EMT Practice Test

1. Question Content...


Question List

Question1: Which of the following statements about hot standby is correct?

Question2: Which of the following attacks utilizes the mechanism that a host will respond after receiving UDP packets with destination ports 7 (ECHO) and 19 (Chargen)?

Question3: Which statement is false about client-side troubleshooting when using Agile Controller to protect endpoints?

Question4: What are the URL matching methods in the URL filtering function of the USG?

Question5: What aspects need to be checked for IPS (Intrusion Prevention) failures?

Question6: The USG and the Router establish a Site-to-Site IPsec VPN. Based on the following information, which of the following options may be correct?
<USG> display ike sa
current ike sa number: 0
<USG> display ipsec statistics
the security packet statistics:
......
negotiate about packet statistics:
IP packet ok: 0, err: 0, drop: 0
IP rcv other cpu to ike: 0, drop:
0
IKE packet inbound ok: 0, err: 0
IKE packet outbound ok: 0, err: 0
SoftExpr: 0, HardExpr: 0,
DPDOper: 0, SwapSa: 0
ModpCnt: 0, SaeSucc: 0,
SoftwareSucc: 0

Question7: A server on the network has been responding very slowly recently. By looking at its running status, it is found that its CPU and memory usage ratio is high, but there is little or no data transmission in these TCP session connections.
For the following judgments about this problem phenomenon, please choose the best one:

Question8: Which of the following are the IKE encryption algorithms supported by the USG firewall?

Question9: Which of the following descriptions about SACG certification is correct?

Question10: Configuration database mirroring fails in Agile Controller, which of the following descriptions are correct?

Question11: In a new campus network of an enterprise, there is a requirement for ordinary PC users and dumb terminal users to connect to the Internet at the same time under an access switch.
Which authentication method is recommended to be deployed on this switch?

Question12: A PC receives a fragmented package as shown in the figure below. According to the following package information, which of the following options is correct?

Question13: In the Anti-DDoS abnormal traffic cleaning solution, the correct recommendations for planning and deployment are:

Question14: Regarding the authentication mode of 802.1X, which of the following descriptions are correct?

Question15: Due to the network upgrade of the new USG_A and USG_B software versions, how to upgrade without affecting services:
USG_A is Active device, USG B is Standby device
① Log in to USG_B through Telnet or SSH. The operations are as follows:
[USG-B] hrp enable
② Log in to USG_A through Telnet or SSH. The operations are as follows:
HRP_M [USG_A] undo hrp enable
③ Execute the undo hrp enable command on USG_B, then upgrade the software version of USG_B, and restart the USG_B device.
④ Upgrade the software version of USG_A and restart the USG_A device.
⑤ Test whether the USG_B service is normal.

Question16: In the L2TP Over IPsec scenario, the central node uses the IPsec template, how to configure the IPsec Security ACL on the LNS at this time?

Question17: When using the SSL VPN network extension function, the virtual IP address pool can be set to the same network segment as the IP address of the internal network interface of the device.
If the virtual IP address pool and the IP address of the intranet interface are not in the same network segment, manually configure the route to the address pool on the device, the outgoing interface is the intranet interface, and the next hop is the next hop of the intranet interface.

Question18: The correct order of URL filtering processing flow is:
① The NGFW matches the URL information with the blacklist.
② The NGFW matches the URL information with the whitelist.
③ NGFW matches URL information with custom categories.
④ Start remote server classification query.
⑤ NGFW matches URL information with predefined categories in the local cache.

Question19: A network deploys the AntiDdos cleaning equipment at the network nodes in a bypass mode, and conducts bidirectional drainage and cleaning for the traffic drawn to the cleaning equipment.
The following networking is correct:

Question20: The ISO27000 series includes several security standards, which of these standards are relevant to information security technology risk management:

Question21: In the abnormal traffic cleaning scheme, re-injection refers to sending the cleaned normal traffic back to the original link, and then forwarding it to the protection object.
In order to configure simple, and there are multiple back-injection interfaces, what specific back-injection technology implementations are required?

Question22: A company has the following requirements:
The intranet users in the Trust area are on the 192.168.1.0/24 network segment and can access the Internet. There are a total of 50 hosts (192.168.1.1-192.168.1.50) with a total curtain of 500M.
The following plans are reasonable:

Question23: Comparing the two technologies of mail content filtering and RBL filtering, the correct statement is:

Question24: When using the UTM function, the link state detection function can be disabled to prevent packet loss due to failure of the firewall state detection when network packets are inconsistent with the round-trip paths.

