Huawei H12-731-ENU HCIE-Security (Huawei Certified Internetwork Expert-Security) Online Training

Exam4Training Huawei H12-731-ENU HCIE-Security (Huawei Certified Internetwork Expert-Security) Online Training has high hit rate that will help you to pass Huawei H12-731-ENU test at the first attempt, which is a proven fact. So, the quality of Exam4Training Huawei H12-731-ENU HCIE-Security (Huawei Certified Internetwork Expert-Security) Online Training is 100% guarantee and Exam4Training Huawei Specialist Certification H12-731-ENU dump is the most trusted exam materials. If you won’t believe us, you can visit our Exam4Training to experience it.You will surely pass HCIE-Security (Huawei Certified Internetwork Expert-Security) exam easily.

Page 1 of 5

1. The correct statement about UDP Flood and TCP Flood attack prevention is: (Multiple Choice)

The UDP protocol is connectionless, so it cannot be implemented by source detection.

Prevent UDP Flood by analyzing the rules and characteristics of UDP packets sent by a certain host, the rules and characteristics are called fingerprint learning.

The fingerprint learning function of UDP packets learns all fields of the packet data segment.

UDP and TCP protocols can be implemented through proxy technology.

2. When the IPsec negotiation fails, turn on the IKE debug switch, and the following information is displayed: got NOTIFY of type INVALID_ID_INFORMATION or drop message from ABCD due to notification type INVALID_ID_INFORMATION, what does it mean?

The IKE proposals at both ends do not match

IPsec proposals at both ends do not match

The ACL configurations at both ends do not match

The LOCAL-ID-TYPE configuration at both ends do not match

3. What are the implementation mechanisms of intrusion prevention? (Multiple Choice)

Blacklist matching

Protocol Identification and Protocol Resolution

Feature matching

Response handling

4. Which statement about MTU and PMTU is correct? (Multiple Choice)

MTU (Maximum Transfer Unit) refers to the size of the largest data packet that can be transmitted in the network, in bytes.

The device will check the MTU on the inbound interface, and if the packet size exceeds the MTU value, it will be discarded.

In an IP network, interfaces with different MTU values may be passed from the source address to the destination address, and the largest MTU value is the PMTU of the path.

PMTU detection is to obtain the PMTU value of the specified destination IPv4 address through detection, and then use the MTU value to send packets.

5. In NGFW, to use the RBL blacklist, which of the following key options need to be configured by the network administrator? (Multiple Choice)

DNS server

Response code

RBL server IP address

SMTP server IP address

6. Regarding the relationship between 802.1X and RADIUS, which of the following descriptions is correct?

802.1X and RADIUS are different names for the same technology.

802.1X is a technical system that includes RADIU

802.1X and RADIUS are different technologies, but they are often used together to complete access control to end users.

802.1X and RADIUS are two completely different technologies and are usually not used together.

7. Which of the following aspects are included in the host reinforcement? (Multiple Choice)

Operating system hardening

Database hardening

Account password security

Network management system reinforcement

Vulnerability scanning

8. What functions does content filtering include in the Huawei USG firewall? (Multiple Choice)

File Content Filtering

Apply Content Filtering

File extension filtering

Mail filtering

9. The intranet IP address of a Web Server deployed in the DMZ area of an enterprise is 10.1.1.3, the port is 8080, the public network address announced to the outside world is 1.1.1.2, and the external port number is 80.

