H12-721 Huawei Certified ICT Professional - Constructing Infrastructure of Security Network Free Practice Exam Questions (2025 Updated)

Prepare effectively for your Huawei H12-721 Huawei Certified ICT Professional - Constructing Infrastructure of Security Network certification with our extensive collection of free, high-quality practice questions. Each question is designed to mirror the actual exam format and objectives, complete with comprehensive answers and detailed explanations. Our materials are regularly updated for 2025, ensuring you have the most current resources to build confidence and succeed on your first attempt.

Page: 2 / 4
Total 217 questions

In firewall DDoS attack defense, the Anti-DDoS device adopts seven layers of defense technology. Which description of session-based defense is correct?

A.

The validity of the packet's source address is authenticated on a per-application basis. These applications support protocol interaction. The cleaning device defends against attack traffic from spoofed sources or attack tools by sending source detection packets.

B.

Session-based defense against concurrent-connection, new-connection, or connection-exhaustion attacks that exceed the threshold.

C.

Mainly relies on fingerprint learning and packet-capture analysis to obtain traffic characteristics, and defends against attack traffic initiated by bots or through proxies by distinguishing it from normal user access behavior.

D.

Filters scanning packets and special control packets by inspecting sessions.

SSL works at the application layer and encrypts specific applications. At which layer does IPSec work, providing transparent encryption protection for that layer and above?

A.

Data link layer

B.

Network layer

C.

Transport layer

D.

Presentation layer

When an IPSec VPN is set up between the firewalls at both ends, the security ACL rules on the two ends mirror each other.

A.

TRUE

B.

FALSE

Which statements about IP address scanning attacks and their prevention principles are correct?

A.

An IP address scanning attack is one in which an attacker uses ICMP packets (such as ping and tracert) to probe target addresses.

B.

An IP address scanning attack is an attack method in which an attacker probes target addresses by using TCP/UDP packets.

C.

IP address scanning attack defense measures the rate of a host's address scanning behavior. If the rate exceeds the threshold, the host is blacklisted.

D.

If the USG enables the blacklist function and associates it with IP address scanning attack prevention, then when the scanning rate of a source exceeds the set threshold, the packets exceeding the threshold are discarded; afterwards, as long as the packets sent by this source stay below the threshold, they can still be forwarded.

The firewall device defends against SYN Flood attacks by using source legality verification. When the device receives a SYN packet, it sends a SYN-ACK probe packet to the host at the source IP address in the SYN packet. If the host exists, which message will it send?

A.

RST message

B.

FIN message

C.

ACK message

D.

SYN message

Which of the following are traffic-type attacks?

A.

IP Flood attack

B.

HTTP Flood attack

C.

IP address scanning attack

D.

ICMP redirect packet attack

PC A in the Trust zone has the IP address 192.168.3.1 and cannot access the Internet server in the Untrust zone. The configuration between the Trust zone and the Untrust zone is as follows. What are the most likely causes of the fault?

A.

The security policy application direction is misconfigured; it should be outbound.

B.

Because the firewall's default packet-filter action of deny is executed first, the subsequent policies are not executed.

C.

The policy source 192.168.3.0 0.0.0.255 configuration is wrong; it needs to be changed to policy source 192.168.3.0 0.0.255.255.

D.

The policy destination any configuration is wrong; an explicit destination IP address must be specified.

Which of the following statements is true for virtual service technology?

A.

For multiple real servers, the real servers need to be in the same network segment and in the same security zone.

B.

For multiple real servers, the real servers need not be in the same network segment, but they must be in the same security zone.

C.

For multiple real servers, the real servers need not be in the same security zone, but they must be in the same network segment.

D.

For multiple real servers, the network segment and security zone where the real servers are located do not affect the load balancing function.

The server health check mechanism is enabled on the USG firewall of an enterprise to detect the running status of the back-end real servers (the three servers are Server A, Server B, and Server C). When the USG fails to receive a response message from Server B multiple times, Server B is disabled and the traffic is distributed to the other servers according to the configured policy.

A.

TRUE

B.

FALSE

In dual-system hot backup load-balancing networking, the service interfaces work at Layer 3 and connect to routers upstream and downstream. The two USG devices act as active and standby for each other. Therefore, both hrp track master and hrp track slave must be configured on the service interface.

