Users cannot access intranet resources when using the network extension function. Which of the following is not the possible cause of the failure?
- A . Has a virtual IP address been obtained on the virtual network card of the user PC?
- B . The route between the firewall and the intranet server is unreachable.
- C . User connection timed out.
- D . The virtual IP address conflicts with the FW interface address, intranet server address, and DHCP address pool address.
In a dual-system hot-standby network, when configuring an HRP heartbeat interface, if the address of the peer heartbeat interface is specified, which of the following types of VGMP Hello packets are sent between firewalls?
- A . Unicast message
- B . Broadcast message
- C . Multicast message
- D . UDP packets
The dual-system hot backup networking diagram is shown below. The gateway address of PC1 in the figure should be the interface IP address of the active device, that is, 10.100.10.2/24.
- A . TRUE
- B . FALSE
The bandwidth management function only supports limiting the number of connections initiated by a specified IP.
- A . TRUE
- B . FALSE
When using the Radius server to authenticate users, it is necessary to configure the corresponding user name and password on both the Radius server and the firewall.
- A . TRUE
- B . FALSE
As shown in the figure, the firewall dual-system hot-standby networking environment. In this networking environment, which of the following commands can ensure that the device can automatically adjust the priority of the VGMP management group and automatically perform the active-standby switchover?
- A . hrp ospf-cost adjust-enable
- B . hrp preempt delay 60
- C . hrp interface GigabitEthernet 0/0/2
- D . hrp auto-sync config
Which of the following description of the working process of network expansion is wrong?
- A . After the network extension function is triggered, an SSL VPN tunnel needs to be established between the remote user and the virtual gateway.
- B . The local PC of the remote user will automatically generate a virtual network card. The virtual gateway randomly selects an IP address from the address pool and assigns it to the virtual network card of the remote user.
- C . After the remote user virtual network card obtains the private network IP address, the route to the intranet server needs to be manually configured to access intranet resources normally.
- D . The remote user sends a service request packet to the server on the intranet. The packet flows through the SSL VPN tunnel to the virtual gateway.
In the IDC room, a Huawei USG6000 series firewall can be used to divide into several virtual systems, and then the root firewall administrator can generate virtual system administrators to manage each virtual system.
- A . TRUE
- B . FALSE
The two FWs are interconnected through IPSec. Execute display ike sa on FW_A. The result is as follows. Which of the following statements is correct? (Multiple choice)
- A . FW_A is the initiator of IKE secure channel negotiation
- B . FW_B is the initiator of IKE secure channel negotiation
- C . SA between firewalls has been established successfully
- D . SA between firewalls has not been established successfully
In dual-system hot backup, how many cycles does the Slave consider that the peer is faulty when it does not receive the HRP HELLO message sent by the peer?
- A . 1
- B . 2
- C . 3
- D . 5
Which of the following resource allocation methods does Huawei USG6000 product resource allocation support? (Multiple choice)
- A . Quota allocation
- B . Automatic allocation
- C . Manual distribution
- D . Indefinite allocation
The networking of an enterprise is shown in the figure. Dual-system hot backup is configured on USG_A and USG_B, and USG_A is the master device. The administrator wants to configure SSL VPN on the firewall so that branch office employees can access the headquarters through SSL VPN. What should be the virtual gateway address of the SSL VPN?
- A . 202.38.10.2/24
- B . 202.38.10.3/24
- C . 202.38.10.1/24
- D . 10.100.10.2/24
GRE Over IPSec tunnel can realize the transmission of IPX packets.
- A . TRUE
- B . FALSE
Huawei UMA products can be deployed in a logical series connection. Which of the following statements regarding the logical mode of this deployment method is correct?
- A . Logical mode: person -> slave account -> authorization -> master account -> target system.
- B . Logical mode: person -> master account -> authorization -> slave account -> target system.
- C . Logical mode: authorization -> slave account -> person -> master account -> target system.
- D . Logical mode: target system -> slave account -> authorization -> master account -> person.
Global route selection means that when there are multiple equal-cost routes to the destination network, the Huawei USG6000 firewall can dynamically select the outgoing interface according to the link bandwidth, weight, priority set by the administrator or the automatically detected link quality to realize the reasonable utilization of link resources and improvement of user experience.
- A . TRUE
- B . FALSE
When the traffic is finally sent from the outgoing interface, it is limited by the bandwidth of the outgoing interface. If the traffic is greater than the bandwidth of the outgoing interface, which of the following will the traffic be queued to ensure that high-priority packets are sent first?
- A . Remark DSCP priority
- B . Forwarding Priority
- C . Bandwidth Policy Matching Order
- D . QoS
Regarding server load balancing, which of the following technologies can be used to sense changes in server status and ensure that user requests will not be sent to faulty servers?
