Huawei - H12-721 - 1 File Download

H12-721 Huawei HCNP-Security-CISN (Huawei Certified Network Professional - Constructing Infrastructure of Security Network) http://killexams.com/exam-detail/H12-721


QUESTION: 89 Shown below is an IPSec standby scenario, with main link A and backup link B. Assume that on link B the next-hop IP addresses are 10.10.1.2 and 10.10.1.3, and that we want to use IP-Link to ensure that the primary and redundant backup links are configured.

Which of the following is the correct static route configuration from the headquarters to the branch office?

A. [USG] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2
   [USG] ip route-static 0.0.0.0 0.0.0.0 10.10.1.3
B. [USG] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2 ip-link 1
   [USG] ip route-static 0.0.0.0 0.0.0.0 10.10.1.3 ip-link 2
C. [USG] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2 track ip-link 1
   [USG] ip route-static 0.0.0.0 0.0.0.0 10.10.1.3 preference 70 track ip-link 2
D. [USG] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2 preference 70 track ip-link 1
   [USG] ip route-static 0.0.0.0 0.0.0.0 10.10.1.3 track ip-link 2

Answer: C

QUESTION: 90 An enterprise branch firewall is configured for NAT. As shown in the figure, USG_B is the NAT gateway. In order to establish an IPSec VPN to USG_B, what do you need to configure on USG_B? (Choose two answers)

A. Configure a NAT policy, citing the rule to allow the network segment's source and destination IP addresses for the ACL.
B. Configure the IKE peer, use name authentication, and set remote-address to the interface address on USG_A.
C. Configure a NAT policy, where there is first a deny rule for the IPsec-protected data flow from within the enterprise network to the headquarters network, and then a permit rule for the data flow from the enterprise network to the Internet.
D. Configure an IPSec policy template, citing the IKE peer.

Answer: B, C

QUESTION: 91 In the enterprise network shown below, Server A and Server B cannot access Web services. Troubleshooting has found that there is firewall routing module and that there is a problem with the routing table in USG_A. An enterprise network follows, then Server A Server B can not access Web services, administrators troubleshoot and found no firewall routing module A problem has been to establish the appropriate routing table, but Firewall A firewall module is provided with wrong.

What troubleshooting method should be used?

A. stratification
B. Break Law
C. substitution method
D. Block Method

Answer: D

QUESTION: 92 An SSL VPN user authenticates, has enabled network expansion on the PC, and has been assigned an IP address. However, the user cannot access resources on the internal network server. Which of the following are possible reasons for this? (Choose three)

A. Configuration error in the "Routing Client mode" configuration.
B. User access is limited.
C. The network server is unreachable.
D. The PC's physical interface and assigned VPN addresses overlap.

Answer: A, B, C

QUESTION: 93 SSL VPN authentication is successful, and with the use of the file-sharing feature, you can view the directories and files, but you cannot upload, delete, or rename files. What are possible reasons? (Choose two answers)

A. If the file server type is NFS, the user's UID and GID attributes do not allow the user to upload, delete, or rename files.
B. If the file server type is SMB, the user currently logged on to the file share resource has only read permission and no write access.
C. The SSL firewall configuration file sharing feature allows only viewing.
D. Some TCP connections between the gateway and the virtual file server are blocked by the firewall.

Answer: A, B


QUESTION: 94 A simple network is connected PC1-USG-Router-PC2. If PC1 sends packets to PC2, and the USG processes fragmented packets, which modes can be used to do this? (Choose three answers)

A. fragment cache
B. slice discarded
C. fragmentation direct forwarding
D. slicing defense

Answer: A, B, C

QUESTION: 95 In IP-link, how many successive packets must not be received for it to be considered a failure, by default?

A. 1 time
B. 2 times
C. 3 times
D. 5 times

Answer: C

QUESTION: 96 With Blacklist, which part of the packet is examined to determine whether there is an attack?

A. The source address
B. The destination address
C. The source port
D. The destination port

Answer: A

QUESTION: 97 Which statements about IP-link features are correct? (Choose three answers)

A. IP-link is a link connectivity detection function.
B. ARP detection methods only support direct link.
C. Firewalls will send ICMP or ARP packets to determine if the destination address is reachable to the destination address of a probe.
D. With IP-link and associated VGMP, when the IP-Link status becomes down, VGMP lowers the default priority management group by 3.

Answer: A, B, C

QUESTION: 98 Refer to the following load balancing configuration:

[USG] slb enable
[USG] slb
[USG-slb] rserver 1 rip 10.1.1.3 weight 32
[USG-slb] rserver 2 rip 14.1.1.4 weight 16
[USG-slb] rserver 3 rip 10.1.1.5 weight 32
[USG-slb] group test
[USG-slb-group-test] metric srchash
[USG-slb-group-test] add rserver 1
[USG-slb-group-test] add rserver 2
[USG-slb-group-test] add rserver 3

Which of the following statements is correct? (Choose two answers)

A. The load balancing algorithm is the polling algorithm.
B. The configuration is a complete load balancing configuration.
C. Values of weight determine which data stream path should be used, the smaller weight values should correspond to the real server that has less processing capacity.
D. Weight is the weight of a real weight.

Answer: C, D

QUESTION: 99 Which of the following statements about the BFD detection mechanism are correct? (Choose two answers)

A. BFD control packets are encapsulated in TCP packets.
B. BFD provides two detection modes: asynchronous and synchronous mode.
C. After the establishment of a BFD session, both systems periodically send BFD control packets.
D. At the beginning of the session, the two systems negotiate through parameters carried in the control packets.

Answer: C, D

QUESTION: 100 An attacker sends a large number of SIP INVITE messages to the server, leading to a denial of service attack on the SIP server. This attack occurs on which layer of the seven layer OSI model?

A. Application Layer
B. Network Layer
C. Transport Layer
D. Data Link Layer

Answer: A


Huawei H12-721 HCNP-Security-CISN (Huawei Certified Network Professional - Constructing Infrastructure of Security Network)

Version: 4.0

QUESTION NO: 1 The main method of defending caching servers against DNS Request Flood is the use of DNS source authentication.

A. TRUE
B. FALSE

Answer: A


QUESTION NO: 2 Refer to the following diagram in regards to Bypass mode.

Which of the following statements are correct? (Choose two answers)

A. When the interface is operating in a non-Bypass state, traffic from Router_A flows into the USG through interface GE0 and, after processing by the USG, flows out of interface GE1 to Router_B.
B. When the interface works in Bypass state, traffic from Router_A flows into the USG through interface GE0 and, without any processing by the USG, flows directly out of interface GE1 to Router_B.
C. When the firewall is required to enforce security policies, it can still operate without interruption with the interface in Bypass state. Therefore, the device can be kept working in the Bypass state.
D. A power Bypass interface can work in bridge mode, and can work with the bypass circuit.

Answer: A,B


Huawei H12-721 Exam

"Pass Any Exam. Any Time." - www.actualtests.com 2

QUESTION NO: 3 With the Huawei abnormal flow cleaning solution deployed in a bypass scenario, which drainage schemes can be used? (Choose three answers)

A. Dynamic routing drainage
B. Static routing strategy drainage
C. Static routing drainage
D. MPLS VPN cited

Answer: A,B,C


QUESTION NO: 4 Regarding IKE main mode and aggressive mode, which of the following statements is correct?

A. In aggressive mode, all packets in the first phase of negotiation are encrypted
B. In main mode, all packets in the first phase of negotiation are encrypted
C. The DH algorithm is used in aggressive mode
D. Whether the negotiation is successful or not, IKE will enter into fast mode

Answer: C


QUESTION NO: 5 A network is shown below.


A dial-up user cannot establish an L2TP VPN connection between the VPN client PC and the USG (LNS). What are valid reasons for this failure? (Choose three answers)

A. The LNS tunnel name is inconsistent with the client name.
B. L2TP tunnel authentication failed.
C. PPP authentication fails; the PPP authentication modes set on the client PC and the LNS are inconsistent.
D. The client PC cannot obtain an IP address assigned to it from the LNS.

Answer: B,C,D


QUESTION NO: 6 From the branch offices, servers are accessed from the Headquarters via IPsec VPN. An IPsec tunnel can be established at this time, but communication to the servers fails. What are the possible reasons? (Choose three answers)

A. Packet fragmentation; the fragmented packets are discarded on the link.
B. Presence of dual-link load balancing, where the path back and forth may be inconsistent.
C. Route flapping.
D. The DPD detection parameters on the two ends are inconsistent.

Answer: A,B,C


QUESTION NO: 7 A user has been successfully authenticated using an SSL VPN. However, the user cannot access the Web-link resources through the Web server.

Using the information provided, which of the following is correct?

A. Network server does not have the Web services enabled.
B. Virtual Gateway policy configuration error
C. Virtual connection between the gateway and the network server is not normal
D. Virtual gateway and network server is unreachable

Answer: A


QUESTION NO: 8 According to the network diagram regarding hot standby, which of the following are correct? (Choose three answers)

A. The VRRP backup group itself has preemption. As shown, when USG_A fails and is restored, USG_A uses preemption again to regain master status.
B. With VGMP management group preemption and VRRP backup groups, when the management group fails and recovers, the priority of the management group will also be restored.
C. By default, the preemption delay is 0.
D. If a VRRP group is added to the VGMP management group, preemption will fail. The VGMP unified management group decides this behavior.

Answer: A,B,D


QUESTION NO: 9 Which of the following are correct regarding TCP and TCP proxy on the reverse source detection? (Choose three answers)

A. TCP and TCP proxy detection can prevent reverse source SYN Flood.
B. TCP proxy acts as a proxy device. TP is connected between both ends; when one end initiates a connection with the device, it must complete the TCP three-way handshake.
C. With TCP proxy mode attack prevention, the detection mechanism must be turned on.
D. TP reverse source probes to detect the source IP packets by sending a Reset.

Answer: A,B,C


QUESTION NO: 10 IPsec tunneling is used as a backup connection as shown below:

Which of the following statements are true about the tunnel interface? (Choose two answers)

A. IPsec security policy should be applied to the tunnel interface
B. Protocol for the Tunnel Interface must be GRE.
C. Tunnel interface needs to be configured on the IP address and the IP address of the gateway. The external network IP address of the outgoing interface must be in the same network segment.
D. Tunnel interfaces can be added to any security zone, provided they have the appropriate inter-domain security policies.

Answer: A,D


QUESTION NO: 11 Which contents does the DHCP Snooping function need to maintain in its binding table? (Choose three answers)

A. MAC
B. Vlan
C. Interface IP
D. DHCP Server's

Answer: A,B,C


QUESTION NO: 12 Through the configuration of the Bypass interface, you can avoid network communication interruption caused by equipment failure and improve reliability. The power Bypass function can use any network interfaces to configure the Bypass GE parameters to achieve the Bypass function.

A. TRUE
B. FALSE

Answer: B


QUESTION NO: 13 Which of the following statements about IPsec and IKE are correct? (Choose three answers)

A. With IPsec there are two ways to establish the security association: manual mode (manual) and IKE auto-negotiation (Isakmp) mode.
B. IKE aggressive mode can be selected based on negotiations initiated by the tunnel endpoint IP address or ID, to find the corresponding authentication word and finalize negotiations.
C. The NAT traversal function is used to delete the IKE negotiation verification process for UDP port numbers, while achieving a VPN tunnel to discover the NAT gateway function. If a NAT gateway device is used, then subsequent IPsec data transfer uses UDP encapsulation.
D. IKE security mechanisms include DH (Diffie-Hellman) key exchange and distribution, perfect forward secrecy (PFS), encryption, and SHA1 algorithms.

Answer: A,B,C


QUESTION NO: 14 In the attack shown below, a victim host packet captures the traffic. According to the information shown, what kind of attack is this?

A. SYN Flood
B. SYN-ACK Flood
C. ACK-Flood
D. Connection Flood

Answer: C


QUESTION NO: 15 In IPsec VPN with NAT traversal, you must use IKE aggressive mode.

A. TRUE
B. FALSE

Answer: B


QUESTION NO: 16 A man-in-the-middle attack refers to an intermediary that sees the data exchange between server and client. To the server, all messages appear to be sent to or received from the client; and to the client, all the packets appear to have been sent to or received from the server. If a hacker is using the man-in-the-middle attack, the hacker will send at least two data packets as shown to achieve this attack.

Which of the following descriptions of the fields of packet 1 and packet 2 are correct? (Choose two answers)

A. Packet 1: Source IP 1.1.1.1, Source MAC C-C-C, Destination IP 1.1.1.2, Destination MAC B-B-B
B. Packet 1: Source IP 1.1.1.3, Source MAC C-C-C, Destination IP 1.1.1.2, Destination MAC B-B-B
C. Packet 2: Source IP 1.1.1.2, Source MAC C-C-C, Destination IP 1.1.1.1, Destination MAC A-A-A
D. Packet 2: Source IP 1.1.1.3, Source MAC C-C-C, Destination IP 1.1.1.1, Destination MAC A-A-A

Answer: A,C


QUESTION NO: 17 In an Eth-Trunk interface, you can achieve load balancing by configuring different weights on each member link.

A. TRUE
B. FALSE

Answer: A


QUESTION NO: 18 An SSL VPN login authentication is unsuccessful, and the prompt says "wrong user name or password." What is wrong?

A. The username and password were entered incorrectly.
B. There is a user or group filter field configuration error.
C. There is a certificate filter field configuration error.
D. The administrator needs to configure the source IP address of the terminal restriction policy.

Answer: D


QUESTION NO: 19 SSL works at the application layer and is encrypted for specific applications, while IPsec operates at which layer and provides transparent encryption protection for this level and above?

A. The data link layer
B. Network Layer
C. Transport Layer
D. Presentation Layer

Answer: B


QUESTION NO: 20 The IP-MAC address binding configuration is as follows:

[USG] firewall mac-binding 202.169.168.1 00e0-fc00-0100

When data packets travel through the Huawei firewall device, and other strategies such as packet filtering and attack prevention are not considered, which of the following packets can pass through the firewall device? (Choose two answers)

A. Packet source IP: 202.169.168.1, packet source MAC: FFFF-FFFF-FFFF
B. Packet source IP: 202.169.168.2, packet source MAC: 00e0-fc00-0100
C. Packet source IP: 202.1.1.1, packet source MAC: 00e0-fc11-1111
D. Packet source IP: 202.169.168.1, packet source MAC: 00e0-fc00-0100

Answer: C,D


QUESTION NO: 21 Dual hot standby load balancing service requires three interfaces, one for the line connecting the router, and two USG facilities mutual backup, configuration commands are “hrp track master” and “hrp track slave”.

A. TRUE
B. FALSE

Answer: A


QUESTION NO: 22 IP-link probe packets will be sent to the specified IP address by default when the probe fails three times, enabling this interface if the main link fails.

A. TRUE
B. FALSE

Answer: A


QUESTION NO: 23 Two endpoints cannot build a successful IPsec VPN session. Which of the following firewall configuration errors could be the problem? (Choose three answers)

A. A device does not have a route to the peer within the network.
B. A gateway configuration on both ends with the referenced ACL security policy
C. The gateway configuration on both ends of the IPsec proposal is inconsistent.
D. Both ends are not configured for DPD.

Answer: A,B,C


QUESTION NO: 24 The testing center is responsible for flow testing, and the test results are sent to the management center.

A. TRUE
B. FALSE

Answer: A


QUESTION NO: 25 Which of the following is a scanning and snooping attack?

A. SIP Flood attacks
B. HTTP Flood Attack
C. IP address scanning attack
D. ICMP redirect packet attack

Answer: C


QUESTION NO: 26 Which of the following VPN protocols do not provide encryption? (Choose three answers)

A. ESP
B. AH
C. L2TP
D. GRE

Answer: B,C,D


QUESTION NO: 27 When a Huawei Secure VPN client connection initializes using L2TP, the L2TP packet uses a source port of 1710, and a destination port of 1710.

A. TRUE
B. FALSE

Answer: A


QUESTION NO: 28 A user logs into the Virtual Gateway Web Page but receives a "can not display the webpage" message. What are possible causes for this? (Choose two answers)

A. Virtual Gateway Router unreachable from user PC.
B. Virtual Gateway IP address has been changed.
C. Using a Shared Web Gateway
D. Client browser set up a proxy server.

Answer: A,B


QUESTION NO: 29 See the following firewall information:

Based on the output, which of the following answers are correct? (Choose three answers)

A. The first packet of this data stream enters from an interface in the Trust zone and is sent out from an interface in the Untrust zone
B. This data stream has been NATed
C. NAPT conversion technology is being used
D. The virtual firewall feature is enabled on the firewall

Answer: A,B,C


QUESTION NO: 30 In the Huawei abnormal flow cleaning solution deployed in a bypass scenario, which of the following re-injection schemes can be used? (Choose three answers)

A. routing strategy
B. MPLS VPN tunnel mode
C. routing
D. Layer 2 VPN mode


Answer: A,B,C


QUESTION NO: 31 When an attack occurs, the attacked host (1.1.129.32) was able to capture many packets as shown. Based on the information shown, what kind of attack is this?

A. Smurf attack
B. Land Attack
C. WinNuke
D. Ping of Death attack

Answer: B


QUESTION NO: 32 Refer to the following NIP firewall intrusion detection actions:

1. Records the invasion process, alarm logging
2. NIP attack detection
3. Reconfigure the firewall
4. Terminate the invasion

Which of the following is the correct sequence of events?

A. 1 -> 2 -> 3 -> 4
B. 2 -> 1 -> 3 -> 4
C. 3 -> 1 -> 2 -> 4
D. 1 -> 2 -> 4 -> 3

Answer: B


QUESTION NO: 33 An administrator views the status information and IPsec Debug information as follows:

What is the most likely reason for failure?

A. The local IKE policy and the peer IKE policy do not match
B. The local IKE remote name and the peer IKE name do not match
C. The local IPsec proposal and the peer IPsec proposal do not match
D. The local security ACL does not match the peer security ACL


Answer: D


QUESTION NO: 34 PCA has an IP address of 192.168.3.1 in the Trust area. In the Untrust zone users cannot access the Internet server.

Based on the configuration of the Trust and Untrust fields above, what is the most likely cause of the failure?

A. The security policy is misconfigured; the direction should be Outbound.
B. Since the first rule of the firewall is the default packet-filter deny, the configuration is not implemented.
C. The policy source of 192.168.3.0 0.0.0.255 is incorrect; you need to modify the policy source to 192.168.3.0 0.0.255.255.
D. The policy destination any is incorrect; you must define a clear destination IP address.

Answer: A


QUESTION NO: 35 Which of the following is a drawback of an L2TP VPN?

A. It cannot be routed in two layers
B. You must use L2TP Over IPsec
C. No authentication
D. No encryption

Answer: D


QUESTION NO: 36 Regarding the Radius authentication process, refer to the following steps:

1. The network device acting as Radius client (network access server) receives the user name and password, and sends an authentication request to the Radius server.
2. When a user logs into the USG access servers and other network devices, the user name and password will be sent to the network access server.
3. After the Radius server receives a valid request, it completes the request and sends the required user authorization information back to the client.

Which of the following is a correct sequence?

A. 1-2-3
B. 2-1-3
C. 3-2-1
D. 2-3-1

Answer: B


QUESTION NO: 37 With IP-link, ICMP packets or ARP request packets are sent continuously to the specified destination address, and the device checks whether it receives ICMP echo reply packets or ARP reply packets from the destination IP.

A. TRUE
B. FALSE

Answer: A


QUESTION NO: 38 With the Huawei abnormal flow cleaning solution, deployed at the scene of a bypass, dynamic routing drainage occurs without human intervention. When an abnormality is detected, the management center will generate a draining task automatically, and the task is done directly after the drainage cleaning equipment is issued if testing equipment.

A. TRUE
B. FALSE

Answer: A


QUESTION NO: 39 Which of the following statements is wrong regarding IPsec?

A. Under Transfer Mode, ESP does not validate the IP header
B. AH can not verify that the data uses encrypted packets
C. ESP can support NAT traversal
D. The AH protocol uses the 3DES algorithm for data validation

Answer: D


QUESTION NO: 40 Malformed packet attack techniques would use some legitimate packet data for network reconnaissance or testing. These packets are legitimate for the application type, while normal network packets are rarely used.

A. TRUE
B. FALSE

Answer: B


QUESTION NO: 41 Which of the following statements are correct about the blacklist? (Choose three answers)

A. When you log into a device and incorrectly enter the username/password three times, the IP address of the administrator will be added to the blacklist via Web or Telnet.
B. Blacklist is divided into static and dynamic.
C. When the device is perceived to have behavioral characteristics of packets to a user's attempt to attack a specific IP address, it will use a dynamic IP address blacklist technology.
D. When the packet reaches the firewall, the first thing to check for is packet filtering, and then it will match the blacklist.

Answer: A,B,C


QUESTION NO: 42 In a stateful standby failover switchover, what will the firewall do? (Choose two answers)

A. Send a gratuitous ARP
B. Send proxy ARP
C. The VRRP backup group virtual address will be unavailable
D. The switchover automatically updates the relevant MAC table

Answer: A,D


QUESTION NO: 43 In L2TP over IPsec scenarios, the USG device will first encrypt the original data packet using IPsec, and then encapsulate the data packet using L2TP.

A. TRUE
B. FALSE

Answer: B


QUESTION NO: 44 The Huawei abnormal flow cleaning solution must be deployed in an independent testing center.

A. TRUE
B. FALSE

Answer: B


QUESTION NO: 45 Regarding IKE DPD, which statement is incorrect?

A. IKE is used to detect the state of a neighbor
B. DPD regularly sends messages between IKE peers.
C. When DPD messages are not received within the specified time, DPD sends a request to the remote side and waits for response packets.
D. DPD sends encrypted queries only when the timer expires.

Answer: B


QUESTION NO: 46 Refer to the hot standby and IP-link linkage networking environment shown below:

Which configuration command is the key to linking hot standby with IP-link?

A. hrp mirror ip-link 1
B. hrp track ip-link 1 master
C. hrp track ip-link 1 slave
D. ip-link check enable

Answer: B


QUESTION NO: 47 Virtual firewall technology does not include which of the following characteristics?

A. Provides routing multi-instance, security multi-instance, configuration multi-instance, NAT multi-instance, and VPN multi-instance, with application flexibility to meet a variety of networking needs.
B. Each virtual firewall can support four separate security zones (TRUST, UNTRUST, DMZ, etc.), with flexible interface partitioning and allocation.
C. It guarantees that every virtual system and a separate firewall instance, and can safely implement access between each virtual system.
D. Each virtual system provides independent administrator privileges.

Answer: C


QUESTION NO: 48 Which statement is correct regarding load checks and fingerprint learning with UDP Flood defenses?

A. UDP packet data segments are exactly the same content that can be used to check the load defense.
B. Fingerprint learning is dynamically generated by cleaning equipment, the attack packets after learning some salient features of the fingerprint, fingerprint matching packets will be dropped.
C. Load inspection checks all UDP packets of data.
D. Load checks need to set the offset number of bytes; fingerprint learning does not need to set the offset number of bytes.

Answer: D


QUESTION NO: 49 When there are a lot of BFD sessions in a system, in order to prevent periodic BFD control packets from affecting the normal operation of the system, you can use what mode of BFD?

A. Synchronous Mode
B. Detection Mode
C. Asynchronous Mode
D. Query Mode

Answer: D


QUESTION NO: 50 Three FTP servers are configured with load balancing on a USG firewall. The addresses and weights of the three real servers are 10.1.1.3/24 (weight 16), 10.1.1.4/24 (weight 32), and 10.1.1.5/24 (weight 16), while the virtual server address is 202.152.26.123/24. A host with the IP address 202.152.26.3/24 initiates access to the FTP server. When the display firewall session table command is run on the firewall to check the configuration, which of the following situations illustrates the successful implementation of load balancing?

