H12-721 Online Practice Questions and Answers

Virtual firewall technology can be implemented using IP address overlap.

A. TRUE

B. FALSE

Virtual firewall technology does not include which of the following characteristics?

A. Provides multi-instance routing, security, multi-instance, multi-instance configuration, NAT multi-instance, VPN multi-instance application flexibility to meet a variety of networking needs.

B. Each virtual firewalls can support four separate security zones TRUST, UNTRUST, DMZ, etc., flexible interface partitioning and allocation.

C. It guarantee that every virtual system and a separate firewall instance, and can be safely implement access between each virtual system.

D. Each virtual system provides independent administrator privileges.

In IP-link, how many successive packets must not be recived for it to be considered a failure, by default?

A. 1 times

B. 2 times

C. 3 times

D. 5 times

Which ofthe following statements is correct about the blacklist? (Choose three answers)

A. When you log into a device and incorrectly enter the username/password three times, the IP address of the administrator will be added to the blacklist via Web or Telnet.

B. Blacklist is divided into static and dynamic.

C. When the device is perceived to have behavioral characteristics of packets to a user's attempt to attack a specific IP address, it will use a dynamic IP address blacklist technology.

D. When the packet reaches the firewall, the first thing to check for is packet filtering, and then it will match the blacklist.

ACK Flood attacks use botnets to send a large number of ACK packets and impacts the network bandwidth, resulting in network link congestion. If a large number of attack packets are sent, server processing power is exhausted, thereby refusing access to normal service.

Which statement is correct about the Huawei Anti-DDos equipment to prevent this attack, when the comparison of two treatments are strict mode and basic mode? (Choose two answers)

A. Bypass deploy dynamic drainage using strict mode.

B. In strict mode, the cleaning device is not checked already established session, if session ACK packets do not match, the device discards the packet.

C. If the cleaning equipment checks to hit a session ACK packet, regardless of the strict mode and basic mode will create a reason to check session.

D. Using the "basic model" even though checks on the cleaning equipment is less than a session, the device will first few ACK packet discard and start checking the session.

In IPsec VPN with NAT traversal, you must use IKE aggressive mode.

A. TRUE

B. FALSE

When using manual IPsec negotiation, if there is a NAT device on the network then we need to use NAT traversal.

A. TRUE

B. FALSE

A man in the middle attack refers to an intermediate that sees the data exchange between server and client. To the server, all messages appear to be sent to or received from the client; and to the client all the packets appear to have been sent to or received from the server. If a hacker is using the man-in-the-middle attack, the hacker will send at least two data packets as shown to achieve this attack.

Which of the following packet 1 and packet 2 Field Description is correct? (Choose two answers)

A. Packet 1: Source IP 1.1.1.1 Source MAC C-C-C

The purpose of IP 1.1.1.2

The purpose of Mac B-B-B

B. Packet 1: Source IP 1.1.1.3 Source MAC C-C-C The purpose of IP 1.1.1.2 The purpose of Mac B-B-B

C. Packet 2: Source IP 1.1.1.2 Source MAC C-C-C The purpose of IP 1.1.1.1 The purpose of Mac A-A-A

D. Packet 2: Source IP 1.1.1.3 Source MAC C-C-C The purpose of IP 1.1.1.1 The purpose of Mac A-A-A

If the two sides wish to establish an IPsec VPN tunnel and using just one of the IP addresses, which of the

following configuration methods can not be applied in the gateway?

A. Policy Template

B. Strategy Name savage mode authentication

C. Pre-share

D. Savage mode key certification

Figure 1 is the first to be attacked host. A packet capture screenshots is shown in line no 132, Figure 2 is a

screenshot of attacked first host with line no. 133 packet capture.

Analyse what type of attack is this?

A. UDP Flood

B. UDP Flood attack slice

C. IP fragmentation attack

D. TAP Fragment Flood

IPSec with AH and ESP support NAT traversal.

A. TRUE

B. FALSE

In static fingerprint filtering for different packets with different processing methods, which of the following statements is correct? (Choose two answers)

A. TCP / UDP / custom services can be based on the load (ie, packet data segment) fingerprints.

B. DNS packets fingerprints for Query ID.

C. HTTP packets fingerprints for Universal Resource Identifier URI (Uniform Resource Identifier).

D. ICMP packets through fingerprints identifier.

Which of the following packets are not sent during IP-link detection? (Choose two answers)

A. ARP packets

B. IGMP packets

C. ICMP packets

D. Hello packets

Comparing URPF strict mode and loose mode, which of the following statement is incorrect?

A. Strict mode requires not only the presence of the corresponding entries in the forwarding table also called the interface but it must match in order to pass the URPF check.

B. If using strict mode, the source address of the packet in the FIB USG does not exist, but the situation has configured a default route and doing allow-default-route, the packet will pass the URPF check for normal forwarding.

C. Under a symmetrical environment, it is recommended to use the route URPF strict mode.

D. Loose mode does not check whether the interface matches the source address of the packet as long as the existence of the USG's FIB table, packets can be passed.

About L2TP over IPsec VPN, which of the following statements is correct? (Choose two answers)

A. IPSEC L2TP tunnel packets trigger

B. L2TP packets trigger IPSEC SA

C. L2TP tunnel first establish

D. IPSEC tunnel first establish