최신 H12-731-ENU 무료덤프 - Huawei HCIE-Security (Huawei Certified Internetwork Expert-Security)

문제1

In the USG, the planning UTM statement is correct:

A. The firewall link-state inspection mechanism must be enabled first.

B. SA function requires license support.

C. UTM can support inconsistent return path networking.

D. UTM cannot be used in dual-system hot backup load balancing scenarios.

정답: A,D

문제2

In a new campus network of an enterprise, there is a requirement for ordinary PC users and dumb terminal users to connect to the Internet at the same time under an access switch.
Which authentication method is recommended to be deployed on this switch?

A. MAC Authentication

B. Portal Authentication

C. 802.1X Authentication

D. MAC bypass authentication

정답: D

문제3

Which of the following is correct for the functional comparison of NIP5000 and NIP5000D:

A. Regarding DDOS, NIP5000 supports two defense modes: automatic defense and no defense, while NIP5500D can only support automatic defense.

B. The NIP5000 can be directly connected to the female, while the NIP5000D must be linked through the firewall to achieve the blocking action.

C. NIP5000 can analyze, limit and block specific application protocol traffic; NIP5000D can only analyze application traffic.

D. NIP5000 is generally connected directly, and NIP5000D is generally connected by bypass.

정답: B,C,D

문제4

Which of the following statements about hot standby is correct?

A. The firewall is connected to the router upstream and connected to the Layer 2 switch downstream. OSPF+VRRP can be used to achieve load balancing.

B. The default priority of the Active group is 65001, and the default priority of the Standby group is 65000.

C. The slot numbers of the physical cards of the two devices can be different.

D. When the link status detection is enabled, and the incoming and outgoing messages are forwarded by the primary and standby USGs respectively, the USG does not enable rate-determining backup, and the TCP service can pass smoothly.

정답: A,B

문제5

For the description of NAT Server, which is correct?

A. If the public network address of the NAT Server and the corresponding public network interface address are not in the same network segment, you do not need to configure black hole routing.

B. If the public network address of the NAT Server is the interface address, if the black hole route of this address is configured, the service access to the firewall itself will be abnormal.

C. NAT Server cannot be configured on the virtual firewall for users of the root firewall.

D. If the public network address of the NAT Server and the corresponding public network interface address are in the same network segment, you do not need to configure black hole routing.

정답: D

문제6

Which route distribution modes does the SSL VPN network extension support?

A. dynamic mode ( dynamic )

B. Manual mode ( manual )

C. split mode ( split )

D. full routing mode ( full )

E. automatic mode ( auto )

정답: B,C,D

문제7

A firewall is associated with an Agile Controller. Which of the following statements is correct:
HRP A<NGFW A> display right-manager online-users
User name: lee
IP address: 10.1.6.3
Serverip: 192.168.1.2
Login time: 192.168.1.2
Login time: 10.14.11 2011/09/06
(Hour: Minute: Second Year/Month/Day)
--------------------------------------------
Role id Rolename
2
DefaultPermit
5 Deny_____1
225
Last
---------------------------------------------------------
HRP_A <NGFW_A> display right-manager role-info
All Role count: 8
Role ID ACL number Role name
-------------------------------------------------- -----------------------
Role 0 3099 default
Role 1 3100 DefaultDeny
Role 2 3101 DefaultPermit
Role 3 3102 Deny_____0
Role 4 3103 Permit___0
-------------------------------------------------- -----------------------
Role 5 3104 Deny_____1
Role 6 3105 Permit___1
Role 225 3354 Last
Advanced ACL 3099, 4 rules, not binding with vpn-instance
Ad's step is 1
rule 1001 permit ip destination 192.168.1.2 0 (0 times matched)
rule 1002 permit ip destination 192.168.1.3 0 (0 times matched)
rule 1003 permit ip destination 192.168.3.3 0 (0 times matched)
rule 1004 deny ip (0 times matched)
Advanced ACL 3100, 1 rule, not binding with vpn-instance
Ad's step is 1
rule 1 deny ip (0 times matched)
Advanced ACL 3101, 1 rule, not binding with vpn-instance
Ad's step is 1
rule 1 permit ip (0 times matched)
Advanced ACL 3104, 1 rule, not binding with vpn-instance
Ad's step is 1
rule 1 deny ip destination 172.16.1.10 0 (0 times matched)
Advanced ACL 3105, 1 rule, not binding with vpn-instance
Ad's step is 1
rule 1 permit ip destination 172.16.1.10 0 (0 times matched)
Advanced ACL 3354, 3 rules, not binding with vpn-instance
Acl's step is 1
rule 1 permit ip (0 times matched)
Advanced ACL 3104, 1 rule, not binding with vpn-instance
Ad's step is 1
rule 1 deny ip destination 172.16.1.10 0 (0 times matched)
Advanced ACL 3105, 1 rule, not binding with vpn-instance
Ad's step is 1
rule 1 permit ip destination 172.16.1.10 0 (0 times matched)
Advanced ACL 3354, 3 rules, not binding with vpn-instance
Ad's step is 1
rule 1 permit ip destination 192.168.1.2 0 (0 times matched)
rule 2 permit ip destination 192.168.1.3 0 (0 times matched)
rule 3 permit ip destination 192.168.3.3 0 (0 times matched)

A. Assuming that there is a server 10.1.1.1 in the domain after authentication, after the Agent client completes the security authentication, the firewall will allow it to pass.

B. Agent client cannot access 192.168.1.2.

C. The linkage between the price firewall and the Agile Controller is unsuccessful.

D. The administrator sets the default prohibition rules. In the "Control Mode" in the quarantine domain and the back domain, select "Only allow the resources in the controlled domain in the access list to prohibit access to others".

정답: A

문제8

A Web Server deployed in the DMZ area of an enterprise has an intranet IP address of 10.1.1.3 and a port of 8080. The public network address announced to the outside world is 1.1.1.2, and the external port number is 80.
Configure the following commands on the firewall:
[USG6600] security-policy
[[USG6600-policy-security] rule name untrust_to_mz
[USG6600-policy-security-rule-untrust_to_mz] source-zone untrust
[USG6600-policy-security-rule-untrust_to_mz] destination-zone dmz
[USG6600-policy-security-rule-untrust_to_mz] destination-address 1.1.1.2 32
[USG6600-policy-security-rule-untrust_to_mz] service http
[USG6600-policy-security-rule-untrust_to_mz] action permit
[USG6600] nat server webserver protocol tcp global 1.1.1.2 www inside 10.1.1.3 8080
The external network PC cannot access the Web Server of 10.1.1.3 within the enterprise. Please analyze the most likely reasons for this:

A. The firewall does not open the default packet filtering policy from the untmut zone to the dmz zone

B. Firewall should be configured as nat server webserver protocol tcp global 1.1.1.2 80 inside 10.1.1.3 8080

C. Firewall untrust to DMZ zone security policy should be configured as destination-address 10.1.1.3 32

D. Firewall untrust to DMZ zone security policy should be configured as service 8080

정답: C

최신 H12-731-ENU 무료덤프 - Huawei HCIE-Security (Huawei Certified Internetwork Expert-Security)

우리와 연락하기

유용한 링크

최신 업데이트