
  • Exam Name: Huawei Certified ICT Professional - Constructing Infrastructure of Security Network
  • Last Update: Oct 16, 2024
  • Questions and Answers: 217

H12-721 Practice Exam Questions with Answers Huawei Certified ICT Professional - Constructing Infrastructure of Security Network Certification

Question # 6

The principle of HTTPS Flood source authentication defense is that the Anti-DDoS device completes the TCP three-way handshake with the client in place of the SSL server. If the TCP three-way handshake completes, the HTTPS flood source authentication check succeeds.

A.

TRUE

B.

FALSE

Question # 7

The management control information and service information of the out-of-band management interface are sent on the same channel.

A.

TRUE

B.

FALSE

Question # 8

In a Tracert packet attack, the attacker uses the ICMP timeout packet returned when the TTL is ____ and the ICMP port unreachable packet returned when the destination address is reached to discover the path a packet takes to its destination, spying on the structure of the network.

A.

0

B.

1

C.

2

D.

varies according to actual conditions

Question # 9

A virtual firewall virtualizes multiple logical firewalls on a physical firewall device. Which types of multi-instance does it implement?

A.

secure multi-instance

B.

VPN multi-instance

C.

Configuring multiple instances

D.

exchange multiple instances

Question # 10

IPSec VPN uses digital certificates for authentication. It has the following steps: 1. verify the certificate signature; 2. find the certificate serial number in the CRL; 3. share the entity certificate between the two devices; 4. verify the validity period of the certificate; 5. establish a VPN tunnel. Which of the following orders is correct?

A.

3 2 1 4 5

B.

1 3 2 4 5

C.

3 1 4 2 5

D.

2 4 3 1 5

Question # 11

By default, GigabitEthernet0/0/0 can be used as an out-of-band management interface in the USG2200 series.

A.

TRUE

B.

FALSE

Question # 12

Regarding exclusive and shared virtual gateway types, which of the following statements are correct?

A.

An exclusive virtual gateway has an exclusive IP address.

B.

When the network IP address is tight, it is recommended to use a shared virtual gateway.

C.

Exclusive virtual gateway can use domain name access

D.

Multiple shared virtual gateways, distinguished by IP address

Question # 13

When the SSL VPN client starts network extension, the prompt "Connection gateway failed" appears. What are the possible reasons for the failure?

A.

If the proxy server is used, the proxy server settings of the network extension client are incorrect.

B.

The route between the PC and the virtual gateway is unreachable.

C.

TCP connection between the network extension client and the virtual gateway is blocked by the firewall

D.

username and password are incorrectly configured

Question # 14

When the firewall works in the dual-system hot backup load balancing environment, if the upstream and downstream routers are working in the routing mode, you need to adjust the OSPF cost based on HRP.

A.

TRUE

B.

FALSE

Question # 15

Which of the following methods is used to switch between active and standby links in the IPSec backup and backup system?

A.

hot standby

B.

link-group

C.

Eth-trunk

D.

ip-link

Question # 16

To prevent DHCP server spoofing attacks, DHCP snooping is usually enabled. Which statement is correct?

A.

The firewall interface connected to users is configured in trusted mode.

B.

The firewall interface connected to the DHCP server is configured as untrusted mode.

C.

DHCP relay packets received on the interface in the untrusted mode are discarded.

D.

The DHCP relay packet is received in trusted mode and passes the DHCP snooping check.

Question # 17

Virtual firewall technology can achieve overlapping IP addresses.

A.

TRUE

B.

FALSE

Question # 18

According to the dual-system hot backup network diagram, which of the following descriptions of the dual-system hot backup preemption function are correct?

A.

VRRP backup group itself has a preemption function. As shown in the figure, after USG_A fails and recovers, USG_A will use the preemption function to change to the master state again.

B.

The preemption function of the VGMP management group is similar to that of the VRRP backup group. When the faulty backup group in the management group recovers, the management group priority will be restored.

C.

By default, when the preemption delay is 0, preemption never occurs.

D.

After the VRRP backup group is added to the VGMP management group, the original preemption function on the backup group will be invalid.

Question # 19

In IPSec VPN, which statement about the difference between aggressive mode and main mode is incorrect?

