New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Free and Premium Huawei H12-721 Dumps Questions Answers

Page: 1 / 8
Total 245 questions

HCNP-Security-CISN (Huawei Certified Network Professional - Constructing Infrastructure of Security Network) Questions and Answers

Question 1

Which of the following is incorrect about IKE V1 and IKE V2?

Options:

A.

IKE V2 establishes a pair of IPSec SAs. Normally, an IKE SA and a pair of IPSec SAs can be completed by exchanging 4 messages twice.

B.

IKE V2 does not have the concept of master mode and barb mode

C.

To establish a pair of IPSec SAs, only 6 messages need to be exchanged in the IKE V1 master mode.

D.

When the IPSec SA established by D IKE V2 is greater than one pair, each pair of SAs needs only one additional exchange, that is, two messages can be completed.

Buy Now
Question 2

As shown in the following figure, the BFD for OSPF network is as follows: 1. OSPF is running between the three devices: FW_A, FW_B, and FW_C. The neighbors are in the FULL state. The association between BFD and OSPF is complete. BFD is complete. To establish a BFD session, the following instructions are correct?

Options:

A.

When link a fails, BFD first senses, and FWA and FWB will converge immediately.

B.

link switching is switched in seconds

C.

FWA processes the neighbor Down event and recalculates the route. The new route is link b.

D.

When link a finds a fault, OSPF automatically converges and notifies BFD.

Question 3

After the BFD session is established, the two systems periodically send BFD control packets. If a system does not receive any packets from the peer within the detection time, the status of the BFD session is considered to be Down. Which mode of detection is this mode called BFD?

Options:

A.

sync mode

B.

detection mode

C.

asynchronous mode

D.

query mode

Question 4

112. The ESP only verifies the IP payload and can perform NAT traversal, but the ESP encrypts the Layer 4 port information and causes the PAT function to be unusable. This problem can be solved by using the IPSec transparent NAT function, which encapsulates the ESP packet in the UDP header and comes with the necessary port information to make the PAT work normally.

Options:

A.

TRUE

B.

FALSE

Question 5

What is the correct statement about the Eth-trunk function?

Options:

A.

Improve the communication bandwidth of the link

B.

Improve data security

C.

traffic load sharing

D.

Improve the reliability of the link

Question 6

Avoid DHCP server spoofing attacks. DHCP snooping is usually enabled. What is the correct statement?

Options:

A.

connected user's firewall interface is configured in trusted mode

B.

The firewall interface connected to the DHCP server is configured as untrusted mode.

C.

DHCP relay packets received on the interface in the untrusted mode are discarded.

D.

The DHCP relay packet received in the D trusted mode and passed the DHCP snooping check.

Question 7

An intranet has made a network, the old equipment is offline, the new network equipment is brought online, and after the service test, it is found that most of the original service traffic cannot work normally. What is the quickest way to restore the business?

Options:

A.

layering method

B.

segmentation method

C.

replacement method

D.

block method

Question 8

As shown in the figure, the Eth-trunk function is required to bind the interface. On this basis, if you need to implement the load balancing function of each interface, you need to add the following configuration command?

Options:

A.

[USG] load-balance interface eth-trunk 1 packet-all

B.

[USG]interface eth-trunk 1 [USG-eth-trunk 1] load-balance packet-all

C.

[USG] load-balance interface eth-trunk 1 src-dst-ip

D.

[USG]interface eth-trunk 1 [USG-eth-trunk 1] load-balance src-dst-ip

Question 9

The HRP technology can implement the standby firewall without any configuration information. All the configuration information is synchronized by the main firewall to the standby firewall through HRP, and the configuration information is not lost after the restart.

Options:

A.

TRUE

B.

FALSE

Question 10

134. Which of the following is the connection status data to be backed up in the HRP function?

Options:

A.

ServerMap entry

B.

port mapping table

C.

dynamic blacklist

D.

