H12-731-ENU試験2023 Huawei Specialist Unlimited 205 Questions [Q67-Q90]の最高の準備

発行日 7月 12, 2023

この記事を評価する

Best Preparations of H12-731-ENU Exam 2023 Huawei Specialist Unlimited 205 Questions

Focus on H12-731-ENU All-in-One Exam Guide For Quick Preparation.

The Huawei H12-731-ENU exam aims to evaluate the candidate’s knowledge and competency in various domains of network security, including network security design and implementation, network security technologies, operations, and maintenance. It covers a wide range of security technologies, such as firewalls, intrusion detection and prevention systems, VPNs, wireless security, and virtualization security.

Huawei H12-731-ENU exam is a challenging exam that requires a solid understanding of network security concepts and technologies. IT professionals who are preparing for H12-731-ENU exam should have a strong background in network security, as well as experience working with Huawei network security products and solutions.

新しい質問 67
The correct statement about UDP Flood and TCP Flood attack prevention is:

The UDP protocol is connectionless and therefore cannot be implemented by source detection.

Prevent UDP Flood By analyzing the rules and characteristics of UDP packets sent by a certain host, the rules and characteristics are called fingerprint learning.

The fingerprint learning function of UDP packets learns all fields of the packet data segment.

UDP and TCP protocols can be implemented through proxy technology.

新しい質問 68
Which of the following is a correct description of the stateful inspection firewall forwarding principle:

The non-first packet forwarding is based on the session table, which can only be forwarded if it matches the session table.

ICMP packets will not be checked for status.

Establish a connection for this UDP data stream when processing UDP protocol packets.

The firewall does not support the stateful inspection mechanism when deployed as a Layer 2 device.

Session state detection based on TCP connection three-way handshake.

新しい質問 69
In the dual-system hot-standby network, the management group status on the two USGs is Active. What is the possible reason?

The physical line of the heartbeat has failed

Backup channel interface not configured

Fast session backup not set

set a long preemption delay

新しい質問 70
Which of the following IPsec modes and encapsulation methods can be used in the application scenarios of IPSEC NAT traversal?

IPSEC tunnel mode + ESP encapsulation

IPSEC tunnel mode + AH encapsulation

IPSEC transport mode + ESP encapsulation

IPSEC transport mode + AH encapsulation

新しい質問 71
Huawei NIP5000 products are based on signature security.

真

偽

新しい質問 72
A network expects to use URPF technology to improve network security. Which mode of URPF is used in the following networking scenarios:

strict mode

loose mode

strict mode or loose mode

According to the stem information, the corresponding mode cannot be judged

新しい質問 73
In the Remote Access VPN scenario, the remote PC uses the Secoway VPN Client and the firewall to establish a VPN. Which of the following statements is correct?

Tunnel mode is used by default

Default use transfer mode

use l2tp over ipsec dial by default

use l2tp dialing by default

新しい質問 74
When configuring the firewall security policy, which of the following configuration commands is correct to match the data packets sent from the 192.168.10.0 network segment?

source-address 192.168.10.0 0.0.0.255

source-address 192.168.10.0 255.255.255.0

destination-address 192.168.10.0 0.0.0.255

destination-address 192.168.10.0 255.255.255.0

新しい質問 75
Which of the following descriptions about dual-system hot standby is incorrect?

After automatic backup is enabled, all sessions on the host will be automatically backed up to the standby.

After enabling fast backup, the configuration of the host can also be backed up to the standby.

VGMP is currently in the active state. After the VRRP interface belonging to the VGMP goes down, the VGMP state will definitely switch to the standby state.

The firewall configuration backup direction must be from the VGMP master state device to the backup state device.

新しい質問 76
In the dual-system hot-standby network, the service interface works at Layer 3, the upstream and downstream are connected to the router, the firewall and the upstream and downstream run an OSPF process, which provides the dual-system hot-standby burden sharing network, and the firewall provides the NAT function. The following Incorrect planning deployment advice:

For consistency of uplink and downlink status, the firewall’s uplink and downlink interfaces are added to the same Link-Group.

Configure a static black hole route (network segment route) in the NAT address pool, import it into OSPF and advertise it.

Enable HRP to adjust OSPF COST function.

Allows the packet filtering policy between the domain where the heartbeat port Eth-Trunk is located and the local domain, so as to allow heartbeat packets to pass.

新しい質問 77
Use NGFW for SSL VPN connection, use certificate authentication, certificate can be selected, but after clicking login, you cannot log in to the resource page. After using debug check on NGFW, it prompts that the certificate is wrong.
<NGFW>debugging ssl error
<NGFW>terminal debugging
<NGFW>terminal monitor
*0.10012266 USG2130 SSL/7/error:
SSL 3.0, Alert, write, fatal bad certificate
But check that the certificate is complete and the contents of the certificate are correct.
What are the possible reasons for this certificate validation error?

The system clock is correct, but the certificate has expired.

A browser that does not support SSL3.0 is used.

The certificate is within the validity period, but the system clock is wrong, and the system clock is not within the validity period.

When the certificate expires, the system clock is not the current time, but is configured within the certificate’s validity period.

新しい質問 78
In the networking shown in the figure, the traffic from the PC to access the Web Server must go through the firewall, and the traffic from the Web Server to the PC must go through the firewall.
With intra-domain bidirectional NAT properly configured on the firewall, the following descriptions of packet IP addresses may be correct:

The source IP address of the data packet received by the web server for PC access to its web service is 10.1.1.5.

