Ace the H12-731-ENU HCIE-Security Exam with Our Up-to-Date H12-731-ENU Dumps

Are you still looking for valid study materials to boost your H12-731-ENU HCIE-Security exam preparation? You can choose our up-to-date H12-731-ENU dumps today. The latest Huawei H12-731-ENU dumps of DumpsBase are designed to simulate the actual exam and cover all the relevant topics that will be on the HCIE-Security test. All the H12-731-ENU questions and answers are updated with the latest information and have been validated by industry experts. You can get this opportunity with the most updated H12-731-ENU dumps to pass the exam and achieve your certification with ease.

Check HCIE-Security H12-731-ENU free demo questions below:

1. The correct statement about UDP Flood and TCP Flood attack prevention is: (Multiple Choice)

2. When the IPsec negotiation fails, turn on the IKE debug switch, and the following information is displayed: got NOTIFY of type INVALID_ID_INFORMATION or drop message from ABCD due to notification type INVALID_ID_INFORMATION, what does it mean?

3. What are the implementation mechanisms of intrusion prevention? (Multiple Choice)

4. Which statement about MTU and PMTU is correct? (Multiple Choice)

5. In NGFW, to use the RBL blacklist, which of the following key options need to be configured by the network administrator? (Multiple Choice)

6. Regarding the relationship between 802.1X and RADIUS, which of the following descriptions is correct?

7. Which of the following aspects are included in the host reinforcement? (Multiple Choice)

8. What functions does content filtering include in the Huawei USG firewall? (Multiple Choice)

9. The intranet IP address of a Web Server deployed in the DMZ area of an enterprise is 10.1.1.3, the port is 8080, the public network address announced to the outside world is 1.1.1.2, and the external port number is 80.

Configure the following commands on the firewall:

[USG6600] security-policy

[USG6600-policy-security] rule name untrust_to_mz

[USG6600-policy-security-rule-untrust_to_mz] source-zone untrust

[USG6600-policy-security-rule-untrust_to_mz] destination-zone dmz

[USG6600-policy-security-rule-untrust_to_mz] destination-address 1.1.1.2 32

[USG6600-policy-security-rule-untrust_to_mz] service http

[USG6600-policy-security-rule-untrust_to_mz] action permit

[USG6600] nat server webserver protocol tcp global 1.1.1.2 www inside 10.1.1.3 8080

The external network PC cannot access the Web Server at 10.1.1.3 within the enterprise. Please analyze the most likely reasons for this:

10. The whitelist + blacklist mode is adopted in terminal security management. Which of the following are normal behaviors?

11. There are hundreds of people in a medium-sized enterprise network accessing the Internet through the company's firewall, and the company has deployed a corporate portal website in the firewall DMZ. Which of the following criteria should be followed as an IT security officer for purchasing and deploying Internet access auditing products?

12. The centralized networking scheme of three servers, as shown in the figure, the administrator found that only one of the three Agile Controllers in the resource pool was alive.

In this case, which of the following descriptions is correct? (Multiple Choice)

13. For border network security, which of the following options are recommended for planning and deployment priorities? (Multiple Choice)

14. Regarding the description of NAT Server, which of the following is correct?

15. Regarding the way SAC equipment accesses the network, which of the following descriptions are correct? (Multiple Choice)

16. The USG firewall is directly connected to other devices at Layer 3. During commissioning, it was found that the peer IP address directly connected from the firewall could not be pinged. It was confirmed that there was no problem with the peer device. What are the possible reasons? (Multiple Choice)

17. What is the online certificate application method supported by firewall PKI?

18. Which of the following description about SACG certification is correct? (Multiple Choice)

19. When the firewall uses the IPsec function, which protocols and ports need to be opened? (Multiple Choice)

20. The firewall is deployed between the mobile terminal of the wireless user and the WAP gateway, the mobile terminal is in the trust zone, and the WAP gateway is in the untrust zone, and the following configurations are made:

[USG] acl 3000

[USG-acl-adv-3000] rule permit ip destination 202.10.10.2 0

[USG-acl-adv-3000] quit

[USG] firewall zone trust

[USG-zone-trust] destination-nat 3000 address 200.10.10.2

[USG-zone-trust] quit

Which of the following descriptions are correct?