A.

Main mode does not support NAT traversal in pre-shared key mode, but aggressive mode does.

B.

Main mode negotiation uses 6 messages, and aggressive mode uses 3.

C.

In the NAT traversal scenario, the peer ID cannot use the IP address.

D.

Main mode encrypts the exchange of identity information, while aggressive mode does not encrypt identity information.

Question # 20

Which of the following is correct about the configuration of the firewall interface bound to the VPN instance?

A.

ip binding vpn-instance vpn-id

B.

ip binding vpn-instance vpn-instance-name

C.

ip binding vpn-id

D.

ip binding vpn-id vpn-instance-name

Question # 21

Which of the following are traffic-type attacks?

A.

IP Flood attack

B.

HTTP Flood attack

C.

IP address scanning attack

D.

ICMP redirect packet attack

Question # 22

Which of the following technologies can enhance the security of mobile users accessing the company's intranet VPN solution?

A.

SSL

B.

PPPoE

C.

GRE

D.

L2TP

Question # 23

Two USG firewalls establish an IPSec VPN in site-to-site mode. When viewing the status on USG A, the following is displayed:

display ipsec statistics
the security packet statistics:
input/output security packets: 40
input/output security bytes: 400/0
input/output dropped security packets: 0/0

Based on this status information, which conclusions are correct?

A.

USG A has already encrypted 4 packets, and USG A has decrypted packets.

B.

USG A has decrypted 4 data packets and encrypted 0 data packets.

C.

The Site A devices on the intranet have no route, so the protected data may not be sent to USG A.

D.

IPSec tunnel is not established

Question # 24

The firewall device defends against SYN Flood attacks by using source legality verification. The device receives the SYN packet and sends a SYN-ACK probe packet to the host at the source IP address in the SYN packet. If the host exists, which message will it send?

A.

RST message

B.

FIN message

C.

ACK message

D.

SYN message

Question # 25

The IPSec establishment of a device is unsuccessful. The debug print information is as follows. What are the possible causes of the fault?

%%01IKE/4/WARING(1):phase2:proposal mismatch,please check ipsec proposal configuration
0 34476900 %%01IKE/7/DEBUG(d) dropped message from 3.3.3.1 due to notification type NO_PROPOSAL_CHOSEN

A.

IKE proposal parameters are inconsistent

B.

IPSec proposal parameters are inconsistent

C.

ike peer configuration error

D.

Security acl configuration error

Question # 26

The default interval for sending VGMP hello packets is 1 second. That is, when the hello packet sent by the peer is not received within the range of three hello packets, the peer is considered to be faulty. Master status.

A.

TRUE

B.

FALSE

Question # 27

After the NAT server is configured (no-reverse parameter is added), the firewall automatically generates static Server-Map entries. The first packet matches the Server-Map entry and does not match the session table.

A.

TRUE

B.

FALSE

Question # 28

Which of the following protocols does the USG firewall hot standby not include?

A.

HRP

B.

VRRP

C.

VGMP

D.

IGMP

Question # 29

USG A and USG B are configured with a static BFD session. Which of the following is true about the process of establishing and tearing down a BFD session?

A.

USG A and USG B each start the BFD state machine. The initial state is Down and the BFD packet is Down. The value of Your Discriminator is 0.

B.

After the local BFD status of USG B is Init, if you continue to receive packets with the status Down, you can re-process and update its local status.

C.

After receiving the BFD packet in the Init state, USG B switches the local state to Up.

D.

After the state transition of "DOWN-->INIT" occurs on USG A and USG B, a timeout timer is started. If the BFD packet is in the Init or Up state, the local state is automatically switched back to Down.

Question # 30

The ESP only verifies the IP payload and can perform NAT traversal, but the ESP encrypts the Layer 4 port information and causes the PAT function to be unusable. This problem can be solved by using the IPSec transparent NAT function, which encapsulates the ESP packet in the UDP header and comes with the necessary port information to make the PAT work normally.

A.

TRUE

B.

FALSE

Question # 31

The DHCP snooping function needs to maintain the binding table. What are the contents of the binding table?

A.

MAC

B.

Vlan

C.

interface

D.

