The correct statement about UDP Flood and TCP Flood attack prevention is: (Multiple Choice)
- A . The UDP protocol is connectionless, so it cannot be implemented by source detection.
- B . Prevent UDP Flood by analyzing the rules and characteristics of UDP packets sent by a certain host, the rules and characteristics are called fingerprint learning.
- C . The fingerprint learning function of UDP packets learns all fields of the packet data segment.
- D . UDP and TCP protocols can be implemented through proxy technology.
When the IPsec negotiation fails, turn on the IKE debug switch, and the following information is displayed: got NOTIFY of type INVALID_ID_INFORMATION or drop message from ABCD due to notification type INVALID_ID_INFORMATION, what does it mean?
- A . The IKE proposals at both ends do not match
- B . IPsec proposals at both ends do not match
- C . The ACL configurations at both ends do not match
- D . The LOCAL-ID-TYPE configurations at both ends do not match
What are the implementation mechanisms of intrusion prevention? (Multiple Choice)
- A . Blacklist matching
- B . Protocol Identification and Protocol Resolution
- C . Feature matching
- D . Response handling
Which statement about MTU and PMTU is correct? (Multiple Choice)
- A . MTU (Maximum Transfer Unit) refers to the size of the largest data packet that can be transmitted in the network, in bytes.
- B . The device will check the MTU on the inbound interface, and if the packet size exceeds the MTU value, it will be discarded.
- C . In an IP network, interfaces with different MTU values may be passed from the source address to the destination address, and the largest MTU value is the PMTU of the path.
- D . PMTU detection is to obtain the PMTU value of the specified destination IPv4 address through detection, and then use the MTU value to send packets.
In NGFW, to use the RBL blacklist, which of the following key options need to be configured by the network administrator? (Multiple Choice)
- A . DNS server
- B . Response code
- C . RBL server IP address
- D . SMTP server IP address
Regarding the relationship between 802.1X and RADIUS, which of the following descriptions is correct?
- A . 802.1X and RADIUS are different names for the same technology.
- B . 802.1X is a technical system that includes RADIUS.
- C . 802.1X and RADIUS are different technologies, but they are often used together to complete access control to end users.
- D . 802.1X and RADIUS are two completely different technologies and are usually not used together.
Which of the following aspects are included in the host reinforcement? (Multiple Choice)
- A . Operating system hardening
- B . Database hardening
- C . Account password security
- D . Network management system reinforcement
- E . Vulnerability scanning
What functions does content filtering include in the Huawei USG firewall? (Multiple Choice)
- A . File Content Filtering
- B . Apply Content Filtering
- C . File extension filtering
- D . Mail filtering
The intranet IP address of a Web Server deployed in the DMZ area of an enterprise is 10.1.1.3, the port is 8080, the public network address announced to the outside world is 1.1.1.2, and the external port number is 80.
Configure the following commands on the firewall:
[USG6600] security-policy
[USG6600-policy-security] rule name untrust_to_mz
[USG6600-policy-security-rule-untrust_to_mz] source-zone untrust
[USG6600-policy-security-rule-untrust_to_mz] destination-zone dmz
[USG6600-policy-security-rule-untrust_to_mz] destination-address 1.1.1.2 32
[USG6600-policy-security-rule-untrust_to_mz] service http
[USG6600-policy-security-rule-untrust_to_mz] action permit
[USG6600] nat server webserver protocol tcp global 1.1.1.2 www inside 10.1.1.3 8080
The external network PC cannot access the Web Server at 10.1.1.3 within the enterprise. Please analyze the most likely reasons for this:
- A . The firewall does not open the default packet filtering policy from the untrust zone to the DMZ zone
- B . The firewall untrust to DMZ zone security policy should be configured as service 8080
- C . The firewall untrust to DMZ zone security policy should be configured as destination-address 10.1.1.3 32
- D . Firewall should be configured as nat server webserver protocol tcp global 1.1.1.2 80 inside 10.1.1.3 8080
The whitelist + blacklist mode is adopted in terminal security management. Which of the following are normal behaviors?