Configure the following commands on the firewall:

[USG6600] security-policy

[[USG6600-policy-security] rule name untrust_to_mz

[USG6600-policy-security-rule-untrust_to_mz] source-zone untrust

[USG6600-policy-security-rule-untrust_to_mz] destination-zone dmz

[USG6600-policy-security-rule-untrust_to_mz] destination-address 1.1.1.2 32

[USG6600-policy-security-rule-untrust_to_mz] service http

[USG6600-policy-security-rule-untrust_to_mz] action permit

[USG6600] nat server webserver protocol tcp global 1.1.1.2 www inside 10.1.1.3 8080

The external network PC cannot access the Web Server at 10.1.1.3 within the enterprise. Please analyze the most likely reasons for this:

The firewall does not open the default packet filtering policy from the untmut zone to the DMZ zone

The firewall untrust to DMZ zone security policy should be configured as service 8080

The firewall untrust to DMZ zone security policy should be configured as destination-address 10.1.1.3 32

Firewall should be configured as nat server webserver protocol tcp global 1.1.1.2 80 inside 10.1.1.3 8080

10. The whitelist + blacklist mode is adopted in terminal security management. Which of the following are normal behaviors?

The terminal host does not have the software in the whitelist installed, nor the software in the blacklist.

The terminal host installs all the software in the white list, but does not install the software in the black list.

Some software in the whitelist is installed on the terminal host, but the software in the blacklist is not installed.

The terminal host installs all the software of the whitelist terminal, and installs some software in the blacklist.

Page 2 of 5

11. There are hundreds of people in a medium-sized enterprise network accessing the Internet through the company's firewall, and the company has deployed a corporate portal website in the firewall DMZ. Which of the following criteria should be followed as an IT security officer for purchasing and deploying Internet access auditing products?

Order No. 82 of the Ministry of Public Security

ISO27002

State Office issued No. 28

NIST800-53

12. The centralized networking scheme of three servers, as shown in the figure, the administrator found that only one of the three Agile Controllers in the resource pool was alive.

In this case, which of the following descriptions is correct? (Multiple Choice)

All three database servers cannot work properly, and only one of the three Agile Controllers in the resource pool is alive. In this case, all Agile Controller services are transferred to the surviving Agile Controller and can operate normally, and terminal identity authentication, access control, software distribution, patch installation, and asset management will not be affected.

After the Agile Controller is started, each Agile Controller will immediately read the database and save it on the local hard disk as a cache. If all databases become unavailable due to a failure, the Agile Controller will continue to maintain the operation of the Agile Controller service by using the cache saved at that time as the data source.

At this point, you can try to restart the surviving Agile Controller, and repair the database server when restarting.

At this time, the escape channel on the firewall has been opened.

13. For border network security, which of the following options are recommended for planning and deployment priorities? (Multiple Choice)

Security Domain Isolation

IPS real-time intrusion prevention

Enable device virtualization

Deploy a VPN

Enable DDoS function

14. Regarding the description of NAT Server, which of the following is correct?

If the public network address of the NAT Server and the corresponding public network interface address are in the same network segment, you do not need to configure black hole routing.

If the public network address of the NAT Server and the corresponding public network interface address are not in the same network segment, you do not need to configure black hole routing.

If the public network address of the NAT Server is an interface address, if a black hole route is configured for this address, service access to the firewall itself will be abnormal.

The NAT Server cannot be configured on the virtual firewall for users of the root firewall.

15. Regarding the way SAC equipment accesses the network, which of the following descriptions are correct? (Multiple Choice)

SACG equipment is required to communicate with the terminal at Layer 2.

The SACG is usually side-mounted on the core switch device and uses policy routing to divert traffic.

SACG supports side-hanging on non-Huawei devices.

SACG devices are required to communicate with the Agile Controller at Layer 2.

16. The USG firewall is directly connected to other devices at Layer 3. During commissioning, it was found that the peer IP address directly connected from the firewall could not be pinged. It was confirmed that there was no problem with the peer device. What are the possible reasons? (Multiple Choice)

Routing configuration error on the firewall

The firewall interface is not added to the security domain

The packet filtering from the firewall local to the corresponding security domain is not enabled

The intra-domain packet filtering policy of the corresponding domain of the firewall is not enabled

17. What is the online certificate application method supported by firewall PKI?

HTTP

LDAP

TFTP

SCEP

FTP

18. Which of the following description about SACG certification is correct? (Multiple Choice)

SACG certification is generally used for existing wired networks.