DHCP Server IP

Question # 32

In the active/standby mode of USG dual-system hot standby, the service interfaces work at Layer 3, and the upstream and downstream routers are connected to the router. The administrator can view that the USG_A status is HRP_M[USG_A], the USG_B status is HRP_S[USG_B], and there are currently 15000+ session table entries. Every time a switchover occurs, all traffic is interrupted for a period of time, and seamless switching is impossible.

A.

Execute the command hrp preempt delay 64 to lengthen the delay of preemption.

B.

Check connectivity between heartbeat lines

C.

Session fast backup is not configured.

D.

no hrp enable

Question # 33

The topology of the BFD-bound static route is as follows. The administrator has configured the following on firewall A:

[USG9000_A] bfd
[USG9000_A-bfd] quit
[USG9000_A] bfd aa bind peer-ip 1.1.1.2
[USG9000_A-bfd session-aa] discriminator local 10
[USG9000_A-bfd session-aa] discriminator remote 20

Which of the following configurations can be added to the firewall to implement BFD-bound static routes?

A.

[USG9000_A-bfd session-aa] commit

B.

[USG9000_A]bfd aa bind local-ip 1.1.1.1

C.

[USG9000_A]ip route-static 0.0.0.0 0 1.1.1.2 track bfd-session aa

D.

[USG9000_A] ip route-static 0.0.0.0 0 1.1.1.2 bfd-session aa

Question # 34

When a system has a large number of BFD sessions, which mode can be used so that the cost of periodically sending BFD control packets does not affect the normal operation of the system?

A.

sync mode

B.

detection mode

C.

asynchronous mode

D.

query mode

Question # 35

Which of the following security services can a secure multi-instance provide for a virtual firewall?

A.

address binding

B.

blacklist

C.

ASPF

D.

VPN routing

Question # 36

As shown in the figure, the firewall is dual-system hot standby. In this networking environment, all service interfaces of the firewall work in routing mode, and OSPF is configured on the upper and lower routers. Assume that the convergence time of OSPF is 30s after the fault is rectified. What is the best configuration for HRP preemption management?

A.

hrp preempt delay 20

B.

hrp preempt delay 40

C.

hrp preempt delay 30

D.

undo hrp preempt delay

Question # 37

A certain network is as follows: LAN----G0/0/0 USG G0/0/1 ----Server. After analysis, the administrator finds that the attacker is on the LAN connected to G0/0/0. To prevent ARP flood attacks, ARP traffic is to be limited to 100 packets/minute. Which is the correct configuration?

A.

firewall defend arp-flood enable
firewall defend arp-flood interface GigabitEthernet 0/0/0 max-rate 100

B.

firewall defend arp-flood enable
firewall defend arp-flood interface GigabitEthernet 0/0/0 max-rate 6000

C.

firewall defend arp-flood enable
firewall defend arp-flood interface GigabitEthernet 0/0/1 max-rate 100

D.

firewall defend arp-flood enable
firewall defend arp-flood interface GigabitEthernet 0/0/1 max-rate 6000

Question # 38

In Huawei's abnormal traffic cleaning solution, which of the following statements about the characteristics of the straight-line deployment mode and the bypass deployment mode are correct?

A.

straight path deployment method requires separate deployment of detection equipment

B.

side deployment mode requires separate deployment of detection equipment

C.

bypass deployment mode is more flexible than the direct route deployment mode. You can use static drainage or dynamic drainage.

D.

Straight-line deployment mode Anti-DDoS device performs real-time drainage on all traffic passing through

Question # 39

Comparing URPF strict mode and loose mode, which of the following statements is incorrect?

A.

strict mode requires not only the corresponding entry in the forwarding table, but also the interface must match to pass the URPF check.

B.

If the source address of the packet does not exist in the FIB table of the USG, and the default route is configured, the packet will be forwarded through the URPF check.

C.

URPF strict mode is recommended in a route symmetric environment.

D.

Loose mode does not check whether the interface matches. As long as the source address of the packet exists in the FIB table of the USG, the packet can pass.

Question # 40

Which of the following are malformed packet attacks?

A.

Smurf attack

B.

Fraggle attack

C.

large ICMP packet attack

D.