21. The networking of a certain network is as follows: PC----ADSL router-----USG-----LAN

The key configurations of the USG are as follows:

l2tp enable

interface Virtual-Template1

ppp authentication-mode pap

ip address 4.1.1.1 255.255.255.0

remote address pool 1

l2tp-group 1

mandatory-lcp

allow l2tp virtual-template 1

#

user-manage user pc1

password admin@123

aaa

domain default

ip pool 1 4.1.1.1 4.1.1.99

Assuming that other configurations are complete and correct, what is the problem with this configuration in actual work?

22. Which of the following attack methods are network layer attacks? (Multiple Choice)

23. In a dual-system hot backup network with the following configuration, PC2 sends an ARP request for the MAC address of IP 10.100.30.8. Which of the following options is correct?

sysname NGFW_A

#

hrp enable

hrp interface GigabitEthernet 0/0/3

#

interface GigabitEthernet0/0/1

ip address 192.168.10.2 255.255.255.0

vrrp vrid 1 virtual-ip 192.168.10.1 active

#

interface GigabitEthernet0/0/2

ip address 10.100.30.2 255.255.255.0

vrrp vrid 2 virtual-ip 10.100.30.1 active

#

nat address-group 1

section 0 10.100.30.8 10.100.30.9

#

nat-policy

rule name trust to untrust

source-zone trust

destination-zone untrust

source-address 192.168.10.0 24

action nat address-group 1

24. If the content of the visited web page contains filtered content, what will be the result?

25. The Trust zone of the USG firewall of a certain network is connected to the terminal host, and the Untrust zone is connected to the security controller. If the security controller can issue rules to the USG, which of the following security policies must be configured?

26. When the network traffic is heavy, if you do not want the downstream network to be congested or to directly discard many packets due to the excessive data traffic sent upstream, you can limit and cache the traffic on the outbound interface of the upstream device, so that such packets are sent out at a relatively uniform speed.

This technique can be:

27. VGMP unified management of VRRP backup group status, VGMP management group Active priority is 65001, Standby priority is 65000. When the VGMP management group detects that the interface is Down through the VRRP backup group or directly, the priority of the VGMP management group is recalculated. When each interface is Down, the priority of the VGMP management group decreases by 2.

28. Static routes are configured between NGFW_A and NGFW_B, and between NGFW_A and NGFW_C. NGFW_A -> NGFW_B is the primary link, and NGFW_A -> NGFW_C is the backup link. It is required that the traffic can be quickly switched to the backup link when the primary link fails, and switched back to the primary link after the primary link is restored.

Which of the following configuration is correct? (Multiple Choice)


A. [USG_A] bfd

[USG_A] bfd ab bind peer-ip 10.1.1.2

[USG_A-bfd-session-ab] discriminator local 10

[USG_A-bfd-session-ab] discriminator remote 20

[USG_A-bfd-session-ab] commit

[USG_A] ip route-static 0.0.0.0 0 10.1.1.2 track bfd-session ab

[USG_A] ip route-static 0.0.0.0 0 20.1.1.2 preference 100

B. [USG_A] bfd

[USG_A] bfd ab bind peer-ip 10.1.1.2

[USG_A-bfd-session-ab] discriminator local 10

[USG_A-bfd-session-ab] discriminator remote 20

[USG_A-bfd-session-ab] commit

[USG_A] ip route-static 0.0.0.0 0 10.1.1.2

[USG_A] ip route-static 0.0.0.0 0 20.1.1.2 preference 100 track bfd-session ab

C. [USG_B] bfd

[USG_B] bfd ab bind peer-ip 10.1.1.1

[USG_B-bfd-session-ab] discriminator local 20

[USG_B-bfd-session-ab] discriminator remote 10

[USG_B-bfd-session-ab] commit

D. [USG_B] bfd

[USG_B] bfd ab bind peer-ip 10.1.1.1

[USG_B-bfd-session-ab] discriminator local 10

[USG_B-bfd-session-ab] discriminator remote 20

[USG_B-bfd-session-ab] commit

29. 168.22.122:22 <-- 192.168.22.151:4354

30. What are the possible reasons why the local license cannot be activated? (Multiple Choice)

31. 168.1.2:44012[1.1.1.3:6103] --> 2.2.2.2:2048

Which of the following descriptions are correct? (Multiple Choice)

32. What are the URL matching methods in the URL filtering function in USG? (Multiple Choice)

33. Which of the following functional modules can be used in conjunction with the IP-Link function? (Multiple Choice)

34. As shown in the figure, which illustrates the negotiation process of IPsec, which of the following descriptions are correct? (Multiple Choice)

35. In a new campus network of an enterprise, under an access switch, ordinary PC users and dumb terminal users need to connect to the Internet at the same time.