- A . The terminal host does not have the software in the whitelist installed, nor the software in the blacklist.
- B . The terminal host installs all the software in the white list, but does not install the software in the black list.
- C . Some software in the whitelist is installed on the terminal host, but the software in the blacklist is not installed.
- D . The terminal host installs all the software of the whitelist terminal, and installs some software in the blacklist.
There are hundreds of people in a medium-sized enterprise network accessing the Internet through the company’s firewall, and the company has deployed a corporate portal website in the firewall DMZ. Which of the following criteria should be followed as an IT security officer for purchasing and deploying Internet access auditing products?
- A . Order No. 82 of the Ministry of Public Security
- B . ISO27002
- C . State Office issued No. 28
- D . NIST800-53
The centralized networking scheme of three servers, as shown in the figure, the administrator found that only one of the three Agile Controllers in the resource pool was alive.
In this case, which of the following descriptions is correct? (Multiple Choice)
- A . All three database servers cannot work properly, and only one of the three Agile Controllers in the resource pool is alive. In this case, all Agile Controller services are transferred to the surviving Agile Controller and can operate normally, and terminal identity authentication, access control, software distribution, patch installation, and asset management will not be affected.
- B . After the Agile Controller is started, each Agile Controller will immediately read the database and save it on the local hard disk as a cache. If all databases become unavailable due to a failure, the Agile Controller will continue to maintain the operation of the Agile Controller service by using the cache saved at that time as the data source.
- C . At this point, you can try to restart the surviving Agile Controller, and repair the database server when restarting.
- D . At this time, the escape channel on the firewall has been opened.
For border network security, which of the following options are recommended for planning and deployment priorities? (Multiple Choice)
- A . Security Domain Isolation
- B . IPS real-time intrusion prevention
- C . Enable device virtualization
- D . Deploy a VPN
- E . Enable DDoS function
Regarding the description of NAT Server, which of the following is correct?
- A . If the public network address of the NAT Server and the corresponding public network interface address are in the same network segment, you do not need to configure black hole routing.
- B . If the public network address of the NAT Server and the corresponding public network interface address are not in the same network segment, you do not need to configure black hole routing.
- C . If the public network address of the NAT Server is an interface address, if a black hole route is configured for this address, service access to the firewall itself will be abnormal.
- D . The NAT Server cannot be configured on the virtual firewall for users of the root firewall.
Regarding the way SACG equipment accesses the network, which of the following descriptions are correct? (Multiple Choice)
- A . SACG equipment is required to communicate with the terminal at Layer 2.
- B . The SACG is usually side-mounted on the core switch device and uses policy routing to divert traffic.
- C . SACG supports side-hanging on non-Huawei devices.
- D . SACG devices are required to communicate with the Agile Controller at Layer 2.
The USG firewall is directly connected to other devices at Layer 3. During commissioning, it was found that the peer IP address directly connected from the firewall could not be pinged. It was confirmed that there was no problem with the peer device. What are the possible reasons? (Multiple Choice)
- A . Routing configuration error on the firewall
- B . The firewall interface is not added to the security domain
- C . The packet filtering from the firewall local to the corresponding security domain is not enabled
- D . The intra-domain packet filtering policy of the corresponding domain of the firewall is not enabled
What is the online certificate application method supported by firewall PKI?
- A . HTTP
- B . LDAP
- C . TFTP
- D . SCEP
- E . FTP
Which of the following descriptions about SACG certification are correct? (Multiple Choice)
- A . SACG certification is generally used for existing wired networks.
- B . SACG certification is generally used for new wireless networks.
- C . SACG is generally deployed in a bypass mode without changing the original network topology.
- D . SACG essentially controls access users through 802.1X technology.
When the firewall uses the IPsec function, which protocols and ports need to be opened? (Multiple Choice)
- A . The protocols are IP packets with AH and ESP.
