[Jun-2023] H12-731-ENU Exam Dumps Pass with Updated 2023 HCIE-Security (Huawei Certified Internetwork Expert-Security) [Q101-Q126]



Free H12-731-ENU Exam Dumps to Pass Exam Easily

NEW QUESTION # 101
The WeChat voice (TCP) service at a site suffers large delays, up to 3 seconds. The firewall acting as the egress NAT gateway is configured in easy-ip NAT mode (single egress), with link-state detection disabled and a TCP session aging time of 30 seconds; business traffic is light, and there are nearly 50,000 sessions to the voice server. The session table shows a large number of one-way packets toward the voice server.
What is the correct cause and solution for this failure?

  • A. After the firewall session ages out, the NAT port of the new connection differs from the port used to establish the connection with the server, so the server does not respond. The client has to re-establish the connection after a timeout before it can send data.
  • B. Increasing the TCP aging time to 600 seconds could solve the problem.
  • C. The TCP session aging time is too short, and it takes time for the firewall to create a new session.
  • D. If the round-trip paths on the link are consistent, enabling the link-state detection function and leaving the aging time at its default can solve this problem.

Answer: A,D
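The failure in Q101 is easier to see when the session table is modelled. The following is an added example written for this page, not Huawei code: a simplified easy-ip NAT table with an idle timeout and a voice server that only answers on connections it completed a handshake on. Sequential port allocation from 10000, the addresses, and the packet timeline are all assumptions.

```python
"""Model of the Q101 failure: easy-ip NAT, 30-second TCP aging, no link-state
check.  Added example for illustration, not Huawei code; the sequential NAT
port allocation, the 10000 starting port and all addresses are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[str, int, str, int]  # (client_ip, client_port, server_ip, server_port)


@dataclass
class Session:
    nat_port: int
    last_seen: float


@dataclass
class EasyIpNat:
    tcp_aging: float           # seconds an idle TCP session survives (30 in Q101)
    link_state_check: bool     # disabled in Q101
    next_port: int = 10000     # assumption: ports handed out sequentially
    table: Dict[Flow, Session] = field(default_factory=dict)

    def forward(self, flow: Flow, now: float, syn: bool) -> Optional[int]:
        """Return the translated source port for this packet, or None if dropped."""
        sess = self.table.get(flow)
        if sess is not None:
            if now - sess.last_seen <= self.tcp_aging:
                sess.last_seen = now          # refresh the session
                return sess.nat_port
            del self.table[flow]              # session aged out
        # No session: with the link-state check on, a non-SYN packet is dropped;
        # with it off, any packet creates a fresh session with a new NAT port.
        if self.link_state_check and not syn:
            return None
        port = self.next_port
        self.next_port += 1
        self.table[flow] = Session(port, now)
        return port


@dataclass
class VoiceServer:
    """Answers only on TCP connections it completed a handshake on."""
    connections: Set[int] = field(default_factory=set)   # NAT ports it knows

    def receive(self, nat_port: int, syn: bool) -> bool:
        if syn:
            self.connections.add(nat_port)
            return True
        return nat_port in self.connections


def run(tcp_aging: float, link_state_check: bool) -> List[Tuple[float, Optional[int], bool]]:
    """Replay a constructed timeline: SYN at t=0, data at t=1, data after 60 s idle.

    Each entry is (time, NAT port seen by the server or None, server answered?)."""
    nat = EasyIpNat(tcp_aging, link_state_check)
    srv = VoiceServer()
    flow: Flow = ("192.168.1.10", 40000, "10.0.0.5", 443)
    timeline = [(0.0, True), (1.0, False), (61.0, False)]
    results = []
    for t, syn in timeline:
        port = nat.forward(flow, t, syn)
        answered = port is not None and srv.receive(port, syn)
        results.append((t, port, answered))
    return results


if __name__ == "__main__":
    for aging, check in ((30, False), (600, False), (30, True)):
        print(f"aging={aging:<4} link_state_check={check!s:<5} -> {run(aging, check)}")
```

With a 30-second aging time and no link-state check, the third packet creates a new session with port 10001 and the server never answers it, which is the one-way traffic the session table shows. A 600-second aging time keeps port 10000, and the link-state check drops the out-of-state packet instead of creating a mismatched session.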


NEW QUESTION # 102
Which statement about MTU and PMTU is correct?

  • A. The device will check the MTU on the inbound interface, and if the packet size exceeds the MTU value, it will be discarded.
  • B. MTU (Maximum Transmission Unit) is the size of the largest data packet that can be transmitted in the network, in bytes.
  • C. In an IP network, interfaces with different MTU values may be passed from the source address to the destination address, and the largest MTU value is the PMTU of the path.
  • D. PMTU detection is to obtain the PMTU value of the specified destination IPv4 address through detection, and then use the MTU value to send packets.

Answer: B,D


NEW QUESTION # 103
In the networking shown in the figure, no default gateway for reaching the external network is configured on the Web server. To ensure that external network users can access the Web server normally through NAT Server, which of the following firewall configuration plans are correct?

  • A. It is necessary to configure the source NAT in the direction from DMZ to Untrust on the firewall, so that the web server can access the external network, so that the response message of the web server can be returned to the external network user.
  • B. It is necessary to configure nat server on the firewall to ensure that external network users can access the Web server by accessing 202.20.1.5.
  • C. It is necessary to configure destination-nat for external network users on the firewall to convert the public network address of the accessed web server into the internal network address
  • D. It is necessary to configure the source NAT from Untrust to the DMZ on the firewall to translate the source address of the data packets from the external network users accessing the Web server to 192.168.1.1.

Answer: B,D


NEW QUESTION # 104
Which of the following descriptions about dual-system hot standby is incorrect?

  • A. After fast backup is enabled, the configuration of the active device is also backed up to the standby device.
  • B. After automatic backup is enabled, all sessions on the active device are automatically backed up to the standby device.
  • C. The firewall configuration backup direction must be from the device in the VGMP active state to the device in the VGMP standby state.
  • D. VGMP is currently in the active state. After a VRRP interface belonging to this VGMP group goes down, the VGMP state will definitely switch to standby.

Answer: A


NEW QUESTION # 105
In a new campus network of an enterprise, there is a requirement for ordinary PC users and dumb terminal users to connect to the Internet at the same time under an access switch.
Which authentication method is recommended to be deployed on this switch?

  • A. Portal Authentication
  • B. MAC bypass authentication
  • C. 802.1X Authentication
  • D. MAC Authentication

Answer: B


NEW QUESTION # 106
The following HWTACACS configuration has been made on the firewall:
<sysname> system-view
[sysname] hwtacacs-server template server1
[sysname-hwtacacs-server1] hwtacacs-server authentication 3.3.3.3 10000
[sysname-hwtacacs-server1] hwtacacs-server accounting 3.3.3.3 10010
Please point out the problem in this configuration:

  • A. The authorization server is not configured.
  • B. The port number used by the configured authentication server is incorrect.
  • C. Authentication and accounting servers should not use the same IP address.
  • D. The port number used to configure the accounting server is incorrect.

Answer: A


NEW QUESTION # 107
The whitelist + blacklist mode is adopted in terminal security management. Which of the following are normal behaviors?

  • A. The terminal host has installed neither the whitelisted software nor the blacklisted software.
  • B. Only some of the whitelisted software is installed on the terminal host, and no blacklisted software is installed.
  • C. The terminal host has installed all of the whitelisted software, and also some of the blacklisted software.
  • D. The terminal host has installed all of the whitelisted software and none of the blacklisted software.

Answer: D


NEW QUESTION # 108
The main differences between the RADIUS and HWTACACS protocols include:

  • A. HWTACACS encrypts the entire body of the message, and RADIUS only encrypts the password field in the authentication message.
  • B. RADIUS authentication and authorization are separated, and HWTACACS authentication and authorization are processed together.
  • C. RADIUS uses TCP protocol, network transmission is more reliable, HWTACACS uses UDP protocol.
  • D. HWTACACS supports authorization of configuration commands, RADIUS does not support authorization of configuration commands.

Answer: A,D


NEW QUESTION # 109
Which statement is true about certificate OCSP and CRL technology?

  • A. CRL is more time-sensitive than OCSP.
  • B. OCSP must frequently download the certificate list on the client side to keep the list updated.
  • C. The OCSP protocol obtains the revocation status of a certificate in an online manner to check whether the other party's certificate is revoked.
  • D. The CDP (CRL Distribution Points) information automatically obtained from the client certificate is not stored in the configuration file, so after the USG restarts, the automatically obtained CDP information is lost.
  • E. OCSP can obtain the revocation status of the certificate in real time.

Answer: C,D,E


NEW QUESTION # 110
When configuring an IKE proposal, which of the following three parameters must be configured?

  • A. DH-group
  • B. security acl
  • C. PFS
  • D. encryption algorithm
  • E. Hash algorithm

Answer: A,D,E


NEW QUESTION # 111
Configure the firewall as follows:
[USG-policy-security] rule name Trust Local
[USG-policy-security-rule-Trust Local] source-zone trust
[USG-policy-security-rule-Trust Local] destination-zone local
[USG-policy-security-rule-Trust Local] source-address 192.168.5.2 32
[USG-policy-security-rule-Trust Local] destination-address 192.168.5.1 32
[USG-policy-security-rule-Trust Local] service http
[USG-policy-security-rule-Trust Local] service telnet
[USG-policy-security-rule-Trust Local] action permit
Please select the correct description below:

  • A. Allow the firewall to log in to the device at 192.168.5.1 through the Web.
  • B. Allow the firewall to log in to the device at 192.168.5.1 through Telnet.
  • C. Allow the IP address 192.168.5.2/24 to log in to the firewall through Telnet.
  • D. Allow the 192.168.5.2/24 address segment to log in to the firewall via Web.

Answer: C,D


NEW QUESTION # 112
Which interfaces does the firewall support to configure IPsec policies?

  • A. Tunnel interface
  • B. Virtual-Template interface
  • C. Virtual Ethernet interface
  • D. Dialer interface
  • E. Ordinary physical interface

Answer: A,D,E


NEW QUESTION # 113
For the description of NAT Server, which is correct?

  • A. If the public network address of the NAT Server and the corresponding public network interface address are not in the same network segment, you do not need to configure black hole routing.
  • B. NAT Server cannot be configured on the virtual firewall for users of the root firewall.
  • C. If the public network address of the NAT Server and the corresponding public network interface address are in the same network segment, you do not need to configure black hole routing.
  • D. If the public network address of the NAT Server is the interface address, if the black hole route of this address is configured, the service access to the firewall itself will be abnormal.

Answer: C


NEW QUESTION # 114
Which of the following statements about BFD is correct?

  • A. The BFD protocol specifies that the sending interval and receiving interval are in milliseconds.
  • B. Implement link detection based on ICMP echo request or ARP request.
  • C. Can be linked with policy routing, OSPF, DHCP, FRR, static routing, etc.
  • D. BFD can detect indirect links.

Answer: C,D


NEW QUESTION # 115
The correct statement of the principle of virtual firewall technology is:

  • A. A virtual firewall and the root firewall cannot communicate with each other.
  • B. Different virtual firewalls share one routing table, so overlapping addresses are not supported across virtual firewalls.
  • C. Each virtual firewall system supports Trust, Untrust, DMZ, Local and other security zones, and interfaces can be divided and allocated flexibly.
  • D. Virtual system resources are allocated independently, security services are provided independently, and multiple VPN instances are supported.

Answer: C,D


NEW QUESTION # 116
Which of the following is a correct description of the stateful inspection firewall forwarding principle:

  • A. The non-first packet forwarding is based on the session table, which can only be forwarded if it matches the session table.
  • B. Establish a connection for this UDP data stream when processing UDP protocol packets.
  • C. Session state detection based on TCP connection three-way handshake.
  • D. The firewall does not support the stateful inspection mechanism when deployed as a Layer 2 device.
  • E. ICMP packets will not be checked for status.

Answer: A,B,C


NEW QUESTION # 117
In the 4-way handshake of TCP disconnection as shown in the figure, ① and ② should be:

  • A. a+1 and b+1
  • B. a and b+1
  • C. a and b
  • D. a+1 and b

Answer: A
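The figure is not reproduced on this page, so the exchange is written out below as an added example (not part of the original question): the four segments of a client-initiated close, with the acknowledgement numbers ① and ② derived from the fact that a FIN occupies one sequence number while a pure ACK occupies none. The tracker that follows walks the exchange the way the stateful inspection engine of Q116 would, and rejects an ACK that does not cover the peer's FIN. The state names follow RFC 793; the concrete values of a and b are arbitrary.

```python
"""TCP four-way close as a message exchange, with a connection tracker of the
kind a stateful firewall keeps (Q116).  Added example, not from the page;
a and b are the sequence numbers of the two FIN segments in the figure."""
from typing import Dict, List, Tuple

Segment = Tuple[str, str, int, int]   # (sender, flags, seq, ack)


def tcp_four_way_close(a: int, b: int) -> List[Segment]:
    """Client closes first; its FIN has seq a, the server's FIN has seq b.

    A FIN occupies one sequence number, a pure ACK occupies none.  So the
    server acknowledges the client's FIN with ack = a + 1 (①) and the client
    acknowledges the server's FIN with ack = b + 1 (②).
    """
    return [
        ("client", "FIN,ACK", a, b),          # client -> server: FIN, seq = a
        ("server", "ACK", b, a + 1),          # server -> client: ACK, ack = a + 1  (①)
        ("server", "FIN,ACK", b, a + 1),      # server -> client: FIN, seq = b
        ("client", "ACK", a + 1, b + 1),      # client -> server: ACK, ack = b + 1  (②)
    ]


def fin_ack_numbers(a: int, b: int) -> Tuple[int, int]:
    """The two acknowledgement numbers ① and ② asked for in the question."""
    segs = tcp_four_way_close(a, b)
    return segs[1][3], segs[3][3]


def track_close(segs: List[Segment]) -> Dict[str, str]:
    """Walk the exchange like a stateful inspection engine and return both
    endpoints' final states; raise if an ACK does not acknowledge the peer's FIN."""
    state = {"client": "ESTABLISHED", "server": "ESTABLISHED"}
    fin_seq: Dict[str, int] = {}
    for sender, flags, seq, ack in segs:
        peer = "server" if sender == "client" else "client"
        if "FIN" in flags:
            fin_seq[sender] = seq
            # active closer goes to FIN_WAIT_1, passive closer (already in CLOSE_WAIT) to LAST_ACK
            state[sender] = "FIN_WAIT_1" if state[sender] == "ESTABLISHED" else "LAST_ACK"
            if state[peer] == "ESTABLISHED":
                state[peer] = "CLOSE_WAIT"
        if "ACK" in flags and peer in fin_seq:
            if ack != fin_seq[peer] + 1:
                raise ValueError(f"{sender} ACK {ack} does not acknowledge FIN seq {fin_seq[peer]}")
            if state[peer] == "FIN_WAIT_1":
                state[peer] = "FIN_WAIT_2"
            elif state[peer] == "LAST_ACK":
                state[peer] = "CLOSED"
                state[sender] = "TIME_WAIT"
    return state


if __name__ == "__main__":
    exchange = tcp_four_way_close(1000, 5000)
    for seg in exchange:
        print(seg)
    print("① , ② =", fin_ack_numbers(1000, 5000), "->", track_close(exchange))
```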


NEW QUESTION # 118
What is the matching priority order of the URL filtering of the USG firewall?

  • A. Blacklist, Whitelist, Custom Classification, Predefined Classification
  • B. Whitelist, Blacklist, Custom Classification, Predefined Classification
  • C. blacklist, whitelist, predefined classification, custom classification
  • D. Whitelist, Blacklist, Predefined Classification, Custom Classification

Answer: B
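The priority order in the answer is the whole point of the question, so here it is as executable logic. This is an added example written for this page, not the USG's own URL-filtering code: the whitelist, blacklist, custom categories, predefined categories and per-category actions are a constructed policy, and host names are matched with shell-style globs as an assumption. Two hosts are deliberately placed in more than one list so the precedence is visible.

```python
"""URL-filtering decision in the priority order of Q118: whitelist, then
blacklist, then custom category, then predefined category.  Added example,
not Huawei code; the lists, categories and actions are constructed."""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed policy.  Patterns are shell-style globs on the host name.
WHITELIST: List[str] = ["*.example-corp.com", "updates.vendor.example"]
BLACKLIST: List[str] = ["*.badsite.example", "phish.vendor.example"]
CUSTOM_CATEGORIES: Dict[str, List[str]] = {
    "internal-tools": ["git.example-corp.com", "*.tools.example"],
}
PREDEFINED_CATEGORIES: Dict[str, List[str]] = {
    "social": ["*.social.example"],
    "malware": ["*.badsite.example", "*.tools.example"],   # overlaps blacklist and custom
}
CATEGORY_ACTION: Dict[str, str] = {"internal-tools": "allow", "social": "block", "malware": "block"}
DEFAULT_ACTION = "allow"


def _match(host: str, patterns: List[str]) -> bool:
    return any(fnmatchcase(host, p) for p in patterns)


def _category(host: str, table: Dict[str, List[str]]) -> Optional[str]:
    for name, patterns in table.items():
        if _match(host, patterns):
            return name
    return None


def filter_url(url: str) -> Tuple[str, str]:
    """Return (matching stage, action) for a URL; the first stage that matches wins."""
    host = (urlsplit(url).hostname or "").lower()
    if _match(host, WHITELIST):                    # 1. whitelist always allows
        return "whitelist", "allow"
    if _match(host, BLACKLIST):                    # 2. blacklist always blocks
        return "blacklist", "block"
    cat = _category(host, CUSTOM_CATEGORIES)       # 3. administrator-defined categories
    if cat:
        return f"custom:{cat}", CATEGORY_ACTION[cat]
    cat = _category(host, PREDEFINED_CATEGORIES)   # 4. vendor predefined categories
    if cat:
        return f"predefined:{cat}", CATEGORY_ACTION[cat]
    return "default", DEFAULT_ACTION


if __name__ == "__main__":
    for u in ("https://docs.example-corp.com/", "http://phish.vendor.example/login",
              "https://cdn.badsite.example/x", "https://a.tools.example/",
              "https://www.social.example/", "https://unknown.example/"):
        print(f"{u:<40} -> {filter_url(u)}")
```

Note how cdn.badsite.example is blocked by the blacklist before the predefined malware category is consulted, and a.tools.example is allowed by the custom category even though the predefined category would block it.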


NEW QUESTION # 119
In the TCP spoofing attack, in order to establish a fake TCP connection with the victim host, the attacker must obtain the key information in the TCP session through calculation or guessing:

  • A. Acknowledgement Number responded by the victim host
  • B. Checksum responded by the victim host
  • C. Urgent Pointer responded by the victim host
  • D. Sequence Number responded by the victim host

Answer: D


NEW QUESTION # 120
A customer network topology is shown in the figure.

An L2TP tunnel is to be established between the PC and the FW, with the PC as the client and the FW as the LNS. After the administrator completes the configuration, the L2TP tunnel cannot be established.
Execute the command debug l2tp packet in the user view to enable the debug switch, and see the following debug information:
USG %%01L2TP/8/L2TDBG (d): L2TP::Check SCCRQ MSG Type 1
USG %%01L2TP/8/L2TDBG (d): L2TP::Parse AVP Protocol version: 100
USG %%01L2TP/8/L2TDBG (d): L2TP::Parse AVP Framing capability: 1
USG %%01L2TP/8/L2TDBG (d): L2TP::Parse AVP Bearer capability, value: 0
USG %%01L2TP/8/L2TDBG (d): L2TP::Parse AVP Firmware revision, value: 1200
USG %%01L2TP/8/L2TDBG (d): L2TP::Parse AVP Host name, value: maple-54b160e59
USG %%01L2TP/8/L2TDBG (d): L2TP::requested Host isn't in the define l2tp group, refuse the requested
USG %%01L2TP/8/L2TDBG (d): L2TP::Clear Calls On Tunnel ID=1 Reason=1
Based on the above information, which failure analysis option is correct?

  • A. LNS remote tunnel name configuration is incorrect
  • B. The Virtual Template interface is not added to the security domain
  • C. Client LNS IP address configuration error
  • D. L2TP Group tunnel authentication failed

Answer: A


NEW QUESTION # 121
Which fields in the packet need to be analyzed in the firewall's IP packet fragmentation and reassembly?

  • A. Flags
  • B. Total Length
  • C. Fragment Offset
  • D. Identifier
  • E. Time To Live (TTL)

Answer: A,C,D
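The three fields in the answer are exactly what a reassembler keys on, and Total Length is what bounds each fragment's data. The following is an added example written for this page, not the firewall's implementation: it fragments a datagram, parses the header fields, reassembles fragments that arrive out of order, and drops a datagram whose fragments overlap (the teardrop-style condition a firewall must handle). The addresses, protocol number, identification value and payload are constructed, and the header checksum is left at zero.

```python
"""IPv4 fragmentation and reassembly driven by the three fields in the
answer: Identification, Flags (MF) and Fragment Offset, with Total Length
bounding each fragment's data.  Added example, not the firewall's code; the
addresses and payload are constructed and the header checksum is left at 0."""
import struct
from typing import Dict, List, Optional, Tuple

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte header, no options
FLAG_MF = 0x1                                # More Fragments bit
SRC, DST = bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5])   # constructed


def parse_ipv4(pkt: bytes) -> dict:
    """Return the header fields a reassembler needs."""
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum, src, dst = IPV4_HDR.unpack(pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ident": ident, "proto": proto, "src": src, "dst": dst,
        "mf": bool((flags_off >> 13) & FLAG_MF),
        "offset": (flags_off & 0x1FFF) * 8,    # Fragment Offset is in 8-byte units
        "data": pkt[ihl:total_len],            # Total Length bounds the data
    }


def fragment(ident: int, proto: int, payload: bytes, mtu: int) -> List[bytes]:
    """Split payload into fragments that fit mtu; all but the last carry a multiple of 8 bytes."""
    chunk = (mtu - 20) // 8 * 8
    frags = []
    for off in range(0, len(payload), chunk):
        data = payload[off:off + chunk]
        mf = FLAG_MF if off + len(data) < len(payload) else 0
        hdr = IPV4_HDR.pack(0x45, 0, 20 + len(data), ident, (mf << 13) | (off // 8), 64, proto, 0, SRC, DST)
        frags.append(hdr + data)
    return frags


class Reassembler:
    """Per-(src, dst, id, proto) buffer; rejects overlapping fragments."""

    def __init__(self) -> None:
        self.buckets: Dict[Tuple[bytes, bytes, int, int], dict] = {}

    def feed(self, pkt: bytes) -> Optional[bytes]:
        """Return the complete datagram payload once every byte is present, else None."""
        f = parse_ipv4(pkt)
        if f["offset"] == 0 and not f["mf"]:
            return f["data"]                                   # unfragmented datagram
        key = (f["src"], f["dst"], f["ident"], f["proto"])
        b = self.buckets.setdefault(key, {"parts": {}, "total": None})
        start, end = f["offset"], f["offset"] + len(f["data"])
        if b["parts"].get(start) == f["data"]:
            return None                                        # plain retransmit, ignore
        for s, d in b["parts"].items():
            if start < s + len(d) and s < end:                 # overlap: drop the whole datagram
                del self.buckets[key]
                raise ValueError(f"overlapping fragment at offset {start} for id {f['ident']}")
        b["parts"][start] = f["data"]
        if not f["mf"]:
            b["total"] = end                                   # last fragment fixes the datagram length
        if b["total"] is None:
            return None
        out, pos = bytearray(), 0
        for s in sorted(b["parts"]):
            if s != pos:
                return None                                    # hole, wait for more fragments
            out += b["parts"][s]
            pos += len(b["parts"][s])
        if pos != b["total"]:
            return None
        del self.buckets[key]
        return bytes(out)


def roundtrip(payload: bytes, mtu: int) -> Optional[bytes]:
    """Fragment, deliver in reverse order, reassemble."""
    r = Reassembler()
    result = None
    for pkt in reversed(fragment(0x1234, 17, payload, mtu)):
        result = r.feed(pkt)
    return result


if __name__ == "__main__":
    sample = bytes(range(256)) * 10                            # constructed 2560-byte payload
    print(len(fragment(0x1234, 17, sample, 576)), "fragments at MTU 576;",
          "reassembled OK" if roundtrip(sample, 576) == sample else "MISMATCH")
```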


NEW QUESTION # 122
With the continuous advancement of informatization and information security assurance in China, strengthening and standardizing the management of information security service qualifications has become important basic work in information security management.
Which of the following qualification certifications are provided by the China Information Security Certification Center?

  • A. Risk Assessment Service Qualification Certification
  • B. Emergency Treatment Service Qualification Certification
  • C. Security R&D Service Qualification Certification
  • D. Security Deployment Service Qualification Certification

Answer: A,B


NEW QUESTION # 123
What functions are included in the firewall UTM feature?

  • A. IPS
  • B. URL filtering
  • C. AV
  • D. content filtering
  • E. Traffic-based attack defense

Answer: A,B,C,D


NEW QUESTION # 124
What are the mechanisms for implementing intrusion prevention?

  • A. Response handling
  • B. Blacklist match
  • C. feature matching
  • D. Protocol identification and protocol resolution

Answer: A,C,D


NEW QUESTION # 125
For border network security, which of the following should be given priority in planning and deployment?

  • A. Security Domain Isolation
  • B. Enable DDoS function
  • C. Enable device virtualization
  • D. IPS Real-Time Intrusion Prevention
  • E. Deploy VPN

Answer: A,B,D


NEW QUESTION # 126
......

H12-731-ENU Exam Dumps, H12-731-ENU Practice Test Questions: https://testking.vceprep.com/H12-731-ENU-latest-vce-prep.html