H12-725_V4.0-ENU HCIP-Security V4.0 exam dumps questions are the best
material for you to test all the related Huawei exam topics. By using the
H12-725_V4.0-ENU exam dumps questions and practicing your skills, you can
increase your confidence and chances of passing the H12-725_V4.0-ENU exam.
HCIP-Security V4.0 H12-725_V4.0-ENU exam free dumps questions are
available below for you to study. 
1. Habits such as keeping the browser version updated, paying attention to browser pop-ups and not
actively visiting unknown websites can effectively prevent phishing attacks.
A. True
B. False
Answer: A
2. If the firewall recognizes keywords during content filtering detection, what impact actions can it
take? (Multiple choice)
A. Delete attachments
B. Block
C. Allow
D. Alarm
Answer: BD
3. Special control message attack is a potential attack behavior that does not have direct destructive
behavior. The attacker detects the network structure by sending special control messages to prepare
for subsequent real attacks.
A. True
B. False
Answer: A
4. Since the HTTP protocol is based on the TCP protocol, all HTTP Flood attacks can be prevented
by using the method of preventing TCP Flood.
A. True
B. False
Answer: B
5. The main way of SQL injection attack is to construct clever SQL statements and submit them as
input items to the server to implement the attack.
Specific methods of SQL injection attacks include which of the following? (Multiple choice)
A. Use union statement for joint query
B. Use insert or update statements to insert or modify data
C. Use comment symbols
D. Use identities (such as 1=1)
Answer: ABCD
6. As shown in the figure, the firewalls at both ends establish GRE over IPSec. The original packet is
first encapsulated by IPSec and then GRE encapsulated.
A. True
B. False
Answer: B
7. Undo shutdown the business interface of the standby machine;
8. Which of the following resources are manually allocated to the virtual system? (Multiple choice)
A. VLAN
B. Safe area
C. Bandwidth
D. Interface
Answer: ACD
9. Anti-DDoS's session inspection mechanism can prevent which of the following
attacks? (Multiple choice)
A. TCP connection exhaustion attack
B. ACK
C. TCP abnormal session attack
D. UDP
Answer: ABC
10. Please match the following network attack methods with their corresponding description
information one by one.
Answer:
11. Which of the following functions can be achieved when Huawei IPS equipment is deployed in the
network? (Multiple choice)
A. Active defense against scanning attacks
B. Control P2P abuse traffic in the network
C. Prevent intranet users from SQL injection attacks
D. Active defense against vulnerabilities
Answer: ABCD
12. Which of the following descriptions of abnormal file type identification results is incorrect?
A. The file type cannot be recognized means that the file type cannot be recognized and there is no
file extension.
B. Unrecognized file type means that neither the file type nor the file extension can be recognized.
C. File extension mismatch means that the file type and file extension are inconsistent.
D. File corruption refers to the inability to identify the file type due to the file being damaged.
Answer: B
13. WAF can protect HTTPS traffic. Its implementation principle is to decrypt, filter, and re-encrypt
messages through the public key, private key, and certificate chain uploaded to the WAF device to
detect and protect HTTPS encrypted messages.
A. True
B. False
Answer: A
14. Use IKE v1 main mode to establish an IPSec VPN. After detecting the presence of a NAT device,
which of the following ISAKMP messages will be followed by port number conversion?
A. Message 5
B. Message 6
C. Message 3
D. Message 4
Answer: A
15. Turn on the email filtering function to detect viruses carried in emails.
A. True
B. False
Answer: B
16. As shown in the figure, the firewall is deployed as a gateway dual-machine hot standby, and the
upstream and downstream devices are switches.
To achieve round-trip traffic load balancing, at least how many VRRP backup groups need to be
configured in this scenario?
A. 4
B. 6
C. 2
D. 3
Answer: C
17. Which of the following attacks uses return timeout messages with a TTL of 0 to spy on the
structure of the target network?