- A . VGMP Hello message
- B . VRRP packets
- C . DPD
- D . Service Health Check
As shown in the figure, BFD is bound to a static route, and the administrator has made the following configuration on firewall A:
[USG6000_A] bfd
[USG6000_A-bfd] quit
[USG6000_A] bfd as bind peer-ip 1.1.1.2
[USG6000_A-bfd-session-aa] discriminator local 10
[USG6000_A-bfd-session-aa] discriminator remote 20
[USG6000_A-bfd-session-aa] commit
[USG6000_A-bfd-session-aa] quit
Which of the following statements about this configuration is true? (Multiple Choice)
- A . The command "bfd as bind peer-ip 1.1.1.2" is used to create a BFD session binding policy for link status detection
- B . The [USG6000_A] bfd configuration in this command is incorrect, it should be changed to [USG6000_A] bfd enable to enable the BFD function
- C . [USG6000_A-bfd-session-aa] commit is an optional configuration. If not configured, the system will submit the configuration by default and generate BFD session log information, but will not create a session table
- D . The command on the firewall also needs to bind the BFD session to the static route:
[USG6000_A] ip route-static 0.0.0.0 0 1.1.1.2 track bfd-session aa
Use the web page to log in to the SSL VPN gateway, and it will automatically log out after a period of time. The possible reason is that the session of the VPN gateway has timed out.
- A . TRUE
- B . FALSE
Which of the following scenarios can achieve bandwidth multiplexing? (Multiple choice)
- A . Multiple flows are matched to the same bandwidth policy, and bandwidth multiplexing can be achieved between multiple flows.
- B . Multiple bandwidth policies refer to the bandwidth channel in the way of policy sharing, so that bandwidth multiplexing can be achieved among multiple flows that match the bandwidth policy.
- C . Bandwidth multiplexing can be achieved between multiple flows that match multiple child policies in the parent-child policy.
- D . Multiple bandwidth policies refer to the bandwidth channel in a policy-exclusive manner, and bandwidth multiplexing can be achieved among multiple flows that match the bandwidth policy.
Which statements about virtual interfaces are correct? (Multiple choice)
- A . The virtual interface may cause the protocol layer DOWN because the IP address is not configured.
- B . The virtual interface must be added to the security zone to work.
- C . The virtual interface may not be configured with an IP address.
- D . A virtual interface is a logical interface for which an IP address needs to be configured.
To ensure that traffic transmission is not affected by server or link failures, the administrator has configured the health check of the link, but after the configuration is completed, it is found that the status of the health check is still Down. What are the possible reasons? (Multiple choice)
- A . The TRUE end device has not released the corresponding protocol and port
- B . The security policy does not allow traffic
- C . The link for the health check fails
- D . The health check is not called on the interface
Regarding the configuration commands in the intelligent routing below, which of the following are correct? (Multiple choice)
#
multi-interface
mode priority-of-link-quality
priority-of-link-quality parameter delay jitter loss
priority-of-link-quality protocol tcp-simple
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
- A . The bandwidth-based load sharing method is used
- B . The parameters of link quality detection are delay, jitter and packet loss rate
- C . The TCP protocol used for detection
- D . 3 links are selected for load balancing
The following figure shows the application scenario of L2TP over IPSec. The client uses the pre-shared-key method for IPSec authentication. How should the IPSec security policy be configured on the LNS side? (Multiple choice)
- A . Negotiate using IKE v1 main mode
- B . Negotiate using IKE v2
- C . Configure IPSec security policy
- D . Configure IPSec Policy Template
What algorithm can session persistence be based on?
- A . Least Connection algorithm
- B . Source IP hash algorithm
- C . Simple polling algorithm
- D . Weighted Round Robin algorithm
In order to prevent applications such as Email and ERP from being affected during normal working hours, an enterprise hopes that the minimum bandwidth available for such traffic is not less than 60Mbps. Which of the following configuration meets the requirements?
- A . time-range work_time
period-range 09: 00: 00 to 18: 00: 00 working-day
traffic-policy
profile profile_email
bandwidth guaranteed-bandwidth whole both 60000
rule name policy_email
source-zone trust
destination-zone untrust
application app BT
application app YouKu
time-range work_time
action qos profile profile_email - B . time-range work_time
period-range 00: 00: 00 to 09: 00: 00 working-day
traffic-policy
profile profile_email
bandwidth guaranteed-bandwidth whole both 60000
rule name policy_email
source-zone trust
destination-zone untrust
application app LotusNotes
application app OWA
time-range work_time
action qos profile profile_email - C . time-range work_time
period-range 09: 00: 00 to 18: 00: 00 working-day
traffic-policy
profile profile_email
bandwidth guaranteed-bandwidth whole both 60000
rule name policy_email
source-zone trust
destination-zone untrust
application app LotusNotes
application app OWA
time-range work_time
action qos profile profile_email - D . time-range work_time
period-range 09: 00: 00 to 18: 00: 00 working-day
traffic-policy
profile profile_email
bandwidth maximum-bandwidth whole both 60000
rule name policy_email
source-zone trust
destination-zone untrust
application app LotusNotes
application app OWA
time-range work_time
action qos profile profile_email
Which of the following information is included in the main mode negotiation process in the first phase of IKE v1 negotiation? (Multiple choice)
- A . IKE Proposal Set
- B . IPSec Proposal Set
- C . DH key exchange public information
- D . Identity information of both parties
Which of the following log categories does the firewall log, content log, policy hit log, mail filtering log, URL filtering log and audit log all belong to?