Session entry

Question 11

When an attack occurs, the result of packet capture on the attacked host (1.1.1.1) is as shown in the figure. What kind of attack is this attack?

Options:

A.

Smurf attack

B.

Land attack

C.

WinNuke attack

D.

Ping of Death attack

Question 12

In the USG firewall, which two commands can be used to view the running status and memory/CPU usage of the device components (main control board, board, fan, power supply, etc.)?

Options:

A.

display device

B.

display environment

C.

display version

D.

dir

Question 13

Because the policy in the traffic limiting policy does not restrict the deny rule, you do not need to use the deny rule.

Options:

A.

TRUE

B.

FALSE

Question 14

When using the optical bypass interface, the Bypass link has two working modes, automatic mode and forced mode.

Options:

A.

TRUE

B.

FALSE

Question 15

Which of the following states indicates that a BFD session has been successfully established?

Options:

A.

down

B.

init

C.

up

D.

AdminUp

Question 16

As shown in the figure, the firewall is dual-system hot standby. In this networking environment, all service interfaces of the firewall work in routing mode, and OSPF is configured on the upper and lower routers. Assume that the convergence time of OSPF is 30s after the fault is rectified. What is the best configuration for HRP preemption management?

Options:

A.

hrp preempt delay 20

B.

hrp preempt delay 40

C.

hrp preempt delay 30

D.

undo hrp preempt delay

Question 17

Man-in-the-middle attacks are: the middleman completes the data exchange between the server and the client. In the server's view, all messages are sent or sent to the client. From the client's point of view, all messages are also sent or sent.

Options:

A.

Packet 1: Source IP 1.1.1.1 Source MAC C-C-C Destination IP 1.1.1.2 Destination MAC B-B-B

B.

Packet 1: Source IP 1.1.1.3 Source MAC C-C-C Destination IP 1.1.1.2 Destination MAC B-B-B

C.

Packet 2: Source IP 1.1.1.2 Source MAC C-C-C Destination IP 1.1.1.1 Destination MAC A-A-A

D.

Packet 2: Source IP 1.1.1.3 Source MAC C-C-C Destination IP 1.1.1.1 Destination MAC A-A-A

Question 18

The figure shows the data flow direction of the Bypass interface in the Bypass working mode and the non-Bypass working mode. What are the following statements about the working flow of the electrical Bypass interface?

Options:

A.

When the interface is in the non-bypass state, the traffic flows from the GE0 interface to the USG through Router_a. After the USG processes, the traffic flows from the GE1 interface to Router_B.

B.

When the interface is working in the Bypass state, the traffic is forwarded from the GE0 interface to the USG. The USG does not pass any processing and flows directly from the GE1 interface to Router_B.

C.

When the firewall is configured to implement the security priority, the uplink and downlink services are not interrupted when the interface works in the bypass state. Therefore, the device can be kept in the Bypass state.

D.

The electrical bypass interface can only work in Layer 2 mode and has circuit bypass function.

Question 19

Which of the following protocols does the USG firewall hot standby not include?

Options:

A.

HRP

B.

VRRP

C.

VGMP

D.

IGMP

Question 20

In the IPSec active/standby link backup application scenario, gateway B uses IPSec tunneling technology and gateway A to establish an IPSec VPN.

Options:

A.

TRUE

B.

FALSE

Question 21

An administrator can view the status of the device components by the following command: The status of the Slot3 board is Abnormal. What are the possible causes of the following faults?

Options:

A.

This slot is not supported in this slot of device A.

B.

interface card is damaged

C.

The pin on the backplane or motherboard is damaged. If the incorrect board is installed, the pin is tilted.

D.

ADSL telephone line failure

Question 22

The IPSec establishment of a device is unsuccessful. The debug print information is as follows. What are the possible causes of the fault?

