP unreachable packet attack

Full Access
Question # 20

Based on the following information analysis on the firewall, which of the following options are correct?

A.

The first packet of this data flow enters from the Trust zone interface and is sent from the Untrust zone interface.

B.

This data stream has been NAT translated

C.

uses NPAT conversion technology

D.

firewall has virtual firewall function enabled

Full Access
Question # 21

To ensure the normal forwarding of large traffic, a network administrator of a company uses two firewalls to implement hot standby. As shown in the following figure, when the configuration is complete, it is found that when A of the two firewalls fails, the data stream being transmitted before the fault has been seriously lost, but the newly transmitted data stream can work normally after the fault. What could be the cause of this phenomenon?

A.

The HRP preemption time configured on the firewall is smaller than the convergence time of OSPF.

B.

is not configured to adjust the COST value of OSPF according to the HRP status.

C.

The session fast backup function is not configured on the USG. The packets cannot be forwarded normally if the back and forth paths are inconsistent.

D.

does not enable hrp track on the upstream and downstream interfaces of the firewall.

Full Access
Question # 22

Which of the following methods is used to switch between active and standby links in the IPSec backup and backup system?

A.

hot standby

B.

link-group

C.

Eth-trunk

D.

ip-link

Full Access
Question # 23

The branch firewall of an enterprise is configured with NAT. As shown in the figure, USG_B is the NAT gateway. The USG_B is used to establish an IPSec VPN with the headquarters. Which parts of the USG_B need to be configured?

A.

Configure the nat policy. The reference rule is to allow the source and destination of the intranet to be all ACLs.

B.

Configure the IKE peer, use the name authentication, and remote-address is the outbound interface address of the headquarters.

C.

Configure the nat policy. The reference rule is to protect the data flow from the enterprise intranet to the headquarters intranet in the first deny ipsec, and then permit the data flow from the intranet to the internet.

D.

Configure an ipsec policy template and reference ike peer

Full Access
Question # 24

In the IPSec active/standby link backup application scenario, gateway B uses IPSec tunneling technology and gateway A to establish an IPSec VPN.

A.

TRUE

B.

FALSE

Full Access
Question # 25

In the client-initial mode, the L2TP dialup fails. From the debug information below, it can be seen that the most likely cause is the dialup failure.

A.

username and password are inconsistent with aaa configuration

B.

Ins name configuration error

C.

tunnel password is not configured

D.

is not enabled l2tp

Full Access
Question # 26

Which of the following protocols does the USG firewall hot standby not include?

A.

HRP

B.

VRRP

C.

VGMP

D.

IGMP

Full Access
Question # 27

Networking as shown in the figure: PC1--USG--Router--PC2. If PC1 sends a packet to PC2, what are the three modes for the USG to process fragmented packets?

A.

fragment cache

B.

fragmentation

C.

slice direct forwarding

D.

slice defense

Full Access
Question # 28

What are the correct statements about link-group below?

A.

supports interface state management across switches

B.

supports interface state management across interface boards

C.

supports remote interface state management

D.

support interface board hot swap

Full Access
Question # 29

The firewall device defends against the SYN Flood attack by using the technology of source legality verification. The device receives the SYN packet and sends the SYN-ACK probe packet to the source IP address host in the SYN packet. If the host exists, it will Which message is sent?

A.

RST message

B.

FIN message

C.

ACK message

D.

SYN message

Full Access
Question # 30

The network administrator of a company discards traffic that exceeds the throughput of the device. The USG discards the traffic that exceeds the device throughput. The USG discards the traffic that exceeds the device throughput. The following command can achieve this function?

A.

utm bypass enable

B.

undo utm bypass enable

C.

ips bypass enable

D.

undo ips bypass enable

Full Access
Question # 31

The DHCP snooping function needs to maintain the binding table. What are the contents of the binding table?

A.

MAC

B.

Vlan

C.

interface

D.

DHCP Server IP

Full Access
Question # 32

IP address scanning attack defense not only prevents ICMP packet detection target addresses, but also prevents TCP/UDP scanning detection target addresses.

A.

TRUE

B.

FALSE

Full Access
Copyright myexamcollection.com. All Right Reserved.