H12-731-ENU試験をパスするなら弊社のHuawei Specialist試験パッケージを今すぐゲットして合格せよ
完全版最新の2023年最新のH12-731-ENU試験問題集テストガイド、専門トレーニングFast2test
Huawei H12-731-ENU試験では、ネットワークセキュリティ技術やプロトコル、セキュリティ管理と監視、アクセス制御やVPN技術、ファイアウォールや侵入防止システムなど、広範なトピックがカバーされます。この試験は、セキュリティの概念や原則を実際のシナリオに適用し、Huaweiの技術を使用して安全なネットワークを設計・実装する能力を評価するために設計されています。試験は複数のセクションに分かれており、それぞれが特定のネットワークセキュリティの領域に焦点を当てています。候補者は、各セクションでの熟練度を証明して試験に合格し、HCIE-Security認定を取得する必要があります。
Huawei H12-731-ENU HCIE-Security認定は、ネットワークセキュリティにおける知識とスキルを向上させるための優れた機会です。この認定は、広範なトピックをカバーし、候補者が安全なネットワークインフラストラクチャを設計、実装、管理するスキルを示すことを求めます。IT業界で高く評価され、多くの主要な組織に認められています。ネットワークセキュリティの専門家で、キャリアの見通しを向上させたい場合は、HCIE-Security認定を検討する価値があります。
質問 # 44
The IPsecVPN tunnel is successfully established, but the speed of accessing the peer's private network web page is slow or the access is intermittent. The influence of the Internet network quality has been ruled out. The following possible faults are:
- A. There is a NAT device in the middle of the network
- B. Packet filtering policy is not enabled
- C. The problem of packet fragmentation
- D. The CPU usage of the egress gateway is too high
正解:C、D
質問 # 45
According to the following networking, a customer uses the following configuration on the cleaning equipment. The following statement is correct:
ip route-static 0.0.0.0 0 10.1.2.1
- A. The default route is used for BGP diversion
- B. This default route is used to send probe traffic for attack prevention
- C. This default route is used for traffic back injection
- D. The default route is used for static route diversion
正解:B
質問 # 46
Which statement is correct about the Portal authentication process?
- A. When the switch receives the Portal online message, it will send a Radius authentication request to the Radius server.
- B. The result information of the security check will not be carried in the Portal authentication process.
- C. The server will only send an authentication message to one Portal device for Portal authentication of one terminal.
- D. Portal authentication flow is only used in web authentication.
正解:A
質問 # 47
Which of the following options fall under the scope of visitor management?
- A. Guest Account Approval
- B. Guest Account Creation
- C. Visitor page customization
- D. The guest uses the account to authenticate
- E. Visitor online behavior audit
- F. Visitors register on the registration page
正解:A、B、C、E
質問 # 48
The Trust zone of the USG firewall of a certain network is connected to the terminal host, and the Untrust zone is connected to the security controller. If the security controller can issue rules to the USG, which of the following security policies must be configured?
- A. security-policy rule name untrust_to_local source-zone untrust destination-zone local action permit rule name local_to_trust source-zone local destination-zone trust action permit
- B. security-policy rule name to_local source-zone untrust trust destination-zone local action permit
- C. security-policy rule name local_to_trust source-zone local destination-zone trust action permit
- D. security-policy rule name untrust_to_local source-zone untrust destination-zone local action permit
正解:D
質問 # 49
What are the mechanisms for implementing intrusion prevention?
- A. Response handling
- B. Blacklist match
- C. feature matching
- D. Protocol identification and protocol resolution
正解:A、C、D
質問 # 50
In the USG, the planning UTM statement is correct
- A. UTM will reassemble all fragments, and if the packet exceeds the cache range, the packet will be discarded.
- B. It is recommended to regularly upgrade the signature database
- C. When the USG cannot connect to the security service center, it can only be upgraded locally, and the signature database cannot be upgraded in a unified manner.
- D. Before using UTM functions, the operation mode must be configured as UTM mode.