- B . UDP packets with source ports 500 and 4500.
- C . UDP packets with destination ports 500 and 4500.
- D . UDP packets with destination port 1701.
The firewall is deployed between the mobile terminal of the wireless user and the WAP gateway, the mobile terminal is in the trust zone, and the WAP gateway is in the untrust zone, and the following configurations are made:
[USG] acl 3000
[USG-acl-adv-3000] rule permit ip destination 202.10.10.2 0
[USG-acl-adv-3000] quit
[USG] firewall zone trust
[USG-zone-trust] destination-nat 3000 address 200.10.10.2
[USG-zone-trust] quit
Which of the following descriptions are correct?
- A . This configuration can also be applied to server address mapping scenarios
- B . The command firewall zone trust should be changed to firewall interzone trust untrust outbound
- C . The firewall translates the destination address of the packet accessing the gateway address of 202.10.10.2 to 200.10.10.2
- D . The command firewall zone trust should be changed to firewall interzone untrust trust
The networking of a certain network is as follows: PC --- ADSL router --- USG --- LAN
The key configurations of the USG are as follows:
l2tp enable
interface Virtual-Template1
ppp authentication-mode pap
ip address 4.1.1.1 255.255.255.0
remote address pool 1
l2tp-group 1
mandatory-lcp
allow l2tp virtual-template 1
#
user-manage user pc1
password admin@123
aaa
domain default
ip pool 1 4.1.1.1 4.1.1.99
Assuming that other configurations are complete and correct, what is the problem with this configuration in actual work?
- A . You can dial successfully, and you can also access the intranet server.
- B . Cannot dial successfully.
- C . Disconnect immediately after successful dialing.
- D . The dial-up is successful, but the intranet server cannot be accessed.
Which of the following attack methods are network layer attacks? (Multiple Choice)
- A . Constructing data packets with wrong TTL value, causing the device to handle abnormally.
- B . Constructing many SYN packets, leading to exhaustion of host resources.
- C . Constructing a packet with an abnormal TCP flag bit, causing the host to process abnormally.
- D . Constructing a packet with an incorrect IP fragment flag, causing the host to process abnormally.
In a dual-system hot backup network with the following configuration, PC2 sends an ARP request for the MAC address of IP 10.100.30.8. Which of the following options is correct?
sysname NGFW_A
#
hrp enable
hrp interface GigabitEthernet 0/0/3
#
interface GigabitEthernet0/0/1
ip address 192.168.10.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.10.1 active
#
interface GigabitEthernet0/0/2
ip address 10.100.30.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.100.30.1 active
#
nat address-group 1
section 0 10.100.30.8 10.100.30.9
#
nat-policy
rule name trust to untrust
source-zone trust
destination-zone untrust
source-address 192.168.10.0 24
action nat address-group 1
- A . NGFW_A responds to this ARP with VMAC
- B . NGFW_B responds to this ARP with VMAC
- C . The MAC of the NGFW_A interface responds to this ARP
- D . The MAC of the NGFW_B interface responds to this ARP
If the content of the visited web page contains filtered content, what will be the result?
- A . Display "Cannot open webpage"
- B . Display "The web page has been filtered".
- C . The filtered content is deleted and will not be displayed.
- D . The filter content is replaced with “*”.
The Trust zone of the USG firewall of a certain network is connected to the terminal host, and the Untrust zone is connected to the security controller. If the security controller can issue rules to the USG, which of the following security policies must be configured?
- A . security-policy
rule name local_to_trust
source-zone local
destination-zone trust
action permit
- B . security-policy
rule name untrust_to_local
source-zone untrust
destination-zone local
action permit
- C . security-policy
rule name to_local
source-zone untrust trust
destination-zone local
action permit
- D . security-policy
rule name untrust_to_local
source-zone untrust
destination-zone local
action permit
rule name local_to_trust
source-zone local
destination-zone trust
action permit
When the network traffic is heavy, if you do not want the downstream network to be congested or to directly discard many packets because of the excessive data traffic sent upstream, you can limit and cache the traffic on the outbound interface of the upstream device, so that such packets are sent out at a relatively uniform speed.