IP packet attack with routing entries

Question # 41

The SSL VPN scenario under dual-system hot standby is shown in the following figure. The administrator has enabled the SSL network extension function. The following is about the configuration of the SSL VPN function.

A.

virtual gateway created on the master side will not be synchronized to the slave side.

B.

Bind the address pool to VRRP backup group 2 when configuring network extensions.

C.

The virtual gateway IP address of the SSL VPN in USG_A must use 202.38.10.2.

D.

The virtual gateway IP address of the SSL VPN in USG_B must use 10.100.10.2.

Question # 42

The ip-link sends a probe packet to the specified IP address. By default, after 3 probe failures, the link to this IP address is considered faulty.

A.

TRUE

B.

FALSE

Question # 43

In the IDC room, a USG firewall can be used to divide into several virtual firewalls, and then the root firewall administrator generates a virtual firewall administrator to manage each virtual firewall.

A.

TRUE

B.

FALSE

Question # 44

A data flow has established a session in the firewall. If the packet filtering policy corresponding to the data is modified, how should the firewall execute?

A.

When the new packet arrives at the firewall, it immediately performs filtering according to the latest policy and refreshes the session table.

B.

immediately performs filtering according to the latest policy, does not refresh the session table

C.

The session is not aged, the new policy is not executed, and the previously established session is matched.

D.

modification will fail, you need to clear the session to modify

Question # 45

Huawei's abnormal traffic cleaning solution must deploy an independent testing center.

A.

TRUE

B.

FALSE

Question # 46

On the web configuration page, choose System --> High Reliability --> Hot Standby and click the Check for HRP Configuration Consistency button. The following window pops up. Which of the following configurations can solve the problem (assuming the heartbeat is added to the DMZ area)?

A.

firewall packet-filter default permit interzone trust local

B.

firewall packet-filter default permit interzone trust dmz

C.

firewall packet-filter default permit interzone untrust dmz

D.

firewall packet-filter default permit interzone local

Question # 47

Which is incorrect about IPSec NAT Traversal?

A.

Both AH and ESP support NAT traversal

B.

IPSec NAT traversal does not support IKE main mode (pre-shared mode)

C.

IPSec ESP packets are encapsulated through NAT using UDP packets.

D.

All IKE messages exchanged with the initiator use 4500 port communication

Question # 48

Which attack method is CC attack?

A.

denial of service attack

B.

scan snooping attack

C.

malformed packet attack

D.

System-based vulnerability attacks

Question # 49

Using the virtual firewall technology, users on the two VPNs can log in to their private VPNs through the Root VFW on the public network to directly access private network resources. What are the following statements about the characteristics of the VPN multi-instance service provided by the firewall?

A.

Security is high: VPN users gain access through firewall authentication and authorization, and after access a separate virtual firewall system is used to manage users, so the resources of different VPN users are completely isolated.

B.

VPN access mode is flexible and reliable. It can support from public network to VPN, and can also support from VPN to VPN.

C.

It is easy to maintain: users can manage the entire firewall (including each virtual firewall) without a system administrator account with super user privileges.

D.

The access control authority is strict. The firewall can control the access rights of the VPN according to the user name and password. This allows different users such as travel employees and super users (need to access different VPN resources) to have different access rights.

Question # 50

What are the correct statements about link-group below?

A.

supports interface state management across switches

B.

supports interface state management across interface boards

C.

supports remote interface state management

D.

support interface board hot swap

Question # 51

When the user's SSL VPN has been successfully authenticated, the user cannot access the Web-link resource. On the Web server, view the information as follows: netstat -anp tcp With the following information, which of the following statements is correct?

A.

intranet server does not open web service

B.

virtual gateway policy configuration error

C.

The connection between the virtual gateway and the intranet server is incorrect.

D.

Virtual gateway and intranet server are unreachable

 

Question # 52

During an ip-link link health check, after how many consecutive failures to receive a response message is the link considered to have failed?

A.

1 time

B.

2 times

C.

3 times

D.

5 times

Question # 53

Which of the following is the correct description of the SMURF attack?

A.

The attacker sends an ICMP request with the destination address or the source address as the broadcast address, causing all hosts or designated hosts of the attacked network to answer, eventually causing the network to crash or the host to crash.

B.

