Authentication methods supported by IKE IPSecVPN phase 1 are:

1. Pre-share Key
2. - USB-Key
3. l'J DSA-Signature
4. l'J RSA-Signature
The name of first saved configuration file in Hillstone firewall is ( )?

1. Backup 1
2. config-BackupO
3. Backup
4. O Backup O
Correct statements about StoneOS are

1. Based on NP architecture
2. m Modular parallel security architecture
3. m A real-time OS
4. A 64-bit OS
 Zone: trust
IP:
192.168.1.1/24

-.
HTTP Server:
192.168.1.10/24
• •
.____o] PC
192.168.1.20/24

1. ' "Requirement: Intranet users want to access mapped server resources.

source zone: untrust
source address: 192.168.1.20
destination zone: trust
destination address: 200.0.0.1O
Action: permit"
2. m "Requirement: Externa! users want to access mapped server resources.
source zone: untrust
source address: Any
destination zone: trust
destination address: 200.0.0.1O
Action: permit"
3. "Requirement: Externa! users want to access mapped server resources.
source zone: untrust
source address: Any
destination zone: trust
destination address: 192.168.1.1O
Action: permit"
4. m "Requirement: Intranet users want to access mapped server resources.
source zone: trust
source address: 192.168.1.20
destination zone: trust
destination address: 200.0.0.1O
Action: permit"
info

Device Awith a public static IP address established an IPSec VPN with Device B with a public dynan

1. l"J The peer type of IPSec configuration in device B is dynamic option with a peer-id
2. l"J The phase 1 mode must be configured as aggressive
3. Device B is the initiator, and device A is the responder
4. Hillstone can not support Dynamic IPSec VPN

< previous (5) (6) confirm (7) next >

The filtering condition of a policy includes

1. Security zone
2. L'J Application
3. L'J Address
4. L'J Service
Please choose the correct explanation for DNAT setting in NGFW?

1. Interna! network users access DNAT rules, the source address of the policy is the private IP address, the destination address is the real IP of the server
2. DNAT technology is to translate the source address of the user request message.
3. Externa! network users access DNAT rules, the source zone of the policy is the zone of WAN interface, the destination zone is the zone of servers
4. O Externa! network users access DNAT rules, the source address of the policy is the public IP, the destination address is the real IP of the server
The default management method to access the firewall device is ( )?

1. O https://192.168.1.1
2. http:/1192.168.1.1
3. https://192.168.0.1
4. http:/1192.168.0.1
Which of the below VR statement is correct

1. The ingress interface of SIBR could be configured as trust-vr under the user-defined VR page
2. The dynamic route protocol carries VR ID when transferring package
3. O Addresses from different VR could overlap
4. The static route that configured VR as next hop has higher priority than gateway address
In a site to site IPSecVPN instance using two Hillstone NGFWs, which IKE phase 2 mode should be chose?

1. O tunnel mode
2. transport mode
3. main mode
4. aggressive mode
Correct statement about trial platform license is:

1. When a trial platform license expired, the device will work continually without any effect
2. When a trial platform license expired, the device will auto power off
3. O When a trial platform license expired, a reminder of the expiration will appear. And admin could not change the setting of the device after the expiration
4. When a trial platform license expired, the device will work continually and can be configured, also can be upgraded to new Stone OS
"show interface" command is used to check the interface information of Hillstone FW, which including ( )

1. mConfigurations under the interface

2. m MAC address of the interface
3. mIP address of ali interfaces on your device.
4. - Real-time speed rate of the interface
Which pre-defined zone can be used to bind Vswitchif?

1. 12-trust
2. 12-untrust
3. 12-dmz
4. O trust
"show version" command is used to check the firewall system information, which including ( )

1. m Running time
2. PJ Current StoneOS version
3. m Device model
4. m Device serial number
With only one public IP address, which NAT mode should be used when we trying to publish a Mail server and a Web server as different LAN servers at the same time:

1. IP-based SNAT
2. O Port-based DNAT
3. Port-based SNAT
4. IP-based DNAT
How many configuration files can be stored at Hillstone NGFW?