This technique can be:
- A . GTS
- B . CAR
- C . WRED
- D . CBWFQ
VGMP manages the status of VRRP backup groups in a unified manner. The Active priority of the VGMP management group is 65001 and the Standby priority is 65000. When the VGMP management group detects, through a VRRP backup group or directly, that an interface is Down, the priority of the VGMP management group is recalculated. Each time an interface goes Down, the priority of the VGMP management group decreases by 2.
- A . TRUE
- B . FALSE
Static routes are configured between NGFW_A and NGFW_B and between NGFW_A and NGFW_C. NGFW_A -> NGFW_B is the primary link, and NGFW_A -> NGFW_C is the backup link. It is required that the traffic can be quickly switched to the backup link when the primary link fails, and that the traffic can be switched back to the primary link after the primary link is restored.
Which of the following configurations are correct? (Multiple Choice)
A. [USG_A] bfd
[USG_A] bfd ab bind peer-ip 10.1.1.2
[USG_A-bfd-session-ab] discriminator local 10
[USG_A-bfd-session-ab] discriminator remote 20
[USG_A-bfd-session-ab] commit
[USG_A] ip route-static 0.0.0.0 0 10.1.1.2 track bfd-session ab
[USG_A] ip route-static 0.0.0.0 0 20.1.1.2 preference 100
B. [USG_A] bfd
[USG_A] bfd ab bind peer-ip 10.1.1.2
[USG_A-bfd-session-ab] discriminator local 10
[USG_A-bfd-session-ab] discriminator remote 20
[USG_A-bfd-session-ab] commit
[USG_A] ip route-static 0.0.0.0 0 10.1.1.2
[USG_A] ip route-static 0.0.0.0 0 20.1.1.2 preference 100 track bfd-session ab
C. [USG_B] bfd
[USG_B] bfd ab bind peer-ip 10.1.1.1
[USG_B-bfd-session-ab] discriminator local 20
[USG_B-bfd-session-ab] discriminator remote 10
[USG_B-bfd-session-ab] commit
D. [USG_B] bfd
[USG_B] bfd ab bind peer-ip 10.1.1.1
[USG_B-bfd-session-ab] discriminator local 10
[USG_B-bfd-session-ab] discriminator remote 20
[USG_B-bfd-session-ab] commit
168.22.122:22 <– 192.168.22.151:4354
- A . Because the SSH client supports packet retransmission during the login process.
- B . When the PC logs in to the standby firewall FW2, the round-trip paths are inconsistent.
- C . The problem may be caused by turning off hrp mirror session enable.
- D . The problem is caused by the session link-state check function being turned off (undo firewall session link-state check).
What are the possible reasons why the local license cannot be activated? (Multiple Choice)
- A . ESN mismatch
- B . The device cannot connect to sec.huawei.com
- C . The function item in the License has expired
- D . The device is not configured with an activation password
168.1.2:44012[1.1.1.3:6103] –> 2.2.2.2:2048
Which of the following descriptions are correct? (Multiple Choice)
- A . The device with the address 192.160.1.2 is pinging the public network address 2.2.2.2.
- B . The device with the address 1.1.1.3 is performing a ping test on the public network address 2.2.2.2.
- C . NAT destination address one-to-one address mapping is configured on the firewall.
- D . Many-to-one address mapping of NAPT source addresses is configured on the firewall.
What are the URL matching methods in the URL filtering function in USG? (Multiple Choice)
- A . Prefix
- B . Suffix
- C . Parameters
- D . Exact match
- E . Keywords
Which of the following functional modules can be used in conjunction with the IP-Link function? (Multiple Choice)
- A . DHCP
- B . Routing Policy
- C . VRRP
- D . OSPF
As shown in the figure, which illustrates the negotiation process of IPsec, which of the following descriptions are correct? (Multiple Choice)
- A . This process is the IKEv2 negotiation process.