正解:A、B
質問 # 51
There are hundreds of people in a medium-sized enterprise network accessing the Internet through the company's firewall, and the company has deployed a corporate portal website in the firewall DMZ. Which of the following criteria should be followed as an IT security professional for purchasing and deploying Internet access auditing products.
- A. ISO27002
- B. NIST800-53
- C. State Office issued No. 28
- D. Order No. 82 of the Ministry of Public Security
正解:D
質問 # 52
The user cannot log in to the management device through SSH, and the following configuration information is obtained. Please analyze the possible causes:
aaa
manager-user sshuser
password cipher Admin@123
service-type ssh
ssh authentication-type password
ssh service-type stelnet
authentication-scheme admin_local
#
user-interface vty o 4
authentication-mode aaa
protocol inbound ssh
#
return
- A. The domain of aaa is not configured and its authentication method is specified as local
- B. The administrator has not configured the stelnet server enable command in the system view
- C. level 3 not configured for sshuser user
- D. If the login interface is not the device management interface, you need to execute service-manager ssh permit under the interface
正解:B、C、D
質問 # 53
Regarding the trigger mechanism of 802.1X authentication, which of the following descriptions are correct?
- A. The 802.1X authentication trigger can only be initiated by the client.
- B. The authentication device can trigger authentication in multicast or unicast.
- C. 802.1X authentication can only be initiated by an authentication device (such as an 802.1X switch).
- D. The 802.1X client can trigger authentication by multicast or broadcast.
正解:B、D
質問 # 54
The correct order of URL filtering processing flow is:
① The NGFW matches the URL information with the blacklist.
② The NGFW matches the URL information with the whitelist.
③ NGFW matches URL information with custom categories.
④ Start remote server classification query.
⑤ NGFW matches URL information with predefined categories in the local cache.
- A. ②①③⑤④
- B. ①②③⑤④
- C. ④③⑤①②
- D. ①②③④⑤
正解:A
質問 # 55
What are the possible reasons why the local license cannot be activated?
- A. The device cannot connect to sec.huawei.com
- B. ESN mismatch
- C. The device does not have an activation password configured
- D. The feature item in the License has expired
正解:B、D
質問 # 56
Which of the following conditions does not trigger re-authentication for the 802.1x process?
- A. In isolation, the end user clicks the repair operation (complete the repair of serious violations).
- B. In the post-authentication domain state, the user performs business system authentication.
- C. In the isolated state, the end user manually repairs it, then clicks logout, and then clicks the authentication operation.
- D. In the post-authentication domain state, the Agile Controller AGENT periodically checks the security state of the terminal and needs to be isolated.
正解:B
質問 # 57
A company's egress gateway dual links are connected to different operators, and have the following requirements:
Users can access the Internet through two operators. When the links to the two operators work normally, all traffic is forwarded by the primary link (ISP1), and when the primary link fails, all traffic is transmitted by the backup link. Road (ISP2) forwarding.
Which of the following options is correct?
- A. [USG] ip-link check enable [USG] ip-link 1 destination 200.1.1.8 mode icmp [USG] ip-link 2 destination 234.1.1.8 mode icmp [USG] ip route-static 0.0.0.0 0.0. 0.0 GigabitEthernet 0/0/2 200.1.1.8 preference 30 track ip-link 1 [USG] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 0/0/3 234.1.1.8 preference 20 track ip-link 2
- B. [USG] ip-link check enable [USG] ip-link 1 destination 200.1.1.8 mode icmp [USG] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 0/0/2 200.1.1.8 track ip- link 1 [USG] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 0/0/3 234.1.1.8
- C. [USG] ip-link check enable [USG] ip-link 2 destination 234.1.1.8 mode icmp [USG] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 0/0/2 200.1.1.8 preference 20 [ USG] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 0/0/3 234.1.1.8 preference 30 track ip-link 2
- D. [USG] ip-link check enable [USG] ip-link 1 destination 200.1.1.8 mode icmp [USG] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 0/0/2 200.1.1.8 preference 20 track ip-link 1 [USG] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 0/0/3 234.1.1.8 preference 30
正解:D
質問 # 58
The firewall single sign-on authentication process as shown in the figure includes the following main links:
a. Find user group information on AD server
b. The device has created an online user list, and the user directly accesses external resources
c. Send information such as username and group to the device
d. User requests authentication
e. Actively send a message to the AD monitoring service (username, user IP address)
f . Server authentication passed
Please select the correct correspondence between letters and numbers ?
