
What filtering conditions are available for policy on Hillstone firewall?

1. IP address
2. MAC address
3. Application
4. Service

How to configure the address of the tunnel interface when creating a new SSL VPN instance (select
correct answers):

1. The tunnel interface should not overlap with the address pool
2. There is no need to assign an IP address for the tunnel interface
3. The tunnel interface and address pool should be in the same IP address segment
4. The tunnel interface should not overlap with the interfaces that exist in the device

Does the command take effect immediately after inputting under the CLI:

1. NO, need to type “save” first
2. NO, need to type “apply” first
3. NO, need to reboot
4. Yes

Authentication methods supported by IKE IPSecVPN phase 1 are:

1. USB-Key
2. DSA-Signature
3. RSA-Signature
4. Pre-share Key

What is the default HTTP management port number?

1. 8080
2. 8081
3. 443
4. 80

What is the function of “sticky” of the SNAT configuration:


1. Make sure every packet with the same source IP address will be translated to the same IP
address
2. Make sure every packet with the same destination IP address will be translated to the
same IP address
3. StoneOS will poll the SNAT address pool to translate packets
4. As one-to-one IP translate

What are the supported translation modes for SNAT?

1. Static address translation
2. Dynamic address translation
3. Port mapping
4. Dynamic port Translation

One policy rule was bound to the schedule as below, so during what time period will that policy
take effect?

1. Effective from 2021-05-01 0:00 to 2021-07-31 0:00
2. Effective 12:00-18:00 everyday
3. Effective 12:00-18:00 everyday from 2021-05-01 to 2021-07-30
4. Effective 12:00-18:00 everyday from 2021-05-01 to 2021-07-31

Firewall is the server of the SSL VPN. If the client failed to connect to SSL VPN server, what is the
possible reason?

1. TCP 1701 port is not available
2. UDP 500 port is not available
3. UDP 4500 port is not available
4. TCP 4433 port is not available

Correct statement about formal platform license is:

1. A device with a 1 year platform license could not work continually without a new platform
license after the old license expired
2. A device with a 1 year platform license could keep running after the license expired,
and could upgrade to a new StoneOS version
3. A device with a 1 year platform license could keep running after the license expired,
but could not upgrade to a new StoneOS version
4. The time of the formal platform license is the device’s power on hours

Which command is used to check IPSec VPN phase 2 negotiation status on firewall device?

1. Show isakmp sa
2. Show tunnel ipsec auto
3. Show ipsec sa
4. Show isakmp peer

As shown in the figure of the Hillstone firewall’s security policy rules, the LAN zone is Trust and
the WAN zone is Untrust. If we want to allow the internal users to access the internet, but not to
have access to web videos, what policy configuration is needed?

1. Create new policy, the application is web video, the action is deny. Position is after ID 2
2. Create new policy, the application is web video, the action is deny. Position is after ID 1
3. Create new policy, the application is web video, the action is deny. Position is before ID 1
4. Create new policy, service is HTTP, and the action is deny. Position is before ID 1

Which pre-defined zone can be used to bind Vswitchif?

1. l2-untrust
2. trust
3. l2-dmz
4. l2-trust

What is the default policy action in StoneOS?

1. permit
2. from tunnel
3. deny
4. tunnel

In a site to site IPSecVPN instance using two Hillstone NGFWs, which IKE phase 2 mode should be
chosen?

1. Main mode
2. Aggressive mode
3. Transport mode
4. Tunnel mode

Correct statements about StoneOS are:

1. A real-time OS
2. Based on NP architecture
3. Modular parallel security architecture
4. A 64-bit OS

Hillstone Firewall supports policy import, what is the supported format?

1. .txt
2. .doc
3. .xls
4. .DAT

The SSLVPN host binding function is enabled at the server side. The hardware ID information
collected at the client includes:

1. Mainboard SN, hard disk SN, CPU ID and network card MAC
2. BIOS SN, mainboard SN, CPU ID and network card MAC
3. BIOS SN, hard disk SN, CPU ID and network card MAC
4. Mainboard SN, hard disk SN, CPU ID and BIOS SN

What is the command to import a license file in the Hillstone firewall via CLI?