- B . The red box part is the EAP authentication process.
- C . ①② means that the two parties negotiate the data flow to be protected and the IPsec security proposal.
- D . The red box is a mandatory negotiation process
In a new campus network of an enterprise, under an access switch, ordinary PC users and dumb terminal users need to connect to the Internet at the same time.
Which authentication method is recommended to be deployed on this switch?
- A . 802.1X authentication
- B . Portal Authentication
- C . MAC Authentication
- D . MAC bypass authentication
Which of the following is a correct description of the stateful inspection firewall forwarding principle? (Multiple Choice)
- A . The non-first packet forwarding is based on the session table, which can only be forwarded if it matches the session table.
- B . ICMP packets do not perform stateful inspection.
- C . Establish a connection for the UDP data stream when processing UDP protocol packets.
- D . The firewall does not support the stateful inspection mechanism when deployed as a Layer 2 device.
- E . Session state detection is performed based on the three-way handshake of the TCP connection.
The administrator wants to use the SSL function of the USG gateway to provide quick and secure access to all resources in the enterprise intranet, not only Web resources. The communication between the client and the virtual gateway must use the SSL security protocol, and the SSL client must not affect access to other network resources and must be able to access Internet resources directly. The function to use is _______________.
- A . Network expansion in full routing mode
- B . Network Expansion in Split Mode
- C . Network expansion in manual mode
- D . Port forwarding
In the abnormal traffic cleaning solution, automatic traffic diversion means that the detection device reports abnormal traffic to the management center, and the management center automatically generates diversion tasks and automatically delivers them to the cleaning device.
Which specific diversion technology is generally required to achieve automatic traffic diversion?
- A . BGP diversion
- B . Static route diversion
- C . Policy routing diversion
- D . GRE diversion
If you use a mobile terminal (Android or Apple system) to access intranet resources through a web proxy, which of the following methods should be recommended?
- A . Only use web link
- B . Only use web rewrite
- C . You can use web link or web rewrite
- D . Such mobile phones cannot access intranet resources through web proxy at all
168.100.28:1036 [58.251.159.112:2048] –> 111.206.79.100:80
Which of the following descriptions is incorrect?
- A . The firewall interface GigabitEthernet0/0/1 belongs to the untrust zone.
- B . The MAC address of the outgoing interface of the firewall is 00-0f-e2-a2-a2-61.
- C . The internal network 192.168.100.28 host establishes an http connection with the external network 111.206.79.100.
- D . The address after NAT translation is 58.251.159.112.
Which of the following applications cannot be secured using packet filtering alone? (Multiple Choice)
- A . WWW service
- B . Telnet Service
- C . FTP service
- D . H.323
Due to a network upgrade, the dual-system hot-standby devices USG_A and USG_B need to be replaced with new USG hardware. How should the upgrade be performed without affecting services?
USG_A is the Active device, and USG_B is the Standby device.
Which of the following are the correct cutover steps?
① Connect the 5th line to the new USG_B in sequence.
② Connect lines 1, 2, and 3 from the old USG_A to the new USG_A in turn.
③ Power on the new USG_B and the new USG_A, and import the configuration.
④ Enter undo hrp enable in USG_B, and cut off lines 4, 5, and 3 in turn.
⑤ Adjust the routing cost so that all traffic passes through USG_B.
⑥ Enter hrp enable for the new USG_A and new USG_B, and adjust the routing cost to meet the expectations.
- A . ③ -> ④ -> ① -> ⑤ -> ② -> ⑥
- B . ③ -> ④ -> ① -> ② -> ⑥ -> ⑤
- C . ④ -> ① -> ⑤ -> ③ -> ② -> ⑥
- D . ③ -> ④ -> ⑤ -> ① -> ② -> ⑥
An enterprise has the following requirements:
The intranet users in the Trust zone are on the 192.168.1.0/24 network segment and can access the Internet. There are a total of 50 hosts (192.168.1.1-192.168.1.50) with a total bandwidth of 500M.