Which authentication method is recommended to be deployed on this switch?

36. Which of the following is a correct description of the stateful inspection firewall forwarding principle? (Multiple Choice)

37. Using the SSL function of the USG gateway, the administrator can quickly and securely access all resources in the enterprise intranet, not only Web resources, but also ensure that the communication between the client and the virtual gateway adopts the SSL security protocol, and must ensure that the SSL client does not affect access to other network resources and can directly access Internet resources _______________.

38. In the abnormal flow cleaning scheme, automatic drainage means that the detection equipment reports abnormal flow to the management center, and the management center automatically generates drainage tasks and automatically sends drainage tasks to the cleaning equipment.

Which specific drainage technology is generally required to achieve automatic drainage?

39. If you use a mobile terminal (Android or Apple system) to access intranet resources through a web proxy, which of the following methods should be recommended?

40. 168.100.28:1036 [58.251.159.112:2048] --> 111.206.79.100:80

Which of the following descriptions is incorrect?

41. Which of the following applications cannot be secured using packet filtering alone? (Multiple Choice)

42. A network needs to replace the dual-system hot-standby USG_A and USG_B due to the network upgrade of the new hardware USG. On the premise of not affecting the business, how to upgrade:

USG_A is the Active device, and USG_B is the Standby device.

Which of the following are the correct cutover steps?

① Connect the 5th line to the new USG_B in sequence.

② Connect lines 1, 2, and 3 from the old USG_A to the new USG_A in turn.

③ Power on the new USG_B and the new USG_A, and import the configuration.

④ Enter undo hrp enable in USG_B, and cut off lines 4, 5, and 3 in turn.

⑤ Adjust the routing cost so that all traffic passes through USG_B.

⑥ Enter hrp enable for the new USG_A and new USG_B, and adjust the routing cost to meet the expectations.

43. An enterprise has the following requirements:

The intranet users in the Trust zone are on the 192.168.1.0/24 network segment and can access the Internet. There are a total of 50 hosts (192.168.1.1-192.168.1.50) with a total curtain size of 500M.

Which of the following plans are reasonable?

44. Do the following configuration on the firewall:

[USG-policy-security] rule name Trust Local

[USG-policy-security-rule-Untrust Local] source-zone trust

[USG-policy-security-rule-Untrust Local] destination-zone local

[USG-policy-security-rule-Untrust Local] source-address 192.168.5.2 32

[USG-policy-security-rule-Untrust Local] destination-address 192.168.5.1 32

[USG-policy-security-rule-Untrust Local] service http

[USG-policy-security-rule-Untrust Local] service telnet

[USG-policy-security-rule-Untrust Local] action permit

Please select the correct description below: (Multiple Choice)

45. The IPsecVPN tunnel is successfully established, but the speed of accessing the peer's private network web page is slow or the access is intermittent. The influence of the Internet network quality has been eliminated. The following possible faults are: (Multiple Choice)

46. When using the SSL VPN network extension function, the virtual IP address pool can be set to the same network segment as the IP address of the internal network interface of the device.

If the virtual IP address pool and the IP address of the internal network interface are not on the same network segment, manually configure the route to the address pool on the device. The outbound interface is the internal network interface, and the next hop is the next hop of the internal network interface.

47. When a corporate intranet user accesses the Internet through the USG firewall, a certain URL has been added to the blacklist, but the user can still access it. What are the possible reasons for the failure of the URL filtering function? (Multiple Choice)

48. Which of the following options can be used as a condition for Portal push? (Multiple Choice)

49. Mobile employees access the headquarters through the L2TP over IPsec tunnel. The correct statement about the planning and deployment is: (Multiple Choice)

50. Which of the following statements about dual-system hot standby is correct? (Multiple Choice)


 
