Huawei H12-721 HCNP-Security-CISN (Huawei Certified Network Professional - Constructing Infrastructure of Security Network) Exam Practice Test

Demo: 32 questions
Total 245 questions

HCNP-Security-CISN (Huawei Certified Network Professional - Constructing Infrastructure of Security Network) Questions and Answers

Question 1

An administrator can view the status of the device components with the following command. The status of the Slot3 board is Abnormal. What are the possible causes of this fault?

Options:

A.

This board is not supported in this slot of the device.

B.

The interface card is damaged.

C.

A pin on the backplane or motherboard is damaged; for example, a board was installed incorrectly and bent the pin.

D.

ADSL telephone line failure

Question 2

In a man-in-the-middle attack, the middleman relays the data exchange between the server and the client. From the server's point of view, all messages are sent to or received from the client. From the client's point of view, all messages are sent to or received from the server.

Options:

A.

Packet 1: Source IP 1.1.1.1 Source MAC C-C-C Destination IP 1.1.1.2 Destination MAC B-B-B

B.

Packet 1: Source IP 1.1.1.3 Source MAC C-C-C Destination IP 1.1.1.2 Destination MAC B-B-B

C.

Packet 2: Source IP 1.1.1.2 Source MAC C-C-C Destination IP 1.1.1.1 Destination MAC A-A-A

D.

Packet 2: Source IP 1.1.1.3 Source MAC C-C-C Destination IP 1.1.1.1 Destination MAC A-A-A

Question 3

Which of the following statements about TCP proxy and TCP reverse source probing is correct?

Options:

A.

TCP proxy and TCP reverse source probing can prevent SYN Flood.

B.

The principle of the TCP proxy is that the device acts as a proxy for the TCP connection between the two ends. When one end initiates the connection, it must first complete the TCP three-way handshake with the device.

C.

To use TCP proxy mode for attack defense, you must enable the state detection mechanism.

D.

TCP reverse source detection detects the source IP by sending a Reset packet.

Question 4

A screenshot of the packets captured by a victim host during an attack is as follows. According to the analysis, what is the attack?

Options:

A.

SYN Flood

B.

SYN-ACK Flood

C.

ACK Flood

D.

Connection Flood

Question 5

Both the AH and ESP protocols of IPSec support NAT traversal.

Options:

A.

TRUE

B.

FALSE

Question 6

Configure the remote packet capture function on the USG to download the device to the device. You can use the FTP server to analyze the packet.

Options:

A.

TRUE

B.

FALSE

Question 7

Which of the following statements about IPSec NAT traversal is incorrect?

Options:

A.

Both AH and ESP support NAT traversal.

B.

IPSec NAT traversal does not support IKE main mode (pre-shared mode).

C.

IPSec ESP packets are encapsulated through NAT using UDP packets.

D.

All IKE messages exchanged with the initiator use port 4500.

Question 8

The console port password can be restored to the factory settings by pressing and holding the USG device Reset button for 1-3 seconds.

Options:

A.

TRUE

B.

FALSE

Question 9

In an IDC equipment room, a USG firewall can be divided into several virtual firewalls, and the root firewall administrator then creates a virtual firewall administrator to manage each virtual firewall.

Options:

A.

TRUE

B.

FALSE

Question 10

The main method of defending a cache server against a DNS request flood is to use DNS source authentication technology.

Options:

A.

TRUE

B.

FALSE

Question 11

To prevent DHCP server spoofing attacks, DHCP snooping is usually enabled. Which of the following statements is correct?

Options:

A.

The firewall interface connected to users is configured in trusted mode.

B.

The firewall interface connected to the DHCP server is configured in untrusted mode.

C.

DHCP relay packets received on an interface in untrusted mode are discarded.

D.

The DHCP relay packet received in trusted mode passes the DHCP snooping check.

Question 12

In the application scenario of IPSec NAT traversal, the firewall that actively initiates the connection must be configured with NAT traversal, while the firewall at the other end can be configured without NAT traversal.

Options:

A.

TRUE

B.

FALSE

Question 13

The attacker sends a large number of INVITE messages to the SIP server, causing the SIP server to refuse service. Which layer of the OSI model is this attack based on?