A. HTTP
B. Tracert attack
C. UDP
D. ICMP redirect attack
Answer: B
18. There are two ways to achieve high reliability of the firewall heartbeat line: the multi-heartbeat
interface method and Eth-Trunk. Compared with the multi-heartbeat interface method, the advantage
of Eth-Trunk is that it can increase the communication bandwidth of the link and realize more traffic
load sharing.
A. True
B. False
Answer: A
19. In the URL filtering process, which of the following actions is performed as the first step?
A. Detect HTTP message anomalies
B. Match black and white lists
C. Remote query
D. Match URL classification
Answer: A
20. An engineer is deploying a wireless network. Portal authentication is used for guest access, the
authentication point is the wireless controller, and the authentication server uses iMaster NCE-Campus.
The content of the Portal server template configured on the wireless controller is as follows. Which of
the following configuration descriptions are correct? (Multiple choice)
A. The port number for processing Portal protocol packets on the device is 50200.
B. The IP address for communication between the device and the Portal server is 10.10.10.254
C. The URL redirected to the user will contain the ssid name.
D. The IP address of the Portal server is 10.23.200.1
Answer: BCD
21. After the dual-machine hot standby system software version upgrade is completed, which of the
following items need to be verified? (Multiple choice)
A. System software version
B. Firewall active and standby status
C. Dual-machine switching
D. Session table
Answer: BCD
22. Which of the following are the contents contained in the session persistence table entry? (Multiple
choice)
A. Port number
B. Outbound interface
C. Source IP address
D. Aging time
Answer: BCD
23. As shown in the figure, this is a single-server smart DNS scenario in the outbound interface mode.
Please sort the following descriptions in the correct order.
Answer:
24. As shown in the figure, firewall A and firewall B use IKE v1 main mode to establish IPSec VPN.
Which of the following ISAKMP messages can detect the existence of NAT devices between the
firewalls? (Multiple choice)
A. Message 6
B. Message 3
C. Message 5
D. Message 4
Answer: BC
25. Which of the following descriptions about 802.1X authentication is incorrect?
A. In EAP termination mode, EAP messages are directly encapsulated into RADIUS
B. The 802.1X authentication method is divided into EAP relay method and EAP termination method.
In comparison, EAP relay method supports more authentication methods.
C. The 802.1X authentication system uses the EAP protocol to realize information exchange between
the client, device and authentication server.
D. In the 802.1X authentication method, the client must support the 802.1x protocol.
Answer: D
26. Link-Group improves link reliability by binding multiple physical interfaces. When one interface
fails, traffic is forwarded from other interfaces.
A. True
B. False
Answer: B
27. DoS attacks are traffic-based attacks that aim to prevent the target computer or network from
providing normal services or resource access, causing the target system's services to stop
responding or even crash.
A. True
B. False
Answer: A
28. As shown in the figure, the firewall load balancing network is used, and the upstream and
downstream devices are switches.
Which of the following descriptions of the firewall VGMP group status in this scenario is correct?
A. Firewall A: Active, Firewall B: Standby
B. Firewall A: Master, Firewall B: Backup
C. Firewall A: Master, Firewall B: Master
D. Firewall A: Active, Firewall B: Active
Answer: D
29. When using iMaster NCE-Campus as the Portal server, in the Portal server template on the AC,
the destination port number used when the device actively sends packets to the Portal server should
be configured as ().
Answer: 2000
30. In the URL category, _____URL category is a category preset library that is preset with the device
and does not require manual loading by the user. This can help users control access to common
websites.
