
H12-721 HCNP-Security-CISN (Huawei Certified Network Professional - Constructing Infrastructure of Security Network) Questions and Answers

Questions 4

The NAT/ASPF logs in the session log and the DPI traffic monitoring logs support a “binary” output technology. Using binary output can greatly reduce the impact on system performance, but binary output needs to be configured with the eLog log management system.

Options:

A. TRUE
B. FALSE

Questions 5

A DDoS attack is one in which an attacker sends a small amount of non-traffic-type abnormal packets over the network to the attack target (usually a server, such as a DNS or web server), so that the system crashes or becomes busy when the attacked server parses the packets.

Options:

A. TRUE
B. FALSE

Questions 6

In an IDC equipment room, one USG firewall can be divided into several virtual firewalls, and the root firewall administrator then creates a virtual firewall administrator to manage each virtual firewall.

Options:

A. TRUE
B. FALSE

Questions 7

As shown in the following figure, the BFD for OSPF network is as follows: OSPF is running between the three devices FW_A, FW_B, and FW_C, and the neighbors are in the FULL state. BFD has been associated with OSPF, and the BFD sessions have been established. Which of the following statements are correct?

Options:

A. When link a fails, BFD senses it first, and FWA and FWB will converge immediately.
B. Link switchover takes place in seconds.
C. FWA processes the neighbor Down event and recalculates the route. The new route is link b.
D. When link a finds a fault, OSPF automatically converges and notifies BFD.

Questions 8

With virtual firewall multi-instance forwarding, the firewall has multiple routing tables and forwarding tables, addresses can overlap, and everything is implemented on the same configuration interface. Users with configuration rights can configure and view all data.

Options:

A. TRUE
B. FALSE

Questions 9

The method of defending against a FIN/RST flood attack is to perform a session check. The workflow is to discard the packet and then start the session check when the FIN/RST packet rate exceeds the threshold.

Options:

A. TRUE
B. FALSE

Questions 10

What actions are performed when an active/standby switchover occurs in firewall hot standby?

Options:

A. Send gratuitous ARP
B. Send proxy ARP
C. The VRRP backup group virtual address is unavailable
D. The related switch automatically updates the MAC table

Questions 11

When an IPSec VPN is set up on both ends of the firewall, the security ACL rules of both ends are mirrored.

Options:

A. TRUE
B. FALSE

Questions 12

The management control information and service information of the out-of-band management interface are sent on the same channel.

Options:

A. TRUE
B. FALSE

Questions 13

Which of the following is a disadvantage of L2TP VPN?

Options:

A. Works at Layer 2 and cannot be routed
B. Must be used as L2TP over IPSec
C. Has no authentication function
D. No encryption

Questions 14

A branch computer accesses the headquarters server through an IPSec VPN. The IPSec tunnel can be established normally, but the service is unreachable. What are the possible reasons?

Options:

A. The packet is fragmented, and fragmented packets are discarded on the link.
B. There is load sharing or a dual-device link, so the forward and return paths may be inconsistent.
C. Route oscillation
D. DPD detection parameters are inconsistent at both ends

Questions 15

ESP only verifies the IP payload and can perform NAT traversal, but ESP encrypts the Layer 4 port information, which makes the PAT function unusable. This problem can be solved by using the IPSec transparent NAT function, which encapsulates the ESP packet in a UDP header carrying the necessary port information so that PAT works normally.

Options:

A. TRUE
B. FALSE

Questions 16

Which of the following are traffic-type attacks?

Options:

A. IP Flood attack
B. HTTP Flood attack
C. IP address scanning attack
D. ICMP redirect packet attack

Questions 17

The network of an enterprise is as follows. At this time, server A cannot access the web service of server B. The administrator performs troubleshooting and finds that there is no problem in the routing mode of firewall A and that the corresponding routing table has been established, but the firewall mode of firewall A is set incorrectly. What is the method used by the administrator to troubleshoot the problem?

Options:

A. Layering method
B. Segmentation method
C. Replacement method
D. Block method

Questions 18

After the link-group is configured on the device, use the display link-group 1 command to obtain the following information. What information can I get?

Options:

A. GigabitEthernet 0/0/2 interface has failed.
B. GigabitEthernet 0/0/1 has failed.
C. GigabitEthernet 0/0/2 is forcibly converted to fault state because other interfaces in the group are faulty.
D. GigabitEthernet 0/0/1 is forcibly converted to fault state because other interfaces in the group are faulty.

Questions 19

The DHCP snooping function needs to maintain the binding table. What are the contents of the binding table?

Options:

A. MAC
B. VLAN
C. Interface
D. DHCP Server IP

Questions 20

Run the display ike sa command to check the IKE SA information. Which of the following statements is correct?

Options:

A. Phase 1 and phase 2 have been established
B. Negotiation uses the IKE V2 protocol
C. The VPN instance name is public
D. The IPSec SA status is Ready

Questions 21

The FTP network diagram is as follows. The FTP server wants to use the 21000 control port to provide external FTP services. The FTP client cannot access the FTP server.

