EMT Practice Test

1. Question Content...


Question List

Question1: Accessing the headquarters server through the IPSec VPN from the branch computer. The IPSec tunnel can be established normally, but the service is unreachable. What are the possible reasons?

Question2: The ip-link sends a probe packet to the specified IP address. By default, after 3 probe failures, the link to this IP address is considered faulty.

Question3: What are the following VPN protocols that do not provide encryption?

Question4: The SSL VPN authentication login is unsuccessful and the message "Bad username or password" is displayed.
Which one is wrong?

Question5: Which of the following statements is true for virtual service technology?

Question6: The branch firewall of an enterprise is configured with NAT. As shown in the figure, USG_B is the NAT gateway. The USG_B is used to establish an IPSec VPN with the headquarters. Which parts of the USG_B need to be configured?

Question7: The enterprise network is as shown in the figure. On the USG_A and USG_B, hot standby is configured, and USG_A is the master device. The administrator wants to configure SSL VPN on the firewall so that branch employees can access the headquarters through SSL VPN. Which virtual gateway address should the SSL VPN be?

Question8: Connecting the internal network interface address from the firewall By pinging the internal network address of the peer, the IPSec tunnel can be successfully triggered. The internal PC cannot trigger the tunnel establishment. What are the possible reasons?

Question9: The following figure shows the data packet of the pre-shared key mode main mode exchange process in the first phase of IKE V1. What is captured below?

Question10: SSL works at the application layer and encrypts specific applications. Which layer does IPSec work on and provides transparent encryption protection for this layer and above?

Question11: When an attack occurs, the result of packet capture on the attacked host (1.1.1.1) is as shown in the figure.
What kind of attack is this attack?

Question12: On the USG, you need to delete sslconfig.cfg in the hda1:/ directory. Which of the following commands can complete the operation?

Question13: SSL VPN authentication is successful. Using the file sharing function, you can view directories and files, but you cannot upload, delete, and rename files. What are the possible reasons?

Question14: Virtual firewall virtualizes multiple logical firewalls on a physical firewall device and implements multiple instances?

Question15: In IPSec VPN, which one is incorrect about the difference between the barbaric mode and the main mode?

Question16: The firewall device defends against the SYN Flood attack by using the technology of source legality verification. The device receives the SYN packet and sends the SYN-ACK probe packet to the source IP address host in the SYN packet. If the host exists, it will Which message is sent?

Question17: Regarding the virtual gateway type exclusive and shared type, what are the following statements correct?

Question18: The dual-system hot standby networking environment is as shown in the following figure: VRRP group 1 and
2 are added to the VGMP management group, USG_A is the master device, and USG_B is the standby device.
When the USG_A has a fault Status, such as power failure, the USG_B status is switched from Slave to Master. After the USG_A is faulty, its status is switched back to Master and the USG_B status is still Master.
What is the reason for this now?

Question19: Based on the following information analysis on the firewall, which of the following options are correct?

Question20: The SSL VPN authentication is successful, but the Web-link resources cannot be accessed. What is the correct one?

Question21: Virtual firewall technology can achieve overlapping IP addresses.

Question22: After the NAT server is configured (no-reverse parameter is added), the firewall automatically generates static Server-Map entries. The first packet matches the Server-Map entry and does not match the session table.

Question23: What are the correct statements about the IP address scanning attack and prevention principles?

Question24: As shown in the figure, the firewall is dual-system hot standby. In this networking environment, all service interfaces of the firewall work in routing mode, and OSPF is configured on the upper and lower routers.
Assume that the convergence time of OSPF is 30s after the fault is rectified. What is the best configuration for HRP preemption management?

Question25: 112. The ESP only verifies the IP payload and can perform NAT traversal, but the ESP encrypts the Layer 4 port information and causes the PAT function to be unusable. This problem can be solved by using the IPSec transparent NAT function, which encapsulates the ESP packet in the UDP header and comes with the necessary port information to make the PAT work normally.