Options:

A.

application layer

B.

network layer

C.

transport layer

D.

data link layer

Question 14

The static fingerprint filtering function processes different messages in different ways. Which of the following statements is correct?

Options:

A.

TCP/UDP/custom services can extract fingerprints based on the payload (i.e. the data segment of the message).

B.

For DNS packets, the fingerprint is extracted based on the Query ID.

C.

For HTTP messages, the fingerprint is extracted based on the uniform resource identifier (URI).

D.

For ICMP messages, the fingerprint is extracted based on the identifier.

Question 15

The dual-system hot standby networking environment is as shown in the following figure: VRRP groups 1 and 2 are added to the VGMP management group, USG_A is the master device, and USG_B is the standby device. When USG_A fails, for example because of a power failure, the status of USG_B switches from Slave to Master. After USG_A recovers from the fault, its status switches back to Master, but the status of USG_B is still Master. What is the reason for this?

Options:

A.

The two firewalls are in load grouping mode. They are configured as master and slave in the same backup group.

B.

After USG_A recovers from the fault, the priority of the VRRP backup group is not restored in time.

C.

After USG_A recovers from the fault, the heartbeat line fails.

D.

hrp track is not configured.

Question 16

On the following virtual firewall network, the USG unified security gateway provides leased services to the enterprise. The VPN instance vfw1 is leased to enterprise A. The networking diagram is as follows. PC C, an external network user of enterprise A, needs to access server B in the intranet DMZ area through NAT. Which of the following are key configurations to meet this requirement?

Options:

A.

[USG] ip vpn-instance vfw1 vpn-id

B.

[USG] ip vpn-instance vfw1 [USG-vpn-vfw1] route-distinguisher 100:1 [USG-vpn-vfw1] quit

C.

[USG] nat server zone vpn-instance vfw1 untrust global 2.1.2.100 inside 192.168.1.2 vpn-instance vfw1

D.

[USG]nat address-group 1 2.1.2.5 2.1.2.10 vpn-instance vfw1

Question 17

In the TCP/IP protocol suite, TCP provides a reliable connection service, which is implemented using a 3-way handshake. First handshake: when establishing a connection, the client sends a SYN packet (SYN=J) to the server and enters the SYN_SENT state, waiting for the server to confirm. Second handshake: the server receives the SYN packet and must send an ACK packet (ACK=1) to confirm the client's SYN packet, and also sends a SYN packet (SYN=K), that is, the SYN-ACK packet; the server then enters the SYN_RCVD state. Third handshake: the client receives the server's SYN-ACK packet and sends the acknowledgement packet ACK (SYN=2 ACK=3) to the server. After the packet is sent, the client and server enter the ESTABLISHED state and complete the handshake. Regarding the three parameters 1, 2 and 3 in the 3-way handshake process, which one is correct?

Options:

A.

1=J+1 2=J+1 3=K+1

B.

1=J 2=K+1 3=J+1

C.

1=J+1 2=K+1 3=J+1

D.

1=J+1 2=J 3=K+1

Question 18

Which of the following objects can the current limiting policy limit?

Options:

A.

IP connection limit

B.

IP bandwidth limit

C.

P2P protocol data flow restriction

D.

IM protocol data flow restriction

Question 19

The administrator can create vfw1 and vfw2 on the root firewall to provide secure multi-instance services for enterprise A and enterprise B, and configure secure forwarding policies between security zones of vfw1 and vfw2.

Options:

A.

TRUE

B.

FALSE

Question 20

The topology of the BFD-bound static route is as follows. The administrator has configured the following on firewall A:

[USG9000_A] bfd
[USG9000_A-bfd] quit
[USG9000_A] bfd aa bind peer-ip 1.1.1.2
[USG9000_A-bfd session-aa] discriminator local 10
[USG9000_A-bfd session-aa] discriminator remote 20

Which of the following configurations can be added to the firewall to implement BFD-bound static routes?

Options:

A.

[USG9000_A-bfd session-aa] commit

B.

[USG9000_A]bfd aa bind local-ip 1.1.1.1

C.

[USG9000_A]ip route-static 0.0.0.0 0 1.1.1.2 track bfd-session aa

D.