A. <USG> display firewall session table
   Current total sessions: 1
   ftp VPN: public -> public 202.152.26.3:3327 -> 10.1.1.4:21
B. <USG> display firewall session table
   Current total sessions: 3
   ftp VPN: public -> public 202.152.26.3:3327 -> 202.152.26.123:21 [10.1.1.3:21]
   ftp VPN: public -> public 202.152.26.3:3327 -> 202.152.26.123:21 [10.1.1.4:21]
   ftp VPN: public -> public 202.152.26.3:3327 -> 202.152.26.123:21 [10.1.1.5:21]
C. <USG> display firewall session table
   Current total sessions: 1
   ftp VPN: public -> public 202.152.26.3:3327 -> 202.152.26.123:21
D. <USG> display firewall session table
   Current total sessions: 3
   ftp VPN: public -> public 202.152.26.3:3327 -> 10.1.1.3:21
   ftp VPN: public -> public 202.152.26.3:3327 -> 10.1.1.4:21
   ftp VPN: public -> public 202.152.26.3:3327 -> 10.1.1.5:21


Answer: B


QUESTION NO: 51 Which of the following attacks is a SYN Flood attack?

A. An attacker sends a large number of SYN packets, resulting in a large number of not fully established TCP connections, occupying resources.
B. It refers to the attacker establishing a normal full TCP connection with the attacked object, but sending no follow-up messages.
C. It refers to the attacker sending a large number of ICMP packets (such as Ping) consuming link bandwidth.
D. It refers to the attacker sending a large number of UDP packets to the server consuming link bandwidth.

Answer: A


QUESTION NO: 52 In a Link-group with three physical interfaces, when any one of the interfaces fails, which of the following descriptions of what happens are correct? (Choose two answers)

A. With any interface failure within the group, the system will set the other interface state to Down.
B. When any interface in the group fails, the status of the other interfaces within the group does not change.
C. When the group returns to normal with one of the interfaces up, the interface status within the entire group will be re-set to Up.
D. When the group returns to normal after all the interfaces are up, the interface status within the entire group is re-set to Up.

Answer: A,D


QUESTION NO: 53 Load balancing to ensure that the same user traffic will access the IP address assigned to different servers uses what technology? (Choose three answers)

A. Virtual Services Technology
B. Server Health Check
C. Hot Standby Technology
D. Flow-based forwarding

Answer: A,B,D


QUESTION NO: 54 The USG firewall supports which of the following load balancing algorithms? (Choose three answers)

A. The source address hashing algorithm (srchash)
B. Polling simple algorithm (roundrobin)
C. Weighted Round Robin algorithm (weightrr)
D. ratio (Ratio)

Answer: A,B,C


QUESTION NO: 55 With the Huawei Anti-DDoS equipment first packet discard technology, the defense is constantly changing the source IP address or source port number of attack packets. Regarding the first packet discard technology, which of the following is not correct?

A. The UDP protocol does not have a retransmission mechanism, so you cannot use the first packet discard technique.
B. First packet discarding, used in conjunction with source authentication, prevents false source attacks.
C. Packets are matched based on triples (source IP address, source port, and protocol), and the packet time interval is used to determine the first packet.
D. The packet transmission interval is less than the lower limit of the first packet detection rate, or the rate is higher than the upper limit of the first packet inspection packets believed to be the first packet.

Answer: A

Explanation:

QUESTION NO: 56 Virtual firewalls to forward multiple instances refers to the presence of more than one firewall routing table, supports forwarding address overlapping, are implemented in the same configuration interface, and the user can configure permissions and view all data. A. TRUE B. FALSE

Answer: A

Explanation:

QUESTION NO: 57 Shown below is a packet capture from the IKE V1 first stage main mode exchange in pre-shared key mode. Based on the information shown, the capture is of which packet?

A. IKE first or second Message B. IKE third or fourth Message C. IKE fifth or sixth Message D. IKE seventh or eighth Message

Answer: A

Explanation:

QUESTION NO: 58 HWTACACS encrypts only part of the password, but with RADIUS the entire packet is encrypted. A. TRUE B. FALSE

Answer: B

Explanation:

QUESTION NO: 59 With the abnormal flow cleaning solutions, in order to ensure that the introduction of the attack traffic priority cleaning center can be cleaned as shown in the figure, the following configuration was made using the management center: Select "Configuration" > Anti-DDoS > "drainage management" to create drainage tasks, configure the IP address of the protected 10.1.3.10, subnet mask of 255.255.255.255. After completion of the above steps to configure the cleaning center, what route will be generated?

A. The purpose of the address is 32 static host routes are the attacker’s B. The destination address is a 32 bit iEGP host route is the attacker's C. The destination address is 32 bit eBGP host route is the attacker's D. The source address of the attacker's 32 static host routes

Answer: A

Explanation:

QUESTION NO: 60 In an enterprise network, USG A and USG B have established an IPsec VPN. The administrator needs to simulate traffic from server A to server B to test the connection. What ping command should the administrator use to simulate this traffic?

A. Ping -a B. Ping -c C. Ping -t D. Ping -s

Answer: A

Explanation:

QUESTION NO: 61 An enterprise network deployed USG series firewalls, and they need to achieve per-user Telnet/SSH login to the USG and only the commands authorized by the server should be allowed. Which of the following authentication methods would meet these business requirements? A. Radius B. LDAP C. HWTACACS D. AD

Answer: C

Explanation:

QUESTION NO: 62 Which of the following is a correct description of IKE? (Choose three answers) A. IKE is UDP bearer protocol used in IPSEC B. IKE negotiates for the IPSEC security protocol, and establishes the parameters and security association for IPSEC C. IPSEC SA using IKE negotiation packets for the encryption or authentication process D. IPSEC must use the IKE key exchange

Answer: A,B,C

Explanation:

QUESTION NO: 63 Malformed packet attack techniques would use some legitimate data packets; these packets are of a legitimate application type. A. TRUE B. FALSE

Answer: B

Explanation:

QUESTION NO: 64 When the firewall is working in a hot standby load balancing networking environment, if the behavior of a router and firewall is down while working in routing mode, you need to configure the OSPF cost adjustment value based on HRP. A. TRUE B. FALSE

Answer: B

Explanation:

QUESTION NO: 65 The USG supported HRP backup options are which of the following? (Choose three answers) A. Automatic Backup B. Manual batch backup C. Quick Backup D. Real-time backup

Answer: A,B,C

Explanation:

QUESTION NO: 66 With the USG firewall, which two commands can be used to view equipment components (control board, fans, power supplies, etc.) run state and memory / CPU usage? (Choose two answers) A. display device B. display environment C. display version D. dir

Answer: A,B

Explanation:

QUESTION NO: 67 You are able to ping the IP address of the IPSec tunnel peer and trigger a successful IPSec tunnel by doing this, but the IPSec tunnel can not be established from within an internal PC on the network. What could be a possible reason for this? A. IKE proposal configuration problems B. IPsec proposal configuration problems C. The ACL source segment does not include the PC D. packet filtering (inter-domain policy) configuration problems

Answer: C,D

Explanation:

QUESTION NO: 68 HTTP Flood attacks refer indirectly to the target server to initiate a large number of HTTP packets to burden the server so that it can not respond to normal requests. Through the interface rate limit function, HTTP flood attacks can be prevented. A. TRUE B. FALSE

Answer: A

Explanation:

QUESTION NO: 69 Which of the following regarding HTTP Flood defense is not correct?

A. HTTP Flood Source Authentication B. URI destination IP detection C. fingerprints learning D. Checks the load

Answer: D

Explanation:

QUESTION NO: 70 Establishing an IPsec tunnel is unsuccessful. The following is the debug output:
%% 01IKE/4/WARNING (I): phase2: proposal mismatch, please check ipsec proposal configuration.
0.34476900%% 01IKE/7/DEBUG (d): dropped message from 3.3.3.1 due to notification type NO_PROPOSAL_CHOSEN
Based on this information, what is the likely cause of the failure? A. The IKE proposal is inconsistent. B. The ipsec proposal is inconsistent. C. IKEpeer configuration error. D. Security ACL configuration error.

Answer: B

Explanation:

QUESTION NO: 71 An IPsec VPN connection established by two USG firewalls in NAT traversal mode fails to show any information from the “display ike sa” command. Neither session information nor UDP port 500 information is displayed. What are possible reasons for this? (Choose two answers) A. public network unreachable. B. middle device blocking UDP 500 port. C. middle device blocking UDP 4500 port. D. middle device blocking ESP packets.

Answer: A,B

Explanation:

QUESTION NO: 72 Which of the following is the role of Message5 and Message6 with the main mode IKE negotiation process? A. Runs the DH algorithm B. negotiate set of proposals C. mutual authentication D. negotiate IPsec SA

Answer: C

Explanation:

QUESTION NO: 73 In the firewall DDoS attack prevention technology, the Anti-DDoS prevents attacks based on what? A. Based on the ability of the application to authenticate the source address of the packet, the application, and the cleaning equipment source by sending probe packets to prevent the attack traffic source. B. session-based concurrent connections to the defense, where the new connection or abnormal connections exceeds the threshold levels. C. Mainly by fingerprint analysis to study and get traffic capture feature to prevent bots or initiate the attack traffic through a proxy to distinguish normal user access behavior. D. By detecting the session using filter scanning packets and special control packets.

Answer: B

Explanation:

QUESTION NO: 74 Which of the following does an IPSec VPN use to encrypt the communication data stream? A. Public Key Encryption B. Private key encryption C. Symmetric key encryption D. Pre-shared key encryption

Answer: C

Explanation:

QUESTION NO: 75 In IKE V1 stage 1 pre-shared key with Main Mode exchange process, the SA is established after which messages? A. message 1 and message 2 B. message 3 and message 4 C. message 5 and message 6 D. message 7 and message 8

Answer: A

Explanation:

QUESTION NO: 76 A USG firewall can be divided into several virtual firewalls, and allows the root firewall administrator to manage the virtual firewall administrators allowed access to each virtual firewall. A. TRUE B. FALSE

Answer: A

Explanation:

QUESTION NO: 77 What is the correct order for packet encapsulation with L2TP? A. PPP -> UDP -> L2TP -> IPsec B. PPP -> L2TP -> UDP -> IPsec C. IPsec -> L2TP -> UDP-> PPP D. IPsec -> PPP -> L2TP -> UDP

Answer: B

Explanation:

QUESTION NO: 78 USG5000A has an IPSEC connection to USG5000B and the “display ike sa” command was performed on USG5000A:

Based on the output shown, which of the following is correct? A. USG5000A Firewall is a secure channel initiator IKE negotiation B. USG5000B is the initiator of IKE negotiation of safe passage C. The SA has been successfully established between the firewalls D. The SA has not been established between the firewalls successfully.

Answer: A,C

Explanation:

QUESTION NO: 79 USG_A and USG_B are in a hot standby configuration as shown below. The current session table shows 1,500+ sessions, and when a switchover occurs there is a period of traffic interruption. You want to ensure a seamless failover.

Which of the following are valid options that could be done to ensure a seamless failover? A. Run the “hrp preempt delay 64” command to make the preemption delay time longer. B. Check the connectivity between heartbeats. C. Configure session fast backup. D. Use the “no Hrp enable” command.

Answer: A

Explanation:

QUESTION NO: 80 In the FTP network diagram shown below, you want to use the external control port of 21000 on the FTP Server, but the FTP clients can not access the FTP Server.

You have ruled out packet filtering, the FTP server itself, and USG connectivity issues. What do you think the most likely problem is? (Choose two answers) A. No use of port mapping function, the FTP client request to the FTP Server is sent to port 21000 packets as normal packets and it does not recognize these as FTP packets. B. The firewall can identify the FTP traffic on port 21 only, and does not recognize port 21000 FTP traffic. C. ASPF function is not configured. D. The equipment discards all UDP traffic.

Answer: A,C

Explanation:

QUESTION NO: 81 With IP address scanning attack prevention, not only can it be used to prevent the ICMP packet destination address detection, it can also prevent the use of TCP / UDP scanning probe target addresses. A. TRUE B. FALSE

Answer: A

Explanation:

QUESTION NO: 82 The USG limited flow policy configuration is as follows:
[USG] car-class class1 type shared
[USG-shared-car-class-class1] car 1000
[USG-shared-car-class-class1] quit
[USG-traffic-policy-interzone-trust-untrust-outbound-shared
[USG-traffic-policy-interzone-trust-untrust-outbound-shared-1] policy 1
[USG-traffic-policy-interzone-trust-untrust-outbound-shared-1] policy car-class class1
[USG-traffic-policy-interzone-trust-untrust-outbound-shared-1] policy source 192.168.1.0 0.0.0.255
[USG-traffic-policy-interzone-trust-untrust-outbound-shared-1] policy destination 192.168.2.0 0.0.0.255
[USG-traffic-policy-interzone-trust-untrust-outbound-shared-1] action car
Based on this information, which of the following statements is correct? A. Class1 limits the definition of the overall car-class, and limits to 1000bps B. Policy1 traffic will match without limiting the direct release C. The 192.168.1.0/24 hosts that access the data flow will be limited D. Matching Policy1 traffic will be flow controlled for each source IP

Answer: C

Explanation:

QUESTION NO: 83 A network is as follows: LAN---------------G0/0/0 USG G0/0/1--------------Server. After analyzing a possible attack on the LAN networking G0/0/0 connection, administrators want to enable ARP Flood attack prevention, restricting ARP traffic to 100 packets / min. What should be configured to enable this? A. firewall defend arp-flood enable firewall defend arp-flood interface GigabitEthernet 0/0/0 max-rate 100 B. firewall defend arp-flood enable firewall defend arp-flood interface GigabitEthernet 0/0/0 max-rate 6000 C. firewall defend arp-flood enable firewall defend arp-flood interface GigabitEthernet 0/0/1 max-rate 100 D. firewall defend arp-flood enable firewall defend arp-flood interface GigabitEthernet 0/0/1 max-rate 6000

Answer: B

Explanation:

QUESTION NO: 84 As shown below, the address pool for domain abc is the L2TP VPN user's address pool.

Based on the information, which of the following statements is wrong? A. L2TP users can authenticate the domain account. B. If the value of Used-addr-number field is less than the value of the Pool-length field, the on-line domain does not exceed the maximum number of user access number. C. From a corporate LAN a PC can obtain an IP address, but not dial L2TP VPN users. D. The address pool address range is from 100.0.0.2 to 100.0.0.99.

Answer: C

Explanation:

QUESTION NO: 85 After the firewall creates a new security instance, the firewall does not have any security zones assigned to the new instance and the administrator needs to configure them. A. TRUE B. FALSE

Answer: B

Explanation:

QUESTION NO: 86 In a Dual hot standby SSL VPN scenario as shown, the network administrator has enabled SSL extensions. Which of the following information about the configuration of SSL VPN functionality is correct?

A. When you create a virtual gateway the Master will not be synchronized to the Slave. B. When configuring the network extension, the address pool binds to the VRRP backup group number 2. C. USG_A virtual SSL VPN gateway must use IP address 202.38.10.2 D. USG_B virtual SSL VPN gateway must use IP address 10.100.10.2

Answer: B

Explanation:

QUESTION NO: 87 IPSec with AH and ESP support NAT traversal. A. TRUE B. FALSE

Answer: B

Explanation:

QUESTION NO: 88 The abnormal flow cleaning solution includes which of the following? (Choose three answers) A. Cleaning Center B. Testing Center C. Management Center D. Acquisition Center

Answer: A,B,C

Explanation:

QUESTION NO: 89 Shown below is an IPSec standby scenario, with main link A and backup link B. Assuming that on link B the next-hop IP address is 10.10.1.2 and 10.10.1.3, and we want to ensure that the primary and redundant backup link via IP-Link is configured.

Which of the following is the correct static route configuration from the headquarters to the branch office? A. [USG] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2 [USG] ip route-static 0.0.0.0 0.0.0.0 10.10.1.3 B. [USG] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2 ip-link 1 [USG] ip route-static 0.0.0.0 0.0.0.0 10.10.1.3 ip-link 2 C. [USG] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2 track ip-link 1 [USG] ip route-static 0.0.0.0 0.0.0.0 10.10.1.3 preference 70 track ip-link 2 D. [USG] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2 preference 70 track ip-link 1 [USG] ip route-static 0.0.0.0 0.0.0.0 10.10.1.3 track ip-link 2

Answer: C

Explanation:

QUESTION NO: 90 An enterprise branch firewall is configured for NAT. As shown in the figure, USG_B is the NAT gateway. In order to establish an IPSec VPN to USG_B, you need to configure what on USG_B? (Choose two answers)

A. Configure a NAT Policy, citing the rule to allow the network segment’s source and destination IP addresses for the ACL. B. Configure the IKE peer, use name authentication, and remote-address of the interface address on USG_A. C. Configure a NAT Policy, where there is first a deny IPsec rule within the enterprise network to protect the data flow from within the headquarters of the network, and then permit the enterprise network to the Internet network data stream. D. Configure an IPSec policy template, citing the IKE peer.

Answer: B,C

Explanation:

QUESTION NO: 91 In the Enterprise network shown below, Server A and Server B can not access Web services. Troubleshooting has found that there is firewall routing module and that there is a problem with the routing table in USG_A. An enterprise network follows, then Server A Server B can not access Web services, administrators troubleshoot and found no firewall routing module A problem has been to establish the appropriate routing table, but Firewall A firewall module is provided with wrong.

What troubleshooting method should be used? A. stratification B. Break Law C. substitution method D. Block Method

Answer: D

Explanation:

QUESTION NO: 92 An SSL VPN user authenticates, has enabled network expansion on the PC, and has been assigned an IP address. However, the user can not access resources within the internal network server. Which of the following are possible reasons for this? (Choose three) A. Configuration error in the "Routing Client mode" configuration. B. User access is limited C. The network server is unreachable. D. The PC's physical interface and assigned VPN addresses overlap.

Answer: A,B,C

Explanation:

QUESTION NO: 93 SSL VPN authentication is successful, and with the use of the file-sharing feature, you can view the directories and files, but you can not upload, delete, or rename files. What are possible reasons? (Choose two answers) A. If the file server for NFS, the user's UID and GID attribute does not allow users to upload, delete or rename the file operation. B. If the type of file server for SMB, the user currently logged on to the file share resource has only read permission and no write access. C. The SSL firewall configuration file sharing feature allows only viewing. D. Some TCP connections between the gateway and the virtual file server are blocked by the firewall.

Answer: A,B

Explanation:

QUESTION NO: 94 A simple network is connected PC1-USG-Router-PC2. If PC1 sends packets to PC2, and the USG processes fragmented packets, which modes can be used to do this? (Choose three answers) A. fragment cache B. slice discarded C. fragmentation direct forwarding D. slicing defense

Answer: A,B,C

Explanation:

QUESTION NO: 95 In IP-link, how many successive packets must not be received for it to be considered a failure, by default? A. 1 times B. 2 times C. 3 times D. 5 times

Answer: C

Explanation:

QUESTION NO: 96 With Blacklist, which part of the packets are examined to determine there is an attack?

A. The source address B. destination address C. Source Port D. destination port

Answer: A

Explanation:

QUESTION NO: 97 Which statements about IP-link features are correct? (Choose three answers) A. IP-link is a link connectivity detection function B. ARP detection methods only support direct link C. Firewalls will send ICMP or ARP packets to determine if the destination address is reachable to the destination address of a probe D. With IP-link and associated VGMP, when the IP-Link status becomes down, VGMP lowers the default priority management group by 3.

Answer: A,B,C

Explanation:

QUESTION NO: 98 Refer to the following load balancing configuration:
[USG] slb enable
[USG] slb
[USG-slb] rserver 1 rip 10.1.1.3 weight 32
[USG-slb] rserver 2 rip 14.1.1.4 weight 16
[USG-slb] rserver 3 rip 10.1.1.5 weight 32
[USG-slb] group test
[USG-slb-group-test] metric srchash
[USG-slb-group-test] add rserver 1
[USG-slb-group-test] add rserver 2
[USG-slb-group-test] add rserver 3
Which of the following statements is correct? (Choose two answers) A. The load balancing algorithm is the polling algorithm. B. The configuration is a complete load balancing configuration. C. Values of weight determine which data stream path should be used, the smaller weight values should correspond to the real server that has less processing capacity. D. Weight is the weight of a real weight.

Answer: C,D

Explanation:

QUESTION NO: 99 About BFD detection mechanism, the following statement is correct? (Choose two answers) A. BFD control packets are encapsulated in TCP packets B. BFD provides two detection modes: asynchronous and synchronous mode C. After the establishment of a BFD session, both systems periodically send BFD control packets D. At the beginning of the session, the two sides negotiate through the control system carried in the packet parameters

Answer: C,D

Explanation:

QUESTION NO: 100 An attacker sends a large number of SIP INVITE messages to the server, leading to a denial of service attack on the SIP server. This attack occurs on which layer of the seven layer OSI model? A. Application Layer B. Network Layer C. Transport Layer D. Data Link Layer

Answer: A

Explanation:

QUESTION NO: 101 Interface management information and service control information are transmitted on the same channel. A. TRUE B. FALSE

Answer: B

Explanation:

QUESTION NO: 102 In DDoS attack prevention technology, the firewall will not establish the session table for packets, if the session has been established for packets that were directly released. A. TRUE B. FALSE

Answer: B

Explanation:

QUESTION NO: 103 The following attacks have special packets? (Choose three answers) A. Ping of Death attack B. Large ICMP packet attack C. Tracert packet attack D. ICMP unreachable packet attack

Answer: B,C,D

Explanation:

QUESTION NO: 104 Regarding IKEv1 and IKEv2, which of the following is not correct? A. IKEv2 builds a pair of IPsec SA, normally used twice to exchange four messages that can be used to establish a pair of IPsec Security Associations. B. IKE version 2 does not support master mode, it uses the concept of savage mode. C. To create the next pair of IPsec SA IKEv1 Main Mode requires only six messages. D. IKEv2 IPsec SA established more than a pair, each additional SA on just one exchange, that is, two messages can be completed.

Answer: C

Explanation:

QUESTION NO: 105 When an attack occurs, the attacked host (1.1.1.1) captured the results below. What type of attack is this?

A. Smurf attack B. Land Attack C. WinNuke D. Ping of Death attack

Answer: A

Explanation:

QUESTION NO: 106 In the IKE V1 pre-shared key mode capture shown, what data is shown in the main role?

A. The negotiation phase SA 2 B. The negotiation phase SA 1 C. A random number used to exchange D-H public value, needed for the exchange of identity information

Answer: A

Explanation:

QUESTION NO: 107 DDoS attacks work through the network to the target (usually a server, such as DNS server, WEB server) and sends a small amount of abnormal packets of non-traffic, so that the attacked server parses the message, causing the system to crash or become busy. A. TRUE B. FALSE

Answer: B

Explanation:

QUESTION NO: 108 In the TCP / IP protocol, TCP protocol provides reliable connectivity service using three-way handshake to achieve.
The first handshake: establish a connection, the client sends a SYN packet (SYN = J) to the server, and enter SYN_SENT state, waiting for the server to confirm.
Second handshake: the server receives a SYN packet and must issue an ACK packet (ACK = ) to confirm the client's SYN packet, but he is sending a SYN packet (SYN = K), ie, SYN-ACK packets, the server enters SYN_RCVD state.
Third handshake: the client receives the SYN-ACK packet, the server sends an acknowledgment packet ACK (SYN = ASK = ), this package has been sent, the client and server enter into the ESTABLISHED state, completing the three-way handshake.
About three-way handshake during the three parameters, which of the following statements is correct? A. = J +1 = J +1 = K +1 B. = J = K +1 = J +1 C. = J +1 = K +1 = J +1 D. = J +1 = J = K +1

Answer: A

Explanation:

QUESTION NO: 109 The IKE first stage main mode negotiation process includes the following information? (Choose three answers) A. IKE proposal set B. IPsec proposal set C. DH key exchange public information D. Both sides identity

Answer: A,C,D

Explanation:

QUESTION NO: 110 In-Band management and port management control information and business information is transmitted on the same channel. A. TRUE B. FALSE

Answer: B

Explanation:

QUESTION NO: 111 ESP verifies only the IP payload in NAT traversal, but the ESP port information will be encrypted causing the layer 4 information to be unusable with PAT. Using the IPsec NAT transparency feature can solve this problem, the ESP packet is encapsulated in a UDP header and contains the information necessary to enable PAT to work. A. TRUE B. FALSE

Answer: A

Explanation:

QUESTION NO: 112 A Site to Site IPsec VPN tunnel negotiation has been lost. How can you view the IKE Phase 2 security associations, established connections, and configurations? (Choose two answers) A. display ike sa B. display ipsec sa brief C. display ipsec policy D. display interface

Answer: A,B

Explanation:

QUESTION NO: 113 Which command can be used to set the virtual IP address of VRRP group 1 when you configure USG hot backup? A. vrrp vrid 1 virtual-ip ip address master B. vrrp virtual-ip ip address vrid 1 master C. vrrp virtual-ip ip address master vrid 1 D. vrrp master virtual-ip ip address vrid 1

Answer: A

Explanation:

QUESTION NO: 114 Which of the following statements about VRRP and VGMP packets are correct? (Choose 2 answers) A. VGMP groups use VGMP Hello packets to communicate with VRRP groups. B. VGMP groups use VGMP Hello packets for mutual communication. C. VGMP groups use VRRP packets for mutual communication. D. VGMP groups use VGMP packets to communicate with VRRP groups.