Question26: In dual-system hot backup, the backup channel must be the primary interface on the interface board. Which type is not supported?

Question27: What are the three elements of an abnormal flow cleaning solution?

Question28: 87. The SSL VPN scenario under dual-system hot standby is shown in the following figure. The administrator has enabled the SSL network extension function. The following is about the configuration of the SSL VPN function.

Question29: A user wants to limit the maximum bandwidth of the 192.168.1.0/24 network segment to 500M, and limit all IP addresses in the network segment to maintain a bandwidth of 1M. How should I configure a current limiting policy for this requirement?

Question30: After the link-group is configured on the device, use the display link-group 1 command to obtain the following information. What information can I get?

Question31: When an IPSec VPN is set up on both ends of the firewall, the security ACL rules of both ends are mirrored.

Question32: The malformed packet attack technology uses some legitimate packets to perform reconnaissance or data detection on the network. These packets are legal application types, but they are rarely used in normal networks.

Question33: In the application scenario of the virtual firewall technology, the more common service is to provide rental services to the outside. If the virtual firewall VFW1 is leased to enterprise A and the virtual firewall VFW2 is leased to enterprise B, what is the following statement incorrect?

Question34: The management control information and service information of the out-of-band management interface are sent on the same channel.

Question35: In the IPSec VPN, the digital certificate is used for identity authentication. If the IKE main mode is used for negotiation, the certificate verification is completed in message 5 and message 6.

Question36: The first packet discarding technology of Huawei Anti-DDoS devices can defend against attack packets that continuously change the source IP address or source port number. The following is incorrect about the first packet discarding technology?

Question37: The following figure shows the L2TP over IPSec application scenario. The client uses the pre-shared-key command to perform IPSec authentication. How should the IPSec security policy be configured on the LNS?

Question38: The constraints of the policy in the traffic limiting policy include quintuple, time period, user identity, and application protocol.

Question39: Avoid DHCP server spoofing attacks. DHCP snooping is usually enabled. What is the correct statement?

Question40: Two USG firewalls failed to establish an IPSec VPN tunnel through the NAT traversal mode. Run the display ike sa command to view the session without any UDP 500 session. What are the possible reasons?

Question41: In the first phase of IKE V1, the pre-shared key master mode exchange process, in which message is the SA payload sent?

Question42: Which of the following is the correct description of the SMURF attack?

Question43: Which of the following encryption methods does IPSec VPN use to encrypt communication traffic?

Question44: The hot standby and IPSec functions are combined. Which of the following statements is correct?

Question45: To ensure the normal forwarding of large traffic, a network administrator of a company uses two firewalls to implement hot standby. As shown in the following figure, when the configuration is complete, it is found that when A of the two firewalls fails, the data stream being transmitted before the fault has been seriously lost, but the newly transmitted data stream can work normally after the fault. What could be the cause of this phenomenon?

Question46: About load balancing, the following configuration is available: [USG] slb enable [USG]slb [USG-slb] rserver
1 rip 10.1.1.3 weight 32 [USG-slb] rserver 2 rip 10.1.1.4 weight 16 [USG-slb] rserver 3 rip 10.1.1.5 weight 32
[USG-slb] group test [USG-slb-group-test]metric srchash [USG-slb-group-test] add rserver 1
[USG-slb-group-test] add rserver 2 [ USG-slb-group-test] add rserver 3 Which of the following statements is correct?

Question47: The topology diagram of the BFD-bound static route is as follows: The administrator has configured the following on firewall A: [USG9000_A] bfd [USG9000_A-bfd] quit [USG9000_A] bfd aa bind peer-ip 1.1.1.2
[USG9000_A- Bfd session-aa] discriminator local 10 [USG9000_A-bfd session-aa] discriminator remote 20
[USG9000_A-bfd session-aa] commit [USG9000_A-bfd session-aa] quit What are the correct statements about this segment?

