QUESTION 161
If a bandwidth profile is referenced by bandwidth policies and the working mode is policy sharing, all the bandwidth policies that reference the bandwidth profile are restricted by the bandwidth profile.
A. TRUE
B. FALSE
Correct Answer: B
QUESTION 162
PBR can interwork with IP-link or BFD to enable the firewall to determine the availability of PBR based on the IP-Link or BFD status check result.
A. TRUE
B. FALSE
Correct Answer: A
QUESTION 163
Which of the following statements is false about PBR matching rules?
A. Multiple values can be configured for a matching condition and these values are ORed. That is, a packet matches a condition as long as it meets any of the values.
B. By default, the system has a default PBR named default, which is located at the bottom of the policy list and has the lowest priority. In the PBR, all matching conditions are any, and the action is to not perform policy-based routing.
C. When multiple PBR rules are configured, they are sorted in the order in which they are configured by default.
D. Each PBR contains only one matching condition.
Correct Answer: D
QUESTION 164
A PBR consists of matching conditions and an action. After receiving traffic, the firewall identifies traffic attributes, and matches the traffic attributes with the matching conditions of the PBR.
A. TRUE
B. FALSE
Correct Answer: A
QUESTION 165
In the figure, an IPsec tunnel is established between FW_A and FW_B. After the display like sa command is run on FW_A, the following information is displayed:
A. The encryption algorithms are inconsistent.
B. The route to the IKE peer is unreachable.
C. The peer gateway on the local device and the local address on the peer end do not match.
D. The ACLs at both ends do not overlap.
Correct Answer: D
QUESTION 166
Which of the following statements are true about IPsec policies configured manually?
A. The local inbound SA parameters may not be the same as the peer outbound SA parameters.
B. In manual mode, all security parameters of an IPsec policy must be manually configured.
C. The configuration workload is heavy for administrators.
D. This mode is applicable to small-scale static environments.
Correct Answer: BCD
QUESTION 167
In the figure, an IPsec tunnel is established between the headquarters and branch. When the active firewall FW A1 is faulty, traffic is diverted to the standby firewall FW A2 for IPsec forwarding. To ensure uninterrupted IPsec traffic during active/standby link switchover, what is the minimum number of IPsec tunnels that need to be established?
A. 1
B. 2
C. 3
D. 4
Correct Answer: A
QUESTION 168
IPsec uses an asymmetric encryption algorithm to encrypt and transmit data.
A. TRUE
B. FALSE
Correct Answer: B
QUESTION 169
An SA is uniquely identified by a 3-tuple, which comprises the Security Parameter Index (SPI), source IP address, and security protocol number.
A. TRUE
B. FALSE
Correct Answer: B
QUESTION 170
In the figure, enterprise A and enterprise B need to communicate securely, and an IPsec tunnel is established between firewall A and firewall B. Which of the following security protocols and encapsulation modes can meet the requirements of this scenario?
A. ESP; tunnel mode
B. AH; tunnel mode
C. AH+ESP; transport mode
D. ESP; transport mode
Correct Answer: A
QUESTION 171
After the display ike sa command is run on the firewall, the following command output is displayed:
display ike sa current ike sa number: 0
The output indicates that the IKE SA is not established.
A. TRUE
B. FALSE
Correct Answer: A
QUESTION 172
A user uses SSL to access intranet network resources. The administrator enables the file sharing and web proxy services for the user and permits the service traffic on the firewall. However, after the user enters the virtual gateway address on the PC, the file sharing and web proxy lists are not displayed on the web page. Which of the following are possible causes?
A. The virtual network adapter of the user PC fails to obtain the virtual IP address.
B. The route between the firewall and the client is unreachable.
C. The administrator does not configure file sharing and web proxy authorization for the user.
D. The external NAT port of the virtual gateway is incorrect.
Correct Answer: C
QUESTION 173
In quick transmission mode, SSL VPN uses SSL to encapsulate packets and UDP to transmit packets.
A. TRUE
B. FALSE
Correct Answer: A
QUESTION 174
Which of the following methods are used by flood attacks to cause denial of services?
A. Exhaust available bandwidth.
B. Exhaust network device resources.
C. Exhaust server-side resources.
D. Control network host rights.
Correct Answer: ABC
QUESTION 175
Attackers use IP sweep attacks to determine which target systems are active on the target network.
A. TRUE
B. FALSE
Correct Answer: A
QUESTION 176
Which of the following technologies can be used by Huawei firewalls to defend against SIP flood attacks?
A. First-packet drop
B. Fingerprint prevention
C. Source IP address detection
D. Traffic limiting
Correct Answer: C
QUESTION 177
Which of the following statements is false about the source IP address detection technology?
A. This technology can be used to detect source IP addresses and discard packets from forged source IP addresses.
B. The source IP address detection technology for SYN flood attacks can verify the real source of the client.
C. To defend against HTTP flood attacks, if the number of HTTP request packets with the same destination address received by the firewall exceeds the threshold, HTTP source authentication is enabled.
D. The source IP address detection technology can defend against UDP flood attacks.
Correct Answer: D
QUESTION 178
Fixed anti-DDoS devices with a single CPU can only serve as the detecting center or cleaning center.
A. TRUE
B. FALSE
Correct Answer: A
QUESTION 179
Which of the following traffic diversion modes are supported by Huawei anti-DDoS system?
A. BGP traffic diversion
B. PBR-based traffic diversion
C. GRE VPN traffic diversion
D. Traffic diversion using static routes
Correct Answer: AB
QUESTION 180
Which of the following methods is used to defend against Tracert packet attacks?
A. The device discards ICMP unreachable packets and logs attack events.
B. You can set the maximum size of ICMP packets that are allowed to pass through according to the actual network requirements. When the size of an ICMP packet exceeds the maximum, the packet is discarded.
C. The device discards IP packets with timestamps.
D. The device discards ICMP or UDP timeout packets, or destination port unreachable packets.
Correct Answer: D
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.