Answer: B,D

Explanation:

QUESTION NO: 115 The key steps to configure virtual firewalls include the following:
1 Configure the IP address of the interface
2 Create a VPN instance and the VPN instance of the specified routing instance and include the interface to the security domain
4 Configure Inter-domain configuration default packet filtering rules
5 Bind the interface with the VPN instance
What is the correct order? A. 2-1-3-4-5 B. 1-3-4-2-5 C. 2-5-1-3-4 D. 1-2-5-3-4

Answer: C

Explanation:

QUESTION NO: 116 Which of the following statements are true about Link-group? (Choose two answers) A. The cross-switch interface supports state management B. The support interface state management across the interface board C. It provides support for remote management interface status D. It supports hot-swappable interface board

Answer: B,D

Explanation:

QUESTION NO: 117 In USG2200 series of products, GigabitEthernet 0/0/0 is the band management interface by default. A. TRUE B. FALSE

Answer: B

Explanation:

QUESTION NO: 118 When using manual IPsec negotiation, if there is a NAT device on the network then we need to use NAT traversal. A. TRUE B. FALSE

Answer: A

Explanation:

QUESTION NO: 119 In USG equipment, which statement is correct on current-configuration files and saved-configuration profile? (Choose two answers) A. ELI administrators to configure a feature USG device, the device will modify Saved-configuration immediately. B. See the next startup configuration file to load the device display saved-configuration. C. When executing the Save command, the device will be current-configuration is copied to the saved-configuration. D. When executing the Save command, current-configuration commands to take effect.

Answer: B,C

Explanation:

QUESTION NO: 120 ACK Flood attacks use botnets to send a large number of ACK packets and impacts the network bandwidth, resulting in network link congestion. If a large number of attack packets are sent, server processing power is exhausted, thereby refusing access to normal service. Which statement is correct about the Huawei Anti-DDoS equipment to prevent this attack, when the comparison of two treatments are strict mode and basic mode? (Choose two answers) A. Bypass deploy dynamic drainage using strict mode. B. In strict mode, the cleaning device is not checked already established session, if session ACK packets do not match, the device discards the packet. C. If the cleaning equipment checks to hit a session ACK packet, regardless of the strict mode and basic mode will create a reason to check session. D. Using the "basic model" even though checks on the cleaning equipment is less than a session, the device will first few ACK packet discard and start checking the session.

Answer: B,C

Explanation:

QUESTION NO: 121 Which statement is correct regarding the IP address scanning attack prevention principle? (Choose three answers) A. IP address scanning attack attacker attacks using ICMP packets (such as Ping and Tracert command) to detect the target address. B. In an IP address scanning attack, the attacker attacks using TCP / UDP packets to detect the target address. C. In an IP address scanning attack, prevention is done by detecting the address of a host of behavioral scanning rate, if the rate exceeds the threshold value, and add it to the blacklist. D. If the USG open blacklist function, and the associated IP address scanning attack prevention, a source when the scan rate exceeds the set value elaborated beyond the threshold will be discarded packets within the follow-up time for this issue as long as the source is less than threshold can also be forwarded.

Answer: A,B,C

Explanation:

QUESTION NO: 122 On the IP-MAC address binding, when both IP and MAC packets that match, it will go to the next processing firewall whereas the packet is discarded if IP and MAC does not match. A. TRUE B. FALSE

Answer: B

Explanation:

QUESTION NO: 123 Certain users want to limit the maximum bandwidth for network 192.168.1.0/24 500M, and limit the need for all IP addresses network segment to get 1M bandwidth. How should you configure limiting policy to meet this demand? A. Configure limiting each IP, set for 192.168.1.0 /24 the maximum bandwidth of network hosts to 500M B. Configure the overall limit, limit the maximum bandwidth of the network 192.168.1.0/24 to 1M C. Configure overall limiting, limiting the maximum bandwidth of the network 192.168.1.0/24 to 500M D. By limiting the overall configuration, the maximum limit 192.168.1.0/24 network bandwidth to 500M, and then limiting the use of IP to ensure that each server bandwidth is 1M

Answer: D

Explanation:

QUESTION NO: 124 Which of the following are malformed packet attacks? (Choose two answers) A. Smurf attack B. Fraggle attack C. Large ICMP packet attack D. Router IP packet attacks recorded items

Answer: A,B

Explanation:

QUESTION NO: 125 After BFD session is established, control packets are sent periodically to each other. If a system does not receive the packet sent by peer within the detection time, it is assumed that the BFD session is down. Which Mode is this one? A. Synchronous Mode B. Detection Mode C. Asynchronous Mode D. Query Mode

Answer: C

Explanation:

QUESTION NO: 126 Dual hot standby, when the client does not receive packets sent by slave, after how many HRP HELLO packets, HRP would think that peer has failed or is dead. A. 1 B. 2 C. 3 D. 5

Answer: C

Explanation:

QUESTION NO: 127 Which of the statements is correct based on the output of the command "display ike sa" shown below?
A. Phase 1 and Phase 2 have been established
B. Agreements negotiated by IKE V2
C. VPN instance name is public
D. IPsec SA status is Ready

Answer: B

Explanation:

QUESTION NO: 128 The picture below shows the IKE V1 first stage in pre-shared key mode. Which of the following statements is correct?
A. D-H exchange of public values and various auxiliary data
B. SA recommended strategy
C. Authentication
D. Encryption transformation strategy

Answer: A

Explanation:

QUESTION NO: 129 Figure 1 is a screenshot of a packet capture on the first attacked host, showing line no. 132; Figure 2 is a screenshot of the packet capture on the same host, showing line no. 133. Analyse what type of attack this is.
A. UDP Flood
B. UDP Flood attack slice
C. IP fragmentation attack
D. TAP Fragment Flood

Answer: B

Explanation:

QUESTION NO: 130 For virtual service technology, which of the following statements is correct?
A. For multiple real servers, the real servers need to be in the same network and the same security zone
B. For multiple real servers, the real servers may not be in the same segment, but must be in the same security zone
C. For multiple real servers, the real servers may not be in the same security zone, but must be in the same segment
D. For multiple real servers, the network and security zone where the real servers are located do not affect load balancing

Answer: A

Explanation:

QUESTION NO: 131 When a firewall defends against SYN Flood attacks using source legality verification, the device receives a SYN packet and sends a SYN-ACK probe packet to the source IP address of the SYN packet. If the host is real, which message will it send?
A. RST packets
B. FIN packets
C. ACK packet
D. SYN packets

Answer: A

Explanation:

QUESTION NO: 132 In the defense against FIN/RST Flood attacks, the conversation is checked. The workflow is that when the FIN/RST packet rate exceeds the threshold, the device discards packets and then starts the conversation check.
A. TRUE
B. FALSE

Answer: A

Explanation:

QUESTION NO: 133 Connection status data backed up by the HRP function includes which two of the following? (Choose two answers)
A. ServerMap entries
B. Port mapping table
C. Dynamic blacklist
D. Session entries

Answer: A,C

Explanation:

QUESTION NO: 134 A user dialing the company's LNS with an L2TP over IPsec VPN client gets a dialing failure. On the LNS, debug ike all and debug L2TP all do not show any information. Both IKE phases have failed to establish. What could be the reason for failure? (Choose two answers)
A. The interesting-traffic ACL is configured incorrectly.
B. The firewall (LNS) interface connected to the public network does not have an IPsec policy applied.
C. The IPsec data flow does not reach the firewall.
D. The LNS is not L2TP enabled.

Answer: B,C

Explanation:

QUESTION NO: 135 About L2TP over IPsec VPN, which of the following statements are correct? (Choose two answers)
A. IPsec packets trigger the L2TP tunnel
B. L2TP packets trigger the IPsec SA
C. The L2TP tunnel is established first
D. The IPsec tunnel is established first

Answer: B,D

Explanation:

QUESTION NO: 136 Which of the following attack types includes CC attacks?
A. Denial of Service Attack
B. Scanning and snooping attack
C. Malformed packet attacks
D. Attacks based on system vulnerabilities

Answer: A

Explanation:

QUESTION NO: 137 Enabling the DHCP Snooping feature avoids Bogus DHCP Server attacks. Which of the following statements is correct?
A. The firewall interface connected to users is configured as trusted.
B. The firewall interface connected to the DHCP Server is configured in untrusted mode.
C. All DHCP Relay packets received on an interface in untrusted mode are discarded.
D. DHCP Relay packets received on a trusted interface can pass only after being checked by DHCP Snooping.

Answer: C

Explanation:

QUESTION NO: 138 Which of the following techniques can enhance the security of mobile users accessing the corporate network in VPN solutions?
A. SSL
B. PPPoE
C. GRE
D. L2TP

Answer: A

Explanation:

QUESTION NO: 139 In the dual hot standby network diagram shown below, the gateway address of PC1 should be the IP address of the interface on the main device that connects to it, namely 10.100.10.2/24.
A. TRUE
B. FALSE

Answer: B

Explanation:

QUESTION NO: 140 SSL VPN authentication is successful, but the user cannot access Web-link resources. Which statements are correct? (Choose three answers)
A. The server has not enabled Web services.
B. Policies limit user access.
C. The network between the device and the server is unreachable.
D. SSL VPN users have reached the maximum limit.

Answer: A,B,C

Explanation:

QUESTION NO: 141 When configuring a headquarters-branch IPsec VPN network (pre-shared key + NAT traversal case), the IKE peer at headquarters needs to be referenced by the IPsec policy template. Which of the following must be configured with the template? (Choose two answers)
A. ipsec proposal
B. exchange-mode aggressive
C. pre-shared-key
D. remote-address

Answer: A,C

Explanation:

QUESTION NO: 142 Virtual firewall technology can be implemented using IP address overlap.
A. TRUE
B. FALSE

Answer: A

Explanation:

QUESTION NO: 143 As shown in the figure, the firewalls are in a stateful failover networking environment. Which of the following commands enables the device to automatically adjust the VGMP management priority and perform an automatic standby switch?
A. hrp ospf-cost adjust-enable
B. hrp preempt delay 60
C. hrp interface GigabitEthernet 0/0/2
D. hrp auto-sync config

Answer: A

Explanation:

QUESTION NO: 144 In the L2TP over IPsec scenario shown below, the client uses pre-shared-key IPsec authentication. Which of the statements are correct for implementing the IPsec security policy? (Choose two answers)
A. Using IKE main mode negotiation
B. Using IKE aggressive mode negotiation
C. IPsec security policy
D. Configure IPsec policy template

Answer: B,D

Explanation:

QUESTION NO: 145 The USG remote packet capture function can be configured so that the device grabs packets and saves them on the device. Users can then download them locally via FTP and use FirewallPacketyzer to analyze the packets.
A. TRUE
B. FALSE

Answer: A

Explanation:

QUESTION NO: 146 As shown below, the Trust zone has two PCs, PC1 10.1.1.1 and PC2 10.1.155.1, and the Untrust zone has one server, 10.2.2.2. PC1 cannot access 10.2.2.2, while 10.2.2.2 and PC2 can actively access each other. Through configuration analysis, how will you fix this problem?
A. image075
B. image077
C. image079
D. image081

Answer: A

Explanation:

QUESTION NO: 147 Which of the following states indicates that the BFD session has been successfully established?
A. Down
B. Init
C. Up
D. AdminUp

Answer: C

Explanation:

QUESTION NO: 148 With regard to the exclusive and shared virtual gateway types, which of the following statements are correct? (Choose three answers)
A. An exclusive-type virtual gateway has exclusive use of its IP address.
B. When network IP addresses are scarce, it is recommended to use a shared-type virtual gateway.
C. Exclusive domain model can be used to access the virtual gateway.
D. Multiple shared Web gateways are distinguished by IP address.

Answer: A,B,C

Explanation:

QUESTION NO: 149 A static BFD session is configured between USG A and USG B. Which of the following statements about BFD session creation and removal are correct? (Select 2 Answers)
A. Both USG A and USG B enable the BFD state machine. The initial status of the state machine is Down. They transmit BFD control packets whose status is Down. The value of Your Discriminator is 0.
B. If the local BFD status of USG B becomes Init and USG B still receives packets whose status is Down, USG B will update its local BFD status.
C. After receiving the BFD control packet whose status is Init, USG B switches the local BFD status to Up.
D. After the status transfers from Down to Init, a timeout timer is enabled respectively on USG A and USG B. If the timer does not receive any BFD packet whose status is Init or Up within the timeout, the local BFD status automatically switches to Down.

Answer: C,D

Explanation:

QUESTION NO: 150 The status information and IPsec debug information viewed by an administrator are shown below. After going through the output, what is the most likely reason for failure?
A. The local end's IKE policy and the peer's IKE policy do not match
B. The local end's IKE remote name and the peer's IKE name do not match
C. The local end's IPsec proposal and the peer's IPsec proposal do not match
D. The local end's security ACL does not match the peer's security ACL

Answer: A

Explanation:

QUESTION NO: 151 On the USG, we need to delete sslconfig.cfg in the hda1:/ directory. Which of the following commands is needed to complete this operation?
A. cd: hda 1: /remove sslconfig.cfg
B. cd: hda 1: /delete sslconfig.cfg
C. cd: hda 1: /rmdir sslconfig.cfg
D. cd: hda 1: /mkdir sslconfig.cfg

Answer: B

Explanation:

QUESTION NO: 152 The main function of URPF is to prevent network attacks based on destination address spoofing.
A. TRUE
B. FALSE

Answer: B

Explanation:

QUESTION NO: 153 The mechanism of source authentication defense against HTTPS flood attacks is that the anti-DDoS device, instead of the SSL server, initiates the TCP three-way handshake with the client. If the TCP three-way handshake is complete, the source authentication succeeds.
A. TRUE
B. FALSE

Answer: B

Explanation:

QUESTION NO: 154 The server health monitoring mechanism on a company's USG firewall detects whether the backend real servers (three servers: Server A, Server B, and Server C) are running. When the USG repeatedly receives server B's response packet, it will prohibit the use of server B and assign traffic to the other servers according to the configured policies.
A. TRUE
B. FALSE

Answer: A

Explanation:

QUESTION NO: 155 With regard to binding a firewall interface to a VPN instance, which configuration is correct?
A. ip binding vpn-instance vpn-id
B. ip binding vpn-instance vpn-instance-name
C. ip binding vpn-id
D. ip binding vpn-id vpn-instance-name

Answer: B

Explanation:

QUESTION NO: 156 When using a RADIUS server to authenticate users (topology diagram shown below), we not only need to ensure that the user name and password for the account exist on the RADIUS server, but the user name and password must also be configured on the firewall.
A. TRUE
B. FALSE

Answer: B

Explanation:

QUESTION NO: 157 The default interval of VGMP HELLO packets is 1 second; that is, if the Slave end does not receive HELLO packets sent by the peer within three HELLO cycles, it will consider the peer dead and will switch itself to the Master state.
A. TRUE
B. FALSE

Answer: A

Explanation:

QUESTION NO: 158 In an IPsec VPN, which statement is incorrect about aggressive mode versus main mode?
A. Main mode with pre-shared key does not support NAT traversal, whereas aggressive mode does.
B. Main mode negotiation uses 6 messages, aggressive mode 3.
C. In the NAT traversal scenario, the peer ID cannot use IP addresses.
D. Main mode encrypts the exchange of identity information, while aggressive mode does not encrypt the identity information.

Answer: C

Explanation:

QUESTION NO: 159 In standby IPsec link backup scenarios like the one shown below, you can use the link IPsec tunneling technology.
A. TRUE
B. FALSE

Answer: A

Explanation:

QUESTION NO: 160 The USG series product dual-system hot backup does not involve the ______ protocol.
A. HRP
B. VRRP
C. VGMP
D. IGMP

Answer: D

Explanation:

QUESTION NO: 161 Which statements are correct regarding the Eth-trunk function? (Choose three answers)
A. Improves communication bandwidth of the link
B. Improves data security
C. Traffic load balancing
D. Improves the reliability of the link

Answer: A,C,D

Explanation:

QUESTION NO: 162 After the device is configured with Link-group, use the display link-group 1 command to get the following information:

What information do you get from the above output? (Choose two answers)
A. GigabitEthernet0/0/2 Interface failed
B. GigabitEthernet0/0/1 Interface failed
C. GigabitEthernet0/0/2 interface fault because the other group was forced to convert to fault state
D. GigabitEthernet0/0/1 interface fault because the other group was forced to convert to fault state

Answer: B,C

Explanation:

QUESTION NO: 163 If a session has been established on the firewall for a data stream and you modify the packet filtering policy corresponding to that data stream, how will the firewall behave?
A. When a new packet reaches the firewall, filtering is performed immediately according to the latest policy and the session table is refreshed
B. Filtering is performed immediately according to the latest policy; the session table is not refreshed.
C. Before the session ages out, the new policy is not applied; packets are matched against the previously established session
D. The modification will fail; the session must be cleared before modifying.

Answer: A

Explanation:

QUESTION NO: 164 A USG device can be factory reset by holding down the Reset button for 1-3 seconds to recover the console password.
A. TRUE
B. FALSE

Answer: B

Explanation:

QUESTION NO: 165 Limiting policies can limit which of the following objects? (Choose two answers)
A. IP connection limit
B. IP bandwidth limit
C. P2P protocol data flow restrictions
D. IM protocol data flow restrictions

Answer: A,B

Explanation:

QUESTION NO: 166 To establish IPsec VPN Security, ACL rules should mirror each other. This is the general requirement at both ends in a Huawei firewall environment.
A. TRUE
B. FALSE

Answer: A

Explanation:

QUESTION NO: 167 Network attacks include flood attacks, scanning and sniffing attacks, malformed-packet attacks, and special-packet attacks.
A. TRUE
B. FALSE

Answer: A

Explanation:

QUESTION NO: 168 The IP address of USG firewall interface GE0/0/0 is 192.168.0.1/24, and the firewall acts as an FTP server. The PC host IP address is 192.168.0.2/24, and firewall interface GE0/0/0 is directly connected to the host PC via a network cable, as shown below:
PC (192.168.0.2/24) ----------- (GE0/0/0) USG
Which of the following commands can work together to complete the backup of the system configuration file vrpcfg.cfg? (Choose two answers)
A. Complete the following commands on the firewall:
[USG] ftp server enable
Info: Start FTP server
[USG] aaa
[USG-aaa] local-user ftpuser password simple Ftppass #
[USG-aaa] local-user ftpuser service-type ftp
[USG-aaa] local-user ftpuser ftp-directory hda1:/
B. Complete the following commands on the firewall:
<USG> Ftp 192.168.0.2
Trying 192.168.0.2 ...
Press CTRL + K to abort
Connected to 192.168.0.2.
220 FTP Server ready
User (192.168.0.2: (none)): ftpuser
331 Password required for ftpuser
Password:
230 User ftpuser logged in.
[ftp] get vrpcfg.cfg
C. Complete the following commands on the PC:
\Documents and Settings\Administrator> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1: (none)): ftpuser
331 Password required for ftpuser
Password:
230 User logged in.
ftp> get vrpcfg.cfg
D. Complete the following commands on the PC:
\Documents and Settings\Administrator> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1: (none)): ftpuser
331 Password required for ftpuser
Password:
230 User logged in.
ftp> put vrpcfg.cfg

Answer: A,C

Explanation:

QUESTION NO: 169 USG hot standby must meet certain conditions before use. Which of the following statements are correct? (Choose two answers)
A. The master and slave devices must have the same product model
B. The software versions of the master and standby devices must be consistent
C. The interface IP addresses of the master and backup devices must be identical.
D. The master device must be configured; the backup device needs no configuration of any kind.

Answer: A,B

Explanation:

QUESTION NO: 170 The information below indicates that the USG has forced the real server into the unhealthy state and that real server 4.4.4.4 is currently in the unhealthy state.
A. TRUE
B. FALSE

Answer: B

Explanation:

QUESTION NO: 171 The network administrator of a company uses firewalls in hot standby mode in order to forward larger traffic.

As the network diagram shows, after the configuration is complete, firewall A of the two firewalls fails. Data streams that were being transmitted before the failure suffer serious loss, but new data streams transmitted after the failure work normally. What causes this phenomenon?
A. The HRP preemption time configured on the firewall is less than the OSPF convergence time
B. The function that adjusts the OSPF cost value according to HRP status is not configured
C. Quick session backup is not configured on the USG, so packets cannot be forwarded normally when the forward and return paths are inconsistent
D. HRP tracking is not enabled on the line interface on the firewall

Answer: C

Explanation:

QUESTION NO: 172 What are the three elements of the abnormal flow cleaning solution? (Choose three answers)
A. Cleaning Center
B. Testing Center
C. Management Center
D. Acquisition Center

Answer: A,B,C

Explanation:

QUESTION NO: 173 In the IPsec standby backup scenario shown below, gateway B uses IPsec tunneling technology to build an IPsec VPN with gateway A.
A. TRUE
B. FALSE

Answer: B

Explanation:

QUESTION NO: 174 An attacker fakes a source server to send a large number of SYN-ACK packets to the target network or server. If the packet destination port is a TCP service port of the attacked server, it will cause the server's TCP protocol stack to handle exceptions. What attack technique is this?
A. SYN Flood
B. SYN-ACK Flood
C. ACK-Flood
D. Connection Flood

Answer: B

Explanation:

QUESTION NO: 175 Load balancing has the following configuration:
[USG] slb enable
[USG] slb
[USG-slb] rserver 1 rip 10.1.1.3 weight 32
[USG-slb] rserver 2 rip 10.1.1.4 weight 16
[USG-slb] rserver 3 rip 10.1.1.5 weight 32
[USG-slb] group test
[USG-slb-group-test] metric srchash
[USG-slb-group-test] add rserver 1
[USG-slb-group-test] add rserver 2
[USG-slb-group-test] add rserver 3
Which of the following statements are correct? (Choose two answers)
A. The load balancing algorithm is the polling algorithm.
B. The configuration is a complete load balancing configuration.
C. Which server a data stream should flow to is judged based on the weight value; the smaller the weight value, the weaker the processing capacity of the corresponding real server should be.
D. weight is the weight of a real server.

Answer: C,D

Explanation:

QUESTION NO: 176 In hot standby scenarios, which statements are correct about backup between the devices? (Choose three answers)
A. Batch backup: after the two devices complete their first negotiation, all information is backed up in a batch.
B. The backup channel must be on a service interface board that supports GE and Eth-trunk interfaces.
C. Batch backup is enabled by default.
D. Real-time backup: while the device is running, new or refreshed data is backed up in real time.

Answer: A,B,D

Explanation:

QUESTION NO: 177 The Huawei abnormal flow cleaning solution supports straight deployment and bypass deployment. Which of the statements is correct?
A. Straight deployment requires separately deployed testing equipment.
B. Bypass deployment requires separately deployed testing equipment.
C. Compared with straight deployment, bypass deployment is more flexible; it can use both static drainage and dynamic drainage.
D. In straight deployment, the Anti-DDoS equipment performs real-time drainage of all traffic.

Answer: C

Explanation:

QUESTION NO: 178 Which of the following are flow-type attacks? (Choose two answers)
A. IP Flood attack
B. HTTP Flood Attack
C. IP address scanning attack
D. ICMP redirect packet attack

Answer: A,B

Explanation:

QUESTION NO: 179 When using digital certificates for authentication in an IPsec VPN, IKE main mode negotiation should be adopted, and validation of the certificate is completed in the 5th and 6th packets of the packet exchange.
A. TRUE
B. FALSE

Answer: A

Explanation:

QUESTION NO: 180 Two USG firewalls are used to build a site-to-site IPsec VPN. The state viewed on USGA is as follows:
display ipsec statistics
the security packet statistics:
input/output security packets: 4/0
input/output security bytes: 400/0
input/output dropped security packets: 0/0
After viewing the state above, what information do you get? (Choose two answers)
A. USGA has encrypted 4 data packets; USGA has decrypted 0 packets.
B. USGA has decrypted 4 packets; USGA has encrypted 0 data packets.
C. A network device at Site A has no route, so the data to be protected may not be sent to USGA.
D. The IPsec tunnel is not established.