? %%01IKE/4/WARING(1):phase2:proposal mismatch,please check ipsec proposal configuration 0 34476900 %%01IKE/7/DEBUG(d) dropped message from 3.3.3.1 due to notification type NO_PROPOSAL_CHOSEN

Options:

A.

IKE proposal parameters are inconsistent

B.

IPSec proposal parameters are inconsistent

C.

ike peer configuration error

D.

Security acl configuration error

Question 23

Accessing the headquarters server through the IPSec VPN from the branch computer. The IPSec tunnel can be established normally, but the service is unreachable. What are the possible reasons?

Options:

A.

packet is fragmented, and fragmented packets are discarded on the link.

B.

There is load sharing or dual-machine link, which may be inconsistent with the back and forth path.

C.

route oscillating

D.

DPD detection parameters are inconsistent at both ends

Question 24

The static fingerprint filtering function is to defend the attack traffic by configuring a static fingerprint to process the packets that hit the fingerprint. Generally, the anti-DDoS device capture function can be used to input fingerprint information to static fingerprint filtering.

Options:

A.

TRUE

B.

FALSE

Question 25

Run the display ike sa command to check the IKE SA information. The following statement is correct?

Options:

A.

phase 1 and phase 2 have been established

B.

negotiates through the IKE V2 protocol

C.

VPN instance name is public

D.

IPSec SA status is Ready

Question 26

The server health check mechanism is enabled on the USG firewall of an enterprise to detect the running status of the back-end real server (the three servers are Server A, Server B, and Server C). When the USG fails to receive the response from Server B multiple times. When the message is received, Server B will be disabled and the traffic will be distributed to other servers according to the configured policy.

Options:

A.

TRUE

B.

FALSE

Question 27

What is the correct statement about the ip-link feature?

Options:

A.

ip-link is a function to detect link connectivity

B.

ARP detection mode only supports detecting direct links (or forwarding through Layer 2 devices in the middle)

C.

The firewall sends ICMP or ARP packets to a probe destination address to determine whether the destination address is reachable.

D.

ip-link is associated with VGMP, the ip-link status is down, and the VGMP management group priority is lowered by default.

 

Question 28

Which attack method is CC attack?

Options:

A.

denial of service attack

B.

scan snooping attack

C.

malformed packet attack

D.

System-based vulnerability attacks

Question 29

In dual-system hot backup, the backup channel must be the primary interface on the interface board. Which type is not supported?

Options:

A.

Ethernet

B.

GigabitEthernet

C.

E1

D.

Vlan-if

Question 30

The ip-link principle is to continuously send ICMP packets or ARP request packets to the specified destination address, and check whether the ICMP echo reply or ARP reply packet of the destination IP response can be received.

Options:

A.

TRUE

B.

FALSE

Question 31

In the TCP/IP protocol, the TCP protocol provides a reliable connection service, which is implemented using a 3-way handshake. First handshake: When establishing a connection, the client sends a SYN packet (SYN=J) to the server and enters the SYN_SENT state, waiting for the server to confirm; the second handshake: the server receives the SYN packet and must send an ACK packet (ACK=1) To confirm the SYN packet of the client, and also send a SYN packet (SYN=K), that is, the SYN-ACK packet, the server enters the SYN_RCVD state; the third handshake: the client receives the SYN-ACK packet of the server. Send the acknowledgement packet ACK (SYN=2 ACK=3) to the server. After the packet is sent, the client and server enter the ESTABUSHED state and complete the handshake. Regarding the three parameters in the 3-way handshake process, which one is correct?

Options:

A.

1=J+1 2=J+1 3=K+1

B.

1=J 2=K+1 3=J+1

C.

1=J+1 2=K+1 3=J+1

D.

1=J+1 2=J 3=K+1

Question 32

When an IPSec VPN is set up on both ends of the firewall, the security ACL rules of both ends are mirrored.

Options:

A.

TRUE

B.

FALSE

Page: 1 / 8
Total 245 questions