[Jun 22, 2023] 100% Real & Accurate H12-731-ENU Questions with Free and Fast Updates [Q51-Q76]


Self-Study Guide for Becoming an HCIE-Security (Huawei Certified Internetwork Expert-Security) Expert


The Huawei H12-731-ENU exam is a certification exam for professionals seeking to validate their skills in the field of network security. The exam is designed to test the candidate's ability to design, implement, and troubleshoot complex security solutions using Huawei technologies. The exam covers a wide range of topics, including network security technologies, network security protocols, network security management, and network security deployment.

 

NEW QUESTION # 51
SYN Flood attacks can be prevented through TCP reverse source detection and TCP proxy technology. Comparing the two defense technologies, the correct statement is:

  • A. The defense technology of reverse source detection mechanism and TCP proxy mode must enable state detection mechanism.
  • B. Only when the rate of SYN packets reaches the alarm value alert-rate-number, the device can check the SYN packets by the TCP proxy.
  • C. The use of TCP proxy mode can be used in scenarios where the round-trip paths are inconsistent.
  • D. When the SYN packet rate reaches the alarm value alert-rate-number, the device can perform source authentication check on SYN packets.

Answer: A,D


NEW QUESTION # 52
Which of the following commands cannot be backed up in the command backup function of the firewall's dual-system hot backup?

  • A. IPS command
  • B. IP address configuration
  • C. routing table
  • D. Forwarding Policy Commands

Answer: B,C


NEW QUESTION # 53
As shown in the figure, the corresponding defense methods are:

  • A. Authenticate the user through the associated TCP protocol
  • B. Payload Check Defense
  • C. Defense by TTL checking
  • D. Method defense through source authentication
  • E. Fingerprint Learning Defense

Answer: A,B,E


NEW QUESTION # 54
When network traffic is heavy, if you do not want the downstream network to become congested or to directly discard a large number of packets because of excessive data traffic sent by the upstream, you can limit and cache the traffic on the outbound interface of the upstream device, so that such packets are sent out at an even speed.
This technique can be:

  • A. CAR
  • B. WRED
  • C. CBWFQ
  • D. GTS

Answer: D


NEW QUESTION # 55
The DHCP Snooping function is used to prevent man-in-the-middle attacks and IP/MAC Spoofing attacks. The following attack principles and defense principles are correct:

  • A. Identify forged packets according to the DHCP Snooping binding table.
  • B. Check that the CHADDR field in the DHCP request message matches the source MAC in the header of the data frame.
  • C. Identify attacks by setting Trusted and Untrusted interfaces.
  • D. The attack principle is to pretend to be a legitimate DHCP client to apply for an IP address to the DHCP server, so that the legitimate DHCP client cannot obtain an IP address normally.

Answer: A


NEW QUESTION # 56
As shown in the figure, the routing example between the virtual firewall vpn1 and the root firewall needs to be configured.
Which of the following is correct:

  • A. [USG-vpn1] ip route-static 202.168.10.0 255.255.255.0 202.168.20.3 public [USG] ip route-static 10.1.1.0 255.255.255.0 10.1.2.2.2
  • B. [USG-vpn1] ip route-static 202.168.10.0 255.255.255.0 202.168.20.3 vpn-instance vpn1 [USG] ip route-static 10.1.1.0 255.255.255.0 vpn-instance vpn1 10.1.2.2.2
  • C. [USG-vpn1] ip route-static 202.168.10.0 255.255.255.0 202.168.20.3 [USG] ip route-static 10.1.1.0 255.255.255.0 vpn-instance vpn1 10.1.2.2.2
  • D. [USG-vpn1] ip route-static 202.168.10.0 255.255.255.0 public [USG] ip route-static 10.1.1.0 255.255.255.0 vpn-instance vpn1 10.1.2.2.2 [USG] ip route-static 202.168.10.0 255.255.255.0 250.168.20.3

Answer: D


NEW QUESTION # 57
What are the advantages of Portal authentication compared to 802.1X authentication?

  • A. Portal authentication is compatible with MAC authentication.
  • B. Portal authentication is more suitable for casual visitors to the network.
  • C. Portal authentication does not require installation of client software.
  • D. Portal can be used in dumb terminal access scenarios.

Answer: B,C


NEW QUESTION # 58
USG_A and USG_B are to be upgraded to a new software version. What is the correct order of operations to upgrade without affecting services?
USG_A is the Active device and USG_B is the Standby device.
① Log in to USG_B through Telnet or SSH. The operations are as follows:
[USG-B] hrp enable
② Log in to USG_A through Telnet or SSH. The operations are as follows:
HRP_M [USG_A] undo hrp enable
③ Execute the undo hrp enable command on USG_B, then upgrade the software version of USG_B, and restart the USG_B device.
④ Upgrade the software version of USG_A and restart the USG_A device.
⑤ Test whether the USG_B service is normal.