Answer: B,C

Explanation:

QUESTION NO: 181 In the defense against FIN/RST Flood attacks, the conversation is checked. The workflow is that when the FIN/RST packet rate exceeds the threshold, packets are discarded and then the conversation check starts.
A. TRUE
B. FALSE

Answer: A

Explanation:

QUESTION NO: 182 In the dual-system hot backup networking environment shown, the firewalls also need to be configured with the NAT function. Assume that the external address of the VRRP backup group, the NAT address pool, and the NAT Server are in the same network segment. Which of the following configurations need to be on the Server? (Choose two answers)
A. HRP_M [USG_A] nat address-group 1 2.2.2.5 2.2.2.6 vrrp 1
B. HRP_M [USG_A] nat address-group 1 2.2.2.5 2.2.2.6 vrrp 2
C. HRP_M [USG_A] nat server global 2.2.2.10 inside 10.100.10.3 vrrp 2
D. HRP_M [USG_A] nat server global 2.2.2.10 inside 10.100.10.3 vrrp 1

Answer: B,C

Explanation:

QUESTION NO: 183 The anti-DDoS device can implement traffic blocking or limiting to defend against attacks if the service learning function discovers that certain services do not run on the network or the service traffic volume is small.
A. TRUE
B. FALSE

Answer: A

Explanation:

QUESTION NO: 184 An enterprise network flow is shown below. Server A cannot access server B. The administrators troubleshoot and find that server A can access firewall A, but cannot access firewall B.

What method will administrators use to troubleshoot this problem?
A. Stratification
B. Break Law
C. Substitution method
D. Block Method

Answer: B

Explanation:

QUESTION NO: 185 As shown in the figure, interfaces are bound with the Eth-Trunk function. To implement per-packet load balancing across the interfaces, which of the following configuration commands do you need to run?
A. [USG] load-balance interface eth-trunk 1 packet-all
B. [USG] interface eth-trunk 1
[USG-Eth-Trunk 1] load-balance packet-all
C. [USG] load-balance interface eth-trunk 1 src-dst-ip
D. [USG] interface eth-trunk 1
[USG-Eth-Trunk 1] load-balance src-dst-ip

Answer: B

Explanation:

QUESTION NO: 186 The hot standby networking environment is shown in the figure. Backup groups 1 and 2 have joined the VGMP management group, with USG_A as the main device and USG_B as the backup device.

When USG_A is in a failed state, such as a power failure, USG_B switches from Slave to Master. When the USG_A firewall recovers, it switches back to the Master state, and USG_B's status remains Master. What has caused this phenomenon?
A. The two firewalls are in load balancing mode; in the same backup group, both are configured as master and also configured as Slave
B. After USGA recovers from the failure, its priority in the VRRP backup group does not recover in time
C. After USGA recovers from the failure, the heartbeat malfunctions
D. hrp track is not configured

Answer: C

Explanation:

QUESTION NO: 187 In the standby link IPsec backup application scenario, which of the following is used to switch to the standby link?
A. Hot Standby
B. Link-Group
C. Eth-trunk
D. IP-Link

Answer: D

Explanation:

QUESTION NO: 188 Administrators can create multiple instances, vfw1 and vfw2, on the root firewall to provide security services for firms A and B. A forwarding policy can be configured between a security zone of vfw1 and a security zone of vfw2.
A. TRUE
B. FALSE

Answer: B

Explanation:

QUESTION NO: 189 The static fingerprint filtering function works through configured static fingerprints: packets that hit a fingerprint receive the corresponding treatment, thereby defending against attack traffic. Generally, the Anti-DDoS device's capture function is used to grab the attack packets first; the fingerprint extraction function then extracts the fingerprint information, which is entered into the static filter.
A. TRUE
B. FALSE

Answer: A

Explanation:

QUESTION NO: 190 According to the victim host capture shown in the figure, what type of attack is this?
A. ARP Flood attack
B. HTTP Flood Attack
C. ARP spoofing attack
D. SYN Flood attack

Answer: A

Explanation:

QUESTION NO: 191 IPSec NAT traversal is not supported in IKE main mode and aggressive mode with IP address + pre-shared key authentication, because pre-shared key authentication needs to extract the source IP address of the IP packet in order to find the pre-shared key corresponding to that address, and the address change caused by NAT makes the device unable to find the pre-shared key by address.
A. TRUE
B. FALSE

Answer: A

Explanation:

QUESTION NO: 192 When an attack occurs, the attacked host (1.1.128.4) was fooled. Many packets like those shown were found on the host. Based on an analysis, what type of attack is this?
A. Smurf attack
B. Land Attack
C. WinNuke
D. TCP packet flag attack

Answer: D

Explanation:

QUESTION NO: 193 In the use of virtual firewall technology, two VPN users can travel over the public network through the Root VFW, log on to their respective private network VPNs, and get direct access to the private network resources. According to the characteristics of a firewall that provides multi-instance VPN services, which of the following statements are correct? (Choose three answers)
A. Secure: VPN users access through firewall authentication and authorization; after access, they use independent virtual firewall systems, and the resources managed for different VPN users are completely isolated.
B. Flexible and reliable VPN access: supports both access from the public network to a VPN and access from VPN to VPN.
C. Easy to maintain: a user with a system administrator account that does not have superuser privileges can manage the entire firewall (including each virtual firewall service).
D. Strict access control: the firewall can control VPN access permissions based on user name and password, so that different users, such as employees on business trips and super users (who require access to different VPN resources), have different access rights.

Answer: A,B,D

Explanation:

QUESTION NO: 194 In static fingerprint filtering, different packets are processed in different ways. Which of the following statements are correct? (Choose two answers)
A. For TCP/UDP/custom services, fingerprints can be based on the payload (i.e., the packet data segment).
B. For DNS packets, the fingerprint is the Query ID.
C. For HTTP packets, the fingerprint is the URI (Uniform Resource Identifier).
D. For ICMP packets, the fingerprint is the identifier.

Answer: A,C

Explanation:

QUESTION NO: 195 In the site-to-site IPsec VPN negotiation process, what should be the order of checks?
1. Check for network connectivity problems
2. View the establishment conditions and configuration of the IKE phase 1 security association
3. View the establishment conditions and related configuration of the IKE phase 2 security association
4. Check whether the security ACLs at both ends mirror each other
A. 1 -> 4 -> 2 -> 3
B. 4 -> 2 -> 3 -> 1
C. 2 -> 3 -> 1 -> 4
D. 4 -> 1 -> 2 -> 3

Answer: A

Explanation:

QUESTION NO: 196 Comparing URPF strict mode and loose mode, which of the following statements is incorrect?
A. Strict mode requires not only that a corresponding entry exist in the forwarding table but also that the interface match in order to pass the URPF check.
B. In strict mode, if the source address of the packet does not exist in the USG's FIB but a default route is configured along with allow-default-route, the packet will pass the URPF check and be forwarded normally.
C. In an environment with symmetric routes, it is recommended to use URPF strict mode.
D. Loose mode does not check whether the interface matches; as long as the source address of the packet exists in the USG's FIB table, the packet can pass.

Answer: B

Explanation:

QUESTION NO: 197 When the SSL VPN client starts network extension, it reports "Connect gateway mate lost". What are the causes of this failure? (Choose three answers)
A. If a proxy server is used, the proxy server settings of the network extension client are wrong.
B. The route between the PC and the virtual gateway is unreachable.
C. The TCP connection between the network extension client and the virtual gateway is blocked by the firewall.
D. Username and password configuration errors.

Answer: A,B,C

Explanation:

QUESTION NO: 198 An enterprise network cutover has just been done. The old network equipment has been taken offline and the new network equipment has been brought online. After operational testing, we found that the majority of traffic does not work. What is the administrator's quickest way to restore business?
A. Stratification
B. Break Law
C. Substitution method
D. Block Method

Answer: C

Explanation:

QUESTION NO: 199 With HRP technology, the standby firewall does not need any configuration: all configuration information is synchronized via HRP from the primary firewall to the standby firewall, and the configuration information is not lost after a restart.
A. TRUE
B. FALSE

Answer: B

Explanation:

QUESTION NO: 200 L2TP is a tunneling protocol used between the user and the enterprise server to transparently transmit PPP packets. Which of the following characteristics does it have? (Choose three answers)
A. The L2TP protocol uses the TCP protocol
B. Supports private address assignment; does not occupy public IP addresses
C. Supports PPP authentication and RADIUS, with flexible local and remote AAA
D. Supports encrypted packets when combined with IPsec

Answer: B,C,D

Explanation:

QUESTION NO: 201 A USG hot standby scenario is shown in the figure. The service interfaces work at Layer 3, with routers connected upstream and downstream. The administrator sees that USG_A's state is HRP_M[USG_A] and USG_B's state is HRP_S[USG_B], but not all of the traffic passes through USG_A; half of the traffic also passes via USG_B.

Which of the following configuration commands can solve this problem?

[USG_A] interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet 0/0/1] hrp track master
[USG_A] interface GigabitEthernet 0/0/3
[USG_A-GigabitEthernet 0/0/3] hrp track master
[USG_A] ospf 101
[USG_A-ospf-101] area 0
[USG_A-ospf-101-area-0.0.0.0] network 10.104.10.0 0.0.0.255
[USG_A-ospf-101-area-0.0.0.0] network 10.104.30.0 0.0.0.255
[USG_A] hrp interface GigabitEthernet 0/0/2

[USG_B] interface GigabitEthernet 0/0/1
[USG_B-GigabitEthernet 0/0/1] hrp track slave
[USG_B] interface GigabitEthernet 0/0/3
[USG_B-GigabitEthernet 0/0/3] hrp track slave
[USG_B] ospf 101
[USG_B-ospf-101] area 0
[USG_B-ospf-101-area-0.0.0.0] network 10.104.10.0 0.0.0.255
[USG_B-ospf-101-area-0.0.0.0] network 10.104.30.0 0.0.0.255
[USG_B] hrp interface GigabitEthernet 0/0/2

A. [USG_A] hrp ospf-cost adjust-enable [USG_B] hrp ospf-cost adjust-enable
B. [USG_B] interface GigabitEthernet 0/0/1 [USG_B-GigabitEthernet 0/0/1] hrp track master [USG_B] interface GigabitEthernet 0/0/3 [USG_B-GigabitEthernet 0/0/3] hrp track master
C. hrp preempt delay 60
D. The heartbeat interface addresses are not advertised into OSPF

Answer: A

Explanation:

QUESTION NO: 202 If the two sides wish to establish an IPsec VPN tunnel using just one of the IP addresses, which of the following configuration methods cannot be applied on the gateway? A. Policy template B. Policy with aggressive mode name authentication C. Pre-share D. Aggressive mode key authentication

Answer: A

Explanation:

QUESTION NO: 203 As shown in the figure, the firewalls are in a stateful failover networking environment, the firewall service interfaces are in routing mode, and the upstream and downstream devices are routers with OSPF configured.

Assuming the OSPF convergence recovery time is 30s, which of the following is the best HRP preemption configuration? A. hrp preempt delay 20 B. hrp preempt delay 40 C. hrp preempt delay 30 D. undo hrp preempt delay

Answer: B

Explanation:

QUESTION NO: 204 In which of the following circumstances can IKE main mode negotiation not be used? (Choose two answers) A. IKE is in pre-shared mode and the peer identity is ID B. IKE is in pre-shared mode, and the firewall's outbound interface uses an address dynamically assigned by DHCP C. IKE is in pre-shared mode, and there is a NAT device on the link D. IKE is in RSA certificate mode, and there is a NAT device on the link

Answer: B,C

Explanation:

QUESTION NO: 205 About VRRP packets, which of the following statements are correct? (Choose two answers) A. VRRP packets use TCP B. VRRP packets use UDP C. The destination address of VRRP packets is 224.0.0.18 D. The TTL value of VRRP packets is 255

Answer: C,D

Explanation:

QUESTION NO: 206 By default, preemption is enabled for the VGMP management group, and the preemption delay is 60s. A. TRUE B. FALSE

Answer: B

Explanation:

QUESTION NO: 207 In Client-Initiated mode, the following debug information shows that L2TP dial-up fails. What is the most likely cause of the dial-up failure?

A. The username and password are inconsistent with the AAA configuration. B. The LNS name is configured incorrectly. C. The tunnel password is not configured. D. L2TP is not enabled.

Answer: A

Explanation:

QUESTION NO: 208 In a USG hot standby scenario, the service interfaces work at Layer 3, with routers connected upstream and downstream. The administrator sees that USG_A's state has switched to HRP_M[USG_A] and that USG_B's state is also HRP_M[USG_B]. What are the most likely reasons? (Choose two answers)

A. The wrong interface is used as the HRP channel B. Heartbeat link connectivity problems C. Session fast backup is not configured D. HRP is not enabled

Answer: A,B

Explanation:

QUESTION NO: 209 Virtual firewall technology creates multiple logical firewalls on a single physical firewall device. Which kinds of multiple instances does it achieve? (Choose three answers) A. Security multiple instances B. VPN multi-instance C. Configuration multiple instances D. Exchange multiple instances

Answer: A,B,C

Explanation:

QUESTION NO: 210 Which statement about IPsec NAT traversal is incorrect? A. Both AH and ESP support NAT traversal B. IPsec NAT traversal is not supported in IKE main mode (pre-shared mode) C. IPsec ESP packets are encapsulated in UDP to traverse NAT D. All communication messages exchanged by the IKE initiator use port 4500

Answer: A

Explanation:

QUESTION NO: 211 After firewall stateful failover is configured, in the Web configuration interface, select "System > High Reliability > Hot Standby" and click the "Check" button for "Check HRP configuration consistency".

The window shown pops up. Which of the following configurations can solve the problem (assuming the heartbeat interface is added to the DMZ zone)? A. firewall packet-filter default permit interzone trust local B. firewall packet-filter default permit interzone trust dmz C. firewall packet-filter default permit interzone untrust dmz D. firewall packet-filter default permit interzone local

Answer: D

Explanation:

QUESTION NO: 212 As shown below, in an L2TP over IPsec scenario, which of the following configurations correctly defines the data flow to be protected by IPsec?

A. [LNS] acl number 2001 [LNS-acl-basic-2001] rule permit udp source 10.10.1.0 0.0.0.255 B. [LNS] acl number 3001 [LNS-acl-adv-3001] rule permit source 10.10.1.0 0.0.0.255 destination 10.10.2.0 0.0.0.255 C. [LNS] acl number 3001 [LNS-acl-adv-3001] rule permit tcp source-port 1701 D. [LNS] acl number 3001 [LNS-acl-adv-3001] rule permit udp source-port eq 1701

Answer: D

Explanation:

QUESTION NO: 213 On a corporate network with large data flows, when the USG runs out of memory or reaches its CPU processing capacity limit, the administrator wants the USG to drop the traffic that exceeds the device's processing capacity, so that forwarded packets do not carry threats. Which of the following commands achieves this? A. utm bypass enable B. undo utm bypass enable C. ips bypass enable D. undo ips bypass enable

Answer: B

Explanation:

QUESTION NO: 214 Logging session log NAT / ASPF generated DPI traffic monitoring logs. Logs of this type provide a "binary" output mode. Binary output can greatly reduce the impact on system performance, but it requires a supporting eLog log management system. A. TRUE B. FALSE

Answer: A

Explanation:

QUESTION NO: 215 In IPsec NAT traversal application scenarios, NAT traversal must be configured on the initiating firewall, and the firewall at the other end can not configure NAT traversal related commands. A. TRUE B. FALSE

Answer: B

Explanation:

QUESTION NO: 216 During a hot standby switchover, in which deployment modes do the service interfaces of a USG series firewall send gratuitous ARP packets? (Choose two answers) A. routing mode + switch B. routing mode + router C. exchange mode + switch D. exchange mode + router

Answer: A,B

Explanation:

QUESTION NO: 217 Scenario: virtual firewall technology is commonly used to provide a leasing service. If virtual firewall VFW1 is leased to enterprise A and virtual firewall VFW2 is leased to enterprise B, which of the following statements is not correct? A. The system gives virtual firewalls VFW1 and VFW2 system resources that are independent of each other. B. Transparently to the user, the business of enterprises A and B is completely isolated, as if each used a separately deployed firewall. C. Enterprises A and B can have overlapping addresses and use VLANs to divide them into different virtual LANs. D. Enterprises A and B cannot manage their own virtual firewalls by themselves; management must be performed by the lessor's administrator.

Answer: D

Explanation:

QUESTION NO: 218 When an optical Bypass interface is used, the Bypass link has two operating modes: automatic mode and forced mode. A. TRUE B. FALSE

Answer: A

Explanation:

QUESTION NO: 219 The constraints of a limiting policy include the quintuple, time, user identity and application protocols. A. TRUE B. FALSE

Answer: A

Explanation:

QUESTION NO: 220 An administrator uses the following command to view the state of device components.

The status of the board in Slot3 is abnormal. What are the possible causes? (Choose three answers) A. The device does not support this interface card. B. The interface card is damaged. C. The pins on the backplane or motherboard are damaged, for example bent by incorrect installation. D. The ADSL phone line is faulty.

Answer: A,B,C

Explanation:

QUESTION NO: 221 In hot standby, the backup channel must be a main interface on an interface board. Which type is not supported? A. Ethernet B. GigabitEthernet C. E1 D. vlan-if

Answer: C

Explanation:

QUESTION NO: 222 ACK flood attacks can be defended against with payload inspection. The principle is that the cleaning device checks the payload of ACK packets; if the payload content is entirely uniform (such as the payload being all the same content), the packet is discarded. A. TRUE B. FALSE

Answer: A

Explanation:

QUESTION NO: 223 Which of the following packets are not sent during IP-link detection? (Choose two answers) A. ARP packets B. IGMP packets C. ICMP packets D. Hello packets

Answer: B,D

Explanation:

QUESTION NO: 224 If an IPsec policy is configured using both a policy template and child policies, the firewall first applies the policy template and then applies the child policies. A. TRUE B. FALSE

Answer: B

Explanation:

QUESTION NO: 225 The limiting policy function supports limiting only the number of connections initiated or received by a specified IP address. A. TRUE B. FALSE

Answer: B

Explanation:

QUESTION NO: 226 In a hot standby environment where packets take inconsistent forward and return paths, which of the following conditions may cause packet loss? (Choose three answers) A. The session fast backup feature is not enabled B. Insufficient heartbeat link bandwidth C. State detection is disabled D. The wrong heartbeat interface is specified

Answer: A,B,D

Explanation:

QUESTION NO: 227 Which of the following does the security service multi-instance of a virtual firewall provide? (Choose three answers) A. Address binding B. Blacklist C. ASPF D. VPN routing

Answer: A,B,C

Explanation:

QUESTION NO: 228 After NAT Server is configured (without the no-reverse parameter), the firewall automatically generates static Server-map entries; the first packet matches the Server-map entries but does not match the session table. A. TRUE B. FALSE

Answer: A

Explanation:

QUESTION NO: 229 The BFD static route topology is shown in Figure A. On the firewall, the administrator makes the following configuration:

[USG9000_A] bfd
[USG9000_A-bfd] quit
[USG9000_A] bfd aa bind peer-ip 1.1.1.2
[USG9000_A-bfd-session-aa] discriminator local 10
[USG9000_A-bfd-session-aa] discriminator remote 20
[USG9000_A-bfd-session-aa] commit
[USG9000_A-bfd-session-aa] quit

Which of the following statements about this configuration are correct? (Choose two answers)

A. The command "bfd aa bind peer-ip 1.1.1.2" is used to create a BFD session binding policy for detecting link status B. The command [USG9000_A] bfd is configured incorrectly and should be replaced by [USG9000_A] bfd enable to enable the BFD function C. The [USG9000_A-bfd-session-aa] commit configuration is optional; if it is not configured, the system submits the configuration by default and generates BFD session log information, but does not establish the session table D. The BFD session on the firewall also needs to be bound to a static route with the command: [USG9000_A] ip route-static 0.0.0.0 0 1.1.1.2 track bfd-session aa

Answer: A,D

Explanation:

QUESTION NO: 230 The BFD static route topology is shown in Figure A. On the firewall, the administrator makes the following configuration:

[USG9000_A] bfd
[USG9000_A-bfd] quit
[USG9000_A] bfd aa bind peer-ip 1.1.1.2
[USG9000_A-bfd-session-aa] discriminator local 10
[USG9000_A-bfd-session-aa] discriminator remote 20

Which of the following commands should be added to the firewall configuration to achieve BFD for static routes? (Choose two answers)

A. [USG9000_A-bfd-session-aa] commit B. [USG9000_A] bfd aa bind local-ip 1.1.1.1 C. [USG9000_A] ip route-static 0.0.0.0 0 1.1.1.2 track bfd-session aa D. [USG9000_A] ip route-static 0.0.0.0 0 1.1.1.2 bind bfd-session aa

Answer: A,C

Explanation:

QUESTION NO: 231 Which statement is correct regarding binding local users to VPN instances? A. The command local-user user-name vpn-instance vpn-instance-name binds a local user to a VPN instance B. By default, local users are already bound to VPN instances C. After a local user is bound to a VPN instance, the local user can manage the entire firewall D. Local users cannot be bound to VPN instances

Answer: A

Explanation:

QUESTION NO: 232 In a hot standby networking environment, the NAT configuration of the two USGs is consistent, and the virtual IP address of the VRRP backup group is in the same network segment as the NAT address pool. The next two figures show the ARP responses when NAT Server is used in combination with VRRP.

Which of the following combinations of NAT Server configuration and VRRP matches the figures? A. In Figure 1, the NAT address pool is bound to the VRRP backup group on the interface connected to the Internet; in Figure 2, the NAT address pool is bound to the VRRP backup group on the interface connected to the Internet. B. In Figure 1, the NAT address pool is not bound to the VRRP backup group on the interface connected to the Internet; in Figure 2, the NAT address pool is not bound to the VRRP backup group on the interface connected to the Internet. C. In Figure 1, the NAT address pool is not bound to the VRRP backup group on the interface connected to the Internet; in Figure 2, the NAT address pool is bound to the VRRP backup group on the interface connected to the Internet. D. In Figure 1, the NAT address pool is not bound to the VRRP backup group on the interface connected to the Internet; in Figure 2, the NAT address pool is not unbound from the VRRP backup group on the interface connected to the Internet.

Answer: C

Explanation:

QUESTION NO: 233 There is no need to use deny rules in a limiting policy, because deny rules apply no restrictions. A. TRUE B. FALSE

Answer: B

Explanation:

QUESTION NO: 234 A Tracert packet attack is one in which an attacker uses the ICMP timeout packets returned when the TTL is ________, together with the ICMP messages returned to the source IP address when packets reach the destination address. By running the tracert program and examining the source IP addresses in the returned ICMP messages, the attacker can snoop on the structure of the network. A. 0 B. 1 C. 2 D. Changes according to the actual situation

Answer: A

Explanation:

QUESTION NO: 235 Which of the following descriptions of SMURF attacks is correct? A. The attacker sends ping requests to a subnet (broadcast), requesting that devices on that subnet send ping replies to a target system. Once the host or network is detected, it is then brought down. B. The attacker sends SYN packets whose source and destination addresses are both the IP address of the attacked host. The host sends SYN-ACK messages to its own address, so a large number of empty connections exist on the attacked host. C. The attacker sends UDP packets into the target network. The source address of the packets is the address of the attacked host, the destination address is the broadcast address or network address of the subnet where the attacked host is located, and the destination port number is 7 or 19. D. The attacker exploits the fact that after a network or host receives an ICMP unreachable packet, it treats subsequent packets to that destination address as unreachable, thereby cutting off the connection between the host and the destination.