1. O 10
2. 20
3. 9
4. 8
What are the correct descriptions of the threat protection rule on Hillstone firewall?

1. l"J lf protection rule set on zone and policy at same time, firstly it will match policy and then match zone.
2. - lf protection rule set on zone and policy at same time, only the policy one will be matched.
3. l"J Protection rules support to be used in multiple zones or policies.
4. lf protection rule set on zone and policy at same time, firstly it will match zone and then match policy.
Hillstone firewall is used as SSL VPN server, used for remate access by offsite personnel. Which of the following descriptions about the SSL VPN is correct?

1. SSL VPN uses the UDP 4433 port for connection between client and firewall.
2. The tunnel interface address can be configured at will, and can overlap with the Intranet service port segment.
3. O Support local users and third-party users, such as AD users, etc,.
4. SSL VPN address pool is in the same network segment as the accessed server address
lf the Hillstone firewall is required to record the NAT log, then which of the following operations is correct?

1. Turn on the log function in the SNAT and DNAT rules

2. O Turn on the log function in the SNAT and DNAT rules, while the NAT log need to be turned on in the log management as well.
3. AII Hillstone firewall devices support NAT log storage over three months.
4. Turn on the NAT log in log management.
Which standard is used to define VLAN

1. RFC 802.1P
2. O IEEE 802.10
3. RFC 802.1 Q
4. IEEE 802.1P
Which algorithm is used to verify the lntegrity?

1. 3DES
2. O SHA
3. RAS
4. DES
The IPS signature database of Hillstone firewall cannot be updated online, what could be the possible reason?

1. m IPS license expired

2. ''Device is unable to access the update server:
update1 .hillstonenet.com update2.hillstonenet.com"
3. - Device not configured with available DNS servers
4. Platform license expired
The IPS signature database of Hillstone firewall cannot be updated online, what could be the possible reason?

1. m IPS license expired

2. m "Device is unable to access the update server:
update1 .hillstonenet.com update2.hillstonenet.com"
3. - Device not configured with available DNS servers
4. m Platform license expired
Please choose the correct description for IPS working mode

1. � In log only mode, StoneOS not only generates protocol anomaly alarms and attacking behavior logs, but also blocks attackers or resets connections
2. L'J StoneOS supports two IPS working modes: log only mode and IPS mode
3. - In IPS mode, StoneOS only generates protocol anomaly alarms and attacking behavior logs, but will not block attackers or resets connections
4. L'J By default, StoneOS works in IPS mode
How many levels of traffic control can be supported by stoneOS QoS function

1. Level 1
2. Level 1,2,3
3. Level 1,2,3,4
4. O Level 1 and 2
A brand new hardware NGFW appliance has a ( ) days trial license installed by default.

1. O 15
2. 45
3. 60
4. 30
Which command is used to view the security policy in Hillstone firewall?

1. O show policy
2. show dnat
3. show snat
4. show policy rule
lf Hillstone firewall deployed in tapping mode, which zone the interface need to be bound with?

1. untrust
2. O tap
3. trust
4. � dmz
After the the official platform license expired, what will happen in Hillstone NGFW?

1. Device cannot be configured

2. IPS, AV, etc. function cannot be used normally
3. o Unable to upgrade to the latest software version
4. lmpact on network business operation, network disconnected
What is the default admin account (username/password) of Hillstone NGFW?

1. admin/hillstone
2. admin/admin
3. hillstone/admin
4. O hillstone/hillstone
Hillstone firewalls are configured to establish IPSec VPN, which two negotiation modes are supported in phase 1?

1. m Main mode
2. Transport mode
3. Tunnel mode
4. m Aggressive mode
The SSLVPN host binding function is enabled at server side, the hardware id information collected at client including

1. O mainboard SN, hard disk SN, CPU ID and 810S SN

2. 810S SN, mainboard SN, CPU ID and network card MAC
3. mainboard SN, hard disk SN, CPU ID and network card MAC
4. 810S SN, hard disk SN, CPU ID and network card MAC
How to view current configuration in CLI:

1. o show configuration
2. show this
3. show run
4. display configure
What is the default baud rate of Hillstone firewall?

1. 115200
2. 9200
3. 8600
4. O 9600
What is the command to import a license file in the Hillstone firewall via CLI?

1. exec license install license-string

2. O import license license-string
3. license install license-string
4. exec license license-string
Which command is used if we want to save the Firewall configuration in CLI?