Answer: Predefined
31. BFD is a bidirectional forwarding detection mechanism that can provide millisecond-level
detection, achieve rapid detection of links, and can be used in conjunction with which of the following
technologies? (Multiple choice)
A. Static routing
B. BGP
C. Policy routing
D. Dual-machine hot backup
Answer: ABCD
32. If server authentication is used, which of the following devices may be included in the network
access control system architecture? (Multiple choice)
A. Data source server
B. User terminal
C. Authentication server
D. Network access equipment
Answer: BCD
33. Which of the following descriptions about Huawei IPS equipment upgrade is correct?
A. Upgrading the signature database of Huawei IPS does not require license authorization.
B. Upgrading the system version of Huawei IPS will take effect without restarting the device.
C. Upgrading the signature database of Huawei IPS requires restarting the device to take effect.
D. Upgrade the Huawei IPS signature database to take effect without restarting the device.
Answer: D
34. When IPSec uses certificate authentication, it is necessary to verify the legitimacy of the peer
certificate. Which of the following is not a factor that needs to be considered to verify the legitimacy of
the certificate?
A. Whether the certificate is applied for in the same way
B. Whether the certificate is within the validity period
C. Whether the certificate is located in the CRL repository
D. Whether the certificate is issued by the same CA
Answer: D
35. Which of the following are traffic-based attacks? (Multiple choice)
A. DoS attack
B. Malformed message attack
C. Scanning and snooping attacks
D. DDoS attack
Answer: AD
36. By checking the /var/log/secure log file of the Linux host, you can determine whether the host has
been attacked by brute force cracking of the login password.
A. True
B. False
Answer: A
37. Which of the following descriptions about the classification of bandwidth resources in virtual
systems are correct? (Multiple choice)
A. Traffic flowing from the private network interface to the public network interface is limited by the
outbound bandwidth.
B. In the scenario of cross-virtual system forwarding, the Virtual-if interface defaults to the public
network interface.
C. The public network interface refers to the interface through which the firewall connects to the
Internet.
D. Traffic flowing from the public network interface to the private network interface is limited by the
bandwidth in the inbound direction.
Answer: ABD
38. There are two types of virtual systems on the firewall, namely _____ and virtual systems.
Answer: root system
39.1. During the dual-machine hot standby system version upgrade process, which of the following
sequences should be followed for the backup machine upgrade steps?
40. When a firewall performs email filtering, which of the following email transfer protocols does it
support?
A. SMTPS
B. SMTP
C. POP3
D. IMAP
Answer: A
41. To implement the access control function through Huawei iMaster NCE-Campus controller, which
of the following is not required for authentication and authorization configuration?
A. Certification results
B. Authorization results
C. Certification rules
D. Authorization rules
Answer: C
42. Which of the following descriptions about using ACLs as IPSec interesting flow matching rules are
correct? (Multiple choice)
A. ACLs configured in the same IPSec security policy group can contain the same rules.
B. If different data flows have different security requirements, different ACLs and corresponding IPSec
security policies need to be created.
C. If the interface to which the IPSec security policy is applied is also configured with NAT, IPSec will
not take effect because the device performs NAT first. At this time, you need to match the ACL rules
referenced by IPSec to the IP address after NAT translation.
D. The protocol types defined by ACL rules at both ends of the IPSec tunnel must be consistent. For
example, if one end uses the IP protocol, the other end must also use the IP protocol
Answer: BCD
43. User identity authentication and authorization can be completed on the access control device or
can be completed by the server. When an access device is used for authentication and authorization,
it is local authentication. Which of the following descriptions of local authentication methods are
correct? (Multiple choice)
A. When configuring local authorization, the supported authorization parameters are: VLAN, ACL, etc.
B. The amount of stored information is limited by the device hardware conditions and is generally
used for device login authentication.
C. When using local authentication, a third-party server is also required for user information storage,
verification, etc.
D. Local certification is fast and can reduce operational costs.
Answer: BD
44. Which of the following descriptions about bandwidth resource allocation is incorrect?
A. Which type of bandwidth resource limits a data flow is subject to depends on the outgoing interface
or incoming interface of the traffic.
B. The public network interface refers to the interface connecting to the Internet
C. Bandwidth resources in the resource category are divided into three categories: inbound
bandwidth, outbound bandwidth and overall bandwidth.