- A . Session log
- B . Packet Loss Log
- C . Business log
- D . System log
As shown in the figure below, the firewall GE0/0/0 interface is directly connected to the PC host through a network cable.
Which of the following commands can work together to complete the backup operation of the system configuration file vrpcfg.cfg? (Multiple choice)
- A . Complete the following commands on the firewall:
[USG] ftp server enable
Info: Start FTP server
[USG] aaa
[USG-aaa] local-user ftpuser password simple Ftppass#
[USG-aaa] local-user ftpuser service-type ftp
[USG-aaa] local-user ftpuser ftp-directory hda1:/ - B . Complete the following commands on the firewall:
<USG> ftp 192.168.0.2
Trying 192.168.0.2
Press CTRL+K to abort
Connected to 192.168.0.2.
220 FTP Server ready.
User ( 192.168.0.2: ( none)): ftpuser
331 Password required for ftpuser.
Password:
230 User ftpuser logged in.
[ftp] get vrpcfg .cfg - C . Complete the following commands on the PC:
C:Documents and SettingsAdministrator> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User ( 192.168.0.1: ( none)): ftpuser
331 Password required for ftpuser.
Password:
230 User logged in.
ftp> get vrpcfg.cfg - D . Complete the following commands on the PC:
C:Documents and SettingsAdministrator> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FFP service ready.
User ( 192.168.0.1: ( none)): ftpuser
331 Password required for ftpuser.
Password:
230 User logged in.
ftp> put vrpcfg.cfg
Which of the following statements about IPsec is false?
- A . In transport mode, ESP does not validate IP packet headers
- B . AH can only verify data packets and cannot encrypt them
- C . ESP can support NAT traversal
- D . AH protocol uses 3DES algorithm for data authentication
If using SSL VPN to provide file sharing function, all files under the shared directory are visible to end users.
Which of the following statements regarding the configuration of file share paths is correct?
- A . The format of SMB type resource is: //IP address (hostname)/shared folder. The SMB type resource path can be a multi-level shared folder directory.
- B . The format of NFS type resource is: //IP address (hostname)/dir1/dir2/shared folder. An NFS type resource path can only have a first-level shared folder directory.
- C . Select SMB for file sharing resources under Windows system.
- D . Select SMB for file sharing resources under Linux system.
Which of the descriptions of the virtual system is incorrect?
- A . There are two types of virtual systems on the NGFW: root system and virtual system.
- B . A special virtual system that exists by default on the NGFW is called the root system.
- C . The logical devices that are divided and run independently on the NGFW are called virtual systems.
- D . If the virtual system function is not enabled, the root system does not exist.
Which of the following devices can detect unknown malicious files transmitted in the network in a virtual environment?
- A . eSight
- B . LogCenter
- C . FireHunter
- D . WAF
Regarding the server load balancing technology, the commands executed on the firewall and the output obtained are as follows:
Which of the following statement is correct?
- A . The load balancing policy enables the service health check function, and the detection packets used are TCP packets.
- B . The load balancing policy uses a weighted round-robin algorithm.
- C . The load balancing policy adopts the weighted least connection algorithm.
- D . The real servers of the load balancing policy are all in the mandatory unavailable state.
After completing the configuration of intelligent routing, it is found that the traffic is not forwarded according to the configuration. What measures can the administrator take? (Multiple choices)
- A . Reconfigure the intelligent routing strategy
- B . Wait for the session table to age
- C . Manually clear session table information through the command line reset firewall session table
- D . Submit the configuration for it to take effect
When configuring the IPSec VPN certificate authentication method, if you choose the "RSA signature" authentication method, which of the following steps need to be configured? (Multiple choice)
- A . Upload the CA certificate
- B . Upload the local certificate
- C . Upload the peer device certificate
- D . Create a public-private key pair for the local device
When the BFD session state is "Init", which of the following statements is true?
- A . The session has just been created
- B . The local end wants to make the session enter the Up state
- C . The session has been established successfully
- D . The session is in an administrative Down state
Which of the following is the possible cause of the failure?
- A . The route between the gateway and the intranet server is unreachable.
- B . The user is not assigned to the resources of the web proxy.
- C . The security policy does not allow traffic from the extranet to the intranet server.
- D . The SSL VPN one-arm deployment is attached to the firewall. It is necessary to use NAT to map the private network address of the SSL VPN gateway to the public network address. The address mapping is incorrect.
IP-Link will send a detection packet to the specified IP address. By default, when the detection fails for 3 times, the link to this IP address is considered to be faulty.
- A . TRUE
- B . FALSE
Which of the following is not the purpose of bandwidth management?
- A . Limit bandwidth
- B . Guaranteed number of connections
- C . Limit the number of connections
- D . Guaranteed bandwidth