H12-721 Sample Questions Answers

Questions 4

A user dials in to the company's LNS through L2TP over IPSec using a VPN client, and the dial-up ultimately fails. However, the debug ike all and debug l2tp all commands show no information on the LNS, and both phases of IKE establishment fail. What are the reasons for the failure?

Options:

A. Interesting traffic ACL configuration error

B. The IPSec policy is not applied to the interface that connects the firewall (LNS) to the public network.

C. The IPSec data stream does not reach the firewall

D. L2TP is not enabled on the LNS

Questions 5

Which of the following statements about the Eth-Trunk function is correct?

Options:

A. Improve the communication bandwidth of the link

B. Improve data security

C. Traffic load sharing

D. Improve the reliability of the link

Questions 6

The figure shows the data flow direction of the Bypass interface in the Bypass working mode and the non-Bypass working mode. What are the following statements about the working flow of the electrical Bypass interface?

Options:

A. When the interface is in the non-Bypass state, the traffic flows from the GE0 interface to the USG through Router_A. After the USG processes it, the traffic flows from the GE1 interface to Router_B.

B. When the interface is working in the Bypass state, the traffic is forwarded from the GE0 interface to the USG. The USG performs no processing, and the traffic flows directly from the GE1 interface to Router_B.

C. When the firewall is configured to implement the security priority, the uplink and downlink services are not interrupted when the interface works in the Bypass state. Therefore, the device can be kept in the Bypass state.

D. The electrical Bypass interface can only work in Layer 2 mode and has a circuit bypass function.

Questions 7

The testing center is responsible for detecting the traffic and sending the inspection result to the management center. The management center sends the traffic diversion policy to the cleaning center, which diverts and cleans the traffic.

Options:

A. TRUE

B. FALSE

Questions 8

With HRP technology, the standby firewall needs no configuration information of its own. All the configuration information is synchronized by the main firewall to the standby firewall through HRP, and the configuration information is not lost after a restart.

Options:

A. TRUE

B. FALSE

Questions 9

In which of the following cases can IKE negotiation not use main mode?

Options:

A. IKE is in pre-shared mode, and the peer ID is ID

B. IKE is in pre-shared mode, and the firewall external network exit uses DHCP to dynamically allocate addresses.

C. IKE is in pre-shared mode and there is a NAT device on the link.

D. IKE is in RSA certificate mode, and there is a NAT device on the link.

Questions 10

Based on an analysis of the following information on the firewall, which of the following options are correct?

Options:

A. The first packet of this data flow enters from the Trust zone interface and is sent from the Untrust zone interface.

B. This data stream has been NAT translated

C. Uses NPAT conversion technology

D. The firewall has the virtual firewall function enabled

Questions 11

Using the virtual firewall technology, users on the two VPNs can log in to their private VPNs through the Root VFW on the public network to directly access private network resources. What are the following statements about the characteristics of the VPN multi-instance service provided by the firewall?

Options:

A. Security is high: VPN users gain access through firewall authentication and authorization, users are managed by a separate virtual firewall system after access, and the resources of different VPN users are completely isolated.

B. VPN access mode is flexible and reliable. It can support access from the public network to a VPN, and can also support access from VPN to VPN.

C. Maintenance is easy: users can manage the entire firewall (including each virtual firewall) without a system administrator account with super user privileges.

D. The access control authority is strict. The firewall can control the access rights of the VPN according to the user name and password. This allows different users, such as traveling employees and super users (who need to access different VPN resources), to have different access rights.

Questions 12

As shown in the figure, the firewall is dual-system hot standby. In this networking environment, all service interfaces of the firewall work in routing mode, and OSPF is configured on the upper and lower routers. Assume that the convergence time of OSPF is 30s after the fault is rectified. What is the best configuration for HRP preemption management?

Options:

A. hrp preempt delay 20

B. hrp preempt delay 40

C. hrp preempt delay 30

D. undo hrp preempt delay

Questions 13

A common application scenario of virtual firewall technology is providing leasing services to external customers. If the virtual firewall VFW1 is leased to enterprise A and the virtual firewall VFW2 is leased to enterprise B, which of the following statements is incorrect?

Options:

A. The system provides independent system resources for the virtual firewalls VFW1 and VFW2, and they do not affect each other.

B. It is transparent to users, and the business between enterprise A and enterprise B is completely isolated, just like using firewalls separately.

C. Enterprise A and Enterprise B can overlap addresses and use VLANs to separate different VLANs.

D. Enterprise A and Enterprise B cannot manage their own virtual firewalls independently and must be managed by the administrator of the lessor.

Questions 14

When using the Radius server to authenticate users, (the topology is as shown below), not only must the username and password be stored on the Radius server, but the username and password must also be configured on the firewall.

Options:

A. TRUE

B. FALSE

Questions 15

The following figure shows the data packets captured during the main mode exchange in pre-shared key mode in the first phase of IKEv1. Which packet is captured below?

Options:

A. IKE first message or second message

B. IKE third message or fourth message

C. IKE fifth message or sixth message

D. IKE seventh message or eighth message

Questions 16

Which of the following is the correct description of the SMURF attack?

Options:

A. The attacker sends an ICMP request with the destination address or the source address as the broadcast address, causing all hosts or designated hosts of the attacked network to answer, eventually causing the network to crash or the host to crash.

B. The attacker sends the SYN-ACK message to the attacker's IP address.

C. The attacker can send UDP packets to the network where the attacker is located. The source address of the packet is the address of the attacked host. The destination address is the broadcast address or network address of the subnet where the attacked host resides. The destination port number is 7 or 19.