D. In the cross-virtual system forwarding scenario, the Virtual-if interface defaults to the public
network interface.
Answer: B
45. Which of the following types of virtual systems exist on the firewall? (Multiple choice)
A. Configure the system
B. Virtual system
C. Management system
D. Root system
Answer: BD
46. Which of the following attacks does not expose network topology information?
A. Tracert message attack
B. Attacker side of IP packets with routing record entries
C. Scanning attack
D. Teardrop
Answer: D
47. Which of the following descriptions of the RADIUS and HWTACACS protocols is incorrect?
A. All use shared keys to encrypt transmitted user information
B. Both have good flexibility and scalability
C. The structure adopts client/server model.
D. All support the authorization of configuration commands on the device.
Answer: D
48. SSL VPN uses a web proxy to allow mobile users to access intranet web server resources through
the firewall as a proxy.
A. True
B. False
Answer: A
49. Which of the following descriptions about deploying a firewall virtual system is incorrect?
A. A resource class can be bound to multiple virtual systems at the same time
B. You can view the created virtual systems and allocated resources in the "Virtual System List"
C. Configure the resource class first, and then enable the virtual system for binding
D. Resource class r0 is bound to the root system by default and cannot be deleted or modified.
Answer: C
50. Which of the following descriptions of 802.1X authentication are correct? (Multiple choice)
A. The client can send DHCP/ARP or any message to initiate 802.1X authentication.
B. The 802.1X authentication system uses the Extensible Authentication Protocol EAP to realize
information exchange between the client, device and authentication server.
C. The 802.1X protocol is a Layer 2 protocol and does not need to reach Layer 3. It does not have
high requirements on the overall performance of the access device and can effectively reduce
network construction costs.
D. The client can trigger 802.1X authentication by sending an EAPoL-Start message.
Answer: BCD
51. BFD control packets are encapsulated in TCP packets and transmitted, and their destination port
number is 3784.
A. True
B. False
Answer: B
52. In a NAT traversal scenario, if a NAT device is detected, the destination port number of the
ISAKMP message will become which of the following?
A. 4500
B. 51
C. 50
D. 500
Answer: A
53. The third-party access device added on iMaster NCE-Campus supports the use of TACACS
protocol for docking.
A. True
B. False
Answer: A
54. Which of the following descriptions of outbound traffic in the firewall virtual system is correct?
A. Traffic flowing from the private network interface to the public network interface is limited by the
bandwidth in the inbound direction.
B. Traffic flowing from the public network interface to the private network interface is limited by the
bandwidth in the inbound direction.
C. Traffic flowing from the private network interface to the public network interface is limited by the
outbound bandwidth.
D. Traffic flowing from the public network interface to the private network interface is limited by the
outbound bandwidth.
Answer: C
55. Which of the following descriptions of manual IPSec security policies are correct? (Multiple
choice)
A. During configuration, the inbound SA parameters of the local end do not necessarily need to be the
same as the outbound SA parameters of the opposite end.
B. All security parameters of the manual IPSec security policy need to be configured manually.
C. Suitable for small static environments
D. Administrator configuration workload is heavy
Answer: BCD
56. Which vulnerability in the TCP port does the "WannaCry" ransomware exploit to launch network
attacks on Windows systems?
A. 139
B. 443
C. 3389
D. 445
Answer: D
57. Which of the following descriptions of keywords in content filtering are correct? (Multiple choice)
A. Keywords are content that the device needs to identify when filtering content.
B. Keywords include predefined keywords and custom keywords
C. The minimum length of keywords that can be matched by text is 2 bytes
D. Custom keywords can only be defined in text mode
Answer: AB
58. To check whether there is an abnormal task plan (not set by the user) on the Linux host, which of
the following commands can be used?