- A. ① -> d ② -> e ③ -> f ④ -> a ⑤ -> C ⑥ -> b
- B. ① -> d ② -> f ③ -> d ④ -> e ⑤ -> C ⑥ -> b
- C. ① -> d ② -> e ③ -> d ④ -> f ⑤ -> C ⑥ -> b
- D. ① -> d ② -> f ③ -> e ④ -> d ⑤ -> C ⑥ -> b
正解:D
質問 # 59
Regarding the firewall NAPT technology, the following description is incorrect:
- A. NAPT is a technique for extending Layer 3 addresses with Layer 4 information.
- B. NAPT can theoretically achieve 65535 private network addresses sharing a public network address to access the public network.
- C. When configuring NAPT on the firewall, the security policy should match the IP address after address translation.
- D. NAPT translates both the source IP address and the source port number.
正解:C
質問 # 60
The terminal uses Agent for 802.1x authentication, the IP address of SC and Radius server is 172.18.10.68, and it always prompts network communication failure during authentication;
Viewing the Radius authentication log shows that the Radius authentication is successful and the authorization is ACL3001. The switch configuration is as follows:
dot1x enable
dot1x authentication-method eap
radius-server template lzy
radius-server shared-key simple 123456
radius-server authentication 172.18.10.68 1812
radius-server accounting1 72.1 3.10.63 1813
radius-server authorization 172.18.10.68 shared-key simple 123456
aaa
authentication-scheme default
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 3
domain default
authentication-scheme auth
accounting-scheme acco
radius-server lzy
interface GigabitEthernet0/0/14
description connect 222
port hybrid pvid vlan 105
port hybrid untagged vlan 105
dot1x enable
acl number 3001
rule 1 permit ip destination 172.18.100.235 0
rule 2 permit ip destination 172.18.100.237 0
rule 10 deny ip
What could be the reason for the failure of network communication?
- A. Authorization rule ACL configuration error
- B. AAA configuration error
- C. GigabitEthernet0/0/14 port configuration error
- D. Billing configuration may be wrong
正解:A
質問 # 61
Which of the following descriptions about dual-system hot standby is incorrect?
- A. After enabling fast backup, the configuration of the host can also be backed up to the standby.
- B. VGMP is currently in the active state. After the VRRP interface belonging to the VGMP goes down, the VGMP state will definitely switch to the standby state.
- C. The firewall configuration backup direction must be from the VGMP master state device to the backup state device.
- D. After automatic backup is enabled, all sessions on the host will be automatically backed up to the standby.
正解:A
質問 # 62
Which of the following attacks is a network layer attack?
- A. Constructs a packet with abnormal TCP flag bit, causing the host to process abnormally.
- B. Construct a packet with an incorrect IP fragment flag bit, causing the host to process exceptions.
- C. A packet with an incorrect TTL value is constructed, causing the device to process abnormally.
- D. Constructing a large number of SYN packets, leading to exhaustion of host resources.
正解:B、C
質問 # 63
In the scenario of dual-system hot backup of firewalls, IPsec VPN does not support real-time backup of tunnels.
- A. FALSE
- B. TRUE
正解:A
質問 # 64
When configuring the address set on the firewall, the configuration command is as follows:
[sysname] ip address-set abc type object
[sysname-object-address-set-abc] address 192.168.1.1 0
[sysname-object-address-set-abc] address 192.168.2.0 mask 24
The following descriptions are correct:
- A. address 192.168.2.0 mask 24 can be replaced with the command address 192.168.2.0 0.0.0.255.