1. Exec license license-string
2. Exec license install license-string
3. Import license license-string
4. License install license-string

Hillstone firewall is connected to two ISP links, ISP1 is the PPPoE line, ISP2 is a dedicated line,
and it is now required to forward video application traffic via the PPPoE line. Which of the
following policy based routes can meet this requirement?

1. PBR SourceAddress DestinationAddress Service Application Nexthop PBR 1
192.168.10.0/24 Any ANY Web Video 210.1.1.100
2. PBR SourceAddress DestinationAddress Service Application Nexthop PBR bound to
ethernet0/1 1 192.168.10.0/24 Any ANY Web Video ethernet0/4
3. PBR SourceAddress DestinationAddress Service Application Nexthop PBR bound to
ethernet0/3 1 192.168.10.0/24 Any ANY Web Video 210.1.1.100
4. PBR SourceAddress DestinationAddress Service Application Nexthop PBR bound to
ethernet0/1 1 192.168.10.0/24 Any ANY Web Video ethernet0/3

When configuring a QoS pipe, which of the QoS modes below can be selected to control the bandwidth:

1. Police
2. Monitor
3. Shape
4. Limit

Which dynamic route protocols does StoneOS support:

1. BGP
2. IS-IS
3. OSPF
4. RIP

Which of the VR statements below is correct?

1. The dynamic route protocol carries VR ID when transferring packets
2. The ingress interface of SIBR could be configured as trust-vr under the user-defined VR
page
3. The static route that is configured with VR as next hop has higher priority than gateway address
4. Addresses from different VR could overlap

Are the ARP learning and MAC learning functions enabled or disabled by default on the interface?

1. ARP learning is disabled; MAC learning is disabled
2. ARP learning is enabled; MAC learning is disabled
3. ARP learning is disabled; MAC learning is enabled
4. ARP learning is enabled; MAC learning is enabled

What are the default pre-defined Admin Roles in Hillstone Firewall?

1. Operator
2. Administrator
3. Administrator (read-only)
4. Auditor

“show version” command is used to check the firewall system information, which includes ()

1. Current StoneOS version
2. Device serial number
3. Running time
4. Device model

If the Hillstone firewall is required to record the NAT log, then which of the following operations is
correct?

1. Turn on the log function in the SNAT and DNAT rules
2. Turn on the log function in the SNAT and DNAT rules, while the NAT log needs to be
turned on in the log management as well
3. All Hillstone firewall devices support NAT log storage over three months
4. Turn on the NAT log in log management

How many firmware images can be stored in StoneOS at the same time?
1. 3
2. 4
3. 2
4. 1

The default management method to access the firewall device is ()?

1. https://192.168.0.1
2. http://192.168.0.1
3. https://192.168.1.1
4. http://192.168.1.1

Which standard is used to define VLAN?

1. IEEE 802.1Q
2. RFC 802.1Q
3. RFC 802.1P
4. IEEE 802.1P

What kind of check is matched first when a packet passes through the Hillstone NGFW device?

1. Whether there is a session
2. SNAT rule
3. Security policy
4. Destination router

Which command is used to check the IP addresses of all interfaces on the Hillstone firewall?

1. Show this
2. Show interface
3. Show ip route
4. Show version

How to view current configuration in CLI:

1. show configuration
2. show run
3. display configure
4. show this

After the official platform license expired, what will happen in Hillstone NGFW?
1. Device cannot be configured
2. Impact on network business operation, network disconnected
3. Unable to upgrade to the latest software version
4. IPS, AV, etc. function cannot be used normally

What are the correct descriptions of the threat protection rule on Hillstone firewall?

1. If a protection rule is set on zone and policy at the same time, it will first match the zone
and then match the policy
2. If a protection rule is set on zone and policy at the same time, it will first match the policy
and then match the zone
3. Protection rules can be used in multiple zones or policies
4. If a protection rule is set on zone and policy at the same time, only the policy one will be
matched

Hillstone firewall is used for auditing purposes only, such as statistics and traffic monitoring; it
does not forward or limit business traffic. Which deployment mode is used?