Which of the following plans are reasonable?
- A . The overall bandwidth is limited to 500M, and the maximum bandwidth of each IP is 12M.
- B . The overall bandwidth is limited to 400M, and the maximum bandwidth per IP is 12M.
- C . The overall bandwidth is limited to 500M, and the maximum bandwidth of 192.168.1.1-192.168.1.50 per IP is 12M.
- D . The overall bandwidth is limited to 500M, the guaranteed bandwidth is 500M, and the maximum bandwidth per IP is 10M.
Do the following configuration on the firewall:
[USG-policy-security] rule name Trust Local
[USG-policy-security-rule-Untrust Local] source-zone trust
[USG-policy-security-rule-Untrust Local] destination-zone local
[USG-policy-security-rule-Untrust Local] source-address 192.168.5.2 32
[USG-policy-security-rule-Untrust Local] destination-address 192.168.5.1 32
[USG-policy-security-rule-Untrust Local] service http
[USG-policy-security-rule-Untrust Local] service telnet
[USG-policy-security-rule-Untrust Local] action permit
Please select the correct description below: (Multiple Choice)
- A . Allow the firewall to log in to the device at 192.168.5.1 through Telnet.
- B . Allow the IP address 192.168.5.2/24 to log in to the firewall through Telnet.
- C . Allow the firewall to log in to the device at 192.168.5.1 through the Web.
- D . Allow the 192.168.5.2/24 address segment to log in to the firewall through the Web.
The IPsec VPN tunnel is successfully established, but accessing the peer's private network web pages is slow or intermittent. The influence of Internet network quality has been ruled out. The possible faults are: (Multiple Choice)
- A . The problem of packet fragmentation
- B . The CPU usage of the egress gateway is too high
- C . There is a NAT device in the middle of the network
- D . The packet filtering policy is not enabled
When using the SSL VPN network extension function, the virtual IP address pool can be set to the same network segment as the IP address of the internal network interface of the device.
If the virtual IP address pool and the IP address of the internal network interface are not on the same network segment, manually configure the route to the address pool on the device. The outbound interface is the internal network interface, and the next hop is the next hop of the internal network interface.
- A . TRUE
- B . FALSE
When a corporate intranet user accesses the Internet through the USG firewall, a certain URL has been added to the blacklist, but the user can still access it. What are the possible reasons for the failure of the URL filtering function? (Multiple Choice)
- A . Not updating the list of remote URLs
- B . The URL filtering policy is not applied in the corresponding inter-domain direction
- C . The URL remote query function is not enabled
- D . No URL filtering configuration file submitted
Which of the following options can be used as a condition for Portal push? (Multiple Choice)
- A . Terminal IP address range
- B . Terminal browser type
- C . Terminal Equipment Type
- D . SSID of the access AP
- E . The MAC address of the access AP
- F . MAC address of the access AC
Mobile employees access the headquarters through the L2TP over IPsec tunnel. The correct statement about the planning and deployment is: (Multiple Choice)
- A . The Security ACL of the headquarters USG gateway should be
[USG] acl 3000
[USG-acl-adv-3000] rule permit udp source-port eq 1701
- B . Since IKE V1 cannot assign addresses to remote users, address assignment must be implemented through L2TP.
- C . L2TP generally uses NAS-Initialized mode.
- D . The NAT traversal function cannot be used.
Which of the following statements about dual-system hot standby is correct? (Multiple Choice)
- A . The firewall is connected to the router upstream and connected to the Layer 2 switch downstream. OSPF+VRRP can be used to achieve load balancing.
- B . When link state detection is enabled, and incoming and outgoing packets are forwarded by the active and standby USGs respectively, and the USG does not enable rate-dependent backup, the TCP service can pass smoothly.
- C . The default priority of the Active group is 65001, and the default priority of the Standby group is 65000.
- D . The slot numbers of the physical cards of the two devices can be different.