A. crontab -u mysql
B. crontab -e
C. crontab -r
D. crontab -l
Answer: D
59. Which of the following descriptions of IPS predefined signatures is incorrect?
A. The content of predefined signatures is not fixed and can be created, modified or deleted.
B. When the action of the predefined signature is blocking, block the packets that hit the signature
and record the log.
C. When the action of the predefined signature is release, the packets that hit the signature will be
released and no log will be recorded.
D. When the action of the predefined signature is alarm, the packets that hit the signature will be
released, but the log will be recorded.
Answer: A
60. As shown in the figure, the global routing policy is based on link priority with active/standby
backup.
Which of the following descriptions of this scenario is incorrect? (Multiple choice)
A. This method can improve the reliability of the business
B. If no overload protection threshold is specified for the main interface link, the firewall will not use
other links to transmit traffic even if a link overload occurs.
C. The ISP1 link has the highest priority, so the interface connecting the firewall to
the ISP is the main interface.
D. If the main interface link fails, the firewall's interface connecting ISP2 and ISP3 is enabled for load
balancing.
Answer: BC
61. When administrators create a firewall virtual system, they also need to create a VPN instance with
the same name to isolate routes.
A. True
B. False
Answer: B
62. Which of the following descriptions of cleaning centers is incorrect?
A. Back-injection methods include: policy routing back-injection, static route back-injection, VPN back-
injection and Layer 2 back-injection.
B. The cleaning device supports rich and flexible attack prevention technologies, but cannot defend
against CC attacks and ICMP Flood attacks.
C. There are two methods of traffic diversion: static traffic diversion and dynamic traffic diversion.
D. The cleaning center completes functions such as diversion and cleaning of abnormal traffic, and
reinjection of cleaned traffic.
Answer: B
63. By configuring the smart () function, the firewall can intelligently modify the resolution address in
the response message, so that the user can obtain the most appropriate resolution address, that is,
the address that belongs to the same ISP network as the user.
Answer: DNS
64. As shown in the figure, IPSec tunnels are established between the headquarters and branches.
To achieve IPSec traffic load sharing, at least how many IPSec tunnels need to be established?
A. 1
B. 2
C. 4
D. 3
Answer: C
65. When assigning interfaces to a virtual system, the management port cannot be assigned to the
virtual system.
A. True
B. False
Answer: A
66. For terminals that access the network through wired methods, MAC bypass authentication
requires one more 802.1X authentication step than ordinary MAC authentication. When 802.1X
authentication fails, MAC authentication will be tried again.
A. True
B. False
Answer: A
67. When configuring the SSLVPN port forwarding function, the security policy only needs to allow
traffic between Untrust and Trust.
A. True
B. False
Answer: B
68. You can view the configuration information and interface status of Eth-Trunk through display eth-trunk,
where STATIC indicates static LACP mode and _____ indicates manual load balancing mode.
Answer: NORMAL
69. Which of the following descriptions of the AH and ESP protocols is correct?
A. All support data source verification
B. All support encryption
C. All support NAT traversal
D. Verify IP headers
Answer: A
70. In which of the following access authentication methods, the terminal must obtain an IP address
before authentication?
A. 802.1X authentication
B. Portal
C. MAC authentication
D. MAC bypass authentication
Answer: B
71. Which of the following items are the differences between transmission mode and tunnel mode?
(Multiple choice)
A. Tunnel mode has an extra IP header and tunnel mode takes up more bandwidth than transport
mode.
B. Tunnel mode hides the original IP header information and has better security
C. The transmission mode can realize the integrity check of the entire message (except the variable
IP header parameters)
D. Tunnel mode can encrypt data packets
Answer: ABD
72. Which of the following is not an intranet resource that SSL VPN can provide to mobile office
users?
A. File resources
B. UDP resources
C. Web resources
D. IP resources
Answer: B
73. As shown in the figure, BFD and static routing are associated with each other. Which of the
following configurations is correct?