SACG certification is generally used for new wireless networks.

SACG is generally deployed in a bypass mode without changing the original network topology.

SACG essentially controls access users through 802.1X technology.

19. When the firewall uses the IPsec function, which protocols and ports need to be opened? (Multiple Choice)

The protocols are IP packets with AH and ES

UDP packets with source ports 500 and 4500.

UDP packets with destination ports 500 and 4500.

UDP packets with destination port 1701.

20. The firewall is deployed between the mobile terminal of the wireless user and the WAP gateway, the mobile terminal is in the trust zone, and the WAP gateway is in the untrust zone, and the following configurations are made:

[USG] ad 3000

[USG-acl-adv-3000] rule permit ip destination 202.10.10.2 0

[USG-acl-adv-3000] quit

[USG] fir-all zone trust

[USG-zone-trust] destination-nat 3000 address 200.10.10.2

[USG-zone-trust] quit

Which of the following descriptions are correct?

This configuration can also be applied to server address mapping scenarios

The command firewall zone trust should be changed to firewall interzone trust untrust outbound

The firewall translates the destination address of the packet accessing the gateway address of 202.10.10.2 to 200.10.10.2

The command firewall zone trust should be changed to firewall interzone untrust trust

Page 3 of 5

21. The networking of a certain network is as follows: PC----ADSL router-----USG-----LAN

The key configurations of the USG are as follows:

l2tp enable

interface Virtual-Template1

ppp authentication-mode pap

ip address 4.1.1.1 255.255.255.0

remote address pool 1

l2tp-group 1

mandatory-Icp

allow 12tp virtual-template 1

#

user-ma page user pc1

password [email protected]

aaa

domain default

ip pool 1 4.1.1.1 4.1.1.99

Assuming that other configurations are complete and correct, what is the problem with this configuration in actual work?

You can dial successfully, and you can also access the intranet server.

Cannot dial successfully.

Disconnect immediately after successful dialing.

The dial-up is successful, but the intranet server cannot be accessed.

22. Which of the following attack methods are network layer attacks? (Multiple Choice)

Constructing data packets with wrong TTL value, causing the device to handle abnormally.

Constructing many SYN packets, leading to exhaustion of host resources.

Construct a packet with abnormal TCP flag bit, causing the host to process abnormally.

Constructing a packet with an incorrect IP fragment flag, causing the host to process abnormally.

23. When the dual-system hot backup network is used, according to this configuration, PC2 sends an ARP request to the Mac of IP10.100.30.8. Which of the following options is correct?

sysname NGFW_A

#

hrp enable

hrp interface GigabitEthernet 0/0/3

#

interface GigabitEthernet0/0/1

ip address 192.168.10.2 255.255.255.0

vrrp vrid 1 virtual-ip 192.168.10.1 active

#

interface GigabitEthernet0/0/2

ip address 10.100.30.2 255.255.255.0

vrrp vrid 2 virtual-ip 10.100.30.1 active

#

Nat address-group 1

section 0 10.100.30.8 10.100.30.9

#

nat-policy

rule name trust to untrust

source-zone trust

destination-zone untrust

source-address 192.2163.10.0 24

action nat address-group 1

NGFW_A responds to this ARP with VMAC

NGFW_B responds to this ARP with VMAC

The MAC of the NGFW_A interface responds to this ARP

The MAC of the NGFW_B interface responds to this ARP

24. If the content of the visited web page contains filtered content, what will be the result?

Display "Cannot open webpage"

Display "The web page has been filtered".

The filtered content is deleted and will not be displayed.

The filter content is replaced with “*”.

