Question # 4

An administrator can view the IPSec status information and debugging information as follows. What is the most likely fault?

A.

local ike policy does not match the peer ike policy.

B.

local ike remote name and peer ike name do not match

C.

local ipsec proposal does not match the peer ipsec proposal.

D.

The local security acl or the peer security acl does not match.

Question # 5

In a Tracert packet attack, the attacker uses the ICMP timeout packet returned when the TTL is ____ and the ICMP port unreachable packet returned when the destination address is reached to discover the path through which the packet arrives at the destination, thereby spying on the structure of the network.

A.

0

B.

1

C.

2

D.

varies according to actual conditions

Question # 6

After the NAT server is configured (no-reverse parameter is added), the firewall automatically generates static Server-Map entries. The first packet matches the Server-Map entry and does not match the session table.

A.

TRUE

B.

FALSE

Question # 7

On the USG, you need to delete sslconfig.cfg in the hda1:/ directory. Which of the following commands can complete the operation?

A.

cd hda1:/ remove sslconfig.cfg

B.

cd hda1:/ delete sslconfig.cfg

C.

cd hda1:/ rmdir sslconfig.cfg

D.

cd hda1:/ mkdir sslconfig.cfg

Question # 8

When using the Radius server to authenticate users, (the topology is as shown below), not only must the username and password be stored on the Radius server, but the username and password must also be configured on the firewall.

A.

TRUE

B.

FALSE

Question # 9

The server health check mechanism is enabled on the USG firewall of an enterprise to detect the running status of the back-end real servers (the three servers are Server A, Server B, and Server C). When the USG fails to receive the response message from Server B multiple times, Server B will be disabled and the traffic will be distributed to the other servers according to the configured policy.

A.

TRUE

B.

FALSE

Question # 10

In which of the following cases can IKE negotiation not use main mode?

A.

IKE is in pre-shared mode, and the peer ID is ID

B.

IKE is in pre-shared mode, and the firewall external network exit uses DHCP to dynamically allocate addresses.

C.

IKE is in pre-shared mode and there is a NAT device on the link.

D.

IKE is in RSA certificate mode, and there is a NAT device on the link.

Question # 11

Which of the following is correct about the configuration of the firewall interface bound to the VPN instance?

A.

ip binding vpn-instance vpn-id

B.

ip binding vpn-instance vpn-instance-name

C.

ip binding vpn-id

D.

ip binding vpn-id vpn-instance-name

Question # 12

USG dual-machine hot standby must meet certain conditions before it can be used. Which of the following statements are correct?

A.

The primary and backup equipment must have the same product model.

B.

The software version of the active and standby devices must be the same.

C.

The interface IP of the active and standby devices must be the same.

D.

The primary device must be configured, and the standby device does not require any configuration.

Question # 13

Pinging the internal network address of the peer from the firewall, using the firewall's internal network interface address, successfully triggers the IPSec tunnel, but the internal PC cannot trigger the tunnel establishment. What are the possible reasons?

A.

IKE proposal configuration problem

B.

IPSec proposal configuration problem

C.

interested traffic ACL source network segment does not include the PC

D.

packet filtering (inter-domain policy) configuration problem

Question # 14

The enterprise network is as shown in the figure. Hot standby is configured on USG_A and USG_B, and USG_A is the master device. The administrator wants to configure SSL VPN on the firewall so that branch employees can access the headquarters through SSL VPN. Which address should the SSL VPN virtual gateway use?

A.

202.38.10.2/24

B.

202.38.10.3/24

C.

202.38.10.1/24

D.

10.100.10.2/24

Question # 15

The ip-link principle is to continuously send ICMP packets or ARP request packets to the specified destination address, and check whether the ICMP echo reply or ARP reply packet of the destination IP response can be received.

A.

TRUE

B.

FALSE

Question # 16

An attack source spoofs the server and sends a large number of SYN-ACK packets to the target network or server. If the destination port of the packet is the TCP service port of the attacked server, the TCP protocol stack of the server will become abnormal. What is this attack?

A.

SYN Flood

B.

SYN-ACK Flood

C.

ACK-Flood

D.

Connection Flood

Question # 17

In the active/standby mode of USG dual-system hot backup, the service interfaces work at Layer 3 and are connected to upstream and downstream routers. The administrator finds that the USG_A state has switched to HRP_M[USG_A] and the USG_B state is also HRP_M[USG_B]. What are the most likely reasons?

A.

uses the wrong HRP channel interface

B.

Heartbeat connectivity is problematic

C.

does not configure session fast backup

D.

no hrp enable

Question # 18

Networking as shown in the figure: PC1--USG--Router--PC2. If PC1 sends a packet to PC2, what are the three modes for the USG to process fragmented packets?

A.

fragment cache

B.

fragmentation

C.

slice direct forwarding

D.

slice defense

Question # 19

What type of message is the VRRP hello message?