Question25: The following configuration commands are executed on the normal running USG firewall on the live network, but the interaction of ARP packets is still not seen. Which of the following commands need to be supplemented?
<USG> system-view
[USG] info-center enable
[USG] info-center source arp channel console debug level debugging
[USG] info-center console channel console
<USG> debugging arp packet

Question26: Mobile employees access the headquarters through an L2TP over IPsec tunnel. The correct statement about planning and deployment is:

Question27: For the admission control of the existing wired network, the SACG authentication scheme is recommended. What are the advantages?

Question28: If you use a mobile terminal (Android or Apple system) to access intranet resources through a web proxy, which of the following methods should be recommended?

Question29: In the USG, the planning UTM statement is correct

Question30: There are multiple real servers in an enterprise network that provide FTP services to the outside world, and the load balancing function is configured to ensure the load balancing of traffic flowing through the USG.
The administrator hopes that by detecting the real server status, the load ratio of each server is the same as the weight ratio. The following suitable configurations are:

Question31: Which of the following is correct for the functional comparison of NIP5000 and NIP5000D:

Question32: An FTP server ( DMZ ) on the existing network of the enterprise provides FTP services to the outside ( Untrust ), and a USG firewall is deployed on the external network port.
The following information is obtained by capturing packets on the FTP server:
Sequence Number Source Address Destination Address Protocol Packet Summary
1 1.1.1.1 192.168.1.2 TCP 3318>21 [SYN] Seq=0 Len=0 MSS=1460
2 192.168.1.2 1.1.1.1 TCP 21>3318 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
3 1.1.1.1 192.168.1.2 TCP 3318>21[SYN] Seq=1 Ack=1 Win=65535 Len=0
......
13 1.1.1.1 192.168.1.2 FTP Request: PASV
14 192.168.1.2 1.1.1.1 FTP Response: 227 Entering Passive Mode (192, 168, 1, 2, 4, 162)
15 1.1.1.1 192.168.1.2 TCP 3319>1186 [SYN] Seq=0 Len=0 MSS=1460
16 192.168.1.2 1.1.1.1 TCP 1186>3319 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
17 1.1.1.1 192.168.1.2 TCP 3319>1186 [SYN] Seq=1 Ack=1 Win=65535 Len=0
.....
The following descriptions are correct:

Question33: Which of the following descriptions about IP-Link is incorrect?

Question34: Which of the following statements about hot standby is correct?

Question35: Which of the following tasks need to be completed before configuring an IPsec security policy?

Question36: In the TCP spoofing attack, in order to establish a fake TCP connection with the victim host, the attacker must obtain the key information in the TCP session through calculation or guessing:

Question37: The packet encapsulation of L2TP Over IPsec is:

Question38: Which fields in the packet need to be analyzed in the firewall's IP packet fragmentation and reassembly?

Question39: Which protocols can the NGFW perform virus scanning and corresponding processing on files transmitted by?

Question40: In the Remote Access VPN scenario, the remote PC uses the Secoway VPN Client and the firewall to establish a VPN. Which of the following statements is correct?

Question41: Regarding the Internet access area in the data, the correct planning and deployment suggestions are:

Question42: For a registered USB storage device, if the administrator restricts the device to be used by designated personnel, the device can only be used on designated terminals; if the administrator does not configure the authorization rules for the USB storage device, no one can use the device.

Question43: The correct description of the no-reverse parameter in the firewall NAT Server configuration command is:

Question44: The firewall is deployed between the mobile terminal of the wireless user and the WAP gateway, the mobile terminal is in the trust zone, and the WAP gateway is in the untrust zone, and the following configurations are made:
[USG] ad 3000
[USG-acl-adv-3000] rule permit ip destination 202.10.10.2 0
[USG-acl-adv-3000] quit
[USG] fir-all zone trust
[USG-zone-trust] destination-nat 3000 address 200.10.10.2
[USG-zone-trust] quit
The following descriptions are correct:

Question45: MAC authentication is applicable in which of the following situations?

Question46: When configuring the address set on the firewall, the configuration command is as follows:
[sysname] ip address-set abc type object
[sysname-object-address-set-abc] address 192.168.1.1 0
[sysname-object-address-set-abc] address 192.168.2.0 mask 24
The following descriptions are correct:

Question47: Next-generation firewalls perform content inspection at each UTM module (AV, IPS, URL filtering).

Question48: Which of the following packets can be unicast packets

Question49: The terminal uses Agent for 802.1x authentication, the IP address of SC and Radius server is 172.18.10.68, and it always prompts network communication failure during authentication;
Viewing the Radius authentication log shows that the Radius authentication is successful and the authorization is ACL3001. The switch configuration is as follows:
dot1x enable
dot1x authentication-method eap
radius-server template lzy
radius-server shared-key simple 123456
radius-server authentication 172.18.10.68 1812
radius-server accounting1 72.1 3.10.63 1813
radius-server authorization 172.18.10.68 shared-key simple 123456
aaa
authentication-scheme default
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 3
domain default
authentication-scheme auth
accounting-scheme acco
radius-server lzy
interface GigabitEthernet0/0/14
description connect 222
port hybrid pvid vlan 105
port hybrid untagged vlan 105
dot1x enable
acl number 3001
rule 1 permit ip destination 172.18.100.235 0
rule 2 permit ip destination 172.18.100.237 0
rule 10 deny ip
What could be the reason for the failure of network communication?

