1. IP address
2. MAC address
3. Application
4. Service
How to configure the address of the tunnel interface when creating a new SSL VPN instance (select
correct answers):
1. The tunnel interface should not overlap with the address pool
2. There is no need to assign an IP address for the tunnel interface
3. The tunnel interface and address pool should be in the same IP address segment
4. The tunnel interface should not overlap with the interfaces that exist on the device
Does a command take effect immediately after being entered in the CLI:
1. USB-Key
2. DSA-Signature
3. RSA-Signature
4. Pre-share Key
1. 8080
2. 8081
3. 443
4. 80
The firewall is the SSL VPN server. If the client fails to connect to the SSL VPN server, what is the
possible reason?
1. Show isakmp sa
2. Show tunnel ipsec auto
3. Show ipsec sa
4. Show isakmp peer
The figure shows the Hillstone firewall’s security policy rules; the LAN zone is Trust and the WAN
zone is Untrust. If we want to allow internal users to access the internet but not to access
web videos, what policy configuration is needed?
1. Create new policy, the application is web video, the action is deny. Position is after ID 2
2. Create new policy, the application is web video, the action is deny. Position is after ID 1
3. Create new policy, the application is web video, the action is deny. Position is before ID 1
4. Create new policy, service is HTTP, and the action is deny. Position is before ID 1
1. l2-untrust
2. trust
3. l2-dmz
4. l2-trust
1. permit
2. from tunnel
3. deny
4. tunnel
In a site-to-site IPSec VPN instance using two Hillstone NGFWs, which IKE phase 2 mode should be
chosen?
1. Main mode
2. Aggressive mode
3. Transport mode
4. Tunnel mode
1. A real-time OS
2. Based on NP architecture
3. Modular parallel security architecture
4. A 64-bit OS
1. .txt
2. .doc
3. .xls
4. .DAT
With the SSL VPN host binding function enabled on the server side, the hardware ID information collected
at the client includes:
1. Mainboard SN, hard disk SN, CPU ID and network card MAC
2. BIOS SN, mainboard SN, CPU ID and network card MAC
3. BIOS SN, hard disk SN, CPU ID and network card MAC
4. Mainboard SN, hard disk SN, CPU ID and BIOS SN
What is the command to import a license file in the Hillstone firewall via CLI?
When configuring a QoS pipe, which of the QoS modes below can be selected to control the bandwidth:
1. Police
2. Monitor
3. Shape
4. Limit
Which dynamic route protocols does StoneOS support:
1. BGP
2. IS-IS
3. OSPF
4. RIP
2. The ingress interface of SIBR could be configured as trust-vr under the user-defined VR
page
3. The static route that configured VR as next hop has higher priority than gateway address
Are the ARP learning and MAC learning functions enabled or disabled by default on the interface?
1. Operator
2. Administrator
3. Administrator (read-only)
4. Auditor
The “show version” command is used to check the firewall system information, which includes ()
1. Current StoneOS version
2. Device serial number
3. Running time
4. Device model
If the Hillstone firewall is required to record the NAT log, which of the following operations is
correct?
1. Turn on the log function in the SNAT and DNAT rules
2. Turn on the log function in the SNAT and DNAT rules, while the NAT log needs to be
turned on in the log management as well
3. All Hillstone firewall devices support NAT log storage over three months
4. Turn on the NAT log in log management
How many firmware images can be stored in StoneOS at the same time?
1. 3
2. 4
3. 2
4. 1
1. https://192.168.0.1
2. http://192.168.0.1
3. https://192.168.1.1
4. http://192.168.1.1
1. IEEE 802.1Q
2. RFC 802.1Q
3. RFC 802.1P
4. IEEE 802.1P
What kind of check is matched when a packet first passes through the Hillstone NGFW device?
1. Show this
2. Show interface
3. Show ip route
4. Show version
1. show configuration
2. show run
3. display configure
4. show this
After the official platform license expired, what will happen in Hillstone NGFW?
1. Device cannot be configured
2. Impact on network business operation, network disconnected
3. Unable to upgrade to the latest software version
4. IPS, AV, etc. function cannot be used normally
What are the correct descriptions of the threat protection rule on Hillstone firewall?
1. If protection rule set on zone and policy at same time, firstly it will match zone and
then match policy
2. If protection rule set on zone and policy at same time, firstly it will match policy and
then match zone
3. Protection rules support to be used in multiple zone or policies
4. If protection rule set on zone and policy at same time, only the policy one will be
matched
A Hillstone firewall is used for auditing purposes only, such as statistics and traffic monitoring; it does not
forward or limit business traffic. Which deployment mode is used?
1. Routing mode
2. Mix mode
3. Transparent mode
4. Tap mode
In the StoneOS, which of the descriptions about the security zone is correct?
1. The security zone is the collection of interfaces or networks, which is not the
characteristics of the router
2. The default predefined security zone has special meaning, such as the internal
network server must be bound in the DMZ zone.
3. Default predefined security zone can be deleted
4. The network can be physically isolated by the security zone
One layer 3 interface of the Hillstone NGFW is set as the gateway for all intranet PCs, and the NGFW
device is bound with all IP and MAC addresses in the intranet. If we want to block the internet access
of a PC that changed its IP address, which command should we execute on that interface?