  • A. ②③①④⑤
  • B. ①⑤③②④
  • C. ③②④①⑤
  • D. ③②①⑤④

Answer: D


NEW QUESTION # 59
On a Huawei NGFW deployed in the network shown, where the forward and return packet paths are inconsistent, which of the following statements about using the IPS function is correct?

  • A. The IPS function supports networks with inconsistent packets going back and forth.
  • B. Disable link status detection
  • C. It is recommended to enable bidirectional packet filtering
  • D. It is recommended to use dual-system hot backup networking

Answer: B


NEW QUESTION # 60
In a remote access VPN scenario, the VPN-Client configuration is as shown in the figure. What is the main function of the setting indicated by the red box?

  • A. The VPN-Client software no longer issues the default route to the virtual network card.
  • B. The VPN-Client software issues the public network address route to the virtual network card.
  • C. The VPN-Client software will no longer issue the public network address route to the virtual network card.
  • D. The VPN-Client software will issue a default route to the virtual network card.

Answer: A


NEW QUESTION # 61
The correct order of URL filtering processing flow is:
① The NGFW matches the URL information with the blacklist.
② The NGFW matches the URL information with the whitelist.
③ NGFW matches URL information with custom categories.
④ Start remote server classification query.
⑤ NGFW matches URL information with predefined categories in the local cache.

  • A. ④③⑤①②
  • B. ①②③⑤④
  • C. ②①③⑤④
  • D. ①②③④⑤

Answer: C


NEW QUESTION # 62
When planning UTM on the USG, which of the following statements are correct?

  • A. SA function requires license support.
  • B. UTM cannot be used in dual-system hot backup load balancing scenarios.
  • C. The firewall link-state inspection mechanism must be enabled first.
  • D. UTM can support inconsistent return path networking.

Answer: B,C


NEW QUESTION # 63
In the networking application of the dual-system hot-standby mode using the USG6600, which aspects should be paid attention to?

  • A. Fast session backup
  • B. The back and forth paths should be the same
  • C. NAT address pool and VRRP should be bound
  • D. The IP addresses of the active and standby interfaces should be the same

Answer: A,B


NEW QUESTION # 64
Which of the following descriptions of NAT Server is correct?

  • A. If the public network address of the NAT Server and the corresponding public network interface address are not in the same network segment, you do not need to configure black hole routing.
  • B. NAT Server cannot be configured on the virtual firewall for users of the root firewall.
  • C. If the public network address of the NAT Server is the interface address, if the black hole route of this address is configured, the service access to the firewall itself will be abnormal.
  • D. If the public network address of the NAT Server and the corresponding public network interface address are in the same network segment, you do not need to configure black hole routing.

Answer: D


NEW QUESTION # 65
Which route distribution modes does the SSL VPN network extension support?

  • A. dynamic mode ( dynamic )
  • B. full routing mode ( full )
  • C. split mode ( split )
  • D. automatic mode ( auto )
  • E. Manual mode ( manual )

Answer: B,C,E


NEW QUESTION # 66
Which authentication methods does L2TP over IPsec dial-up support?

  • A. TSM Certified
  • B. Radius
  • C. Support local authentication
  • D. LDAP
  • E. PEAP authentication

Answer: B,C,D


NEW QUESTION # 67
Regarding the firewall IP-Link feature, the following description is incorrect:

  • A. ARP detection mode only supports detection of direct links.
  • B. The firewall continuously sends ARP request packets to the target network segment, and when it receives ARP response packets, it considers the link to be normal.
  • C. The firewall continuously sends ICMP packets to the specified destination address, and if no ICMP echo reply is received for 3 seconds (default), the link is considered to be faulty.
  • D. The ICMP detection method can be used to detect the reliability of links across network segments.

Answer: B


NEW QUESTION # 68
The whitelist + blacklist mode is adopted in terminal security management. Which of the following are normal behaviors?

  • A. The terminal host installs all the software in the whitelist, but does not install the software in the blacklist.
  • B. The terminal host installs all the software on the whitelist terminal, and also installs some software in the blacklist.
  • C. Some software in the whitelist is installed on the terminal host, but the software in the blacklist is not installed.
  • D. The terminal host does not install the software in the whitelist, nor the software in the blacklist.

Answer: A


NEW QUESTION # 69
A customer connects multiple branch devices to the USG_A device at headquarters over IPsec, using point-to-multipoint IPsec and sub-policies to establish the VPN. The branches have fixed IP addresses. Most branches communicate with headquarters over the IPsec link normally, and their intranets (branch to headquarters) can reach each other, except that the intranet PC of one branch and the headquarters intranet cannot communicate normally, even though the IPsec VPN tunnel has been negotiated successfully.
What could be the reasons?