Answer: A

Explanation:

QUESTION NO: 236 Which of the following protocol packets can not be sent by default in an IPsec tunnel? A. TCP B. UDP C. ICMP D. IGMP

Answer: D

Explanation:

QUESTION NO: 237 Which of the following statements about the Eth-trunk function are correct? (Choose three answers) A. It improves the communication bandwidth of the link B. It improves data security C. Traffic load balancing D. It improves the reliability of the link

Answer: A,C,D

Explanation:

QUESTION NO: 238 Which of the following statements about dual-system hot standby used in conjunction with IPsec is correct? A. The USG supports IPsec in primary/backup mode hot standby. B. IPsec stateful failover is not supported in load balancing mode. C. You must configure session fast backup. D. You must configure preemption.

Answer: A

Explanation:

QUESTION NO: 239 What type of packet is a VRRP HELLO message sent as? A. unicast packets B. broadcast packets C. multicast packets D. UDP packets

Answer: C

Explanation:

QUESTION NO: 240 IPsec VPN using digital certificates for authentication has the following steps: 1. Certificate signature verification 2. Find the certificate serial number in the CRL 3. Both devices share their entity certificate 4. Verify the certificate is valid 5. Establish a VPN tunnel Which of the following is the correct pattern? A. 3-2-1-4-5 B. 1-3-2-4-5 C. 3-1-4-2-5 D. 2-4-3-1-5

Answer: C

Explanation:

QUESTION NO: 241 With regard to the RADIUS protocol, which of the following statements are correct? (Choose three answers) A. RADIUS packets are transmitted over UDP B. The authentication and authorization port number can be 1812 C. When the RADIUS protocol is used to transmit the user account and password, the account is encrypted D. The authentication and authorization port number can be 1645

Answer: A,B,D

Explanation:

QUESTION NO: 242 In the following virtual firewall networking, the USG provides a leasing service and VPN instance vfw1 is leased to enterprise A, as shown in the network diagram below. An external user of the enterprise network needs to access, from PC C, Server B in the DMZ zone, which is NAT'ed. Which of the following key configurations are required to achieve this? (Choose three answers)

A. [USG] ip vpn-instance vfw1 vpn-id 1 B. [USG] ip vpn-instance vfw1 [USG-vpn-vfw1] route-distinguisher 1001 [USG-vpn-vfw1] quit C. [USG] nat server zone vpn-instance vfw1 untrust global 2.1.2.100 inside 192.168.1.2 vpn-instance vfw1 D. [USG] nat address-group 1 2.1.2.5 2.1.3.10 vpn-instance vfw1

Answer: A,B,C

Explanation:

QUESTION NO: 243 In dual-system hot backup, the backup channel must be a main interface on an interface board. Which type is not supported? A. Ethernet B. GigabitEthernet C. E1 D. vlan-if

Answer: C

Explanation:

H12721-10st

QUESTION NO: 244 As shown, in a corporate network USG_A and USG_B are in a hot standby configuration, with USG_A as the master device. The administrator wants to configure SSL VPN on the firewall so that branch employees can access headquarters through SSL VPN.

What should the SSL VPN virtual gateway address be? A. 202.38.10.2/24 B. 202.38.10.3/24 C. 202.38.10.1/24 D. 10.100.10.2/24

Answer: C

Explanation:

QUESTION NO: 245 The figure shows a BFD for OSPF networking scenario: 1. OSPF runs between FW_A, FW_B and FW_C, and all three devices are neighbors. 2. When the neighbor state reaches FULL, OSPF and BFD linkage is configured and BFD finishes creating the BFD sessions. Which of the following statements are correct? (Choose two answers)

A. When a link fails, BFD detects it first, and FW_A and FW_B converge quickly B. Link switchover is at the seconds level C. FW_A processes the neighbor Down event and recalculates routes; the new route uses link b D. When a link fails, OSPF converges and automatically notifies BFD

Answer: A,C

Explanation:

HCIP SECURITY DUMPS

Why are APT attacks difficult to defend against? Part of the reason is that they use zero-day vulnerabilities to attack. Such zero-day vulnerabilities usually take a lot of time to research and analyze before a corresponding defense method can be made.

True

False

Huawei WAF products mainly consist of a front-end execution system, a back-end central system and a database. The database mainly stores the front-end detection rules and the black and white list configuration files.

True

False

Huawei NIP6000 products need no network parameter settings and are plug and play, because interface pairs work only at Layer 2 and do not need IP addresses to be set.

True

False

Network attacks are classified into two types: single-packet attacks and traffic-based attacks. Single-packet attacks include scanning and snooping attacks, malformed packet attacks and special packet attacks.

True

False

An application behaviour control profile takes effect immediately after it is referenced, without the configuration being submitted.

True

False

The Huawei USG6000 product can identify the actual type of common files and filter and inspect their content. Even if a file is hidden in a zip file or its extension is changed, it cannot escape the eyes of the firewall.

True

False

The DDoS attack defense configuration process is as follows:

Start the flow statistics function

Set different protection thresholds for different types of attack

When the traffic exceeds the preset threshold.

True

False

Malicious code usually uses rootkit technology to hide itself. A rootkit modifies the kernel of the system by loading special drivers to hide itself and specified files.

True

False

Content filtering is a security mechanism by which Huawei 6000 products filter files or applications. By deeply identifying the content contained in the traffic, the device can block or raise an alarm on traffic containing specific keywords.

True

False

Information security is the protection of information and information systems against unauthorised access, use, disclosure, interruption, modification and destruction, thereby providing confidentiality, integrity and availability.

True

False

Because the sandbox can provide a virtual execution environment to detect files on a network, the sandbox can replace devices such as antivirus, IPS and spam detection when deploying security devices.

True

False

Viruses can damage computer systems and falsify or damage business data; spyware collects, uses and disseminates sensitive information from employees. This malicious software seriously interferes with the normal business operations of enterprises. Desktop antivirus can solve the problem of viruses and spyware globally.

True

False

In Huawei USG6000 products, after a security profile is created or modified, the configuration does not take effect immediately; you need to click Submit in the upper right corner of the page to activate it.

True

False

When misuse detection techniques are used, false positives are reported if normal user behaviour successfully matches the intrusion signature repository.

True

False

The security management system is optional, and antivirus software and anti-hacking technology can be very good against network threats.

True

False

The anti-DDoS defense system includes a management center, an inspection center and a cleaning center.

True

False

Anti-DDoS 7-layer defense works from the interface-based defense, global-based defense and defense-based dimensions.

True

False

For compressed files, the virus detection system can detect them directly.

True

False

A Fraggle attack means that both the source address and the destination address of TCP packets are set to the IP address of a victim. This behaviour causes the victim to send a SYN-ACK message to its own address, which in turn sends back an ACK message and creates an empty connection, causing system resources to be occupied or the destination host to crash.

True

False

Attacks against the web can be divided into three types: attacks on the client, the server or the communication channel.

True

False

In the deployment of Huawei NIP6000 products, traffic mirroring can be performed using port mirroring.

True

False

The main attack defense technologies of Huawei USG6000 include source detection, fingerprint learning and correlation defense.

True

False

The core technology of content security lies in anomaly detection. The idea of defense lies in continuous monitoring and analysis.

True

False

Single-packet attacks are classified into scanning and snooping attacks, malformed packet attacks and special packet attacks. Ping of death belongs to special packet attacks.

True

False

The implementation of the content security filtering technology requires the support of the content security combination license.

True

False

When the two-way SSL function is used to decrypt HTTPS data packets, the value of the reverse proxy series represents the number of times the data packet can be decrypted.

True

False

After a data file hits the whitelist of the firewall antivirus module, the firewall no longer performs virus detection on the file.

True

False

The IPS function of Huawei USG6000 products has two response modes: blocking and alarming.

True

False

If a Huawei USG6000 product uses its own protocol stack to cache all files passing through the device and then performs virus scanning, the device uses flow scan mode.

True

False

Threats detected by the big data intelligent security analysis platform are synchronized to each network device, and the platform then continues to learn and optimise by collecting logs from the network devices.

True

False

Traditional firewalls have weak application-layer analysis and processing capabilities and cannot correctly analyze malicious code mixed into the allowed application data stream. Many attacks or malicious behaviours use application data streams that the firewall permits to cause damage, so application-layer threats can penetrate the firewall.

True

False

URL filtering technology can control users' access to URLs according to different times, objects and object addresses, achieving the purpose of accurately managing users' online behaviour.

True

False

File filtering technology can filter files based on their application, file transfer direction, file type and file extension.

True

False

After the Huawei USG6000 product license expires, the RBL function is unavailable; users can use local black and white lists to filter spam.

True

False

When users deploy a firewall antivirus policy, there is no need to deploy antivirus software.

True

False

About firewalls and IDS, which of the following is true?

A firewall is a bypass device for fine-grained detection

A firewall is unable to detect insiders' malicious operations

An IDS can't interact with a firewall

Which of the following attack types is a DDoS attack?

Single-packet attack

Traffic attack

Malformed packet

Snooping and scanning

The firewall will check the blacklist first and then check the whitelist

Assume that a user visits www.ezample.com, which is part of the humanities and social networking categories

The whitelist rule of the firewall antivirus module is configured as example. Which of the following matches is used in this configuration?

Prefix

Suffix

Keyword

Exact

UDP is a connectionless protocol. A large number of UDP flood attacks degrade the performance of network devices that rely on session forwarding and can even exhaust the session table, causing network congestion. Which of the following options does not prevent UDP flood attacks?

UDP fingerprint learning

Associated defense

Current limiting

First packet discarded

Regarding the file filtering process, which of the following statements is wrong?

After file extraction fails, the file is still filtered

The application identification module can identify the type of application hosting the file

Protocol decoding is responsible for parsing the file data and the file transfer direction in the data stream

Misuse detection discovers intrusion activity in a system by detecting behaviour similar to known user intrusions, or by detecting violations of system security rules made indirectly by exploiting system flaws. Which of the following is not a misuse detection feature?

Easy to implement

Accurate detection

Effective detection of impersonation of legitimate user

Easy to upgrade

During the infiltration phase of an APT attack, which of the following does the attack generally involve?

Long-term latency and data collection

Leaking key data to interested third parties

The attacker sends C&C attack or other remote commands to the infected host, causing the attack to spread horizontally across the intranet.

Which of the following is the correct configuration strategy for an antivirus policy?

Load features library

Configure security policy

Apply and activate license

Configure AV profile

Submit

3->1->4->2->5

3->1->4->1->5

3->1->6->2->5

3->1->4->5->5

About the description of the file filtering technology in the USG6000, which statement is wrong?

It can identify the application hosting the file, the file transfer direction, the file type and the file extension

For the DNS request flood attack of the authorization

In the process of source authentication, the firewall triggers the client to send a DNS request in a TCP packet to verify the validity of the source IP, but this consumes the TCP connection resources of the DNS cache server to some extent

Which of the following statements about anti-spam answerback codes is wrong?

The USG treats mail that matches the answerback code as spam

The message is released if no answerback code is replied or the replied answerback code is not configured on the USG

The answer code is uniformly set as 127.0.0.1

IPS provides intelligent intrusion detection and prevention. It can not only detect the occurrence of intrusions but also stop their occurrence and development in real time through a certain response method, protecting the information system from substantive attacks in real time. Which of the following statements about the description of IPS is wrong?

IPS unifies IDS and firewall

IPS must be deployed in bypass mode on the network

The common IPS deployment mode is straight-line deployment

For the description of the anti-DDoS system, which of the following options is correct?

The management center mainly completes the processing of attack events, controls the flow policy of the cleaning center, and classifies various attack events and attack traffic to generate reports.

The firewall can only be a detection device.

Regarding the file filtering configuration file global configuration of Huawei USG6000 products, which of the following is correct?

When the number of compressed layers is greater than the configured maximum number of uncompressed layers, the firewall filters the file.

When the file is not recognized, file filtering, content filtering, and antivirus detection are not performed.

In the Huawei 6000 product, IAE provides an integrated solution: all content security detection functions are integrated in a well-designed, high-performance engine. Which of the following is not a content security detection feature that the product supports?

Intrusion prevention

Video content filtering

URL classification and filtering

Which of the following options does not belong to the basic DDoS attack prevention configuration process?

The system starts traffic statistics

The system is associated to configure application for fingerprint learning

The system starts attack defense

Which of the following statements is wrong about the network intrusion detection system?

Uses newly received network packets as a data source

Real-time monitoring through the network adapter and analysis of all communication traffic through the network.

The cloud sandbox refers to deploying the sandbox to the cloud and providing tenants with remote detection services. The process includes:

Report suspicious files

Backtracking attack

Firewall linkage defense

Cloud sandbox detection

1-3-4-2

1-4-2-3

1-4-3-2

3-1-4-2

Which of the following is the correct order of the file filtering technology process?

Security policy

File type identification

File filtering

1 2 3 4 5

1 4 2 3 5

1 4 6 4 3

1 3 2 4 5

SQL injection attacks generally have the following steps

Privilege escalation

Get data in DB

DB type

3 4 1 2

3 4 2 1

4 1 2 3

Which of the following statements about IPS is wrong?

The covering signature has a higher priority than signature in a centralized signatured

The signature set can contain both pre defined and custom signature.

Due to differences in network environments and system security policies, IDS, in terms of composition, what are the four major components?

Event extraction intrusion analysis reverse remote management

Event recording intrusion analysis reverse remote management

Event extraction intrusion analysis intrusion response remote management.

Which of the following statements is wrong about Huawei antivirus technology?

The virus detection system cannot directly detect compressed files

The antivirus engine can detect the file type by extension

The following is a description of blacklists and whitelists in spam filtering. Which option is wrong?

Configure a local blacklist or whitelist

The priority of the blacklist is higher than that of the whitelist.

For the URL http:www.abcd.com, which option is the path?

http:www.abcd.com

http:www.abcd.com h8080

//news education aspx

The process of a browser carrying a cookie to request a resource from a server is as shown in the following figure

3 4

1 3 4

5 6

2 4

The USG6000 software logical architecture is divided into three planes: management, control, and

Configure

Data forwarding

Log

Analysis is the core function of intrusion detection. The analysis process of ID can be divided into three phases; the analyzer is built to analyze, feed back, and refine actual field data.

Data analysis, classification, processing

Data processing, classification, post-processing

Data analysis, classification, processing

Which of the following options does not belong to packet message attacks?

ICMP redirect packet attack

Tracert

IP fragmentation

Which of the following is correct about worms and viruses?

The worm is parasitic

The virus is mainly transmitted through system loopholes

The worm infects other computer systems on the network.

When you suspect that the corporate network is being attacked by hackers, you have conducted a technical investigation

Planting malware

Loophole attack

Web app attack

Which of the following options does not pose a security threat to the network?

Hacking

Poor personal safety awareness

Open company confidential documents.

Which of the following is correct about computer viruses?

Patching the system can completely solve the problem of virus intrusion

The computer virus is latent. It may lurk for a long time and will only begin to perform sabotage if certain conditions are met.

Which of the following is correct about the file reputation technology in the antivirus engine?

The file reputation database can only be upgraded manually

File reputation detection calculates the full-text MD5 of the file under test and matches it against the local reputation MD5 cache for virus detection.

Which of the following is not an action taken when a virus message is detected?

Alarms

Blocking

Announcement

Which of the following options is not a cyber security threat posed by weak personal security awareness?

Threatening the internal network

Leaking corporate information

Increasing the cost of enterprise network operation and maintenance.

The most common form of traffic-based attack is flooding a large number of seemingly legitimate messages to the target host, eventually resulting in the exhaustion of the network bandwidth.

TCP packet

UDP

ICMP

FTP packet

Which of the following is correct about special packet attacks?

The special control packet attack is a potential attack and does not cause direct destruction.

An attack on special control packets can use ICMP to construct attack packets

When the anti-DDoS system detects attack traffic, the traffic is directed to the cleaning device. After the cleaning device completes cleaning, the traffic is reinjected to the original link. Which of the following options does not belong to the injection methods?

GRE injection

BGP injection

MPLS injection

Which of the following statements is wrong about the content filtering configuration of Huawei?

The size of attachments is limited per single attachment

When a POP3 message is detected and determined to be illegal, the response action of the firewall only supports sending alarm information and does not block messages

Which of the following is a false positive for an IDS?

Unable to detect new worms

The process of typing to log in the system was recorded

Using ping for network detection and being alerted as an attack.

Which of the following options are not part of the PDRR security model?

Protection

Testing

Request

Response

Which is wrong about the 3 types of anomalies in the file type recognition result?

File extension mismatch means file type mismatch

Unrecognized file type means that the file type can't be recognized

Which of the following is wrong about intrusion prevention?

IP can block attacks in real time

IP technology, after discovering intrusions, must link with the firewall to prevent intrusion.

Which of the following is correct about anti-DDoS system configuration?

Configure port mirroring on the cleaning device

Add protection objects on the management centre.

IPS can't detect which of the following threats?

Virus

Worms

Spam

DoS

The anti-tampering technology of Huawei WAF products is based on the cache module. Assuming that user A accesses website B and website B has signs of page tampering, the workflow of the WAF tamper-resistant module has the following steps:

1 2 3 4 5

2 3 4 5 1

3 4 5 6

5 3 4 2 1

Which of the following options does not belong to the defense against HTTP flood attacks?

HTTP flood source authentication

Source statistics

Baseline learning

The status code in the HTTP response message describes the type of response message. There are many possible values

400

404

200

503

Regarding the local blacklist and whitelist for anti-spam messages, which of the following statements is wrong?

The black and white list is matched by extracting

The black and white list is matched by sender DNS suffix

Which of the following options does not belong to the characteristics of Trojans?

Replicate themselves

Actively infectious

Not replicate

The administrator has the following configurations

The signature are protect all include the signature id 3000

Overwriting signature ID 3000, the action is alarm

The action of signature ID 3000 is alarm

The action of signature ID 3000 is blocked

Which of the following is correct regarding the order of the mail transfer process?

1->2->3

1->2->4

1->2->5

1->4->3

To protect the security of data transmission, more and more websites or companies choose to encrypt traffic through SSL. Which of the following statements is true?

NIP can directly crack and detect SSL encryption

Processes such as decryption, threat detection, and encryption

The IPS process has the following steps

Match signature

Message processing

Protocol identification

4-1-2-3

1-4-2-3

1-3-2-4

Which of the following statements is true about the process of file filtering?

There are two actions: alarm and blocking.

If all the parameters of the file can match all of the filtering rule, the module will perform the action of this file filtering rule.

Which of the following statements is wrong about HTTP behaviour?

When the file upload operation is allowed

When the size of the upload and download file or the size of the POST operation reaches the blocking threshold, the system will only upload or subsequent file and operations.

For the Huawei USG6000 product, which of the following statements about mail configuration is correct?

Unable to filter incoming mail for keywords

You can control the size of attachments in received mail.

In the intelligent security analysis platform, it is necessary to collect the data source and then complete a series of actions such as processing, detection, and analysis

Data preprocessing

Threat assessment

Distributed storage

Distributed index

The admin defines two keywords that need to be identified on the firewall: keyword x has a weight value of 2 and y a value of 3, and the content filtering threshold is 5 10. If the device detects that there is a keyword x in the page viewed by the user, two keywords are y

The weight value is 8 and you can access the web page

The weight value is 9 and you can access the web page

The weight value is 10 and you can access the web page .

Which of the following options is incorrect for the intel sense engine IAE?

English null name IEA

IAE engine security detection is parallel and uses a message-based file processing mechanism that can receive file fragments and perform security checks

Which of the following statements is wrong about scanning and snooping attacks?

Scanning attacks include address scanning and port scanning

When a worm breaks out, it is generally accompanied by an address scan attack, so scanning attacks are aggressive.

Which of the following options is a malformed packet attack based on the TCP protocol?

Teardrop

Ping of death

IP spoofing

Land attack

Regarding the ID technology, which of the following statements is correct?

Is an active static security defense technology

Can detect authorized and non-authorized intrusions

If the regular expression is abcde, which of the following does not match the regular expression?

Abcde

Abced

Advcs

Which of the following signature properties cannot be configured for a custom signature?

ID

Packet length

Protocol

If you set the alarm policy for the SMTP virus file, which of the following options is correct?

Generate log and discard them

Generate log and forward

Generate log and discard content

Which of the following options does not belong to the characteristics of big data technology?

Low value density

Slow processing

Huge amount of data

For APT attacks, attackers often lurk for a long time and initiate formal attacks on the enterprise at key points of the accidents. APT attacks can generally be summarized in four stages.

Data leakage

Long term latency

Collect information

2-3-4-1

1-2-4-3

1-4-2-3

In the construction of information security, the IDS plays the role of a monitor. Through monitoring the traffic of critical nodes in the information system, it conducts in-depth analysis and explores the security events that are taking place. Which of the following are it.

Cannot perform in-depth inspections

IDS can be linked with firewalls and switches to become a powerful helper for the firewall to better and more precisely control access between domains.

The virus signature database on the device needs to be continuously upgraded from the security platform.

sec.huawei.com

support.huawei.com

www.huawei.com

An enterprise administrator configures a web reputation website in the form of a domain name as www.abc.example.com. Which of the following is an entry that the firewall will match against the website URL?

example

www.abc.example.com

example.com

Which of the following options does not belong to the security risks of the TCP/IP stack application layer?

Virus

Buffer overflow

Port scanning

ID is a network security technology used to detect any damage or attempt to damage the confidentiality, integrity, and availability of a system

Complete virus sample

Complete trojan sample

Specific behaviour patterns

Which of the following is not an abnormal condition of the file type recognition result?

File extension does not match

File damage

Files are compressed

The administrator configured file filtering to prohibit internal employees from uploading development files, but internal employees can still upload development files. Which of the following is not possible?

License is not activated

Misconfigured action for file extension mismatch .

Which of the following statements is wrong about the antivirus DDoS cloud cleaning solution?

Normal attacks are usually cleaned locally first

Because the cloud cleaning alliance will direct larger attack traffic to the cloud for cleaning, there will be network congestion.

For SYN flood attacks, TCP source authentication and TCP proxy can be used for defense

TCP source authentication has the same restriction in the path of packets

During the TCP proxy process, the firewall proxies and responds to every SYN packet received and maintains half connections. Therefore, when the traffic of SYN packets is heavy, the firewall requires very high performance.

Which of the following descriptions is incorrect about the cleaning center?

The data collector and management server support distributed deployment and centralized deployment.

Management is divided into two parts: server and data collector.

Which of the following descriptions is incorrect about the cleaning centre?

There are two drainage ways: static and dynamic

The cleaning equipment supports a variety of flexible attack defense technologies, but it is ineffective for CC attack and ICMP flood attack defense.

When you suspect that the corporate network is being attacked by hackers, you have conducted technical investigations?

Planting malware

Loophole

Brute force

The Huawei USG6000 product can scan and process certain FTP, but which of the following protocols does it not include?

POP3

IMAP

FTP

TFTP

Under the CLI, which of the following commands can be used to view the AV engine and DB version?

Display utm

Display av utm

Display version av-sdb

Which of the following options is correct about the sequence of flow detection of anti-DDoS?

1-2-3-4-5-6-7-8

1-2-7-4-5-6-3-8

1-3-4-2-6-5-8-7

1-2-3-6-5-4-7-8

There are the following steps in a stored XSS attack

User login

User request attacker problem

3,2,7,6,4,5,1

3,2,4,5,7,6,1

3,2,4,6,5,7,1

After the cleaning device establishes a BGP neighbour relationship with the peer router and uses BGP traffic diversion and policy reinjection, what configuration needs to be performed on the cleaning device?

System view [sysname] firewall ddos bgp next hop xxxx

[sysname] policy base route [sysname-policy-pbr]rule name huizhu [sysname-policy-pbr-huizhu]ingress-inface gigaethernet 2/0/1 [sysname-policy-pbr-rule-huizhu]action pbr egress-interface gigaethernet 2/0/2 next hop x.x.x.x [sysname-policy-pbr-rule-huizhu] quit .

Which two of the following options use similar attack methods and generate a large number of useless reply packets, occupying network bandwidth and consuming device resources?

Fraggle and Smurf

Land and Smurf

Fraggle and Land

Which of the following attacks belong to attacks against web servers?

A. Website phishing fraud

B. Website Trojan

C. SQL Injection

D. Cross Site scripting attacks

Which of the following are true about the description of the keywords?

A. Key words are content that the device needs to recognize when content is filtered

B. Keywords include predefined keywords and custom keywords

C. The minimum length of a keyword that a text can match is 2 bytes

D. Custom keyword can only be defined in text mode

What content can be filtered by the content filtering technology of Huawei USG 6000?

