Exam Details

  • Exam Code: H12-721
  • Exam Name: HCIP-Security-CISN V3.0
  • Certification: Huawei Certification
  • Vendor: Huawei
  • Total Questions: 65 Q&As
  • Last Updated: Nov 05, 2023

Huawei Huawei Certification H12-721 Questions & Answers

  • Question 51:

    When virtual firewall technology is used, two VPN users can pass through the Root VFW on the public network, log on to their respective private network VPNs, and directly access the private network resources.

    According to the characteristics of a VPN firewall that provides multi-instance services, which of the following statements are correct? (Choose three answers)

    A. Safe: VPN users are authenticated and authorized for access through the firewall; after access, users manage resources through independent virtual firewall systems, and the resources of different VPN users are completely isolated.

    B. Flexible and reliable VPN access: access from the public network to the VPN is supported, as well as access from VPN to VPN, giving two modes.

    C. Easy to maintain: a user who does not have superuser privileges on the system administrator account can manage the entire firewall (including each virtual firewall service).

    D. Strict access control: the firewall can control VPN access permissions based on user name and password, so that different users, such as employees on business trips and super users (who require access to different VPN resources), have different access rights.

  • Question 52:

    In the USG2200 series of products, GigabitEthernet 0/0/0 is the band management interface by default.

    A. TRUE

    B. FALSE

  • Question 53:

    An administrator views the status information and IPsec debug information shown below. After going through the output, what is the most likely reason for failure?

    A. The local-end IKE policy and the peer IKE policy do not match

    B. The local-end IKE remote name and the peer IKE name do not match

    C. The local-end IPsec proposal and the peer IPsec proposal do not match

    D. The local-end security ACL does not match the peer security ACL

  • Question 54:

    An enterprise network cutover has just been done. The old network equipment has been taken offline and the lines now run on the new network equipment. After operational testing we found that the majority of traffic does not work.

    What is the administrator's quickest way to restore business?

    A. Stratification

    B. Break Law

    C. Substitution Method

    D. Block Method

  • Question 55:

    Three FTP servers are configured with load balancing on a USG firewall. The addresses and weights of the three real servers are 10.1.1.3/24 (weight 16), 10.1.1.4/24 (weight 32), and 10.1.1.5/24 (weight 16), while the virtual server address is 202.152.26.123/24. A host with the IP address 202.152.26.3/24 initiates access to the FTP server.

    When the display firewall session table command is run on the firewall to check the configuration, which of the following outputs illustrates the successful implementation of load balancing?

    A. display firewall session table
       Current total sessions: 1
       ftp VPN: public -> public 202.152.26.3:3327 -> 10.1.1.4:21

    B. display firewall session table
       Current total sessions: 3
       ftp VPN: public -> public 202.152.26.3:3327 -> 202.152.26.123:21 [10.1.1.3:21]
       ftp VPN: public -> public 202.152.26.3:3327 -> 202.152.26.123:21 [10.1.1.4:21]
       ftp VPN: public -> public 202.152.26.3:3327 -> 202.152.26.123:21 [10.1.1.5:21]

    C. display firewall session table
       Current total sessions: 1
       ftp VPN: public -> public 202.152.26.3:3327 -> 202.152.26.123:21

    D. display firewall session table
       Current total sessions: 3
       ftp VPN: public -> public 202.152.26.3:3327 -> 10.1.1.3:21
       ftp VPN: public -> public 202.152.26.3:3327 -> 10.1.1.4:21
       ftp VPN: public -> public 202.152.26.3:3327 -> 10.1.1.5:21

  • Question 56:

    As shown below, in an L2TP over IPsec scenario, which of the following configurations correctly defines the data flow to be protected by IPsec?

    A. [LNS] acl number 2001
       [LNS-acl-basic-2001] rule permit udp source 10.10.1.0 0.0.0.255

    B. [LNS] acl number 3001
       [LNS-acl-adv-3001] rule permit source 10.10.1.0 0.0.0.255 destination 10.10.2.0 0.0.0.255

    C. [LNS] acl number 3001
       [LNS-acl-adv-3001] rule permit tcp source-port 1701

    D. [LNS] acl number 3001
       [LNS-acl-adv-3001] rule permit udp source-port eq 1701

  • Question 57:

    In IPsec NAT traversal application scenarios, NAT traversal must be configured on the firewall of the initiating party, and the firewall at the other end can not configure NAT traversal related commands.

    A. TRUE

    B. FALSE

  • Question 58:

    When digital certificates are used for authentication in an IPsec VPN, IKE main mode negotiation should be adopted, and validation of the certificate is completed in the 5th and 6th packets of the packet exchange.

    A. TRUE

    B. FALSE

  • Question 59:

    Which of the following statements about IPsec and IKE are correct? (Choose three answers)

    A. With IPsec there are two ways to establish the security association: manual mode (manual) and IKE auto-negotiation (ISAKMP) mode.

    B. IKE aggressive mode can be selected based on negotiations initiated by the tunnel endpoint IP address or ID, to find the corresponding authentication word and finalize negotiations.

    C. The NAT traversal function is used to remove the verification of UDP port numbers from the IKE negotiation process, while also providing discovery of NAT gateways on the VPN tunnel. If a NAT gateway device is used, then subsequent IPsec data transfer uses UDP encapsulation.

    D. IKE security mechanisms include DH (Diffie-Hellman) key exchange and distribution, Perfect Forward Secrecy (PFS), encryption, and SHA1 algorithms.

  • Question 60:

    SSL works at the application layer and provides encryption for specific applications, while IPsec operates at which layer and provides transparent encryption protection for this layer and above?

    A. The data link layer

    B. Network Layer

    C. Transport Layer

    D. Presentation Layer