[USG9000_A] ip route-static 0.0.0.0 0 1.1.1.2 bfd-session aa

Question 21

What actions are performed when an active/standby switchover occurs in firewall hot standby?

Options:

A.

Send gratuitous ARP

B.

Send proxy ARP

C.

The virtual address of the VRRP backup group is unavailable

D.

The related switch automatically updates its MAC table

Question 22

Which of the following is correct about the configuration of the firewall interface bound to the VPN instance?

Options:

A.

ip binding vpn-instance vpn-id

B.

ip binding vpn-instance vpn-instance-name

C.

ip binding vpn-id

D.

ip binding vpn-id vpn-instance-name

Question 23

In Client-Initiated mode, the L2TP dial-up fails. From the debug information below, what is the most likely cause of the dial-up failure?

Options:

A.

The username and password are inconsistent with the AAA configuration.

B.

LNS name configuration error

C.

The tunnel password is not configured.

D.

L2TP is not enabled.

Question 24

In Huawei's abnormal traffic cleaning solution, in the bypass deployment scenario, dynamic route-based traffic diversion does not require manual intervention. If an anomaly is detected, the management center automatically generates a diversion task and the traffic is sent to the cleaning device.

Options:

A.

TRUE

B.

FALSE

Question 25

As shown in the figure, the firewalls are deployed in dual-system hot standby. In this networking environment, all service interfaces of the firewalls work in routing mode, and OSPF is configured on the upstream and downstream routers. Assume that the convergence time of OSPF is 30s after the fault is rectified. What is the best configuration for HRP preemption management?

Options:

A.

hrp preempt delay 20

B.

hrp preempt delay 40

C.

hrp preempt delay 30

D.

undo hrp preempt delay

Question 26

Load balancing implements the function of distributing user traffic accessing the same IP address to different servers. What are the main technologies used?

Options:

A.

virtual service technology

B.

server health test

C.

dual hot standby technology

D.

stream-based forwarding

Question 27

A branch computer accesses the headquarters server through an IPSec VPN. The IPSec tunnel can be established normally, but the service is unreachable. What are the possible reasons?

Options:

A.

Packets are fragmented, and the fragmented packets are discarded on the link.

B.

There is load sharing or a dual-device link, so the forward and return paths may be inconsistent.

C.

Route flapping

D.

DPD detection parameters are inconsistent at the two ends.

Question 28

Which of the following statements about VRRP messages are correct?

Options:

A.

VRRP uses TCP packets.

B.

VRRP uses UDP packets.

C.

The destination address of the VRRP packet is 224.0.0.18.

D.

The TTL value of the VRRP packet is 255.

Question 29

On the USG, you need to delete sslconfig.cfg in the hda1:/ directory. Which of the following commands can complete the operation?

Options:

A.

cd hda1:/ remove sslconfig.cfg

B.

cd hda1:/ delete sslconfig.cfg

C.

cd hda1:/ rmdir sslconfig.cfg

D.

cd hda1:/ mkdir sslconfig.cfg

Question 30

The preemption function of the VGMP management group is enabled by default, and the delay time is 60s.

Options:

A.

TRUE

B.

FALSE

Question 31

In application scenarios of virtual firewall technology, a common service is providing leasing services to external customers. If the virtual firewall VFW1 is leased to enterprise A and the virtual firewall VFW2 is leased to enterprise B, which of the following statements is incorrect?

Options:

A.

The system provides independent system resources for the virtual firewalls VFW1 and VFW2, and they do not affect each other.

B.

It is transparent to users, and the business between enterprise A and enterprise B is completely isolated, just like using separate firewalls.

C.

Enterprise A and Enterprise B can have overlapping addresses and use VLANs to separate different VLANs.

D.

Enterprise A and Enterprise B cannot manage their own virtual firewalls independently and must be managed by the administrator of the lessor.

Question 32

Networking as shown in the figure: PC1--USG--Router--PC2. If PC1 sends a packet to PC2, what are the three modes for the USG to process fragmented packets?

Options:

A.

fragment cache

B.

fragmentation

C.

fragment direct forwarding

D.

fragment defense