A. Keywords contained in the uploaded file contents

B. Keywords contained in the download file

C. File types

D. Direction of file upload

Which of the following are typical intrusions?

A. Computer is infected by U Disk virus

B. The Power supply in the equipment room is abnormally interrupted

C. Tampering web pages

D. Copy/view sensitive Data

What are the typical technologies of antivirus engines?

A. First Packet Inspection technology

B. Heuristic Detection Technology

C. Decryption Technology

D. Document reputation detection technology

Which of the following are the common behavioral characteristics of a virus?

A. Download and Backdoor features

B. Information Collection features

C. Self hiding features

D. Network attack Characteristics

Which of the following technologies can achieve content security?

A. Web Security Protection

B. Global environment awareness

C. Sandbox and Big data analysis

D. Intrusion Prevention

Which of the following are the control items for HTTP Behavior?

A. POST Operation

B. Browse the web

C. Acting on the internet

D. File Upload and Download

Which of the following belong to content security filtering technologies?

A. Content filtering

B. Mail filtering

C. Application behavior control

D. File Filtering

If the user's FTP operation matches the FTP filtering policy, which actions can be performed?

A. Blocking

B. Announcement

C. Alerts

D. Execution

What are the risks to information security caused by unauthorized access?

A. Confidentiality

B. Integrity

C. Availability

D. Recoverability

In the security protection system of the cloud era, reforms must be carried out in advance, in the event, and afterwards, and continuous improvement and development and closed loops must be formed. Which of the following points should be fulfilled in the matter?

A. Vulnerability information

B. Defense in depth

C. Offensive and Defensive Situation

D. Counterattacks Hackers

Huawei NIP 6000 Products provide carrier grade high reliability mechanisms at multiple levels

to ensure the stable operation of the equipment. Which of the following options belong to

reliability of the internet?

A. Hot Standby

B. Power 1+1 redundancy backup

C. Hardware Bypass

D. Link-Group

Which of the following are the upgrade methods for the antivirus feature Database of Huawei

USG6000 Product?

A. Local Upgrade

B. Manual Upgrade

C. Online Upgrade

D. Automatic Upgrade

Which of the following options are correct for the description of URPF technology?

A. The main function is to prevent network attacks based on source address spoofing.

B. Does not check whether the interfaces match in the strict mode. As long as there is a

route to the source address , the packets can pass

C. In loose mode not only the corresponding entries in the following table are required but

the interfaces must match to pass the URPF Check

D. Use the loose mode of URPF in an environment where route symmetry is not

guaranteed.

Which of the following options are correct for the description of the management center of ATIC

Configuration?

A. The drainage task must be configured on the management center and delivered to

the cleaning centre when an attack is discovered.

B. The protection object needs to be configured on the management center to guide

abnormal access traffic.

C. The port mirroring needs to be configured on the management center to monitor

abnormal traffic.

D. The recycle strategy needs to be configured on the management center to guide the cleared traffic.

The network based intrusion detection system is mainly used for real-time monitoring of critical

network path information listening to all packets on the network collecting data and analyzing

suspicious objects. Which of the following options are its main features?

A. Good concealment network based monitors do not run other applications do not

provide services do not respond to the other computers and are therefore less

vulnerable to attacks

B. Monitoring is fast problems can be detected in microseconds or seconds and host

based IDS rely on analysis of audit records in the last few minutes

C. Needs a lot of monitors

D. Can detect the source address and destination address, can identify whether the address is illegal, and can locate the real intruder.

When configuring the URL filtering configuration file, www.bt.com is configured in the URL blacklist, the URL is set to bt.com in the custom URL classification, and the action for the custom URL classification is warning. Which of the following statements is true about the above configuration?

A. users can visit www.videobt.com

B. users can visit www.bt.com website but administrators will receive warning message

C. users can't access all websites ending with bt.com

D. users will be blocked when they visit www.bt.com

Which of the following are true about the email protocol?

A. use POP3 the client software download all unread messages to the computer and the

mail server deletes the message

B. use IMAP the client software download all unread messages to the computer and the mail

server deletes the message

C. use IMAP the user directly operates the mail on the server and does not need to

download all the mails locally and perform various operations

D. use POP3 directly operate the mail on the server and does not need to download all the

mails locally and perform various operations

Based on the above information which of the following statements is correct

A. Mail with source address 10.17.1.0/24 will be blocked

B. Mail with source address 10.18.1.0/24 will be blocked

C. Mail with source address 10.17.1.0/24 will be released

D. Mail with source address 10.18.1.0/24 will be released

In the antivirus policy configuration of Huawei USG 6000 products which are the HTTP

response methods?

A. alarms

B. blocking and pushing pages

C. popup warning dialog

D. disable all Access for this client

A college user's needs are as follows

Environment traffic is relatively large and can add up to 800m in both

directions. Huawei USG6000 series firewalls are deployed at its network nodes

The intranet is divided into student areas and service areas users are most

concerned about the security of the server area and avoid being attacked by

various types of threats

At the same time some pornographic websites in the student district are

prohibited

The external network is configured as untrust zone on the firewall and the internal

network is configured as trust zone. How to configure the firewall to meet the above

requirements?

A. You can enable the AV, IPS protection and URL filtering functions in the global

environment

B. Enable AV and IPS protection only for the server zone in the amt in the untrust

direction to protect the server

C. Entrust the internal network direction only for the server photo area to open AV,

IPS protection to protect the server

D. Enable URL filtering for the entire campus network in the direction of entrust and

filter some classified websites

Which of the following is correct about enhanced mode in HTTP flood source authentication?

A. Enhanced mode refers to the use of verification code authentication

B. Some Bots have redirection function or the free agent used during the attack

supports the redirection function resulting in the failure of Defense of the basic

mode the enhanced mode can effectively defend.

C. the enhanced mode is better than the basic mode in the User experience

D. The enhanced mode supports all HTTP flood source authentication scenarios.

Anomaly detection establishes the normal behavior characteristics of the system's main body through analysis of system audit data. In the detection, if the audit data in the system is different from the normal behavior characteristics of the established subject, it is considered an intrusion behavior. Which of the following can be used as the system body?

A. host

B. a group of users

C. single user

D. a Key program and file in the system

What are the three aspects that need to be considered when designing a cloud platform security

solution?

A. Infrastructure security

B. Tenant security

C. How to manage the operation and maintenance

D. Hardware maintenance

Which of the following protocols can be used to construct attack packets for special control

packets attacks?

A. ICMP protocol

B. UDP protocol

C. IP protocol

D. FTP protocol

The antivirus feature configured on the Huawei USG6000 product does not take effect. Which of the following are possible causes?

A. the security policy does not reference the antivirus configuration file

B. antivirus configuration file configuration error

C. the version of the virus signature database is older

D. no virus exceptions are configured

Which of the following descriptions are correct about the principles of HTTP flood and HTTPS

flood attack defense?

A. Https flood defense mode includes basic and enhanced mode and 302 redirects.

B. Https flood defense can perform Source authentication by limiting the packet

request rate.

C. the principle of https flood attack is to use the URL that involves database

operations or other URL that consumes system resources, causing server resources

to become exhausted and unable to respond to normal requests

D. the principle of https flood attack is to initiate a large number of https connections

to the target server resulting in exhaustion of server resources failure to respond to

normal requests

Which of the following categories of sandbox can be used by a company to detect image files, shell code files and PDF files?

A. PDF inspired sandbox

B. PE heuristics sandbox

C. Web inspired sandbox

D. Heavyweight sandbox (virtual execution)

A business administrator wants to prevent employees from accessing shopping websites during

business hours. URL filtering configuration file was then configured to select the shopping site

in the predefined category as blocked however employee A can still use the company's network

to shop online during the lunch break. What are the possible reasons for the following?

A. the administrator did not set the time period to 9:00 - 18:00

B. the shopping site does not belong to the predefined shopping site category

C. the administrator did not submit the configuration after configuration

D. the administrator did not apply the URL filtering profile to the security policy

For the basic mode of HTTP flood source authentication, which of the following are correct descriptions?

A. The basic mode effectively blocks access from non browser clients

B. The Zombie tool does not implement a complete HTTP protocol stack and does not

support automatic redirection therefore the basic mode can effectively defend against

HTTP flood attacks.

C. When there is an HTTP proxy server in network, the firewall will add the proxy server IP

address to the white list but the basic source authentication of the Zombie host is still

valid.

D. The basic mode will not affect the User experience so the defense effect is higher than the

enhanced mode

Which of the following describe the role of content security filtering technology?

A. File filtering by blocking the transmission of certain types of files you can reduce the

risk of internal networks running malicious code and viruses you can also prevent

employees from leaking corporate confidential files to the internet.

B. Content filtering prevents the leakage of confidential information and the

transmission of non compliant information.

C. The application behaviour control function can finely control the common http

behaviour and FTP behaviour

D. Email filtering refers to the management and control of email sending and receiving

activities including the prevention of spam and proliferation of anonymous emails

and the control of illegal sending and receiving.

With the continuous development of the network and ever-changing applications, enterprise users have begun to transfer files on the network more and more frequently, and the resulting virus threats are also increasing. Only when the company rejects viruses outside the network can it ensure data security and system stability. So which of the following are the possible harms of the virus?

A. Threatening user host and network security

B. Some viruses can be used as invasive tools such as Trojan horse virus

C. Control host permissions steal user data and some viruses can even damage the host

hardware

D. Huawei USG 6000 product can easily pass the defense

With regard to traditional firewalls which of the following statements are correct?

A. lack of effective protection against application layer threats

B. it is unable to effectively resist the spread of viruses from the internet to the internal

network

C. can quickly adapt to changes in threats

D. cannot accurately control various applications such as P2P , online games etc

Configure the following command on the Huawei firewall.

[USG] interface G0/01

[USG] ip urpf loose allow-default-route acl 3000.

A. for the loose type check if the source address of the packet exist in the FIB table of

the firewall the packet passes the check

B. if the default route is configured but the parameter allowed default

route is not configured as long as the source address of the packet does not exist in

the FIB table of the firewall the packet will be rejected

C. if the default route is configured and the allowed default route parameter is also

matched if the source address of the packet does not exist in the FIB table of the

firewall but for the loose type check the packet will pass through URPF check and

perform normal forwarding

D. if the source address of the packet does not exist in the FIB table of the firewall and the

default route is configured and the allowed default route parameter is also matched the

packet cannot pass the URPF check even if it is a loose type check

If you combine security defenses with big data Technologies which of the following statements

is correct?

A. During the learning process we should start with collecting samples, analyze their

characteristic vectors, and then perform machine learning

B. Machine learning is only for statistics of a large number of samples, which is convenient

for security administrators to view

C. During the detection process, the unknown sample needs to be extracted and

corresponding model is calculated to provide a sample for subsequent static

comparison

D. The security source data can come from many places including data flows, packets,

Threat events, logs and so on.

When a device identifies a Keyword during content filtering detection, what response actions can

the device perform?

A. Alarm

B. Blocking

C. Announcement

D. Operate by weight

Which of the following statements about intrusion detection/ defense devices are correct?

A. Can’t effectively resist the spread of viruses from the internet to the intranet

B. NIP 6000 can identify applications up to 6000+ implement fine-grained application

protection, save export bandwidth and ensure the business experience of key

services.

C. Protect the intranet from external attacks and suppress malicious traffic such as

spyware, worms etc, flooding and spreading to the intranet

D. Can quickly adapt to changes in threats

Which of the following are the possible causes for the failure to include a signature after the IPS policy is configured?

A. Direction is not enabled

B. Direction opened, but no specific direction was chosen

C. Severity Configuration is too high

D. Incorrect Protocol Selection

After the IP Policy is enabled, some services are found to be inaccessible. Which of the following may be the cause?

A. Only one direction of packets goes through the firewall

B. The same packet passes through the firewall multiple times

C. IPS Missed

D. Too much traffic causes the bypass function to be enabled.

Which of the following are the common causes of IPS Detection failures?

A. IPS Policy is not submitted for compilation

B. Policy IDs with incorrect associations between IPS Policy Domains

C. IPS Function is not enabled

D. Bypass function in IPS is turned off

The following command is configured on the Huawei firewall:

[USG] firewall defend ip-fragment enable

Which of the following situations will be recorded as an attack?

A. DF bit is 1 and MF bit is also 1 or the fragment offset is not 0

B. DF bit is 0, the MF bit is 1 or the fragment offset is not 0

C. DF bit is 0 and fragment offset + length > 65535

D. DF bit is 1 and fragment offset + length > 65535

Which of the following are network layer attacks of the TCP/IP stack?

A. Address Scan

B. Buffer Overflow

C. Port Scanning

D. IP Spoofing

Which of the following features are supported by the Huawei NIP Intrusion Prevention Device?

A. Virtual Patch

B. Mail Detection

C. SSL Traffic Detection

D. Application identification and Control

Which of the following files can be detected by the Sandbox?

A. WWW Documents

B. PE File

C. Picture file

D. Mail

What content can be filtered by the content filtering technology of Huawei USG6000?

A. File Content Sharing

B. Voice Content Sharing

C. Application Content Sharing

D. Video Content Filtering

Which descriptions about viruses and Trojans are correct?

A. Viruses are triggered by Computer users

B. Viruses can self replicate

C. Trojans are triggered by computer users

D. Trojans can self replicate

Which of the following descriptions are correct about proxy-based antivirus gateways?

A. The detection rate is higher than the flow scan mode

B. System overhead will be small

C. All files are cached through the gateway's own protocol stack

D. More advanced operations such as decompression and shelling can be performed.

Which of the following are keyword matching patterns?

A. Text

B. Regular Expressions

C. Community Keywords

D. Custom Keywords

HUAWEI H12-723-ENU

1. Which of the following are correct about the 802.1x access process? (Multiple Choices)

a. Throughout the authentication process, the terminal exchanges information through the server and EAP packets

b. The terminal exchanges EAP packets with the 802.1x switch. The 802.1x switch and the server exchange information through RADIUS packets

c. 802.1x authentication does not require security policy checks

d. Use the MD5 algorithm to verify information.

Answer: (B,D)

2. The BYOD solution provides products and systems that cover terminals, network security and applications, including specialized BYOD devices, wireless network systems, network access security, client software, authentication systems, mobile device management (MDM), mobile eSpace UC, etc.

a. True

b. False

Answer: (A)

3. Which of the following is the correct order for terminal Wi-Fi push?

1. AnyOffice mobile office system pushes Wi-Fi configuration

2. AnyOffice mobile office automatically applies for certificate

3. The administrator configures enterprise Wi-Fi push

4. The terminal automatically accesses enterprise Wi-Fi

a. 1-2-3-4

b. 4-2-3-1

c. 3-2-1-4

d. 2-3-1-4

Answer: ( C )

4. Which of the following is the correct sequence for the PKI process?

1. PKI entity requests the CA certificate from the CA

2. After the PKI entity receives the CA certificate, it installs the CA certificate

3. When the CA receives the CA certificate request from the PKI entity, it returns its own CA certificate to the PKI entity

4. PKI entity sends a certificate registration request message to the CA

5. When PKI entities communicate with each other, they must obtain and install the local certificate of the peer entity.

6. PKI entity receives the certificate information sent by the CA.

7. After the PKI entity installs the local certificate of the peer entity, it verifies the validity of the local certificate of the peer entity. When the certificate is valid, the PKI entity uses the certificate public key for encrypted communication.

8. CA receives the certificate registration request message from the PKI entity.

a. 1-3-5-4-6-7-8

b. 1-3-5-6-7-4-8-2

c. 1-3-2-7-6-4-5-8

d. 1-3-2-4-8-6-5-7

Answer: ( D )

5. In a WLAN networking environment that adopts user isolation technology, which of the following statements is wrong?

a. User isolation between groups means that users in different groups can’t communicate with each other and internal users in the same group can communicate

b. Isolation in user groups means that users in the same group can’t communicate with each other

c. User isolation function means that layer 2 packets of all wireless users associated with the same AP can’t be forwarded to each other

d. Group isolation and isolation between groups can’t be used at the same time

Answer: ( D )

6. When local guest account authentication is used, portal authentication is used to push the authentication page to the visitor. Before user authentication, when the access control device receives an HTTP request that is not for the portal server authentication URL, how does the admission control device handle it?

a. Drop the packets

b. URL address redirect to portal authentication page

c. Direct release

d. Send authentication information to the authentication server

Answer: ( B )

7. The administrator issues notices to users in the form of announcements, such as the latest software and patch installation notices. Which of the following options is wrong?

a. You can issue an announcement by department

b. The endpoint must have the proxy installed to receive announcements

c. If the system issues an announcement and the proxy client is not online, it will not receive the announcement information after going online.

d. You can issue an announcement by account number.

Answer: (B)

8. When managing guest accounts, you need to create a guest account policy and set the account creation method. Which of the following descriptions is incorrect for account creation?

a. When you add accounts individually, you can select individual creation.

b. If the number of users is large, you can create them in batches

c. If the number of users is large, you can choose database synchronization.

d. Self-registration can be used to facilitate management and enhance the user experience.

Answer: (c)

9. In a WDS-enabled WLAN network, which of the following statements is correct regarding the determination of illegal devices?

a. All Ad-hoc devices will be directly identified as illegal devices

b. APs that are not connected to this AC are illegal APs

c. STAs that are not connected to this AC are illegal STAs

d. STAs that are not connected to this AC must check whether the access AP is valid

Answer: (AD)

10. When deploying wired 802.1k authentication, if the admission control device is deployed at the convergence layer, this deployment method has features such as high security parameters, multiple management devices and complicated management.

a. True

b. False

Answer: ( B)

11. Which of the following is correct for the roles of the portal authentication system?

a. The client is AnyOffice software

b. The role of the portal server is to receive the client authentication request, provide free portal service and authentication interface, and interact with the access device to authenticate the client

c. The role of the RADIUS server is to redirect all HTTP requests from users in the authentication network segment to the portal server

d. The role of the admission control device is to complete user authentication, authorization and accounting.

Answer: (B)

12. Which of the following are correct for MAC authentication and MAC bypass authentication?

a. MAC authentication is an authentication method that controls the user's network access rights based on the certificate of the MAC address. It does not require the user to install any client software.

b. In MAC bypass authentication, 802.1x authentication is first performed on the device. If the device does not respond to 802.1x authentication, the MAC address is used to authenticate the device.

c. During the MAC authentication process, the user needs to manually enter the user name and password.

d. The MAC address is not used as the user name and password to automatically access the network during MAC bypass authentication.

Answer: (AB)

13. Which of the following are correct about the deployment scenarios of hardware SACG authentication?

a. SACG authentication is generally used in suitable network scenarios where wired admission is performed

b. SACG authentication is generally used in scenarios where networks are set up for wireless admission control.

c. SACG is generally deployed in bypass mode without changing the network topology

d. SACG essentially controls access to users through 802.1x technology.

Answer: (AC)

14. The traditional network single strategy has difficulty dealing with complex situations such as device user location owner sifted terminal application and experience.

a. True

b. False

Answer: (A)

15. A network uses portal authentication. When the user accesses it, he finds that the user name and password are not entered in the pushed web page. Which of the following reasons may cause this fault?

a. There is no corresponding user on Agile Controller-Campus

b. Such AAA configure wrong

c. Push page error on portal server

Answer: (C)

16. In an agile network, before the user is authenticated, the user may need to access servers such as DNS, DHCP and portal. When the traffic from the user to the server passes through the firewall, the Agile Controller-Campus server the agile security group information corresponding to the traffic because the user is authenticated. After the user passes the authentication, the right authority can’t be offered immediately. How to solve this?

a. Turn off state direction on FW

b. Configure TSM on FW.

c. See the security pre-domain when an unauthenticated user accesses a server in the pre-security domain. FW directly forwards the traffic.

d. Release traffic to the server on FW

Answer: ( C )

17. Mobile smart phone and tablet users establish an IPsec encryption tunnel with AE through AnyOffice. After passing authentication and compliance check, they access services.

a. True

b. False

18. Typical application scenarios of terminal security include desktop management and illegal outreach computer management.

a. True

b. False

Answer: (A)

19. The standard 802.1x that is provided by the web client and operating system only has the identity authentication function. It does not support the implementation of inspection class policies and monitoring class policies. The AnyOffice client supports all inspection class policies and monitoring class policies.

a. True

b. False

Answer: (A)

20. MAC authentication means that in an 802.1x authentication environment, when the terminal does not respond to the 802.1x authentication request from the access control device after accessing the network, the access control device automatically obtains the MAC address of the terminal and sends it to the RADIUS server as a certificate for accessing the network.

a. True

b. False

Answer: (B)

21. When all servers are allocated according to user group, account number and terminal IP address range, if the same service is assigned to the user group, account number and terminal IP address range, the business assigned by the highest priority will take effect. About the order of priorities, which of the following is correct?

a. Account > user group > terminal IP address range

b. Terminal IP address range > account > user group

c. Account > terminal IP address range > user group

Answer (C)

22. The multi-level defense system is mainly embodied at the network level and system level. Which of the following options are used for security protection at the network level?

a. Software SACG

b. Hardware SACG

c. 802.1X switch

ANSWER: (ABC)

23. Location refers to the terminal environment when a terminal user uses AC-Campus to access a controlled network.

a. Different locations have different security strategies

b. There is no relationship between location and safety

c. There can only be one location in the company

d. There is no relationship between locations

Answer: (A)

24. Identity authentication determines what to allow access by identifying the access device or user

a. True

b. False

Answer: (A)

25. Which of the following is wrong about account blacklist?

a. Automatic account lockout and manual account lockout can’t be enabled at the same time

b. For automatically locking an account, if the number of wrong passwords entered during end user authentication exceeds the limited time, the account is automatically locked

c. For manually locking an account, the administrator needs to manually add the account to the locked account list

d. If a manually locked account is deleted from the list, the account lock is released

Answer: (A)

26. All components of Agile Controller-Campus support Windows and Linux systems

a. True

b. False

Answer: (A)

27. The sonic will determine the access of light are QoS policy accessing to SWH condition of user access. Which of the following statements is correct for SWH?

a. Who determine the activation of access equipment

b. Who determine the identification of the access person

c. How to determine the access method

d. What determine the access device

Answer ( CD)

28. Which of the following network security threats act only on WLAN?

a. Brute force

b. Pan attack

c. DoS denial of service attack

d. Weak to attack

Answer ( D)

29. After the user authentication access switch or switching case on line user on

a. A remote assistant and user access the ary office

b. Force access to go office

c. Audit user online and offline records

d. Disable the user cost account and assign ideas

Answer (ABCD)

30. Which of the following parameters must be configured on the shared on the portal authentication?

a. Portal server IP

b. Portal page URL

c. Shared key

d. Portal protocol version

Answer (ABC)

31. Portal authentication is used on the terminal to access the network. However, it is not possible to jump to the authentication page. The possible reasons don’t include which of the following options?

a. Portal authentication parameters configured on Agile Controller-Campus are inconsistent with the access control devices.

b. The authentication port number configured on the access devices portal profile in

50122 data default on agile controller campus

c. SC did not start

d. When the page is customized the preset template is used.

Answer (D)

32. Which of the following is wrong about the SACG online process?

a. The terminal communicates with the Agile Controller-Campus server using SSL encryption

b. Authentication base end user can only access resources in the pre-authentication domain.

c. After the security check is passed, the Agile Controller-Campus server notifies SACG to switch the IP address of the end user in the isolation domain.

d. Agile controller campus server controls domain procedures in SACG messages.

Answer ( C)

33. Traditional access control policies are implemented through ACL or VLAN and cannot be associated with IP addresses. Maintenance modification is large when the IP access changes. Because the agile network introduces the concept of security groups, it can achieve decoupling from IP addresses.

a. True

b. False

Answer (A)

34. When the access command is used to test connectivity to the RADIUS server on the access control device, the running result displays a timeout. This may be caused by wrong account or password configuration.

a. True

b. False

Answer (B)

35. When Agile Controller-Campus acts as the RADIUS server for authentication, what is the port that RADIUS needs to be configured with on the admission control device?

a. 1812

b. 1813

c. 6443

d. 8080

Answer (A)

36. Which of the following does not belong to the challenge of mobile office

a. The mobile office platform is safe and reliable

b. Secure and fast user access to the network

c. Unified management of the terminal fine control

d. Deployment of network gateways

Answer (D)

37. After Agile Controller-Campus is successfully installed with a Windows account, how do you manually start the management center MCP?

a. Double-click the start server shortcut on the desktop to start it.

b. Select start>All programs>Huawei>MCserver>start server

c. Select start>All programs>Huawei>agile control>server setup config> to manually

start the required components.

d. Select start>All programs>Huawei>MCserver>server startup config to manually

start the required components.