- B. After the address set abc is created successfully, no new address or address segment can be added directly, and an address set must be re-created.
- C. The addresses in the address set must not contain or overlap each other.
- D. The matching network segment can be added to the address set abc by nesting the address set.
- E. The address set abc matches the 192.168.1.1 host and the 192.168.2.0/24 network segment.
正解:A、D、E
質問 # 65
Which protocols can the NGFW perform virus scanning and corresponding processing on files transmitted by?
- A. POP3 (Post Office Protocol 3), Post Office Protocol version 3
- B. HTTPS (Hypertext Transfer Protocol Security) Secure Hypertext Transfer Protocol
- C. FTP (File Transfer Protocol), file transfer protocol
- D. HTTP (Hypertext Transfer Protocol), hypertext transfer protocol
- E. SNMP (Simple Network Management Protocol), Simple Network Management Protocol
正解:A、C、D
質問 # 66
The ARP protocol is used to map the IP address to the correct MAC address, so that the device can encapsulate the correct frame header on the data frame to complete the data forwarding.
If the ARP table is abnormal, it will directly cause the device to fail to forward packets. In the dual-system hot backup scenario, which of the following descriptions are correct when the active and standby firewalls respond to ARP?
- A. Configure the ARP proxy to request ARP source IP and destination IP in the same network segment at the same time.
- B. Request the real IP address of the interface and reply with the real MAC of the interface.
- C. Request VRRP virtual IP address, the current master device responds with virtual MAC, and the standby device does not respond.
- D. Request the IP address of the NAT address pool, the current master device responds with a virtual MAC, and the standby device does not respond.
正解:A、B
質問 # 67
Which of the following is correct for the functional comparison of NIP5000 and NIP5000D:
- A. Regarding DDOS, NIP5000 supports two defense modes: automatic defense and no defense, while NIP5500D can only support automatic defense.
- B. NIP5000 can analyze, limit and block specific application protocol traffic; NIP5000D can only analyze application traffic.
- C. The NIP5000 can be directly connected to the female, while the NIP5000D must be linked through the firewall to achieve the blocking action.
- D. NIP5000 is generally connected directly, and NIP5000D is generally connected by bypass.
正解:B、C、D
質問 # 68
The DHCP Snooping function is used to prevent man-in-the-middle attacks and IP/MAC Spoofing attacks. The following attack principles and defense principles are correct:
- A. The attack principle is to pretend to be a legitimate DHCP client to apply for an IP address to the DHCP server, so that the legitimate DHCP client cannot obtain an IP address normally.
- B. Identify forged packets according to the DHCP Snooping binding table.
- C. Check that the CHADDR field in the DHCP request message matches the source MAC in the header of the data frame.
- D. Identify attacks by setting Trusted and Untrusted interfaces.
正解:B
質問 # 69
......
Huawei H12-731-ENU試験は、ネットワークセキュリティの概念や技術に深い理解が必要な難しい試験です。受験者は、安全なネットワークソリューションを設計、実装、トラブルシューティングする能力を証明する必要があります。試験は、筆記と実技の両方で構成されており、受験者は両方の部分に合格する必要があります。認定プログラムは、最新のセキュリティ技術やベストプラクティスをカバーする包括的で最新のカリキュラムを提供し、キャリアアップを目指すセキュリティの専門家にとって貴重な認定資格となります。
2023年最新の問題Huawei Specialist合格目指してH12-731-ENUリアル試験をマスターせよ!:https://jp.fast2test.com/H12-731-ENU-premium-file.html
練習問題H12-731-ENUには画期的なHCIE-Security (Huawei Certified Internetwork Expert-Security)練習試験問題:https://drive.google.com/open?id=1R2djqfXpKJxl8SPnHoOIVWYvHTxM9g0m