A)
B)
C)
D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: A
74. 802.1X authentication user logout methods include client active logout, access device controlled
user logout, and server controlled user logout. When the server is used to control user offline, the
RADIUS service can force the user to go offline through () messages.
Answer: DM
75. Deploying multiple links at the enterprise exit can improve the reliability of the user network.
A. True
B. False
Answer: A
76. The signature filter of IPS is a set of conditions for a series of signatures. Any signature that
meets one of the filter conditions can match the signature filter.
A. True
B. False
Answer: B
77. SYN scanning technology generally does not leave scanning traces on the target host, and does
not require root privileges of the target host.
A. True
B. False
Answer: B
78. Which of the following attacks does the application layer source authentication function of Anti-
DDoS prevent? (Multiple choice)
A. HTTP
B. ACK
C. HTTPS
D. DNS
Answer: ACD
79. If the 802.1X client uses MD5 encryption, the authentication method of the device-side user can
be configured as EAP or CHAP; if the 802.1X client uses PEAP authentication, the device-side user
authentication method can be configured as ()
Answer: EAP-PEAP
80. As shown in the figure, the firewall dual-machine hot backup load is deployed uniformly. For the
Trust area, two VRRP backup groups need to be deployed. One group has firewall A as the master,
and the other group also has firewall B as the master.
A. True
B. False
Answer: B
81. SYN scanning requires the establishment of a complete TCP connection, and the SYN scan will
be recorded in the system log.
A. True
B. False
Answer: B
82. Which of the following descriptions of the characteristics of SSL VPN is incorrect?
A. SSL VPN supports few authentication types and is difficult to integrate with the original identity
authentication system.
B. SSL VPN can support various IP applications
C. SSL VPN can parse intranet resources to the application layer and publish applications in a
granular manner
D. Since the SSL VPN login method uses a browser, the automatic installation and configuration of
the client is realized, so that users can quickly log in with their devices anytime and anywhere, and it
also relieves the pressure of network administrators in maintaining the client.
Answer: A
83. A customer's current network uses Huawei wireless controller to deploy 802.1X authentication,
and the authentication server is iMaster NCE-Campus. During the process of debugging the wireless
network, engineers found that the terminal kept failing to authenticate. What are the possible reasons
for this problem? (Multiple choice)
A. The network between the terminal and the authentication server is unreachable
B. The authorization key configured on the wireless controller is inconsistent with the authentication
server configuration.
C. The service VLAN is not configured on the wireless controller.
D. The authentication template configured on the wireless controller is not bound to the access
template.
Answer: AD
84. WAF devices can effectively and accurately resist CC attacks. Which of the following descriptions
of CC attacks is incorrect?
A. CC attack is a type of DDoS attack
B. The attack cost of CC attacks is relatively high, and launching an attack requires a large amount of
bandwidth resources.
C. CC attacks can use proxy servers to launch attacks, making it difficult to trace the source of the
attack.
D. CC attacks are mainly used to attack web servers, causing server resources to be exhausted and
even shut down.
Answer: B
85. Which of the following descriptions about firewall bandwidth policies is correct?
A. In the same group of parent-child policies, the same bandwidth channel can be referenced
B. By default, there is a default bandwidth policy on the firewall. The configured conditions are all
(any) and the action is flow limiting.
C. If bandwidth management is used together with the source NAT function, the address before
translation should be specified when configuring the address/matching conditions of the bandwidth
policy.
D. For maximum bandwidth and connection limit, the child policy can be larger than the parent policy
Answer: C
86. Which of the following commands can display the IPSec SA negotiation results and IPSec policy
configuration information?
A. display ike sa
B. display ipsec statistics
C. display ipsec sa
D. display ike peer
Answer: C
87. In the Portal authentication scenario, in order to ensure that the terminal can open the Portal page
normally (using iMaster NCE-Campus as the Portal server), iMaster NCE-Campus should be
reachable over the network with the authentication terminal.
A. True
B. False
Answer: A