The source IP address of the data packet received by the web server for accessing its web service from the PC is the IP address of the interface (1).

The source IP address of the data packet received by the PC from the web server is 10.1.1.2.

The source IP address of the data packet received by the factory PC from the web server is the IP address of the interface (2).

新しい質問 79
In the scenario of using Remote access VPN access, the VPN-Client configuration is as shown in the figure, as indicated by the red box, what is the main function?

The VPN-Client software will issue a default route to the virtual network card.

The VPN-Client software no longer issues the default route to the virtual network card.

The VPN-Client software issues the public network address route to the virtual network card.

The VPN-Client software will no longer issue the public network address route to the virtual network card.

新しい質問 80
Which interfaces does the firewall support to configure IPsec policies?

normal physical port

Virtual Template port

Tunnel port

Dialer mouth

Virtual Ethernet interface

新しい質問 81
Which of the following options can be used as conditions for Portal push ?

Endpoint IP address range

Terminal browser type

Terminal device type

SSID of the access AP

MAC address of the access AP

MAC address of the connected AC

新しい質問 82
A company’s egress gateway dual links are connected to different operators, and have the following requirements:
Users can access the Internet through two operators. When the links to the two operators work normally, all traffic is forwarded by the primary link (ISP1), and when the primary link fails, all traffic is transmitted by the backup link. Road (ISP2) forwarding.
Which of the following options is correct?

[USG] ip-link check enable [USG] ip-link 1 destination 200.1.1.8 mode icmp [USG] ip-link 2 destination 234.1.1.8 mode icmp [USG] ip route-static 0.0.0.0 0.0. 0.0 GigabitEthernet 0/0/2 200.1.1.8 preference 30 track ip-link 1 [USG] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 0/0/3 234.1.1.8 preference 20 track ip-link 2

[USG] ip-link check enable [USG] ip-link 1 destination 200.1.1.8 mode icmp [USG] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 0/0/2 200.1.1.8 track ip- link 1 [USG] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 0/0/3 234.1.1.8

[USG] ip-link check enable [USG] ip-link 2 destination 234.1.1.8 mode icmp [USG] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 0/0/2 200.1.1.8 preference 20 [ USG] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 0/0/3 234.1.1.8 preference 30 track ip-link 2

[USG] ip-link check enable [USG] ip-link 1 destination 200.1.1.8 mode icmp [USG] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 0/0/2 200.1.1.8 preference 20 track ip-link 1 [USG] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 0/0/3 234.1.1.8 preference 30

新しい質問 83
The USG and the Router establish a Site-to-Site IPsec VPN. Based on the following information, which of the following options may be correct?
<USG> display ike sa
current ike sa number: 0
<USG> display ipsec statistics
the security packet statistics:
……
negotiate about packet statistics:
IP packet ok: 0, err: 0, drop: 0
IP rcv other cpu to ike: 0, drop:
0
IKE packet inbound ok: 0, err: 0
IKE packet outbound ok: 0, err: 0
SoftExpr: 0, HardExpr: 0,
DPDOper: 0, SwapSa: 0
ModpCnt: 0, SaeSucc: 0,
SoftwareSucc: 0

Interzone packet filtering configuration error

NAT policy interferes with IPsec protected traffic

Route reachability problem of IKE peer private network

IPsec proposal configuration is inconsistent

新しい質問 84
MAC authentication is applicable in which of the following situations?

Office Windows host

Linux host for testing

Mobile clients, such as smartphones, etc.

network printer

新しい質問 85
If the hardware security access control gateway adopts the next generation firewall, in “Policy > Admission Control > SAC Configuration > Hardware SACG”, select the “Controlled Domain” tab, and add the controlled domain ERP (172.10.11.1/32 ) and DB_Oracle ( 172.10.12.32/32 ), then query the firewall configuration through the CLI to obtain the following information:
display acl all
…………
Advanced ACL 3100, 1 rule, not binding with vpn-instance
Acl’s step is 1
rule 1 deny ip (0 times matched)
Advanced ACL 3101, 1 rule, not binding with vpn-instance
Acl’s step is 1
rule 1 permit ip (0 times matched)
Advanced ACL 3102, 1 rule, not binding with vpn-instance
Acl’s step is 1
rule 1 deny ip destination 172.13.11.10 (0 times matched)
Advanced ACL 3103, 1 rule, not binding with vpn-instance
Ad’s step is 1
rule 1 permit ip destination 172.13.11.10 (0 times matched)
Advanced ACL 3354,
Which of the following statements is correct about the above ACL configuration?

The current controlled domain is not completely delivered to the hardware security access control gateway.

The controlled domain can be delivered to the hardware security access control gateway by manually synchronizing the controlled domain on the Agile Controller manager.

The Agile Controller manager will regularly check and deliver the control domain configuration, and the problem will be automatically fixed.

You can only log in to the hardware security access control gateway, execute the controlled domain refresh command sync role-info in diagnostic mode, and actively request to refresh the controlled domain from the Agile Controller manager.

新しい質問 86
Which of the following options fall under the scope of visitor management?

Guest Account Creation

Guest Account Approval

Visitor page customization

The guest uses the account to authenticate

Visitors register on the registration page