Question48: In the active/standby mode of the USG dual-system hot backup, the service interface works at Layer 3, and the upstream and downstream routers are connected. The administrator checks that the USG_A state has been switched to HRP_M[USG_A] and the USG_B state is also HRP_M[USG_B]. What are the most likely reasons?

Question49: What are the correct descriptions of IPSec and IKE below?

Question50: In the dual-system hot backup, when the slave does not receive the hello packet of the HRP sent in the HRP hello packet period, the slave device is considered to be faulty.

Question51: The figure shows the data flow direction of the Bypass interface in the Bypass working mode and the non-Bypass working mode. What are the following statements about the working flow of the electrical Bypass interface?

Question52: What are the following attacks that are malformed?

Question53: Both AH and ESP protocols of IPSec support NAT traversal

Question54: Load balancing implements the function of distributing user traffic accessing the same IP address to different servers. What are the main technologies used?

Question55: What is the correct description of IKE?

Question56: Which of the following statements about the blacklist is correct?

Question57: USG A and USG B are configured with a static BFD session. The following is true about the process of establishing and tearing down a BFD session.

Question58: What are the drainage schemes that can be used in the scenario of bypass deployment in Huawei's abnormal traffic cleaning solution?

Question59: As shown below, the domain abc address pool is the address pool where the L2TP VPN user is located. What is wrong with the following statement?

Question60: Which of the following statements is true about L2TP over IPSec VPN?

Question61: The default interval for sending VGMP hello packets is 1 second. That is, when the hello packet sent by the peer is not received within the range of three hello packets, the peer is considered to be faulty. Master status.

Question62: An administrator can view the IPSec status information and debugging information as follows. What is the most likely fault?

Question63: In the case of IPSec VPN NAT traversal, you must use IKE's aggressive mode.

Question64: 134. Which of the following is the connection status data to be backed up in the HRP function?

Question65: In the IDC room, a USG firewall can be used to divide into several virtual firewalls, and then the root firewall administrator generates a virtual firewall administrator to manage each virtual firewall.

Question66: In a dual-system hot standby network, the NAT configurations of the two USGs are consistent. When the address in the NAT address pool is on the same network segment as the virtual IP address of the VRRP backup group, the next two graphs show the ARP response of the NAT server and VRRP combination application (lack of a picture).

Question67: In the application scenario of IPSec traversal by NAT, the active initiator of the firewall must configure NAT traversal, and the firewall at the other end can be configured without NAT traversal.

Question68: Which of the following attacks is a SYN Flood attack?

Question69: What are the following attacks that are special message attacks?

Question70: Two USG firewalls establish an IPSec VPN through the Site to Site mode. When viewing the status of a USG A, the following is displayed: display ipsec statistics the security packet statistics: input/output security paskets: 40 input/output security bytes: 400/0 input /output dropped security packets: 0/0 By status information, what information can be obtained correctly?

Question71: When the ip-link link health check is performed, if it is unable to receive the message several times in the absence of the link, it will be considered as a link failure.

Question72: The interaction process of the firewall linkage NIP intrusion detection device is: 1. record the intrusion process, alarm log record; 2. NIP for attack detection; 3. reconfigure the firewall; 4 terminate the intrusion Which of the following correct interaction sequences is the same?

Question73: The server health check mechanism is enabled on the USG firewall of an enterprise to detect the running status of the back-end real server (the three servers are Server A, Server B, and Server C). When the USG fails to receive the response from Server B multiple times. When the message is received, Server B will be disabled and the traffic will be distributed to other servers according to the configured policy.

Question74: What is the correct statement about the Eth-trunk function?

Question75: A data flow has established a session in the firewall. If the packet filtering policy corresponding to the data is modified, how should the firewall execute?

Question76: The following scan snoop attacks are:

Question77: The principle of HTTPS Flood source authentication defense is that the Anti-DDoS device replaces the SSL server with the client to complete the TCP three-way handshake. If the TCP three-way handshake is complete, the HTTPS flood source authentication check is successful.