D. The attacker uses the network or the host to receive unreachable ICMP packets. The subsequent packets destined for this destination address are considered unreachable, thus disconnecting the destination from the host.

Questions 17

By default, GigabitEthernet0/0/0 can be used as an out-of-band management interface in the USG2200 series.

Options:

A. TRUE

B. FALSE

Questions 18

The first packet discarding technology of Huawei Anti-DDoS devices can defend against attack packets that continuously change the source IP address or source port number. Which of the following statements about the first packet discarding technology is incorrect?

Options:

A. The UDP protocol does not have a retransmission mechanism, so the first packet drop technique cannot be used.

B. The first packet is discarded in combination with source authentication to prevent false source attacks.

C. Packets are matched based on the triplet (source IP address, source port, protocol), and the first packet is identified by the packet interval.

D. A packet whose sending interval is lower than the lower limit of the first packet detection rate, or higher than the upper limit of the first packet detection rate, is considered to be the first packet.

Questions 19

Which of the following statements about IKE DPD is incorrect?

Options:

A. It is used for detection of IKE neighbor status

B. PDUs are sent periodically between IKE peers.

C. After the DPD function is enabled, if no IPSec packet is received within the specified interval, DPD sends a DPD request to the peer and waits for the response.

D. DPD sends the query only before the encrypted message is sent and the timer expires.

Questions 20

Which part of the attack packet is matched by the blacklist to achieve attack prevention?

Options:

A. Source address

B. Destination address

C. Source port

D. Destination port

Questions 21

Configure the remote packet capture function on the USG to download the device to the device. You can use the FTP server to analyze the packet.

Options:

A. TRUE

B. FALSE

Questions 22

Which of the following statements about VRRP and VGMP protocol messages are correct?

Options:

A. VGMP Hello packet communication between the VGMP management group and the VRRP backup group

B. VGMP management group communicates through VGMP Hello messages.

C. VGMP management group communicates through VRRP packets

D. VGMP packet communication between the VGMP management group and the VRRP backup group

Questions 23

USG dual-system hot standby must meet certain conditions before it can be used. Which of the following statements are correct?

Options:

A. The active and standby devices must have the same product model

B. The software version of the active and standby devices must be the same.

C. The interface IP of the active and standby devices must be the same.

D. The primary device must be configured, and the standby device does not require any configuration.

Questions 24

The key steps for configuring a virtual firewall include the following: 1. Configure the IP address of the interface; 2. Create a VPN instance and assign a route ID to the VPN instance; 3. Add the interface to the security zone; 4. Configure the interzone default packet filtering rules; 5. Bind interfaces to VPN instances. What is the correct order for configuration?

Options:

A. 2-1-3-4-5

B. 1-3-4-2-5

C. 2-5-1-3-4

D. 1-2-5-3-4

Questions 25

The hot standby and IPSec functions are combined. Which of the following statements is correct?

Options:

A. USG supports IPSec hot standby in active/standby mode.

B. IPSec hot standby is not supported in load balancing mode.

C. Session fast backup must be configured

D. Preemption must be configured

Questions 26

In IPSec VPN, which statement about the difference between aggressive mode and main mode is incorrect?

Options:

A. Main mode does not support NAT traversal in pre-shared key mode, but aggressive mode does

B. Main mode negotiation uses 6 messages, and aggressive mode uses 3

C. In the NAT traversal scenario, the peer ID cannot use the IP address.

D. Main mode encrypts the exchange of identity information, while aggressive mode does not encrypt identity information

Questions 27

Which of the following statements about link-group are correct?

Options:

A. Supports interface state management across switches

B. Supports interface state management across interface boards

C. Supports remote interface state management

D. Supports interface board hot swap

Questions 28

What are the three elements of an abnormal flow cleaning solution?

Options:

A. Cleaning Center

B. Testing Center

C. Management Center

D. Collection Center

Questions 29

Both AH and ESP protocols of IPSec support NAT traversal.

Options:

A. TRUE

B. FALSE

Questions 30

The branch firewall of an enterprise is configured with NAT. As shown in the figure, USG_B is the NAT gateway. USG_B is used to establish an IPSec VPN with the headquarters. Which parts of USG_B need to be configured?

Options:

A. Configure the nat policy. The reference rule is to allow the source and destination of the intranet to be all ACLs.

B. Configure the IKE peer, use name authentication, and set remote-address to the outbound interface address of the headquarters.

C. Configure the nat policy. The referenced rule first denies the IPSec-protected data flow from the enterprise intranet to the headquarters intranet, and then permits the data flow from the intranet to the Internet.

D. Configure an ipsec policy template and reference ike peer

Questions 31

The static fingerprint filtering function uses different processing methods for different messages. Which of the following statements is correct?

Options:

A. For TCP/UDP/custom services, fingerprints can be extracted based on the payload (i.e. the data segment of the message)

B. For DNS packets, fingerprints are extracted from the Query ID

C. For HTTP messages, the fingerprint is extracted from the uniform resource identifier (URI)

D. For ICMP messages, the fingerprint is extracted from the identifier

Questions 32

The firewall device defends against the SYN Flood attack by using source legality verification. The device receives the SYN packet and sends a SYN-ACK probe packet to the host at the source IP address in the SYN packet. If the host exists, which message will it send?

Options:

A. RST message

B. FIN message

C. ACK message

D. SYN message

Exam Code: H12-721
Exam Name: Huawei Certified ICT Professional - Constructing Infrastructure of Security Network
Last Update: Mar 22, 2024
Questions: 217