1. Routing mode
2. Mix mode
3. Transparent mode
4. Tap mode

In the StoneOS, which of the descriptions about the security zone is correct?

1. The security zone is the collection of interfaces or networks, which is not the
characteristics of the router
2. The default predefined security zone has special meaning, such as the internal
network server must be bound in the DMZ zone.
3. Default predefined security zone can be deleted
4. The network can be physically isolated by the security zone

One layer 3 interface of the Hillstone NGFW is set as the gateway for all intranet PCs, and the NGFW
device is bound with all IP and MAC addresses in the intranet. If we want to block the internet access
of a PC that changed its IP address, which command should we execute on that interface?

1. No arp-learning
2. No mac-learning
3. No arp-inspection
4. No shutdown

In a multi-link scenario, which routing function can be used to route traffic of different
service/application into different paths?

1. Source route
2. Source interface route
3. Policy-based route
4. ISP route

Please choose the correct explanation for DNAT setting in NGFW?

1. DNAT technology is to translate the source address of the user request message
2. When internal network users access DNAT rules, the source address of the policy is the
private IP address, the destination address is the real IP of the server
3. When external network users access DNAT rules, the source zone of the policy is the zone of
the WAN interface, the destination zone is the zone of servers
4. When external network users access DNAT rules, the source address of the policy is the
public IP, the destination address is the real IP of the server

Which management method is enabled by default on the management interface e0/0 or MGT0 on
Hillstone firewall?

1. https
2. telnet
3. http
4. snmp

What is the default admin account (username/password) of Hillstone NGFW?

1. Hillstone/hillstone
2. Admin/admin
3. Hillstone/admin
4. Admin/hillstone

Which kind of deployment mode is supported by Hillstone firewall?

1. Tap mode
2. Transparent mode
3. Routing mode
4. Mix mode

What are the correct descriptions for system architecture of StoneOS?

1. By default, all layer 2 zones are bound to virtual switch Vswitch1
2. One interface can be bound to multiple zones
3. One zone can bind multiple interfaces
4. By default, all layer 3 zones are bound to virtual router mgt-vr

How many configuration files can be stored at Hillstone NGFW?

1. 10
2. 9
3. 20
4. 8

The passive web authentication method is configured on the firewall, and the policy setting is
shown as below: Which users can access the Internet?

1. User2
2. User3
3. All
4. User1

Which of the following descriptions is correct about Hillstone firewall logs?

1. The logs of attack defense, AV, IPS etc. can be viewed in the network behavior record
log.
2. For devices that do not have internal hard drive, the configuration log and session log
will be cleared after the device reboot.
3. For devices that do not have internal hard drives, if you need to record logs for a long
time, it is recommended to back up the logs to the log server
4. Session log can record log information related to the session, such as the protocol of
the session, source/destination IP address, source/destination port, etc.

What types of interface are supported by StoneOS:

1. Aggregate interface
2. Redundant interface
3. Vswitch interface
4. Loopback interface

Hillstone firewalls are configured to establish IPSec VPN, which two negotiation modes are
supported in phase 1?
1. Main mode
2. Transport mode
3. Aggressive mode
4. Tunnel mode

If Hillstone firewall is deployed in tapping mode, which zone does the interface need to be bound with?

1. Untrust
2. Dmz
3. Tap
4. Trust

What configuration needs to be done on the firewall for online signature update?

1. Configure DNS server
2. Make sure the DNS server can resolve the domain name normally
3. Device can access update server
update1.hillstonenet.com/update2.hillstonenet.com
4. Upgrade the software version of the firewall

Hillstone firewall is used as SSL VPN server, used for remote access by offsite personnel. Which of
the following descriptions about the SSL VPN is correct?

1. The tunnel interface address can be configured at will, and can overlap with the
intranet service port segment
2. SSL VPN address pool is in the same network segment as the accessed server address
3. Support local users and third-party users, such as AD users, etc.
4. SSL VPN uses the UDP 4433 port for connection between client and firewall

Which protocol can be used to trigger the WebAuth:

1. RPC
2. HTTP
3. ICMP
4. DNS

What is the default HTTPS management port number?