A.

TRUE

B.

FALSE

The load balancing function is configured on the USG firewall for three FTP servers. The IP addresses and weights of the three physical servers are 10.1.1.3/24 (weight 16), 10.1.1.4/24 (weight 32), and 10.1.1.5/24 (weight 16), and the virtual server address is 202.152.26.123/24. A PC with the host address 202.152.26.3/24 initiates access to the FTP server. Run the display firewall session table command on the firewall to check the configuration. Which of the following outputs indicates that the load balancing function is successfully implemented?

A.

display firewall session table
Current total sessions: 1
ftp VPN: public-->public 202.152.26.3:3327-->10.1.1.4:21

B.

display firewall session table
Current total sessions: 3
ftp VPN: public 202.152.26.3:3327-->202.152.26.123:21[10.1.1.3:21]
ftp VPN: public-->public 202.152.26.3:3327-->202.152.26.123:21[10.1.1.4:21]
ftp VPN: public-->public 202.152.26.3:3327-->202.152.26.123:21[10.1.1.5:21]

C.

display firewall session table
Current total sessions: 1
ftp VPN: 202.152.26.3:3327-->202.152.26.123:21

D.

display firewall session table
Current total sessions: 3
ftp VPN: ftp VPN: public 202.152.26.3:3327-->202.152.26.123:21[10.1.1.3:21]
ftp VPN: public-->public 202.152.26.3:3327-->10.1.1.4:21
ftp VPN: public-->public 202.152.26.3:3327-->10.1.1.4:21
ftp VPN: public-->public 202.152.26.3:3327-->10.1.1.5:21

When the SSL VPN client is used to start network extension, the prompt "Connection gateway failed" appears. What are the possible reasons for the failure?

A.

If the proxy server is used, the proxy server settings of the network extension client are incorrect.

B.

The route between the PC and the virtual gateway is unreachable.

C.

The TCP connection between the network extension client and the virtual gateway is blocked by the firewall.

D.

The username and password are incorrectly configured.

For IP-MAC address binding, packets with matching IP and MAC address will enter the next processing flow of the firewall. Packets that do not match IP and MAC address will be discarded.

A.

TRUE

B.

FALSE

When configuring USG hot standby (assuming the backup group number is 1), which configuration command for the virtual address is correct?

A.

vrrp vrid 1 virtual-ip ip address master

B.

vrrp virtual-ip ip address vrid 1 master

C.

vrrp virtual-ip ip address master vrid 1

D.

vrrp master virtual-ip address vrid 1

Which of the following is not a technical feature of the virtual firewall?

A.

Provides multi-instance, multi-instance, multi-instance, multi-instance, and multi-instance VPN. The application is flexible and can meet multiple networking requirements.

B.

Each virtual firewall can independently support four security zones: Trust, Untrust, DMZ, and Local. The interfaces are flexibly divided and allocated.

C.

Technically guarantees that each virtual system is identical in implementation to a standalone firewall and very secure, and that virtual systems can access each other directly.

D.

Provide independent administrator privileges for each virtual system

If the IPSec policy is configured in the policy template and sub-policy mode, the firewall applies the policy template first and then applies the sub-policy.

A.

TRUE

B.

FALSE

The following figure shows the L2TP over IPSec application scenario. The client uses the pre-shared-key command to perform IPSec authentication. How should the IPSec security policy be configured on the LNS?

A.

Negotiate in IKE main mode

B.

Negotiate in IKE aggressive mode

C.

IPSec security policy

D.

Configure an IPSec policy template

ACK flood attacks are defended against by payload checking. The principle is that the cleaning device checks the payload of the ACK packets. If the payloads are all identical (for example, the payload content is all 1s), the packets are discarded.

A.

TRUE

B.

FALSE

The administrator can create vfw1 and vfw2 on the root firewall to provide secure multi-instance services for enterprise A and enterprise B, and configure secure forwarding policies between security zones of vfw1 and vfw2.

A.

TRUE

B.

FALSE

DDoS is an attack in which an attacker sends a small number of non-traffic-type abnormal packets over the network to the attack target (usually a server, such as DNS or web), so that the attacked server crashes or becomes busy when it parses the packets.

A.

TRUE

B.

FALSE
