QUESTION 121
For applications such as P2P download and online video streaming, the traditional method of limiting the bandwidth cannot deal with such activities as slow but prolonged P2P downloads and caching. In this case, the quota control policy can be used to rate-limit the traffic.
A. TRUE
B. FALSE
Correct Answer: A
QUESTION 122
Which of the following statements is false about sticky session on firewalls?
A. After this function is enabled, the traffic of both new and original users is always forwarded through the overloaded link, but the session is not interrupted.
B. If this function is disabled, sessions may be re-established when the link is overloaded.
C. This function can be used together with the global route selection policy.
D. You can run the display session persistence table command to view sticky session entries.
Correct Answer: A
QUESTION 123
The figure shows the global route selection policy in the active/ standby backup mode based on the link priority. Which of the following statements are true?
A. The link connected to ISP1 has the highest priority. Therefore, the firewall’s interface connected to ISP1 is the main interface.
B. If no overload protection threshold is specified for the main interface, the firewall will not use other links to transmit traffic even if the link on which the main interface resides is overloaded.
C. When the link on which the main interface resides is faulty, the remaining backup interfaces work in load balancing mode.
D. If the bandwidth, forwarding delay, and lease cost of each link differ greatly, you can preferentially use some links to transmit traffic and use the other links as backup links or load balancing links to improve service reliability. In this case, global route selection in the active/standby backup mode based on the link priority is recommended.
Correct Answer: AB
QUESTION 124
Which of the following is not a matching condition of PBR?
A. Source port number
B. Source security zone
C. Source IP address
D. DSCP priority
Correct Answer: A
QUESTION 125
When AH-ESP is used for packet encapsulation in IPsec, packets are encapsulated with ESP and then with AH.
A. TRUE
B. FALSE
Correct Answer: A
QUESTION 126
When gateways are connected using GRE over IPsec, the IPsec encapsulation mode must be tunnel mode.
A. TRUE
B. FALSE
Correct Answer: B
QUESTION 127
If a NAT device sits between two NAT gateways with NAT traversal enabled, NAT traversal encapsulates ESP packets with an additional layer of UDP headers. Which of the following is the source and destination port numbers in the UDP header?
A. Source port: 500; destination port: 500
B. Source port: 4500; destination port: 4500
C. Source port: 4500; destination port: 500
D. Source port: 500; destination port: 4500
Correct Answer: B
QUESTION 128
IPsec VPN uses symmetric keys to encrypt service data.
A. TRUE
B. FALSE
Correct Answer: A
QUESTION 129
Encapsulating Security Payload (ESP) is an IPsec protocol used to provide confidentiality and anti-replay services for IP data, including confidentiality of message contents and limited traffic flow confidentiality. Which of the following is the protocol number of ESP?
A. 500
B. 51
C. 50
D. 4500
Correct Answer: C
QUESTION 130
An IPsec VPN is established in IKEv1 aggressive mode. When a NAT device is detected, port number translation starts from which of the following ISAKMP messages?
A. Message 2
B. Message 1
C. Message 4
D. Message 3
Correct Answer: D
QUESTION 131
Which of the following protocols are supported by the file sharing function of SSL VPN?
A. HTTP
B. FTP
C. SMB
D. NFS
Correct Answer: CD
QUESTION 132
Which of the following statements is false about SSL VPN features?
A. SSL VPN supports various IP applications.
B. SSL VPN enables access to application-layer resources and supports application release in a refined manner.
C. The SSL VPN login uses a browser, and no client is needed. In this way, users can quickly log in to the device anytime, anywhere, relieving the maintenance workload of network administrators.
D. SSL VPN supports only a few authentication types and is difficult to integrate with the original identity authentication system.
Correct Answer: D
QUESTION 133
The network extension service of the SSL VPN can implement network-wide access to all complex applications on the intranet. Which of the following is not the routing mode of the network extension service?
A. Full tunnel
B. Split tunnel
C. Manual tunnel
D. Aggregation
Correct Answer: D
QUESTION 134
In a UDP flood attack, a large amount of traffic is initiated to occupy protocol stack resources, resulting in the server refusing to provide services for authorized users.
A. TRUE
B. FALSE
Correct Answer: A
QUESTION 135
Which of the following mirroring modes are supported by Huawei anti-DDoS system?
A. Optical splitting through an optical splitter
B. BGP traffic diversion
C. Port mirroring on the egress device
D. PBR-based traffic diversion
Correct Answer: AC
QUESTION 136
The following figure shows the network topology of an enterprise. Which of the following is a proper traffic injection mode?

A. Static route injection
B. Layer 2 injection
C. PBR-based Injection
D. GRE VPN injection
Correct Answer: A
QUESTION 137
Which of the following statements is false about the cleaning center?
A. The cleaning device supports a wide range of flexible attack defense technologies, but cannot defend against CC attacks or ICMP flood attacks.
B. Traffic injection modes include PBR-based injection, static route injection, VPN injection, and Layer 2 injection.
C. There are two traffic diversion modes: static traffic diversion and dynamic traffic diversion.
D. The cleaning center diverts and cleans abnormal traffic, and injects clean traffic back to the original link.
Correct Answer: A
QUESTION 138
There are many types of single-packet attacks. Which of the following is a common single-packet attack shown in the figure?

A. WinNuke attack
B. Teardrop attack
C. Fraggle attack
D. LAND attack
Correct Answer: B
QUESTION 139
If a firewall identifies the keyword during data filtering detection, the firewall performs the response action. Which of the following response actions cannot be performed by the firewall?
A. Delete
B. Operate by weight
C. Alert
D. Block
Correct Answer: B
QUESTION 140
To control user behaviors such as thread posting and user login, which of the following HTTP behavior control should be configured?
A. Redirection
B. File download
C. File upload
D. POST
Correct Answer: D
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.