1. 80
2. 8080
3. 4433
4. 443

Which command is used to perform a factory reset?


1. Unset all
2. Reboot
3. Clear
4. Reset all

Device A with a public static IP address established an IPSec VPN with Device B with a public
dynamic IP address. Choose the correct operation below:

1. Device B is the initiator, and device A is the responder
2. The peer type of IPSec configuration in device B is dynamic option with a peer-id
3. The phase 1 mode must be configured as aggressive
4. Hillstone cannot support Dynamic IPSec VPN

What is the binding priority of policy-based route in Hillstone firewall?

1. Zone>interface>virtual router
2. Zone>virtual router>interface
3. Virtual router>interface>zone
4. Interface>zone>virtual router

A brand-new hardware NGFW appliance has a () days trial license installed by default.

1. 15
2. 45
3. 60
4. 30

Which of the following descriptions is correct for Hillstone QoS?

1. Shape action will drop the packets which exceeds the bandwidth limitation to avoid
bandwidth congestion
2. QoS rule can support to configure the backward action only without the forward
action
3. Monitor mode is only performing the monitor and statistics on matched traffic
4. The forward is upload, backward is download

The types of StoneOS statistics include:

1. Application-based statistics
2. Bandwidth statistics
3. Threats-based statistics
4. User-based statistics

If the WAN interface of the Hillstone firewall is set with a dynamic IP address and is used to
establish an IPSec VPN tunnel, which mode is used in Phase 1?

1. Aggressive mode
2. Manual mode
3. Tunnel mode
4. Main mode

DNAT is configured on the Hillstone NGFW; web server 192.168.1.10 provides HTTP service for
internet and intranet users. The server and internal hosts are in the trust zone, the internet zone is
untrust. If we want the internet users and intranet users to access the web server via
http://200.0.0.10:8090, what is the correct DNAT rule configuration?

1. Dnat from any to 200.0.0.10 service HTTP trans-to 192.168.1.10 port 8090
2. Dnat from any to 200.0.0.10 service TCP8090 trans-to 192.168.1.10 port 80
3. Dnat from any to 200.0.0.10 service TCP8090 trans-to 192.168.1.10
4. Dnat from any to 200.0.0.10 service HTTP trans-to 192.168.1.10

Hillstone firewall is the gateway device connected to internet, and used to set up an IPSec VPN tunnel
with a peer device. Which of the following descriptions is correct?

1. There is only one SA message after IPSec SA negotiation succeeded
2. Isakmp SA can directly protect IP data
3. If one side address is not fixed, such as PPPoE, it will be unable to negotiate IPSec VPN
tunnel
4. When configuring IPSec VPN, must make sure that the exit address of both devices can
be reached

What conditions will cause the failure of an IKE IPSecVPN phase 1 negotiation:

1. Mismatch of ISAKMP proposal
2. Mismatch of IPSec proposal
3. Mismatch of pre-share key
4. Mismatch of proxy ID

Only need to synchronize two SCVPN users (user1,user2) from AD (hcsa.com) to firewall, which of
the following configurations is correct?
1. Base-dn: ou=HCSA,dc=hcsa,dc=com
2. Login-dn: ou=SCVPN,cn=HCSA,dc=hcsa,dc=com
3. Login-dn: ou=SCVPN,ou=HCSA,dc=hcsa,dc=com
4. base-dn: ou=SCVPN,ou=HCSA,dc=hcsa,dc=com

Which VPN solution is commonly used by mobile users?

1. GRE VPN
2. SSL VPN
3. IPSEC VPN
4. MPLS VPN

Correct statement about trial platform license is:

1. When a trial platform license expired, the device will work continually and can be
configured, also can be upgraded to a new StoneOS
2. When a trial platform license expired, the device will work continually without any
effect
3. When a trial platform license expired, the device will auto power off
4. When a trial platform license expired, a reminder of the expiration will appear. And
admin could not change the setting of the device after the expiration