A.

unicast message

B.

broadcast message

C.

multicast packet

D.

UDP packet

Question # 20

An administrator can view the IPSec status information and Debug information as follows. What is the most likely fault?

A.

local IKE policy does not match the peer IKE policy.

B.

local ike remote name does not match peer ike name

C.

local ipsec proposal does not match the peer ipsec proposal

D.

The local security acl or the peer security acl does not match.

Question # 21

What are the three elements of an abnormal flow cleaning solution?

A.

cleaning center

B.

Testing Center

C.

Management Center

D.

Collection Center

Question # 22

Which of the following attacks is a SYN Flood attack?

A.

The attacker sends a large number of SYN packets, which causes a large number of incomplete TCP connections to occupy the resources of the attacked party.

B.

The attacker and the attacked object normally establish a TCP full connection, but there is no subsequent message.

C.

The attacker sends a large number of ICMP packets, such as ping, to the attacked party.

D.

The attacker occupies the link bandwidth of the server by sending a large number of UDP packets to the attacked party.

Question # 23

In the IDC room, a USG firewall can be divided into several virtual firewalls, and the root firewall administrator then creates a virtual firewall administrator to manage each virtual firewall.

A.

TRUE

B.

FALSE

Question # 24

USG A and USG B are configured with a static BFD session. Which of the following is true about the process of establishing and tearing down a BFD session?

A.

USG A and USG B each start the BFD state machine. The initial state is Down and the BFD packet is Down. The value of Your Discriminator is 0.

B.

After the local BFD status of USG B is Init, if you continue to receive packets with the status Down, you can re-process and update its local status.

C.

After receiving the BFD packet in the Init state, USG B switches the local state to Up.

D.

After the state transition of "DOWN-->INIT" occurs on USG A and USG B, a timeout timer is started. If the BFD packet is in the Init or Up state, the local state is automatically switched back to Down.

Question # 25

When configuring USG hot standby (assuming the backup group number is 1), which configuration command for the virtual address is correct?

A.

vrrp vrid 1 virtual-ip ip address master

B.

vrrp virtual-ip ip address vrid 1 master

C.

vrrp virtual-ip ip address master vrid 1

D.

vrrp master virtual-ip address vrid 1

Question # 26

IPSec NAT traversal does not support IKE main mode, aggressive mode IP address + pre-shared key mode authentication, because pre-shared key mode authentication needs to extract the source IP address to find the pre-shared key corresponding to this address. The address change caused by the presence of NAT prevents the device from finding the pre-shared key.

A.

TRUE

B.

FALSE

Question # 27

Because the policy in the traffic limiting policy does not restrict the deny rule, you do not need to use the deny rule.

A.

TRUE

B.

FALSE

Question # 28

The virtual firewall forwards multiple instances. The firewall has multiple routing tables and forwarding tables. The addresses are overlapped and are implemented on the same configuration interface. Users with configuration rights can configure and view all data.

A.

TRUE

B.

FALSE

Question # 29

A data flow has established a session in the firewall. If the packet filtering policy corresponding to the data flow is modified, how does the firewall proceed?

A.

When the new packet arrives at the firewall, it immediately performs filtering according to the latest policy and refreshes the session table.

B.

immediately performs filtering according to the latest policy, does not refresh the session table

C.

The session is not aged, the new policy is not executed, and the previously established session is matched.

D.

modification will fail, you need to clear the session to modify

Question # 30

In a man-in-the-middle attack, the middleman completes the data exchange between the server and the client. From the server's point of view, all messages are sent to or received from the client. From the client's point of view, all messages are likewise sent to or received from the server.

A.

Packet 1: Source IP 1.1.1.1 Source MAC C-C-C Destination IP 1.1.1.2 Destination MAC B-B-B

B.

Packet 1: Source IP 1.1.1.3 Source MAC C-C-C Destination IP 1.1.1.2 Destination MAC B-B-B

C.

Packet 2: Source IP 1.1.1.2 Source MAC C-C-C Destination IP 1.1.1.1 Destination MAC A-A-A

D.

Packet 2: Source IP 1.1.1.3 Source MAC C-C-C Destination IP 1.1.1.1 Destination MAC A-A-A

Question # 31

DDoS means that an attacker sends a small number of non-traffic-type abnormal packets to the attack target (usually a server, such as DNS or WEB) through the network, so that the system crashes or becomes busy when the attacked server parses the packets.

A.

TRUE

B.

FALSE

Question # 32

An administrator can view the status of the device components by the following command: The status of the Slot3 board is Abnormal. Which of the following are possible causes of the fault?

A.

This slot is not supported in this slot of device A.

B.

interface card is damaged

C.

The pin on the backplane or motherboard is damaged. If the incorrect board is installed, the pin is tilted.

D.

ADSL telephone line failure