1. O save
2. write
3. reboot
4. unset all
Which command is used to check IPSec VPN phase 2 negotiation status on firewall device?

1. show isakmp sa
2. O show tunnel ipsec auto
3. show isakmp peer
4. show ipsec sa
In a multi link scenario, which routing function can be used to route traffic of different service/application into different path?

1. Policy-based route
2. ISP route
3. O Source interface route
4. Source route
The default position of the new added policy is ( )?

1. Positioned by the ID
2. On the top of the policy list
3. On the position where your mouse pointed
4. O On the bottom of the policy list
The default position of the new added policy is ( )?

1. Positioned by the ID
2. On the top of the policy list
3. On the position where your mouse pointed
4. O On the bottom of the policy list
End-user found the FW's IPS signature database, AV signature databse and URL-DB cannot be updated, what are the possible reasons?

1. m The related license is expired

2. The user has not assigned an update server far the device manually
3. m The device is not connected to the Internet
4. m No DNS server is configured in the device
What is the default HTTPS management port number?

1. 80
2. 4433
3. 8080
4. O 443
Which command is used to check destination route in the Hillstone firewall?

1. show route config

2. show route
3. O show ip route
4. display ip routing-table
Hillstone firewall is the gateway device connected to Internet, and used to set IPSec VPN tunnel with peer device. Which of the following descriptions is correct?

1. lf one side address is not fixed, such as PPPoE. lt will be unable to negotiate IPSec VPN tunnel
2. O There is only one SA message after IPSec SA negotiation successed
3. When configuring IPSec VPN, must make sure that the exit address of both devices can be reached.
4. lsakmp SA can directly protect IP data.
What is the correct description of the log storage in the Hillstone firewall device?

1. The session log can be viewed after enabling the session log button in log management.
2. AII Hillstone firewall products can support log storage over 3 months
3. The firewall can be used as a log server to receive logs from third-party devices.
4. o Support to send the log to the Syslog server, USB, Email.
What is the function of "sticky" of the SNAT configuration

1. As one-to-one I P translate
2. O Make sure every packet with the same destination IP address will be translated to the same IP address
3. StoneOS will poll the SNAT address pool to translate packets
4. Make sure every packet with the same source IP address will be translated to the same IP address
How to enter the configuration mode

1. O In the execution mode, use the command "configure"

2. In the execution mode, use the command "sys"
3. In the execution mode, use the command "configure terminal"
4. In the execution mode, use the command "enable"
What is the binding priority of policy-based route in Hillstone firewall?

1. O lnterface>Zone>Virtual Router
2. Zone>Virtual Router>lnterface
3. Zone>lnterface>Virtual Router
4. Virtual Router>lnterface>Zone
which are the three Elements of IPSec VPN ?()

1. Symmetry
2. m Authentication
3. m Confidentiality
4. m lntegrity
Does the command take effect immediately after inputting under the CLI:

1. O Yes
2. NO, need to type "apply"first
3. NO, need to reboot
4. NO, need to type "save"first
Firewall is the server of the SSL VPN. lf the client failed to connect to the SSL VPN server, what is the possible reason?

1. O TCP 4433 port is not available

2. TCP 1701 port is not available
3. UDP 500 port is not available
4. UDP 4500 port is not available
What types of interface are supported by StoneOS

1. m Redundant interface
2. m Loopback interface
3. m Aggregate interface
4. m VSwitch interface
Hillstone firewall is used for auditing purpose only such as statistics, traffic monitor, it does not forward or limit on business traffic, which deployment mode is used in this
case?

1. Routing mode
2. Mix mode
3. Transparent mode
4. O Tap mode
Hillstone Firewall supports policy import, what is the supported format?

1. .xls
2. O .DAT
3. .txt
4. .doc
One layer 3 interface of Hillstone NGFW is set as the gateway for ali Intranet PCs, and the NGFW device is bound with all lP and MAC address in the Intranet. lf we want to
block the Internet access of the PC that changed the IP address, which command we should execute at that interface?

1. no shutdown
2. O no arp-learning
3. no mac-learning
4. no arp-inspection
What are the default pre-defined Admin Roles in Hillstone Firewall?

1. m Administrator
2. m Auditor
3. m Operator
4. m Administrator (read-only)
What is the default HTTP management port number?