The attacker sends the SYN-ACK message to the attacker's IP address.

C.

The attacker can send UDP packets to the network where the attacker is located. The source address of the packet is the address of the attacked host. The destination address is the broadcast address or network address of the subnet where the attacked host resides. The destination port number is 7 or 19.

D.

The attacker uses the network or the host to receive unreachable ICMP packets. The subsequent packets destined for this destination address are considered unreachable, thus disconnecting the destination from the host.

Question # 54

The main function of URPF is to prevent network attack behavior based on destination address spoofing.

A.

TRUE

B.

FALSE

Question # 55

As shown below, the domain abc address pool is the address pool where the L2TP VPN user is located. Which of the following statements is wrong?

A.

L2TP user can authenticate by domain account

B.

If the value of the used-addr-number field is smaller than the value of the Pool-length field, the number of online users does not exceed the maximum number of users.

C.

The PC behind C can obtain the IP address, but cannot dial the L2TP VPN.

D.

The address range of the address pool is 100.0.0.2--100.0.0.99

Question # 56

Pinging the peer's internal network address from the firewall's internal network interface address successfully triggers the IPSec tunnel, but an internal PC cannot trigger tunnel establishment. What are the possible reasons?

A.

IKE proposal configuration problem

B.

IPSec proposal configuration problem

C.

The source network segment of the interesting-traffic ACL does not include the PC.

D.

packet filtering (inter-domain policy) configuration problem

Question # 57

The USG_B status is HRP_M[USG_A], and the USG_B status is HRP_S[USG_B]. The status of the USG_A is HRP_M[USG_A]. However, all traffic did not pass USG_A completely, and half of the traffic also passed USG_B.

A.

[USG_A]hrp ospf-cost adjust-enable
[USG_B]hrp ospf-cost adjust-enable

B.

[USG_B]interface GigabitEthernet 0/0/1
[USG_B-GigabitEthernet 0/0/1]hrp track master
[USG_B]interface GigabitEthernet 0/0/3
[USG_B-GigabitEthernet 0/0/3]hrp track master

C.

hrp preempt delay 60

D.

The address of the heartbeat is not released to OSPF.

Question # 58

What are the possible reasons why the firewall 2 IPSec VPN cannot be established successfully?

A.

device does not have a route to the intranet

B.

The ACL referenced by the security policy configured on the gateways at both ends is incorrect.

C.

The IPSec proposal configured on the gateways at both ends is inconsistent.

D.

DPD is not configured at both ends.

Question # 59

Which of the following is incorrect about IKE V1 and IKE V2?

A.

IKE V2 establishes a pair of IPSec SAs. Normally, an IKE SA and a pair of IPSec SAs can be completed by exchanging 4 messages twice.

B.

IKE V2 does not have the concept of main mode and aggressive mode.

C.

To establish a pair of IPSec SAs, only 6 messages need to be exchanged in the IKE V1 main mode.

D.

When the IPSec SA established by IKE V2 is greater than one pair, each pair of SAs needs only one additional exchange, that is, two messages can be completed.

Question # 60

In the IPSec VPN, the digital certificate is used for identity authentication. If the IKE main mode is used for negotiation, the certificate verification is completed in message 5 and message 6.

A.

TRUE

B.

FALSE

Question # 61

The classification of cyber-attacks includes traffic-based attacks, scanning and snooping attacks, malformed packet attacks, and special packet attacks.

A.

TRUE

B.

FALSE

Question # 62

What are the three elements of an abnormal flow cleaning solution?

A.

cleaning center

B.

Testing Center

C.

Management Center

D.

Collection Center

Question # 63

In the IPSec active/standby link backup application scenario, gateway B uses IPSec tunneling technology and gateway A to establish an IPSec VPN.

A.

TRUE

B.

FALSE

Question # 64

After a new security instance is created on the firewall, there is no security zone on the firewall, and the administrator needs to plan the configuration.

A.

TRUE

B.

FALSE

Question # 65

The static fingerprint filtering function is to defend the attack traffic by configuring a static fingerprint to process the packets that hit the fingerprint. Generally, the anti-DDoS device capture function can be used to input fingerprint information to static fingerprint filtering.

A.

TRUE

B.

FALSE