Answer (AB)

38. When configuring an antivirus software policy. The required antivirus software

violation level is not installed or not running is generator and select the option. There is

serious violation of the rules prohibit access to the network when the user use any office

to authentication. The authentication is passed. However if the result of the security

check shows that the antivirus software is not enabled can the user access the network.

a. Can access the network but also can access network sources.

b. Can access the network

c. Can access the network but need to be regard to network resources

d. Can access the network but needs to re-authenticate to access network resources.

Answer ( C)

39. Which of the following methods can security protection be used for enterprise terminal

security.

a. Admission control

b. Encrypted access

c. Business isolation

d. Auditing and accessing

Answer (A)

40. Which of the following is the main function of the SC component in Agile Controller-Campus?

a. As the management center of Agile Controller-Campus, it is responsible for formulating the overall strategy.

b. As the management interface of Agile Controller-Campus, it configures and monitors the system

c. Integrates a standard RADIUS server. It is responsible for implementing user-based network access control policy in conjunction with network access devices.

d. As the security server of Agile Controller-Campus, it is responsible for analyzing and calculating security events reported by radius.

Answer ( C )

41. Import user information of AD server on Agile controller campus to implement user

access authentication. If the user does not find user information on Agile controller

campus. Which of the following actions will be performed next.

a. Return authentication failure information directly

b. Direct user information

c. Send the user information to AD server for verification

d. Synchronize the database again

Answer ( C)

42. VIP experience guarantee mainly protects the VIP user experience from which two aspects?

a. Bandwidth

b. Forwarding priority

c. Permissions

d. Strategy

Answer (AB)

43. Which of the following does user access authentication technology not include?

a. Authentication

b. Quarantine repair

c. Security check

d. Admission control

Answer ( B)

44. Which of the following network security technologies are part of the user access

security WLAN session access wireless access scenario.

a. AI certification

b. Link authentication

c. User access authentication

d. Data encryption

Answer ( BCD)

45. Which of the following descriptions are correct regarding the process of using an AD/LDAP account for authentication?

a. If the account is synchronized to Agile Controller-Campus, Agile Controller-Campus verifies the account. If the account exists, it sends the password to the AD/LDAP server for verification. After the password is verified, it returns to Agile Controller-Campus and authorizes the user according to the configured authorization rule.

b. The account has been synchronized to Agile Controller-Campus and Agile Controller-Campus creates to send AD/LDAP authentication. If the account exists on the AD/LDAP server, Agile Controller-Campus sends the password corresponding to the account to the AD/LDAP server for verification. After successful verification the authentication process.

c. If the Agile Controller-Campus authentication account does not exist, continue sending the account to AD/LDAP authentication. If the account exists on the AD/LDAP server, the account is incorrectly synchronized to Agile Controller-Campus. After the synchronization is successful, Agile Controller-Campus sends the password of the account to the AD/LDAP server for verification. After the verification is successful the authentication process.

d. If the Agile Controller-Campus authentication account exists, verify the account on Agile Controller-Campus. If the account does not exist, send the account to AD/LDAP authentication password. After the password verification is passed, it returns to Agile Controller-Campus and authorizes the user according to the configured authorization rules.

Answer(AC)

46. MAC bypass authentication means that the access control device automatically obtains the MAC address after the terminal is connected to the network and sends the certificate of the access network to the RADIUS server for verification

a. True

b. False

Answer (B)

47. When the administrator access network for an account to guest, which of the following actions is not included in those that an administrator can perform on the visitor?

a. Visitor login on and off

b. Force user to go offline

c. Account deactivation/reset password

d. Send waiting message to user.

Answer(D)

48. In the company's visitor reception hall, there are a large number of end users who access temporarily. The administrator hopes that users can access the internet without providing any account number and password.

a. local account authentication

b. anonymous authentication

c. AD account authentication

d. MAC authentication

Answer (B)

49. The Agile Controller-Campus system includes four parts: management center (MC), service manager (SM), service controller (SC) and client. Network access devices (NAD) are used as an integral part of the solution and interact with the service controller to implement user-based access control and business capability.

a. True

b. False

Answer (A)

50. Which of the following are correct when deploying a BYOD system that adopts disabled deployment?

a. In the distributed networking, the database and SM server are only installed in the corporate headquarters. SC server and AE server are installed in the corporate headquarters and branches.

b. AE server reads the provide interfaces and therefore it is recommended to deploy it in the untrusted zone of the egress firewall.

c. The database, SM server and SC server are all installed on the server

d. AnyOffice server is deployed in the trust zone.

Answer (AD)

51. For the application access of centralized deployment and distributed deployment of Agile Controller-Campus, which of the following are correct?

a. If most of the end users are centralized in one area and a few end users work in branches, centralized deployment is recommended.

b. If most of the end users are centralized in one area and a few end users work in branches, distributed deployment is recommended.

c. If end users are geographically dispersed, it is recommended to use the distributed deployment solution.

d. If end users are geographically dispersed, it is recommended to use the centralized deployment solution.

Answer ( AC)

52. Security authentication mainly implements security checks on access users through security policies. Terminal host security management is mainly implemented by check type policies. End user behavior management is implemented by monitoring policies. If the end user needs to terminate strategy according to his own custom strategy.

a. True

b. False

Answer(A)

53. In portal authentication, after the account password authentication through the web browser, the prompt "authenticating" is displayed and the status continues for a long time before the authentication is successful. This phenomenon is caused by which of the following reasons?

a. Multiple Agile Controller servers simultaneously add the same terminal IP address to portal access terminal IP address is and some of the Agile Controller servers and the terminal can’t communicate normally.

b. The portal template is configured with the wrong password.

c. There are too many authorization rules on Agile Controller-Campus and it takes a lot of time to find the item.

d. The lack of contain in the terminal equipment leads to large delay.

Answer (A)

54. In a WLAN network, intra-group isolation and inter-group isolation can be used simultaneously.

a. True

b. False

Answer (A)

55. Which device is usually used as a hardware SACG in the Agile Controller-Campus solution?

a. Router

b. Switch

c. Firewall

d. IPS

Answer ( C)

56. When a visitor needs to access the network through an account, which of the following methods can be used to access?

a. Create new account

b. Use existing social media account

c. No certification no account required

d. Scan public QR code.

Answer (ABCD)

57. Which of the following is correct about the portal gateway access process?

a. Portal gateway initiates a RADIUS challenge request packet containing user name and password information

b. ACL that the server delivers to the access gateway is carried in the portal protocol packet

c. Delivering policy while performing identity authentication

d. Portal server needs to pass the security check result to the access gateway device

Answer ( D)

58. In the terminal security full-scale defense system, using the PPI PDCA model can effectively achieve terminal security defense. Which of the following does not belong to the PPI model?

a. Technology

b. Process

c. Organization

d. Plan

Answer (D)

59. The traditional campus network is based on IP-based network. If there are mobile office users, which of the following is not a problem faced by mobile office users when deploying access authentication?

a. The user has a large range of distribution and high access control requirements

b. The deployment of access control policies is heavy

c. Access rights are difficult to control

d. Inconsistent user experience

Answer (A)

60. Which of the following options are not included in the mobile terminal life cycle?

a. Obtain

b. Deployment

c. Operation

d. Uninstall

Answer (D)

61. A CAPWAP tunnel is established through negotiation between the AP and AC. In this process, the CAPWAP tunnel uses DTLS to encrypt and transmit UDP packets. Which encryption methods are supported by DTLS?

a. certificate encryption

b. AES encryption

c. PSK encryption

d. plaintext encryption

Answer (AC)

62. When performing terminal admission control, which of the following is not included among the authentication technologies used?

a. 802.1X authentication

b. SACG certification

c. bypass certification

d. portal authentication

Answer ( C)

63. The XMPP protocol has three roles: server, gateway and client. Corresponding to the mobility solution, Agile Controller-Campus acts as the server, the Huawei USG6000 firewall acts as the gateway and the agile switch serves as the client.

a. True

b. False

Answer (B)

64. In order to ensure the security of AP online, the AP may be authenticated on the AC. What are the correct authentication methods supported by Huawei AC?

a. MAC authentication

b. Password authentication

c. no certification

d. SN certification

Answer (ACD)

65. Portal page push rules have priority. The high precedence rule matches the user information first. If none of the configured rules match, the default rule is used.

a. True

b. False

Answer (A)

66. The following is the 802.1X access control switch configuration:

[55720] dot1x authentication-method eap

[55720-GigabitEthernet0/0/1] port link-type access

[55720-GigabitEthernet0/0/1] port default vlan 11

[55720-GigabitEthernet0/0/1] authentication dot1x

Assume that GE0/0/1 is connected to user 1 and user 2 through a HUB. Which of the following options is correct?

a. After user 1 passes authentication, user 2 can access network resources without authentication.

b. Both user 1 and user 2 must be authenticated individually to access network resources

c. GE0/0/1 does not need to enable dot1x

d. Both user 1 and user 2 can’t authenticate and access network resources

Answer (A)

67. Use Agile Controller-Campus for guest management. Users can obtain the

application account in multiple ways. But does not include which of the following?

a. SMS

b. E-MAIL

c. Web printing

d. Voicemail

Answer (D)

68. Jailbroken mobile devices, mobile terminals installed with non-compliant applications, or terminals with non-compliant lock screen passwords, etc. are all insecure when they have accessed the corporate network to platform business. How does the AnyOffice mobile office system solve the problem?

a. Directly discard data sent by non-compliant devices.

b. Certification of non-compliant devices

c. Check non-compliant terminals and prohibit unable devices from accessing the network

d. Send alarm information to notify the administrator

Answer (C)

69. For the convenience of visitors, different authentication and registration pages can be pushed for different visitors. When configuring the push page policy, you need to define different matching conditions. Which of the following can be used as qualified matching conditions?

a. Terminal IP address

b. Access device location information

c. Guest account priority

d. SSID of access network

Answer (AD)

70. In terminal security management, the check of the software installation of the terminal host uses the black and white list mode. Which of the following are compliance actions?

a. The terminal host does not install whitelist software and also does not install blacklist software

b. The terminal host installs all software in the whitelist but does not install blacklist software

c. The terminal host installs some software in the whitelist but does not install blacklist software

d. The terminal host installs all software in the whitelist and also installs some software in the blacklist

Answer (B)

71. The terminal access control function does not take effect. The following information is displayed on SACG.

<FW> Display right-manager role-id rule

Advance ACL 3099, 5 rules, not binding vpn instance

Ads step 1

Rule 1000 permit ip (1280 times matched)

Rule 1001 permit ip destination 172.18.11.22 10(581 times matched)

Rule 1003 permit ip destination 172.18.11.223.0 (77 time matched)

Rule 1003 permit ip destination 172.19.0.0 0.0.255.255(355 times matched)

Rule 1004 deny ip (507759 time matched)

a. 172.18.11.221 is server that isolates the domain.

b. Open the escape route

c. 172.18.11.223 is the post domain server

Answer (B)

72. Which of the following devices is suitable for MAC authentication to access the network?

a. Windows system host for office

b. Linux system host for testing

c. Mobile clients such as a smart phone

d. Network printers

Answer (D)

73. For hardware SACG access control, if the terminal does not pass the authentication, it can access the post-authentication domain resources. The phenomenon may be caused by which of the following reasons?

a. The authentication data flow is started by SACG

b. Hardware SACG devices are not added to TSM system

c. SACG turns on default inter-domain packet filtering

d. The privileged IP was misconfigured

Answer (CD)

74. If a normal account is used for authentication, which of the following options is wrong?

a. User can use AnyOffice for authentication

b. user can’t use web method for authentication

c. user can use web agent for authentication

d. user can use built-in 802.1x client for authentication

Answer (B)

75. Which of the following is true about uninstalling Agile Controller-Campus on Windows and Linux systems?

a. Run sh uninstall in the Agile Controller uninstall directory using the common account to start the uninstall program

b. Run sh uninstall in the Agile Controller directory using the not account to start the uninstall process

c. On the Windows platform, select Start > All Programs > Huawei > Agile Controller > Server Startup Config

d. On the Windows platform, select Start > All Programs > Huawei > Agile Controller > Uninstall

Answer D

76. A company has strict end-host access control management. The administrator wants to bind the terminal host and account so as to prevent end users from accessing the controlled network from non-authorized terminal hosts. Which of the following is correct?

a. When Any Office logs in with an account for the first time, the terminal host automatically binds the current account.

b. When another account needs to be authenticated on the bound terminal host, they do not need to find the owner of the bound asset to first authorize them.

c. The binding of terminal host and account is only applicable to the scenario where the terminal user authenticates through Any Office. Authentication through the web agent plug-in and web client is not applicable.

Answer (C)

77. Which of the following are correct about how SACG equipment accesses the network?

a. SACG equipment requires interworking with the terminal at layer .

b. SACG is usually attached to the core switch equipment and uses policy routing to divert traffic

c. SACG supports being attached to non-Huawei equipment.

d. SACG equipment requires interworking with Agile Controller-Campus at layer 2.

Answer (BC)

78. Which of the following is true about software SACG and hardware SACG?

a. Hardware SACG uses Any Office for admission control.

b. Software SACG uses Any Office for admission control

c. Hardware SACG cost compared to software SACG

d. Hardware SACG is more secure

Answer: (B)

79. Secure Email is a killer application of the Any Office solution for corporate office OA. It provides powerful email security capabilities and email policies. Which of the following are correct for secure email?

a. Through the mail client you can dock with the Notes or Exchange mail system

b. Supports automatic encryption of mail transmission.

c. Does not support online browsing of attachment documents

d. Supports standard protocols such as IMAP4/SMTP/TAS to send and receive emails, and supports real-time email push

Answer (AD)

80. The user accesses the network through a network access device. A third-party RADIUS server authenticates and authorizes the user. Which of the following is incorrect about the certification process?

a. Configure RADIUS authentication and accounting on the RADIUS server.

b. Configure Agile Controller-Campus as the local data source for the packets sent by the device and perform authentication.

c. Configure RADIUS authentication and accounting on the device

d. Configure RADIUS authentication and accounting on Agile Controller-Campus.

Answer: (B)

81. The 802.1X authentication scheme generally requires the terminal to install specific client software. For large-scale deployment of client software, which of the following can be used?

a. Enable guest VLAN so that users can obtain the installation package in the guest VLAN.

b. Configure free-rule and web push functions on the switch to push installation packages to users.

c. Copy the installation packages from one another using USB disks.

(Answer: AB)

82. Which of the following descriptions is correct about the distributed deployment scenario for an authentication server?

a. The enterprise network is relatively decentralized. There are multiple branches and the number of users in the branches is large.

b. scenario where the number of users is less than 2000 and network between

headquarter and S

c. the terminal security management services between the branches and the

headquarter

d. The quality of the network between the branch office and the headquarters is difficult to guarantee. The network between the headquarters and the branch office may be interrupted. Making the terminal of the branch office to connect to the data center of the headquarters.

Answer(AD )

83. Which of the following are correct about security domains in Agile Controller-Campus?

a. The user domain is generally composed of various types of terminal users. The terminals in this area are characterized by large quantity, wide distribution and high mobility.

b. The science domain a problem for service traffic bearing it use security technology to

logically divide the business according to the enterprise’s needs so as to achieve the

security of the network

c. The network domain is the security protection area most connected by all kinds of

enterprises, and it carries the important and core information assets of the enterprise

d. A service domain is an area that provides security services for enterprises. This area is generally composed of systems that provide security services, such as antivirus servers, patch management servers and terminal security servers.

Answer: (AD)

84. WPA2 is more secure than WPA because of the more secure encryption technology, TKIP, MC

a. True

b. False

Answer: (B)

85. If the 802.1X authentication port is on the aggregation layer switch, which special configurations are required in addition to the common configurations such as RADIUS, AAA and 802.1X?

a. The 802.1X function needs to be enabled on both the aggregation layer and access layer switches

b. The access layer switch needs to configure transparent transmission of 802.1X packets

c. The aggregation layer switch needs to configure transparent transmission of 802.1X packets

d. No special configuration is required

Answer: (B)

86. The service manager downloads patches in two ways. When hierarchical deployment is adopted, the patches can be downloaded directly through Microsoft’s patch server. When non-hierarchical deployment is used, patches can be downloaded through the management center or downloaded directly through Microsoft’s patch server.

a. True

b. False

Answer: (B)

87. There are two types of accounts on Agile Controller-Campus: one is local accounts and the other is external accounts. Which of the following does not belong to local accounts?

A. Ordinary account

B. Guest account

C. Mobile certificate account

D. Anonymous account

Answer (C)

88. Which of the following is correct about the authentication method and authentication type?

a. A user can use the web method to support both local authentication and digital certificate authentication

b. Users can use the web agent method to support both digital certificate and system authentication

c. Users can use the agent mode to support three authentication types: local authentication, digital certificate and system authentication

d. Users can use the web agent method to support digital certificate authentication and local authentication.

Answer: (C)

89. Security domains refer to dividing the intranet into several appropriate logical areas based on internet service types and security requirements in order to better secure the intranet. Which of the following options does not belong to the security domains in Agile Controller-Campus?

a. user domain

b. network domain

c. business domain

d. attack domain

Answer: (d)

90. Which of the following descriptions is wrong about patch management and the Windows patch policy?

a. Patch management and the Windows patch check policy check whether the terminal host has installed the specified Windows patch

b. The Windows patch check policy focuses on checking whether the terminal host has patches for the Windows operating system.

c. When the terminal host does not install the specified Windows system patch.

d. Patch management focuses on checking whether the terminal host has installed the specified patch and performs access control on the terminal host

Answer: (D)

91. In the Agile Controller-Campus admission control technology framework, which of the following is correct about RADIUS?

a. RADIUS is used to pass user name, password and other information between the client and the 802.1X switch

b. RADIUS is used to pass username, password and other information between 802.1x

c. RADIUS is used to push web pages to user portal server

d. RADIUS is used to devices security policies and SACG devices by the server

Answer (B)

92. Which of the following belongs to the MAC portal authentication application scenario?

a. The user uses the portal page for authentication

b. The user is connected through WeChat for authentication

c. The user uses the MAC client for authentication

d. When the user passes portal authentication for the first time, the RADIUS server caches the MAC address used by the terminal. If the terminal goes offline after being dropped within the validity period of the cache, the RADIUS server searches the cache for the MAC address of the terminal directly for authentication.

Answer: (D)

93. A network adopts 802.1X to authenticate access users. The admission control device is deployed at the convergence layer. After the deployment is complete, the test-aaa command is used successfully on the admission control device, but the user can’t access the network. Which of the following may be the cause of the fault?

a. A RADIUS authentication template is not configured on the aggregation layer device

b. The switch is added to Agile Controller-Campus as a NAS device

c. The 802.1X function is not enabled on the port on the access device

d. Layer 2 links are used between access devices and aggregation devices. The 802.1X transmission is not enabled

Answer: (CD)

94. Check the policy downloaded by the Agile Controller-Campus server on the switch as follows:

<SW>display acl all

Total nonempty ACL number is 3

Advanced ACL Auto PCM _OPEN_POLICY_3999 . 0 rule

ACL’s step is 5

Ucl group ACL Auto _PGM_u2 9996 , 1 rule

ACL’s step is 5

Rule 1 permit ip source ucl-group name Common –user destination ucl_ group name Mail-Server (match-counter 0)

Ucl group ACL Auto _PGM_u1 9997 , 2 rules

ACL’s step is 5

Rule 1 permit ip source ucl-group name VIP destination ucl_ group name Mail- Server (match-counter 0)

Rule 2 permit ip source ucl-group name VIP destination ucl_ group name Internet_ WWW (match-counter 0)

Ucl group ACL Auto _PGM_u1 9998 , 1 rule

ACL’s step is 5

Rule 1 deny ip source ucl-group 0 (match-counter 0)

Lid-group ACL Auto_ PGM_ PREFER_ POLICY 9999 . 0 rule

ACL’s step is 5

Which of the following are correct for this strategy?

a. Common user users can access Internet WWW resources

b. VIP can access internet WWW resources

c. VIP can access Mail server resources

d. Common user users can access Mail server resources

Answer: (ABC)

95. An enterprise uses the hardware SACG access mode to perform admission control. The configuration commands are as follows: Admin@123

[USG] right-manager server group

[USG rightm] local ip10.1.10.2

[USG rightm] server ip 10.1.31.78 shared-key Admin@123

[USG2100rightm] right manager server group enable

Assuming other configurations are correct, based on the above configuration, which of the following options is correct?

a. After the configuration is complete, the SACG can associate with Agile Controller-Campus successfully

b. After the configuration is complete, the SACG can’t associate with Agile Controller-Campus successfully

c. The pre-authentication domain ACL can be delivered

d. The association fails but the terminal can access the pre-authentication domain server

Answer: (B)

96. Regarding WPS/WDS, which of the following is correct?

A. WDS is a wireless prevention system

B. WPS is wireless intrusion detection system

C. WDS is wireless intrusion communication system

D. WPS is wireless intrusion Prevention system

97. Agile Controller-Campus is developed on the Windows platform and uses a SQL Server database. Which of the following is true about the HA function of Agile Controller-Campus?

a. When deploying the management controller MC, HA is supported and HA active/standby switchover based on Keepalived technology is provided

b. When deploying the service manager SM, HA is supported and HA active/standby switchover based on Keepalived technology is provided.

c. When deploying the service controller SC, HA is supported and a backup scheme in resource pool mode is provided. N+1 SCs need to be deployed

d. When the database DB is deployed, HA is supported, using SQL Server database mirroring technology. You need to deploy the primary DB + mirror DB + witness DB

Answer: (CD)

98. A layer 3 forwarding device exists between the authentication client and the admission control device. In this case, if the layer 3 authentication mode of portal authentication is adopted, the device can also obtain the MAC address of the authentication client.

Therefore, the IP address and MAC address can both be used to identify the user’s information.

a. True

b. False

Answer: (B)

99. Which of the following is correct about the logical architecture of business accompanying?

a. The business management plan focuses on administration authentication server and server policies

Answer :(A)

100. The three-dimensional defense of terminal security includes several aspects. Which of the following options does not belong to the three-dimensional defense?

a. integration

b. traceability

c. multi level

Answer (B)

101. Which of the following is correct for the isolation domain role?

a. An isolation domain refers to the area that the terminal host can access before being authenticated, such as where the DNS server, external authentication source, service controller (SC) and service manager (SM) are located.

b. Isolation domain is an area that allows access when an end user passes identity authentication has security authentication, such as the patch server and virus database server.

c. Isolation domain refers to the area that end users can access after passing authentication and security authentication, such as where the ERP system, financial system and database system are isolated

d. End users can access the isolation domain regardless of identity authentication.

Answer (B)

102. Which three steps are involved in free mobility deployment?

a. Define the security group

b. Define and deploy group policy

c. The system runs automatically

d. System report security group

e. Define user groups

Answer (ABC)

103. Visitor management can authorize visitors based on the account number, time, location, terminal type and access method, and can push personalized pages to visitors based on time, location, and terminal type.

a. True

b. False

Answer (A)

104. Which of the following descriptions are correct for guest management?

a. Guest registration accounts can be configured for approval

b. Guest login can only be configured as a web page

c. Guest authentication page cannot be used for anonymous account authentication

d. Guest accounts approval information can notify visitors via SMS

Answer (AD)

105. How to check if MC service is started?

a. Check whether TMCServer service is started in task manager

b. Check whether TMCServerDaemon service is started in task manager

c. Check whether TMCServer and TMCServerDaemon service are started in task

manager

d. On the server, choose Start > All Programs > Huawei > Agile Controller and check whether the MC status is “Running”

Answer (C)

106. Which of the following is not supported by the business?

a. Internet users access the data center/internet.

b. When a traveling user accesses the internet resources, the traveling user accesses the intranet through VPN.

c. Teamwork office

d. Employment communication between devices.