1. No arp-learning
2. No mac-learning
3. No arp-inspection
4. No shutdown
In a multi-link scenario, which routing function can be used to route traffic of different
services/applications onto different paths?
1. Source route
2. Source interface route
3. Policy-based route
4. ISP route
1. https
2. telnet
3. http
4. snmp
1. Hillstone/hillstone
2. Admin/admin
3. Hillstone/admin
4. Admin/hillstone
1. Tap mode
2. Transparent mode
3. Routing mode
4. Mix mode
What are the correct descriptions for system architecture of StoneOS?
1. 10
2. 9
3. 20
4. 8
The passive web authentication method is configured on the firewall, and the policy setting is
shown as below: Which users can access the Internet?
1. User2
2. User3
3. All
4. User1
Which of the following descriptions is correct about Hillstone firewall logs?
1. The logs of attack defense, AV, IPS etc. can be viewed in the network behavior record
log.
2. For devices that do not have internal hard drive, the configuration log and session log
will be cleared after the device reboot.
3. For devices that do not have internal hard drives, if you need to record logs for long
time, it is recommended to back up the logs to the log server
4. Session log can record log information related to the session, such as the protocol of
the session, source/destination IP address, source/destination port, etc.
1. Aggregate interface
2. Redundant interface
3. Vswitch interface
4. Loopback interface
Hillstone firewalls are configured to establish an IPSec VPN. Which two negotiation modes are
supported in phase 1?
1. Main mode
2. Transport mode
3. Aggressive mode
4. Tunnel mode
If a Hillstone firewall is deployed in tap mode, which zone does the interface need to be bound to?
1. Untrust
2. Dmz
3. Tap
4. Trust
What configuration needs to be done on the firewall for online signature update?
1. RPC
2. HTTP
3. ICMP
4. DNS
1. 80
2. 8080
3. 4433
4. 443
Device A with a public static IP address established an IPSec VPN with Device B with a public
dynamic IP address. Choose the correct operation below:
1. Zone>interface>virtual router
2. Zone>virtual router>interface
3. Virtual router>interface>zone
4. Interface>zone>virtual router
A brand-new hardware NGFW appliance has a () days trial license installed by default.
1. 15
2. 45
3. 60
4. 30
1. Shape action will drop the packets which exceed the bandwidth limitation to avoid
bandwidth congestion
2. QoS rule can support to configure the backward action only without the forward
action
3. Monitor mode is only performing the monitor and statistics on matched traffic
4. The forward is upload, backward is download
1. Application-based statistics
2. Bandwidth statistics
3. Threats-based statistics
4. User-based statistics
If the WAN interface of the Hillstone firewall is set with a dynamic IP address and is used to establish
an IPSec VPN tunnel, which mode is used in Phase 1?
1. Aggressive mode
2. Manual mode
3. Tunnel mode
4. Main mode
DNAT is configured on the Hillstone NGFW, and web server 192.168.1.10 provides HTTP service for
internet and intranet users. The server and internal hosts are in the trust zone, and the internet zone is
untrust. If we want the internet users and intranet users to access the web server via
http://200.0.0.10:8090, what is the correct DNAT rule configuration?
1. Dnat from any to 200.0.0.10 service HTTP trans-to 192.168.1.10 port 8090
2. Dnat from any to 200.0.0.10 service TCP8090 trans-to 192.168.1.10 port 80
3. Dnat from any to 200.0.0.10 service TCP8090 trans-to 192.168.1.10
4. Dnat from any to 200.0.0.10 service HTTP trans-to 192.168.1.10
A Hillstone firewall is the gateway device connected to the internet and is used to set up an IPSec VPN tunnel
with a peer device. Which of the following descriptions is correct?
1. There is only one SA message after IPSec SA negotiation succeeds
2. Isakmp SA can directly protect IP data
3. If one side's address is not fixed, such as PPPoE, it will be unable to negotiate the IPSec VPN
tunnel
4. When configuring IPSec VPN, you must make sure that the exit addresses of both devices can
be reached
What conditions will cause the failure of an IKE IPSec VPN phase 1 negotiation:
If only two SCVPN users (user1, user2) need to be synchronized from AD (hcsa.com) to the firewall, which of
the following configurations is correct?
1. Base-dn: ou=HCSA,dc=hcsa,dc=com
2. Login-dn: ou=SCVPN,cn=HCSA,dc=hcsa,dc=com
3. Login-dn: ou=SCVPN,ou=HCSA,dc=hcsa,dc=com
4. base-dn: ou=SCVPN,ou=HCSA,dc=hcsa,dc=com
1. GRE VPN
2. SSL VPN
3. IPSEC VPN
4. MPLS VPN
1. When a trial platform license expires, the device will continue to work and can be
configured, and can also be upgraded to a new StoneOS
2. When a trial platform license expires, the device will continue to work without any
effect
3. When a trial platform license expires, the device will automatically power off
4. When a trial platform license expires, a reminder of the expiration will appear, and
the admin cannot change the settings of the device after the expiration