Options:

A. The port mapping function is not used. The packets sent from the FTP client to the FTP server on port 21000 are ordinary packets and are not recognized as FTP packets.
B. The firewall can only recognize the FTP traffic of port 21 and cannot identify the FTP traffic of port 21000.
C. The ASPF function is not configured.
D. The device dropped all UDP traffic.

Questions 22

When configuring USG hot standby (assuming the backup group number is 1), which configuration command for the virtual address is correct?

Options:

A. vrrp vrid 1 virtual-ip ip address master
B. vrrp virtual-ip ip address vrid 1 master
C. vrrp virtual-ip ip address master vrid 1
D. vrrp master virtual-ip address vrid 1

Questions 23

In which of the following cases can IKE negotiation not use main mode?

Options:

A. IKE is in pre-shared mode, and the peer ID is ID
B. IKE is in pre-shared mode, and the firewall external network exit uses DHCP to dynamically allocate addresses.
C. IKE is in pre-shared mode and there is a NAT device on the link.
D. IKE is in RSA certificate mode, and there is a NAT device on the link.

Questions 24

What are the correct statements about the IP address scanning attack and prevention principles?

Options:

A. An IP address scanning attack is one in which an attacker uses ICMP packets (such as ping and tracert) to detect the target address.
B. An IP address scanning attack is an attack method in which an attacker detects a target address by using TCP/UDP packets.
C. IP address scanning attack defense detects the rate of address scanning behavior of a host. If the rate exceeds the threshold, the host is blacklisted.
D. If the USG starts the blacklist function and it is associated with IP address scanning attack prevention, when the scanning rate of a certain source exceeds the set threshold, the packets exceeding the threshold are discarded, and if the packets sent by this source later fall below the threshold, they can still be forwarded.

Questions 25

Which of the following is incorrect about IKE V1 and IKE V2?

Options:

A. When IKE V2 establishes a pair of IPSec SAs, normally an IKE SA and a pair of IPSec SAs can be completed with two exchanges and 4 messages.
B. IKE V2 does not have the concept of main mode and aggressive mode.
C. To establish a pair of IPSec SAs, only 6 messages need to be exchanged in the IKE V1 main mode.
D. When more than one pair of IPSec SAs is established by IKE V2, each pair of SAs needs only one additional exchange, that is, two messages.

Questions 26

In the TCP/IP protocol suite, TCP provides a reliable connection service, which is implemented using a 3-way handshake. First handshake: when establishing a connection, the client sends a SYN packet (SYN=J) to the server and enters the SYN_SENT state, waiting for the server to confirm. Second handshake: the server receives the SYN packet and must send an ACK packet (ACK=1) to confirm the SYN packet of the client, and also sends a SYN packet (SYN=K), that is, the SYN-ACK packet; the server enters the SYN_RCVD state. Third handshake: the client receives the SYN-ACK packet of the server and sends the acknowledgement packet ACK (SYN=2 ACK=3) to the server. After the packet is sent, the client and server enter the ESTABLISHED state and complete the handshake. Regarding the three parameters in the 3-way handshake process, which one is correct?

Options:

A. 1=J+1 2=J+1 3=K+1
B. 1=J 2=K+1 3=J+1
C. 1=J+1 2=K+1 3=J+1
D. 1=J+1 2=J 3=K+1

Questions 27

An administrator can view the IPSec status information and Debug information as follows. What is the most likely fault?

Options:

A. The local IKE policy does not match the peer IKE policy.
B. The local ike remote name does not match the peer ike name.
C. The local ipsec proposal does not match the peer ipsec proposal.
D. The local security acl or the peer security acl does not match.

Questions 28

Which of the following protocol messages cannot be propagated in an IPSec tunnel by default?

Options:

A. TCP
B. UDP
C. ICMP
D. IGMP

Questions 29

The ip-link sends a probe packet to the specified IP address. By default, after 3 probe failures, the link to this IP address is considered faulty.

Options:

A. TRUE
B. FALSE

Questions 30

Which of the following statements about the RADIUS protocol are correct?

Options:

A. Uses the UDP protocol to transmit RADIUS packets.
B. The authentication and authorization port number can be 1812.
C. The account is encrypted when user accounts and passwords are transferred using the RADIUS protocol.
D. The authentication and authorization port number can be 1645.

Questions 31

When the SSL VPN client is used to start network extension, the message "Connection gateway failed" is displayed. What are the possible reasons for the failure?

Options:

A. If a proxy server is used, the proxy server settings of the network extension client are incorrect.
B. The route between the PC and the virtual gateway is unreachable.
C. The TCP connection between the network extension client and the virtual gateway is blocked by the firewall.
D. The username and password are incorrectly configured.

Questions 32

As shown in the figure, the firewall is dual-system hot standby. In this networking environment, all service interfaces of the firewall work in routing mode, and OSPF is configured on the upper and lower routers. Assume that the convergence time of OSPF is 30s after the fault is rectified. What is the best configuration for HRP preemption management?

Options:

A. hrp preempt delay 20
B. hrp preempt delay 40
C. hrp preempt delay 30
D. undo hrp preempt delay

Exam Code: H12-721
Exam Name: HCNP-Security-CISN (Huawei Certified Network Professional - Constructing Infrastructure of Security Network)
Last Update: Dec 27, 2024
Questions: 245