  • A. It may be negotiated using IKEv2 at one end and IKEv1 at the other end.
  • B. The IPsec proposal algorithms at both ends are inconsistent, so the packets cannot be decrypted.
  • C. The headquarters does not have a backhaul route to the failed branch.
  • D. ACL scope configuration error.

Answer: C,D


NEW QUESTION # 70
In Agile Controller, what is the correct statement about the screen saver check policy?

  • A. Can check if the screen saver password is enabled
  • B. You can check if the screen saver is enabled on the terminal
  • C. Only supports Windows OS
  • D. Screen saver settings cannot be fixed automatically

Answer: A,B,C


NEW QUESTION # 71
In the centralized networking scheme of three servers shown in the figure, the administrator found that only one of the three Agile Controllers in the resource pool was alive.
In this case, which of the following statements is correct?

  • A. At this point, you can try to restart the surviving Agile Controller, and repair the database server while restarting.
  • B. All three database servers cannot work normally, and only one of the three Agile Controllers in the resource pool is alive. In this case, all Agile Controller services are transferred to the surviving Agile Controller and can operate normally, and terminal identity authentication, access control, software distribution, patch installation, and asset management will not be affected.
  • C. At this point, the escape channel on the firewall has been opened.
  • D. After the Agile Controller is started, each Agile Controller will immediately read the database and save it on the local hard disk in a cached manner. If all databases become unavailable due to a failure, the Agile Controller will continue to maintain the operation of the Agile Controller business with the cache saved at that time as the data source.

Answer: B,D


NEW QUESTION # 72
Regarding the differences between IKEv1 and IKEv2, which of the following descriptions are correct?

  • A. IKEv2 is compatible with IKEv1 protocol.
  • B. NAT traversal is an optional feature of both IKEv1 and IKEv2.
  • C. Both IKEv1 and IKEv2 use INITIAL_CONTACT to synchronize the SAs of the local and peer ends.
  • D. IKEv1 uses the IKE_AUTH exchange for user authentication, and IKEv2 uses the X_AUTH exchange.
  • E. IKEv2 supports EAP authentication, IKEv1 does not.

Answer: B,C,E


NEW QUESTION # 73
A server on the network has been responding very slowly recently. By looking at its running status, it is found that its CPU and memory usage ratio is high, but there is little or no data transmission in these TCP session connections.
For the following judgments about this problem phenomenon, please choose the best one:

  • A. The server is under HTTP POST slow attack.
  • B. The server is under SYN flood attack.
  • C. The server is under UDP flood attack.
  • D. The server is under a TCP spoofing attack.

Answer: A


NEW QUESTION # 74
In the Anti-DDoS abnormal traffic cleaning solution, the correct recommendations for planning and deployment are:

  • A. Learn the traffic baseline values of each service type in the protection object through the baseline learning cycle, and generate learning results according to the settings of the learning task.
  • B. The priority deployment defense mode is automatic, after running for a period of time, the Anti-DDoS works normally and then the deployment defense mode is manual.
  • C. The cleaning equipment is directly deployed at the entrance of the enterprise. At the same time, the cleaning equipment has a built-in Bypass card to enhance the reliability of the solution.
  • D. In scenarios with heavy traffic, it is recommended to deploy in a straight path.

Answer: A,C


NEW QUESTION # 75
Which of the following attacks is a network layer attack?

  • A. A packet with an incorrect TTL value is constructed, causing the device to process abnormally.
  • B. Construct a packet with an incorrect IP fragment flag bit, causing the host to process exceptions.
  • C. Constructing a large number of SYN packets, leading to exhaustion of host resources.
  • D. Constructs a packet with abnormal TCP flag bit, causing the host to process abnormally.

Answer: A,B


NEW QUESTION # 76
......


The Huawei H12-731-ENU certification exam is a challenging exam that requires extensive knowledge and skills in the field of network security. The exam covers a wide range of topics, including network security technologies, security policies and procedures, network security design, and implementation. The exam is designed to test the candidate's ability to design, implement, and maintain secure networks, as well as their ability to troubleshoot network security issues.


The Huawei H12-731-ENU exam is a professional certification exam designed for IT professionals who specialize in network security. This certification is also known as HCIE-Security (Huawei Certified Internetwork Expert-Security) and is highly recognized in the industry as a validation of expertise in network security. The exam is designed to test an individual's knowledge and skills in various areas related to security, including network security technologies, security management, security architecture, and security services.

 

H12-731-ENU Study Guide Realistic Verified H12-731-ENU Dumps: https://www.pass4sures.top/Huawei-Specialist/H12-731-ENU-testking-braindumps.html