1. 8081
2. 443
3. 8080
4. O 80
The passive web authentication method is configured on the firewall, and the policy setting is shown as below:Which users can access the Internet?
soc. e .....,. d t1nation
10 Ion
l ddrc ss u or l n ddress

11 @trust foAoy usor2@1oc..,I @uotrust {:oAny �o s 0

� 10 @trust (:oAoy @untrust (:oAl1y -el o s
e> e
12 @trust ffi An'j user3@1ocal @unttust ffiAriy �Any 0
8 @trust wAnv _ UNKNOWN @untrust {:oAsly �Any o
9 @trust toAny userl@loc.al @untrust {:oAsly �Any 0

1. user2
2. m user1
3. AII
4. m user3
In the StoneOS, which of the descriptions about the security zone is correct?

1. Default predefined security zone can be deleted.

2. O The network can be physically isolated by the security zone.
3. The default predefined security zone has special meaning, such as the interna! network server must be bound in the DMZ zone.
4. The security zone is the collection of interfaces or networks, which is not the characteristics of the router.
What kind of check is matched when the packet firstly passed through the Hillstone NGFW device?

1. Whether there is a session

2. Security policy
3. Destination router
4. O SNAT rule
Which of the following descriptions is correct for Hillstone QoS?

1. o Shape action will drop the packets which exceeds the bandwidth limitation to avoid bandwidth congestion
2. QoS rule can support to configure the backward action only without the forward action
3. Monitor mode is only performing the monitor and statistics on matched traffic
4. The forward is upload, backward is download
How many firmware images can be stored in StoneOS at the same time?

1. 4
2. 3
3. O 2
4. 1
lf the WAN interface of the Hillstone firewall set with dynamic IP address, that is used to establish an IPSec VPN tunnel. Which mode is used in Phase 1?

1. Main mode
2. O Aggressive mode
3. Tunnel mode
4. Manual mode
What are the supported translation mode for SNAT?

1. m Static address translation

2. Port mapping
3. m Dynamic address translation
4. m Dynamic port translation
What configuration need to be done on firewall for online signature update?

1. m Configure DNS server

2. m Make sure the DNS server can resolve the domain name normally
3. Upgrade the software version of the firewall
4. m "Device can access update server
update1 .hillstonenet.com / update2.hillstonenet.com"
lf the Hillstone NGFW device cannot update the IPS signature database online, what will be the possible reason?

1. Did not configure the policy to access the update server

2. Did not manually configure the update server URL
3. O IPS license expired
4. Platform license expired
What conditions will cause the failure of a IKE IPSecVPN phase 1 negotiation:

1. m Mismatch of ISAKMP proposal

2. m Mismatch of pre-share key
3. Mismatch of proxy ID
4. Mismatch of IPSec proposal
Test Execution: HCSA-2022.06.14 =
info

As shown in the figure, the Hillstone firewall's security policy rules, the LAN zone is Trust, the WAN zone is Untrust. lf we want to allow the interna! users can access Internet,
but don't have the access to web videos, what policy configuration is needed()?

□ ID Name
Zone Address
Source
User Zone
Destination
Address
Service

49 any any any

[] untrust trust
48 trust any untrust any any
D I

1. O Create new policy, the application is web video, the action is deny. Position is befare ID 1
2. Create new policy, the application is web video, the action is deny. Position is after ID 2
3. Create new policy, service is HTTP, and the action is deny. Position is befare ID 1
4. Create new policy, the application is web video, the action is deny. Position is after ID 1
Test List
1 test 11 from 11 to 11 status 11 action 1
1HCSA-2022.06.14112022-06-13 08:25:00112022-07-31 23:25:001156.250 / 70.000 (80%) - PASSED 11 1

This is the main page of TCExam. From this page you can start or continue your tests

! AR I AZ. I BG I BR I CN I DE I EL IEN I ES I FA I FR I HI I HE I HU 110 I IT I JP I MR I MS I NL I PL I RO I RU I TR I VN !

TCExam ver. 12.1.023 - Copyright© 2004-2014 Nicola Asuni - Tecnick.com LTD
! W3C XHTML 1.0! 1 W3C CSS 2.0 ! ! W3C WAI-AAA!