HCIP-Security-CISN V3.0 mock exam

1.(Single-choice) After a BFD session is established, the two systems periodically send BFD
control packets to each other. If a system does not receive any packet from the peer within the
detection time, the BFD session is considered Down. Which BFD detection mode is this?
A.Synchronous mode
B.Detection mode
C.Asynchronous mode
D.Query mode

2.(Multi-choice) Which of the following are the backup items in the HRP function?
A.ServerMap table entry
B.Routing table
C.Dynamic blacklist
D.Session table entry

3.(Single-choice) When IP-Link performs a link health check, by default, how many consecutive
failures to receive a response packet indicate that there is a link fault?
A.One time
B.Two times
C.Three times
D.Four times

4.(Multi-choice) When the USG firewall performs hot-standby switching, in which of the following
deployment modes does the service port send gratuitous ARP packets?
A.Routing mode + switch
B.Routing mode + router
C.Switching Mode + Switch
D.Switching Mode + router

5.(True or False) The default VGMP HELLO packet transmission interval is 1 second. When no
HELLO packet is received from the peer within the period of three HELLO packets, the local device
considers the peer to be faulty and switches itself to the master state.

6.(Multi-choice) Which of the following are not packets sent during IP-Link probing?
A.ARP Packet
B.IGMP Packet
C.ICMP Packet
D.Hello Packet

7.(Multi-choice) By default, which sessions will not be backed up by a USG6000 firewall in
dual-system hot backup mode?
A.IPSec tunnels and sequence numbers
B.Sessions to the firewall itself
C.PAT-based port mapping table
D.Half-open TCP sessions that have not completed the three-way handshake

8.(Multi-choice) Which of the following VPN protocols do not provide the encryption function?

9.(True or False) IPSec tunnels can use GRE over IPSec to transmit multicast packets.

10.(Single-choice) An SA is uniquely identified by a triple. Which of the following does not
belong to the triple?
A.Security parameter index
B.Security Protocol Number
C.Sequence Number
D.Destination IP address

11.(True or False) IPSec's AH and ESP protocols support NAT traversal.

12.(Single-choice) When an IPSec VPN uses a digital certificate for identity authentication, which
of the following options is not used to check whether a digital certificate is valid?
A.Certificate signature
B.CRL certificate SN
C.Public key of the certificate
D.Validity period of the certificate

13.(Multi-choice) About the services supported by SSL VPN, which of the following statements
are correct?
A.The web proxy service implements page access without clients. An HTTP session is established
between the remote user and virtual gateway of the firewall. Then the virtual gateway of the
firewall establishes an HTTPS session with the web server.
B.The file sharing service provides the shared resources of different system servers as web pages
for users to access.
C.Port forwarding forwards the UDP packets with the specified destination IP address and port
to ensure that the client can access the specified resources on the intranet.
D.The remote client of the network extension service automatically installs the vNIC to obtain
the virtual IP address. In this way, the remote client can use various services and access any
intranet resource.

14.(Single-choice) Which of the following descriptions of the authentication methods for
SSL VPN virtual gateways is wrong?
A.Local authentication means that the user name and password of the SSL VPN user are saved
locally on the firewall and user authentication is completed on the firewall.
B.Server authentication means that the user name and password of the SSL VPN user are stored
on the remote server, and user authentication needs to be completed on the server.
C.Certificate Anonymous authentication means that the firewall verifies the user's identity only
by verifying the validity of the client's certificate and password.
D.Certificate Challenge Authentication refers to authenticating the client certificate together
with local authentication or server authentication.

15.(Single-choice) Which of the following descriptions of the SSL security protocol components
and their roles is correct?
A.The SSL Recording Protocol is responsible for fragmenting and compressing upper-layer
data, and for calculating and adding MACs.
B.The SSL Handshake Protocol is responsible for notifying the receivers that subsequent
messages will be protected and transmitted using the newly negotiated encryption algorithm
list and key.
C.SSL Password Change Protocol is responsible for allowing one party to report alarm
information to the other party. The message contains the severity and description of the alarm.
D.SSL Warning Protocol The client and server establish a session through the handshake

16.(True or False) Parent and child policies cannot reference the same traffic profile.

17.(Multi-choice) Which of the following options can serve as the matching conditions of rules
in traffic policies?
A.Source security zone or inbound interface
C.URL category
D.DSCP priority

18.(Single-choice) The maximum bandwidth divided by the number of online IP addresses is
used as the maximum bandwidth of each IP address. Which of the following bandwidth
allocation modes does this describe?
A.Bandwidth multiplexing
B.Dynamic equal distribution
C.Traffic profiles in shared mode
D.Traffic profiles in exclusive mode

19.(Multi-choice) Which of the following options are characteristics of virtual systems?
A.Independent management
B.Independent entries
C.Independent resources
D.Traffic isolation

20.(Multi-choice) Which of the following options are used in quota allocation?
A.SSL VPN virtual gateways
B.Security zones

Answers: 1.C  2.ACD  3.C  4.AB  5.T  6.BD  7.BD  8.BCD  9.T  10.C  11.F  12.C  13.BD  14.C  15.A
16.T  17.ACD  18.B  19.ABCD  20.AB