Question50: As shown in the figure, the routing example between the virtual firewall vpn1 and the root firewall needs to be configured.
Which of the following is correct:

Question51: In the dual-system hot-standby network, the service interface works at Layer 3, the upstream and downstream are connected to the router, the firewall and the upstream and downstream run an OSPF process, which provides the dual-system hot-standby burden sharing network, and the firewall provides the NAT function. The following Incorrect planning deployment advice:

Question52: In the Agile Controller solution, the USG is used for hardware SACG access authentication.
According to the following information:
<USG6700> display right-manager role-id rule
Advanced ACL 3099, 5 rules, not binding with vpn-instance
Acl's step is 1
rule 1000 permit ip (1200 times matched)
rule 1001 permit ip destination 172.13.11.2210 (501 times matched)
rule 1002 permit ip destination 172.10.11.223 0 (77 times matched)
rule 1003 permit ip destination 172.19.0.0 0.0.255.255 (0 times matched)
rule 1004 deny ip (507759 times matched)

Question53: The IPsec status information of a network is as follows, [USG A] display ike sa
current ike sa number: 2
-------------------------------------------------- -------------------------------------
conn-id peer flag phase vpn
-------------------------------------------------- --------------------------------------
40006 <unnamed> NONE v1:2 public
40004 1.1.1.2 RD|ST v1:2 public
2012-08-08 15:05:15 USG %%01IKE/4/WARNING (I): phase2: proposal or pfs dh-group up mismatch, please check ipsec proposal and pfs dh-group configuration.
*0.1921499990 USG IKE/7/DEBUG: got NOTIFY of type NO_PROPOSAL_CHOSEN
Which of the following options is a possible cause of failure?

Question54: The Trust zone of the USG firewall of a certain network is connected to the terminal host, and the Untrust zone is connected to the security controller. If the security controller can issue rules to the USG, which of the following security policies must be configured?

Question55: If the hardware security access control gateway adopts the next generation firewall, in "Policy > Admission Control > SAC Configuration > Hardware SACG", select the "Controlled Domain" tab, and add the controlled domain ERP (172.10.11.1/32 ) and DB_Oracle ( 172.10.12.32/32 ), then query the firewall configuration through the CLI to obtain the following information:
display acl all
............
Advanced ACL 3100, 1 rule, not binding with vpn-instance
Acl's step is 1
rule 1 deny ip (0 times matched)
Advanced ACL 3101, 1 rule, not binding with vpn-instance
Acl's step is 1
rule 1 permit ip (0 times matched)
Advanced ACL 3102, 1 rule, not binding with vpn-instance
Acl's step is 1
rule 1 deny ip destination 172.13.11.10 (0 times matched)
Advanced ACL 3103, 1 rule, not binding with vpn-instance
Ad's step is 1
rule 1 permit ip destination 172.13.11.10 (0 times matched)
Advanced ACL 3354,
Which of the following statements is correct about the above ACL configuration?

Question56: The customer has a USG6000, and the remote PC wants to access the intranet through l2tp over ipsec, but the dial-up through the vpn client software is unsuccessful.
1 View ike sa during dialing:
<USG6000>dis ike sa
20:54:36 2013/06/19
current ike sa number: 2
-------------------------------------------------- -----------------------------
conn-id peer flag phase vpn
-------------------------------------------------- ------------------------------
40051 <unnamed> NONE v1:2 public
40050 2.2.2.2:12485 NONE v1:1 public
2 debugging ipsec error:
2013-06-19 20:54:21 USG2100 %%01IKE/4/WARNING (I): phase2: security acl mismatch.
*0.46319980 USG IKE/7/DEBUG: Get IPsec policy: get IPsec policy failed
*0.46319930 USG IKE/7/DEBUG: validate_prop: no IPsec policy found
*0.46319980 USG IKE/7/DEBUG: dropped message from 2.2.2.2 due to notification type
INVALID ID INFORMATION
Which statement about this problem is correct?