25. The Trust zone of the USG firewall of a certain network is connected to the terminal host, and the Untrust zone is connected to the security controller. If the security controller can issue rules to the USG, which of the following security policies must be configured?

security-policy rule name local_to_trust source-zone local destination-zone trust action permit

security-policy rule name untrust_to_local source-zone untrust destination-zone local action permit

security-policy rule name to_local source-zone untrust trust destination-zone local action permit

security-policy rule name untrust_to_local source-zone untrust destination-zone local action permit rule name local_to_trust source-zone local destination-zone trust action permit

26. When the network traffic is heavy, if you do not want the downstream network to be congested or directly discard many packets due to the excessive data traffic sent upstream, you can limit and cache the traffic on the outbound interface of the upstream device, so that such packets can be blocked. The text is sent out at a relatively uniform speed.

This technique can be:

GTS

Car

WRED

CBWFQ

27. VGMP unified management of VRRP backup group status, VGMP management group Active priority is 65001, Standby priority is 65000. When the VGMP management group detects that the interface is Down through the VRRP backup group or directly, the priority of the VGMP management group is recalculated. When each interface is Down, the priority of the VGMP management group decreases by 2.

TRUE

FALSE

28. NGFW_A and NGFW_B, NGFW_A and NGFW_C configure static routes respectively. NGFW_A -> NGFW_B is the primary link, and NGFW_A -> NGFW_C is the backup link. It is required that the traffic can be quickly switched to the backup link when the primary link fails; the traffic can be switched to the primary chromium road after the primary link is restored.

Which of the following configuration is correct? (Multiple Choice)

A. [USG_A] bfd

[USG_A] bfd ab bind peer-ip 10.1.1.2

[USG_A-bfd-session-ab] discriminator local 10

[USG_A-bfd-session-ab] discriminator remote 20

[USG_A-bfd-session-ab] commit

[USG_A] ip route-static 0.0.0.0 0 10.1.1.2 track bfd-session ab

[USG_A] ip route-static 0.0.0.0 0 20.1.1.2 preference 100

B. [USG_A] bfd

[USG_A] bfd ab bind peer-ip 10.1.1.2

[USG_A-bfd-session-ab] discriminator local 10

[USG_A-bfd-session-ab] discriminator remote 20

[USG_A-bfd-session-ab] commit

[USG_A] ip route-static 0.0.0.0 0 10.1.1.2

[USG_A] ip route-static 0.0.0.0 0 20.1.1.2 preference 100 track bfd-session ab

C. [USG_B] bfd

[BSG_B] bfd ab bind peer-ip 10.1.1.1

[USG_B-bfd-session-ab] discriminator local 20

[USG_B-bfd-session-ab] discriminator remote 10

[USG_B-bfd-session-ab] commit

D. [USG_B] bfd

[BSG_B] bfd ab bind peer-ip 10.1.1.1

[USG_B-bfd-session-ab] discriminator local 10

[USG_B-bfd-session-ab] discriminator remote 20

[USG_B-bfd-session-ab] commit

29. 168.22.122:22 <-- 192.168.22.151:4354

Because the SSH client supports packet retransmission during the login process.

When the PC logs in to the standby firewall FW2, the round-trip paths are inconsistent.

The problem may be caused by turning off hrp mirror session enable.

The problem caused by the indo firewall session link-state check function is turned off.

30. What are the possible reasons why the local license cannot be activated? (Multiple Choice)

ESN mismatch

The device cannot connect to sec.huawei.com

The function item in the License has expired

The device is not configured with an activation password

Page 4 of 5

31. 168.1.2:44012[1.1.1.3:6103] --> 2.2.2.2:2048

Which of the following descriptions are correct? (Multiple Choice)

The device with the address 192.160.1.2 is pinging the public network address 2.2.2.2.

The device with the address 1.1.1.3 is performing a ping test on the public network address 2.2.2.2.

NAT destination address one-to-one address mapping is configured on the firewall.

Many-to-one address mapping of NAPT source addresses is configured on the firewall.