Answer (D)

107. When the test-aaa command is used on the access control device to test the connectivity to the RADIUS server, the operation is displayed as successful. However, the user cannot access the device normally. Possible reasons do not include which of the following options?

a. The access layer switch does not enable EAP transparent transmission

b. In the wireless 802.1X access as security profile is configured on the access control device

c. The service controller does not join AD domain in AD authentication scenario.

d. The user account or password is wrongly configured.

Answer (D)

108. In centralized networking, the database, SM server, SC server and AE server are all installed at the headquarters of the enterprise. This networking mode is applicable to enterprises with a wide geographical distribution of users and a large number of users.

a. True

b. False

Answer (B)

109. Configuring device detection on WLAN can implement monitoring of the entire network, but you need to first set the working mode of the AP. Which of the following belong to the working modes of the AP?

a. Access mode

b. Normal mode

c. Mixed mode

d. Monitoring mode

Answer (BD)

110. Which of the following descriptions is correct about the triggering mechanism of 802.1X authentication?

a. 802.1X Authentication can only be initiated by the client

b. 802.1X Authentication can only be initiated by authentication device (such as 802.1X

switch)

c. Client can trigger authentication through multicast or broadcast

d. The authentication device can trigger authentication through multicast or unicast

Answer (CD)

111. The Agile Controller-Campus product architecture includes three levels. Which of the following does not belong to the product architecture hierarchy?

a. Server layer

b. Network device layer

c. Admission control layer

d. User access layer

Answer (C)

112. The Agile Controller-Campus system architecture belongs to C/S architecture

a. True

b. False

Answer (B)

113. A policy template is a collection of several policies. To audit the security status of different terminal hosts and the behavior of end users, administrators need to customize different policy templates for protecting and managing terminal hosts. Which of the following are correct regarding the policy template?

a. When configuring a policy template, you can inherit the parent template and modify the parent template policy.

b. Only policies in the policy template can be used. Administrators can’t customize policies.

c. You can assign a policy template to a network segment.

d. If different policy templates are applied to departments and accounts, the policy template assigned to the one with the highest priority will take effect. The priority relationship of departments and accounts is account > department.

Answer (CD)

114. Which of the following is wrong about asset management?

a. Asset management can be done by automatically registering assets or by manually

registering assets.

b. Enable automatic asset registration, and user registration is not required during asset registration.

c. Auto enrollment of assets applies when the asset number is automatically maintained by the Service Manager

d. Manually registering assets means that an administrator manually creates an asset record on Business Manager and enters the asset number in Any Office to complete the asset registration process.

Answer (D)

115. Which of the following descriptions are correct regarding MAC authentication and

MAC bypass authentication?

a. The biggest difference between the two is that MAC bypass authentication belongs to 802.1X authentication, while MAC authentication does not belong to 802.1X authentication.

b. If one network port may connect to a dumb terminal (printer, IP phone) or to a laptop, use MAC bypass authentication: try 802.1X authentication first. After the authentication fails, try MAC authentication again.

c. If a network port only connects to dumb terminals (printers, IP phones), use MAC authentication to shorten the authentication time.

d. MAC authentication has one more 802.1X authentication link than MAC bypass authentication, so it takes longer than MAC bypass authentication.

Answer (ABC)

116. Guest management is an important feature of Agile Controller-Campus. Which of the following statements is correct regarding visitor management?

a. Visitors can use the mobile number to quickly register an account

b. Administrators can assign different permissions to each visitor

c. The reception staff can’t create guest accounts

d. Administrators can’t trace violations by guest accounts

Answer (AB)

117. Which of the following is correct about the source files set in software management?

a. When the source of the file is an internal data source, when distributing the software the service manager only sends the path of the software data source to be distributed to Any Office.

b. When the source of the file is an external data source, Any Office will obtain the software to be distributed.

c. The external data source can’t distribute FTP type file server files.

d. Microsoft Windows file sharing server provides the path to the software to be distributed as a UNC (Universal Naming Convention) path (beginning with ‘\\’)

Answer (D)

118. If a BYOD system is deployed with SM installed stand-alone, SC installed in dual-system mode, and AE deployed on single-machine hardware, which of the following descriptions is correct?

a. The AE server preferentially uses the standby SC server

b. When installing the AE server, configure the IP addresses of the primary and secondary SC servers

c. If the primary SC server fails, the AE server will use the secondary SC server

d. After the primary SC server is restored, the AE server will not switch back to the primary SC server for processing services

Answer (BC)

119. In user management, user group and account relationships are stored in a tree on Agile Controller-Campus. An account only belongs to one user group, which is consistent with the organizational structure of the enterprise. The organization unit (OU) structure stored in the AD/LDAP server is the same as the organizational structure of the enterprise, and the users are stored under OU.

a. Synchronize by OU

b. AD synchronizes by ‘group’ and OU describes the organizational structure

c. AD synchronizes by ‘group’ and ‘group’ describes the organizational structure

d. LDAP synchronizes by ‘group’

Answer (A)

120. In some scenarios, anonymous accounts can be used for authentication. Which of the following are correct for anonymous accounts?

a. Using an anonymous account for authentication is based on the belief that the certification authority does not require the other party to provide identity information and provides services to the other party

b. The -anonymous account needs to be manually created on Agile Controller-Campus

c. By default, anonymous account access control policy patching template invocation and software distribution can’t be performed.

d. The administrator can’t delete the anonymous account ‘-anonymous’

Answer (AD)

121. Business encourage is a special access control method. According to the user’s access point, access time, access method and user terminal, specified permission is granted. As long as the user conditions remain unchanged, the permission and network experience after accessing the network are the same.

a. True

b. False

Answer (A)

122. Portal authentication on Agile Controller-Campus has been configured correctly. The following command is configured on the admission control switch.

[S5720] authentication free-rule 1 destination ip 10.1.31.78 mask 255.255.255.255

Which of the following options are correct?

a. After the configuration is complete, the switch will automatically release the data flow to access the security controller without the administrator manually configuring it.

b. The configuration allows users to access the network resources before

authentication.

c. After the configuration is complete the administrator will need to manually

configure the release network segment

d. The terminal can access the 10.1.31.78 host only after the authentication is passed

Answer (AB)

123. In a WLAN network, which type of packet does the AP use to determine the type of device when the AP is in monitoring mode?

a. DHCP

b. ARP

c. CAPWAP

d. 802.11MAC

Answer (D)

124. Which of the following belongs to the third-party server account?

a. AD account

b. Mobile certificate account

c. Anonymous account

d. Guest account

Answer (AB)

125. Business encourage function at Agile controller can direct traffic to the security center based

on services and improve the utilization of physical devices.

a. True

b. False

Answer (B)

126. In the scenario where SACG is linked in bypass mode, only the traffic initiated by the end user passes through the firewall. The return traffic from the server to the end user does not need to pass through the firewall. For the firewall, the forward and return paths of the traffic are inconsistent. In this case you need to disable the session state detection function.

a. True

b. False

Answer (A)

127. After an enterprise deploys anti-virus software, it finds that virus infections still occur in large areas. The reason for this problem is that, apart from the limitations of the product’s own technology, weak personal terminal security is also an important factor.

a. True

b. False

Answer (A)

128. Hardware SACG access control is used. The result of viewing the session table on the hardware SACG is as follows

<FW> display firewall sessions table verbose

tcpVPN public->public

zone, untrust->trust TTL 99.10.00 Left: 00.05.27

interface GigabiEthernet 0/9/1 NextHop 192.168.200.11 MAC 00.8c 29 64 47 d2

<- packets 316bytes 3616->pacets 33bytes -17277

192.168.0.119:1574->192.168.200.11:15080

tcpVPN public-> public

zone, untrust->trust TTL 99.10.99 left:00.02.20

interface GigabiEthernet 0/9/1 NextHop 192.168.100.1 MAC 00.0c 29 d4 37 c2

<- packets 316bytes 9616->packets 33Bytes -17277

192.168.0.119:1571->192.168.100.1:8443

Which of the following statements are correct?

a. 192.168.100.1 must be the manager IP address of Agile Controller-Campus

b. If 192.168.200.11 is a server in the post-authentication domain, then the terminal with the IP address 192.168.0.119 may access the server if it is not authorized.

c. 192.168.100.1 must be the controller IP address of Agile Controller-Campus

d. If the session 192.168.0.119:1574->192.168.200.11:15980 is not refreshed within minutes, the device whose IP address is 192.168.0.119 must re-establish the session if it wants to communicate with the device whose IP address is 192.168.200.11

Answer (ABD)

129. The user access security solution is an end to end security architecture. The user access

security terminal teamwork includes three key components: terminal equipment, network

admission equipment and admission server?

a. True

b. False

Answer (A)

130. The following authentication commands are configured on two admission control devices, A and B. Which of the following are correct in the analysis of the configuration commands?

[A] dot1x enable

[A] interface gigabitethernet 1/0/1

[A-GigabitEthernet1/0/1] dot1x enable

[A-GigabitEthernet1/0/1] dot1x mac-bypass

[B] mac-authen

[B] interface gigabitethernet 1/0/1

[B-GigabitEthernet1/0/1] mac-authen

a. MAC bypass authentication is configured on device A

b. MAC bypass authentication is configured on device B

c. The GE1/0/1 port on device A can access both PC and dumb terminal devices

d. The GE1/0/1 port on device B can access both PC and dumb terminal devices

Answer (AC)

131. The MDM technology architecture of the Any Office mobile office system is broadly divided into three parts: Security SDK, Android MDM and iOS MDM. Which of the following is wrong about these parts?

a. The security SDK provides basic local data encryption, network transmission data encryption and L4VPN capabilities to the entire Any Office mobile office system

b. The security SDK can also integrate third-party applications, which obtain the corresponding security capabilities after integration.

c. The functions that Android MDM can implement include remote message push, remote control commands, terminal configuration delivery and policy control

d. The iOS system has its own MDM protocol, which involves remote message push, remote control commands, terminal configuration delivery and policy control. The Any Office mobile office system adds some MDM features of its own on the basis of the iOS MDM protocol

Answer (B)

132. Regarding CAPWAP encryption, which of the following statements is wrong?

a. CAPWAP data tunnels can be encrypted using DTLS

b. DTLS supports two authentication methods: certificate authentication (factory AC AP has been calmed) and PSK password authentication.

c. DTLS encryption can ensure that the control messages delivered by the AC are not eavesdropped

d. DTLS recognition is performed by using a certificate. The certificate is only used to generate the key and does not authenticate the AP.

Answer (A)

133. According to different reliability requirements, centralized networking can provide different reliability networking solutions. Which of the following are correct about these solutions?

a. The basic networking includes deploying one SM server, one SC server, one DB and one AE server

b. In addition to deploying basic networking components, AE reliability networking requires the deployment of one more standby SC server

c. In addition to deploying basic networking components, SC reliability networking requires the deployment of one more standby SM server

d. In addition to deploying basic networking components, DB reliability networking requires the deployment of one more standby DB server

Answer (AD)

134. Which of the following are correct about each role in the portal authentication architecture?

a. AAA server stores user name and password for authentication of access users

b. Web users store user name and password for authentication of access users

c. AAA server is used to push the Portal authentication page to users

d. Web server is used to push the Portal authentication page to users

Answer (AC)

135. Which of the following descriptions is wrong about the basic principle of user access security?

a. When a terminal device accesses the network, it first authenticates the user through the access device, and the access device cooperates with the authentication server to complete the user identity authentication.

b. The terminal device directly interacts with the security policy server. The terminal reports its own status information, including the virus database version, operating system version and patch versions installed on the terminal.

c. The security policy server checks the terminal status information. For terminal devices that do not meet enterprise security standards, the security policy server reissues authentication information to the access device.

d. The terminal device selects the resource to be accessed according to the result of

the status check

Answer (D)

136. Which of the following options are correct for security policy?

a. The check class policy is mainly used to check some static settings of the terminal, such as whether the screen saver is set, whether the anti-virus software is related, whether date is illegal outreach, and so on.

b. The monitoring policy is mainly used to monitor events occurring in the system in real time, for example whether anti-virus software is installed or whether you use PPPoE dial-up to access the network. Once the events are detected, you can take some control.

c. The security check policy includes only two types: the end host check class policy and the end user behavior check type policy

d. End host security management is mainly implemented by check-type policies; end user behavior is implemented by monitoring policies.

Answer (D)

137. Which of the following descriptions of the principles of MAC authentication is wrong?

a. MAC authentication requires Portal server cooperation

b. MAC authentication is implemented through the 802.1X protocol

c. MAC authentication requires that the terminal MAC address be stored in advance on the AAA server.

d. When MAC authentication is configured, the MAC address of the endpoint is automatically used as the username and password

Answer (A)

138. The visitor management process includes page customization, account application, user authentication, auditing and logout. After a user successfully applies for an account, the account needs to be distributed to the user. In which stage does account distribution take place?

a. Page customization phase

b. Account application stage

c. User authentication stage

d. Audit and cancellation stages

Answer (B)

139. Based on the format and content of the user name that the access device uses to verify the user's identity, the user name formats used for MAC authentication can be divided into three types. Which of the following formats is not included?

a. MAC address format

b. Fixed username form

c. DHCP option format

d. ARP option format

Answer (D)

140. An account can belong to more than one role; that is, one user may have multiple roles.

a. True

b. False

Answer (A)

141. An account can belong to only one user group; that is, one user can belong to only one department.

a. True

b. False

Answer (A)

142. Visitors refer to users who need temporary access to the network in a specific location

a. True

b. False

Answer (A)

143. The admission control server is the implementer of the enterprise security policy and is responsible for implementing the corresponding admission control (allow, deny, quarantine, or restrict) according to the security policy formulated by the customer network.

a. True

b. False

Answer (B)

144. When Agile Controller-Campus is deployed on a highly reliable Windows + SQL Server platform, which of the following components is not supported?

a. Deploy the main DB

b. Deploy the mirror DB

c. Deploy the witness DB

d. Deploy MC and SM Dual system Backup

Answer (D)

145. Which of the following statements about the ACLs used by SACG devices and TSM systems is true?

a. The default ACL role group number can be arbitrarily specified

b. The default ACL role group number can only be 3999

c. Because SACG needs to use ACLs 3099 to 3999 to receive the roles delivered by the TSM system, you must first ensure that these ACLs are not referenced by other functions before configuring TSM linkage.

d. TSM linkage can be successfully enabled even if the ACLs with the original group numbers 3099 to 3999 are occupied

Answer (C)

146. After an announcement is configured, to which of the following objects can the Agile Controller-Campus system not assign the announcement?

a. Assigned to the user

b. Assigned to the account

c. Assigned to the terminal IP address range

d. Assigned to a place

Answer (D)

147. After Agile Controller-Campus is installed successfully, how can you check whether the SM and SC components start normally?

a. Open https://SM server IP 8943 in a browser and enter the account admin and the default password changme123. If the login succeeds, the SM component is normal.

b. After logging in to SC, choose Resource > users > user management and create a new common account. Open https://SM server IP 8447/newauth in a browser. If the account created in the previous step can log in successfully, the SM component is normal.

c. Open https://SC users IP 8443 in a browser and enter the account admin and the default password Changeme123. If the login succeeds, the SC component is normal.

d. After logging in to SM, choose Resources > Users > user management and create a new common account. Open https://SC server IP 8447newauth in a browser and use the account created in the previous step. If this login succeeds, the SC component is normal.

Answer (AD)

148. Which of the following series of devices does not support the free mobility feature?

a. S6720/HI Series switches

b. AR series Routers

c. USG6000 Series Firewalls

d. SVN5600 Series

Answer (B)

149. Which of the following options can’t trigger MAC authentication?

a. ARP packets

b. DHCP packets

c. DHCPv6 packets

d. ICMP packets

Answer (D)

150. The Portal server can be an independent entity outside the access device (external Portal server), or it can be an embedded entity that exists on the access device (built-in Portal server).

a. True

b. False

Answer (A)

151. Which of the following statements about using MAC authentication to access the network in a WLAN networking environment is wrong?

a. MAC authentication does not require the user to install any client software

b. There is only one user name format used for MAC authentication: the MAC address user name format

c. MAC authentication actually uses the 802.1X authentication method.

d. MAC bypass authentication resolves both 802.1X client authentication and MAC authentication in the same network environment

Answer (B)

152. Free mobility is a special access control method in which special permissions are granted according to the user’s access point, access time, access method and user terminal. In terms of physical connection, the access method can be divided into 3 categories. Which of the following access methods is not included?

a. Wired access

b. Wireless access

c. VPN access

d. 802.1X access

Answer (D)

153. In the Agile Controller-Campus admission control scenario, which of the following is correct about the RADIUS server and client roles?

a. Agile Controller-Campus integrates all the functions of the RADIUS server and client

b. Agile Controller-Campus serves as the RADIUS server and the user terminal serves as the RADIUS client

c. The authentication device (such as an 802.1X switch) serves as the RADIUS server and the user terminal serves as the RADIUS client

d. Agile Controller-Campus acts as the RADIUS server and the authentication device (such as an 802.1X switch) acts as the RADIUS client

Answer (D)

154. Which of the following steps does not need to be completed before installing Agile Controller-Campus?

a. Install the operating system

b. Install the database

c. Install antivirus software

d. Import license

Answer (D)

155. When hardware SACG is used for authentication, after SACG configuration is complete, you can see that the association between SACG and Agile Controller-Campus succeeds, but user authentication fails. This phenomenon may be caused by which of the following reasons?

a. User traffic did not pass through SACG

b. User traffic is not released on SACG

c. There is no shutdown state detection on SACG

d. The key configuration error on Agile Controller-Campus is related to SACG

Answer (BC)

156. Terminal security access technology does not include which of the following options?

a. Admission control

b. Safety certificates

c. Authentication

d. System management

Answer (D)

157. If the deployment business is accompanied in logical architecture, which of the following is the administrator’s concern?

a. Whether the policy is automatically deployed

b. Choose the right policy control point and user authentication point

c. Whether the policy is deployed for a single user

d. Whether the policy is deployed for a single department

Answer (B)

158. On the campus, users frequently enter and leave the wireless signal coverage area because of office requirements. To protect the user’s Internet access experience, a user who has passed authentication once should not need to repeat the authentication when accessing the network again. Which of the following is recommended?

a. MAC authentication

b. 802.1X authentication

c. Portal authentication

d. MAC priority portal authentication

Answer (D)

159. The Agile Controller-Campus system can manage the software installed on terminals, define blacklists and whitelists, and, by linking with the access control device, assist terminals in installing the necessary software and uninstalling software that is not allowed to be installed. Which definition of the blacklist and whitelist is correct?

a. Check for software prohibited from installation and software allowed to be installed

b. Check for software prohibited from installation

c. Check for software prohibited from installation and software that must be installed

d. Check the software that must be installed

Answer (C)

160. Which deployment mode does Agile Controller-Campus not support?

a. Centralized deployment

b. Distributed deployment

c. Hierarchical deployment

d. Two-machine deployment

Answer (D)

161. Which of the following descriptions are correct regarding the policy for checking screen saver settings?

a. You can check whether the terminal has the screen saver enabled

b. You can check whether the screen saver password is enabled

c. Only Windows operating systems are supported

d. Screen saver settings are not automatically repaired

Answer (AB)

162. Which of the following is correct about the Portal authentication process?

a. The Portal authentication process is only used in Web authentication

b. Portal authentication for a terminal on the server will only send authentication messages to the Portal device

c. The switch receives the Portal message and sends a RADIUS authentication request to the RADIUS server

d. The Portal authentication message does not carry the result of the security check

Answer (C)

163. A company has a large number of mobile office employees and needs to deploy a mobile office system to manage them. The company employs more than 2000 people and its work areas are distributed throughout the country. What kind of deployment method is used to facilitate management?

a. Centralized deployment

b. Distributed deployment

c. Hierarchical deployment

d. Both centralized and distributed deployment

Answer (B)

164. Which of the following is true about WLAN?

a. WLAN is WPI use 802.11 technology

b. WLAN has two architectures: Fat AP and AC+Fit AP

c. The AC+FAT AP architecture is for medium- and large-scale use scenarios

d. AC+FAT AP is also called autonomous network architecture

Answer (B)

165. Use a command on the switch to view the free deployment status of the service. The command is as follows:

<SW> display group policy status

Controller IP address 10.1.31.78

Controller port:5222

Backup controller Port.

Source IP Address 10.1.10.34

State: working

Connected controller: master

Device protocol version:2

Controller protocol version: 2

Regarding the above output, which of the following descriptions is correct?

a. The control server address is 10.1.10.34

b. The address of the authentication device is 10.1.31.78

c. The status is working, indicating that the association between the switch and the controller is successful.

d. The current controller server is backup

Answer (C)

166. Which device is usually used as the hardware SACG in the Agile Controller-Campus solution?

a. Router

b. Switch

c. Firewall

d. IPS

Answer (c)

167. After the enterprise network administrator deploys Agile Controller-Campus and SACG, authentication succeeds but the post-authentication domain can’t be accessed. Which of the following are possible reasons?

a. Serious violation will prevent access to the post-authentication domain

b. The access control list of the post-authentication domain is not delivered to SACG.

c. ACL rules are used in large quantities and require a lot of time to match, causing interruption of access services.

d. Wrong post-authentication domain resources are configured on Agile Controller-Campus

Answer (ABD)

168. Which of the following descriptions are correct regarding the policy for checking account security?

a. You can check if there is a weak password

b. You can check whether the account has joined a specific group

c. It can’t be repaired automatically

d. It can’t check whether the password length meets the requirements.

Answer (AB)

169. The automatic account lockout function is enabled on Agile Controller-Campus and the account is bound to an IP/MAC address. If the number of wrong passwords entered during end user authentication exceeds the limit within the limited time, which of the following descriptions are correct?

a. When the account is locked, the account can’t be authenticated only on the bound terminal device. Normal authentication can be performed on other terminal devices

b. This account is locked on all terminal devices and can’t be authenticated

c. If you want to unlock the account, only the administrator can delete the account from the list.

d. After the lockout time expires, the account lockout is automatically released

Answer (AD)

170. An AD/LDAP account may or may not be synchronized to Agile Controller-Campus. If it is synchronized to Agile Controller-Campus, authorization can only be based on the user group. If it is not synchronized to Agile Controller-Campus, authorization can be based on the account.

a. True

b. False

Answer (B)

171. On the campus network, employees can access the network using 802.1X, Portal, MAC address or SACG. Different methods are used for access, achieving the purpose of user access control.

a. True

b. False

Answer (A)

172. The right-manager information queried on SACG is as follows. Which of the following are correct?

[USG] display right-manager server-group

17-35-21 2017/7/14

Server group status: Enable

Server Number: 1

Server IP address Port State Master

1.1.1.2 3288 active Y

2.1.1.1 3288 active N

a. The collaboration between SACG and IP address 2.1.1.1 was unsuccessful

b. The linkage between SACG and the controller is successful

c. The main controller IP address is 1.1.1.2

d. The main controller IP address 2.1.1.1

Answer (BC)

173. Which of the following are correct for the AnyOffice solution?

a. Provide a unified security portal for enterprise mobility applications on mobile devices

b. The tunnel is dedicated and viruses can’t intrude

c. Application rapid integration can be extended

d. Quickly integrate and interface with enterprise application cloud platform

Answer (ABCD)

174. In Layer 2 authentication based on Portal authentication, the client is directly connected to the access device (or only Layer 2 devices exist in between). The device can learn the MAC address of the user and use the IP and MAC addresses to identify the user.

a. True

b. False

Answer (A)

175. In the terminal host check-type policy, you can control the access of the terminal host by checking whether the important subkeys and key values of the registry meet the requirements. Which of the following check results are recorded as violations?

a. The registry does not include the “subkeys and key values” enforced by the policy

b. The registry contains the “subkeys and key values” enforced by this policy

c. The registry contains the “subkeys and key values” prohibited by this policy

d. The registry does not contain the “subkeys and key values” prohibited by this policy

Answer (AC)

176. In centralized networking, the database, SM server, SC server and AE server are all installed at the headquarters of the enterprise. This networking mode is applicable to enterprises with a wide geographical distribution of users and a large number of users.

a. True

b. False

Answer (B)

177. Visitors can access the network through their registered account. Which of the following is not an account approval method?

a. Free approval

b. Administrator approval

c. Visitor self-approval

d. Receptionist approval

Answer (D)