Question57: The log information output of the USG firewall is as follows:
%2014-07-31 11:15:45 USG6600 %%01BLACKLIS/4/BIkListAddOk(I):
A blacklist entry was changed.
(SyslogId=100, IpVemion=IPv4, SrcIp=172.18.9.2, DstIp=any, SrcPort=any, DstPort=any, Protocol=any, Use=any, VfwId=0, Vfw=public, List_Type=blacklist, Reason=Login incorrect password, Action=Add, DstPort=any, Timeout=10 min)
%2014-07-31 11:15:44 USG6600 %%01HTTPD/4/FAIL (I): User admin (IP: 172.18.9.2 ID: 27) login failed
%2014-07-31 11:15:44 USG6600 %%01AAA/4/LOCK (I): The user was locked out. (User Name =admin, Lock Time=10, Lock Reason=password incorrect for 3 times)
The following descriptions are correct:

Question58: Regarding the trigger mechanism of 802.1X authentication, which of the following descriptions are correct?

Question59: A company is engaged in e-commerce through the Internet, and the enterprise network trading platform supports online settlement of credit cards. In order to meet the payment card industry data security standard PCI-DSS, the enterprise needs to deploy Huawei's firewall, VPN, log design and other security products.
At present, the project has completed the project design and product procurement. What necessary work needs to be done before it is officially launched for commercial use?

Question60: What functions does content filtering include in the Huawei USG firewall?

Question61: The difference between IKEv1 and IKEv2, which of the following descriptions are correct?

Question62: What are the methods for firewalls to diagnose forwarding faults?

Question63: View the session table information on the firewall as follows:
[USG] display firewall session table verbose
icmp VPN: public --> public
Zone: trust --> untrust TTL: 00:00:20 Left: 00:00:15
Interface: GigabitEthernet0/0/4 Nexthop: 2.2.2.2 MAC: 00-00-00-00-00-00
<-- packets: 0 bytes: 0 --> packets: 5 bytes: 420
192.168.1.2:44012[1.1.1.3:6103] --> 2.2.2.2:2048
The following descriptions are correct:

Question64: Which statement is true about certificate OCSP and CRL technology?

Question65: In the abnormal traffic cleaning solution, automatic drainage means that the detection device reports abnormal traffic to the management center, and the management center automatically generates drainage tasks and automatically sends drainage tasks to the cleaning device.
Which specific drainage technology is generally required to achieve automatic drainage?

Question66: NIP5000 devices support setting some interfaces to IDS mode.

Question67: The following configuration, when the physical state of interface G0/0/1 goes down, what will happen to the switch switch?
PC ----------------- (G0/0/1) FW (G0/0/2) ---------------- Switch
#
interface GigabitEthernet0/0/1
link-group 1
interface GigabitEthernet0/0/2
link-group 1
#

Question68: When the network traffic is heavy, if you do not want the downstream network to be congested or directly discard a large number of packets due to the excessive data traffic sent by the upstream, you can limit and cache the traffic on the outbound interface of the upstream device, so that such packets can be compared with each other. Send out at an even speed.
This technique can be:

Question69: In Huawei NGFW, the network with inconsistent packet return paths is as follows, using the IPS function, which of the following statements is correct?

Question70: IPsec tunnel communication is used between the headquarters and branch offices, in order to ensure the security of data transmission on the Internet. The administrator uses the dual-system hot backup function to improve the reliability of the communication between the headquarters and the branch offices, so as to avoid the failure of one USG in the headquarters and the failure of the branch offices to access the headquarters.
According to the following network diagram, which of the following statements is correct?

Question71: By viewing the configuration information of a USG firewall running normally on the live network, the following information is obtained:
#
ip service-set http 8080 type object
service 0 protocol tcp destination-port 8080
#
security-policy
rule name untrust_to_dmz1
source-zone untrust
destination-zone dmz
service ftp
destination-address 192.168.5.3
32
action permit
rule name un trust_to_dmz2
source-zone untrust
destination-zone dmz
service service-set http_8080
destination-address 192.168.5.2
32
action permit
#
Which of the following statements is incorrect:

Question72: The networking of a network is as follows: PC----ADSL router-----USG-----LAN
The key configurations of the USG are as follows:
l2tp enable
interface Virtual-Template1
ppp authentication-mode pap
ip address 4.1.1.1 255.255.255.0
remote address pool 1
l2tp-group 1
mandatory-Icp
allow 12tp virtual-template 1
#
user-ma page user pc1
password admin@123
aaa
domain default
ip pool 1 4.1.1.1 4.1.1.99
Assuming that other configurations are complete and correct, what is the problem with this configuration in actual work?

Question73: The centralized networking scheme of three servers, as shown in the figure, the administrator found that only one of the three Agile Controllers in the resource pool was alive.
In this case, which of the following statements is correct?

Question74: In the scenario of dual-system hot backup of firewalls, IPsec VPN does not support real-time backup of tunnels.

Question75: Which of the following functions are functions of SSL VPN?