32. What are the URL matching methods in the URL filtering function in USG? (Multiple Choice)

Prefix

Suffix

Parameters

to be precise

Keywords

33. Which of the following functional modules can be used in conjunction with the IP-Link function? (Multiple Choice)

DHCP

Routing Policy

VRRP

OSPF

34. As shown in the figure, which illustrates the negotiation process of IPsec, which of the following descriptions are correct? (Multiple Choice)

This process is the IKEv2 negotiation process.

The red box part is the EAP authentication process.

①② means that the two parties negotiate the data flow to be protected and the IPsec security proposal.

The red box is a mandatory negotiation process

35. In a new campus network of an enterprise, under an access switch, ordinary PC users and dumb terminal users need to connect to the Internet at the same time.

Which authentication method is recommended to be deployed on this switch?

802.1X authentication

Portal Authentication

MAC Authentication

MAC bypass authentication

36. Which of the following is a correct description of the stateful inspection firewall forwarding principle? (Multiple Choice)

The non-first packet forwarding is based on the session table, which can only be forwarded if it matches the session table.

ICMP packets do not perform stateful inspection.

Establish a connection for the UDP data stream when processing UDP protocol packets.

The firewall does not support the stateful inspection mechanism when deployed as a Layer 2 device.

Session state detection is performed based on the three-way handshake of the TCP connection.

37. Using the SSL function of the USG gateway, the administrator can quickly and securely access all resources in the enterprise intranet, not only Web resources, but also ensure that the communication between the client and the virtual gateway adopts the SSL security protocol, and must ensure that the SSL client does not affect access to other network resources and can directly access Internet resources _______________.

Network expansion in full routing mode

Network Expansion in Split Mode

Network expansion in manual mode

Port forwarding

38. In the abnormal flow cleaning scheme, automatic drainage means that the detection equipment reports abnormal flow to the management center, and the management center automatically generates drainage tasks and automatically sends drainage tasks to the cleaning equipment.

Which specific drainage technology is generally required to achieve automatic drainage?

BGP drainage

Static route diversion

Policy routing diversion

GRE drainage

39. If you use a mobile terminal (Android or Apple system) to access intranet resources through a web proxy, which of the following methods should be recommended?

Only use web link

Can only be rewritten using the web

You can use web link or web rewrite

Such mobile phones cannot access intranet resources through web proxy at all

40. 168.100.28:1036 [58.251.159.112:2048] --> 111.206.79.100:80

Which of the following descriptions is incorrect?

The firewall interface GigabitEthernet0/0/1 belongs to the untrust zone.

The MAC address of the outgoing interface of the firewall is 00-0f-e2-a2-a2-61.

The internal network 192.168.100.28 host establishes an http connection with the external network 111.206.79.100.

The address after NAT translation is 58.251.159.112.

Page 5 of 5

41. Which of the following applications cannot be secured using packet filtering alone? (Multiple Choice)

WWW service

Telnet Service

FTP service

323

42. A network needs to replace the dual-system hot-standby USG_A and USG_B due to the network upgrade of the new hardware USG. On the premise of not affecting the business, how to upgrade:

USG_A is the Active device, and USG_B is the Standby device.

Which of the following are the correct cutover steps?

① Connect the 5th line to the new USG_B in sequence.

② Connect lines 1, 2, and 3 from the old USG_A to the new USG A in turn,

③ Power on the new USG_B and the new USG_A, and import the configuration.

④ Enter undo hrp enable in USG_B, and cut off lines 4, 5, and 3 in turn.

⑤ Adjust the routing cost so that all traffic passes through USB_B.

⑥ Enter hrp enable for the new USG_A and new USG_B, and adjust the routing cost to meet the expectations.

③ -> ④ -> ① -> ⑤ -> ② -> ⑥

③ -> ④ -> ① -> ② -> ⑥ -> ⑤

④ -> ① -> ⑤ -> ③ -> ② -> ⑥

③ -> ④ -> ⑤ -> ① -> ② -> ⑥

43. An enterprise has the following requirements:

The intranet users in the Trust zone are on the 192.168.1.0/24 network segment and can access the Internet. There are a total of 50 hosts (192.168.1.1-192.168.1.50) with a total curtain size of 500M.

Which of the following plans are reasonable?

The overall bandwidth is limited to 500M, and the maximum bandwidth of each IP is 12

The overall bandwidth is limited to 400M, and the maximum bandwidth per IP is 12

The overall bandwidth is limited to 500M, and the maximum bandwidth of 192.168.1.1-192.168.1.50 per IP is 12

The overall belt curtain is limited to 500M, the guaranteed belt curtain is 500M, and the maximum belt curtain per IP is 10

44. Do the following configuration on the firewall:

[USG-policy-security] rule name Trust Local

[USG-policy-security-rule-Untrust Local] source-zone trust

[USG-policy-security-rule-Untrust Local] destination-zone local

[USG-policy-security-rule-Untrust Local] source-address 192.168.5.2 32

[USG-policy-security-rule-Untrust Local] destination-address 192.168.5.1 32

[USG-policy-security-rule-Untrust Local] service http

[USG-policy-security-rule-Untrust Local] service telnet

[USG-policy-security-rule-Untrust Local] action permit

Please select the correct description below: (Multiple Choice)

Allow the firewall to log in to the device at 192.168.5.1 through Telnet.

Allow the IP address 192.168.5.2/24 to log in to the firewall through Telnet.

Allow the firewall to log in to the device at 192.168.5.1 through the Web.

Allow the 192.168.5.2/24 address segment to log in to the firewall through the Web.

45. The IPsecVPN tunnel is successfully established, but the speed of accessing the peer's private network web page is slow or the access is intermittent. The influence of the Internet network quality has been eliminated. The following possible faults are: (Multiple Choice)

The problem of packet fragmentation

The CPU usage of the egress gateway is too high

There is a NAT device in the middle of the network

The packet filtering policy is not enabled

46. When using the SSL VPN network extension function, the virtual IP address pool can be set to the same network segment as the IP address of the internal network interface of the device.

If the virtual IP address pool and the IP address of the internal network interface are not on the same network segment, manually configure the route to the address pool on the device. The outbound interface is the internal network interface, and the next hop is the next hop of the internal network interface.

TRUE

FALSE

47. When a corporate intranet user accesses the Internet through the USG firewall, a certain URL has been added to the blacklist, but the user can still access it. What are the possible reasons for the failure of the URL filtering function? (Multiple Choice)

Not updating the list of remote URLs

The URL filtering policy is not applied in the corresponding inter-domain direction

The URL remote query function is not enabled

No URL filtering configuration file submitted

48. Which of the following options can be used as a condition for Portal push? (Multiple Choice)

Terminal IP address range

Terminal browser type

Terminal Equipment Type

SSID of the access AP

The MAC address of the access AP

MAC address of the access AC

49. Mobile employees access the headquarters through the L2TP over IPsec tunnel. The correct statement about the planning and deployment is: (Multiple Choice)

The Security ACL of the headquarters USG gateway should be [USG] acl 3000 [USG-acl-adv-3000] rule permit udp source-port eq 1701

Since IKE V1 cannot assign addresses to remote users, address assignment must be implemented through L2T

L2TP generally uses NAS-Initialized mode.

The NAT traversal function cannot be used.

50. Which of the following statements about dual-system hot standby is correct? (Multiple Choice)

The firewall is connected to the router upstream and connected to the Layer 2 switch downstream. OSPF+VRRP can be used to achieve load balancing.

When link state detection is enabled, and incoming and outgoing packets are forwarded by the active and standby USGs respectively, and the USG does not enable rate-dependent backup, the TCP service can pass smoothly.

The default priority of the Active group is 65001, and the default priority of the Standby group is 65000.

The slot numbers of the physical cards of the two devices can be different.

Latest H12-731-ENU Dumps Valid Version with 206 Q&As

Latest And Valid Q&A | Instant Download | Once Fail, Full Refund

Instant Download H12-731-ENU PDF