[Fan Benefits] Next Generation Firewall AF Certification

1. [AF] Convinced that the overall protection of the firewall from "before", "during" and "after the event", which of the following functions does not belong to the protection during the event ()

1. Business asset identification and protection
2. DOS/DdoS attack protection
3. Exploit Attack Protection
4. WAF attack protection

1. [AF]Which of the following is not the core value of Sangcon NGFW ()

1. Can provide comprehensive risk visualization, simplify operation and maintenance, and quickly locate risks
2. Provide protection for the entire lifecycle chain of enterprise business, including overall protection before, during and after the event
3. Provide comprehensive protection capabilities for enterprise intranets, and comprehensive protection for network, end, and east-west traffic
4. Provide protection against unknown threats and respond to changing external threats

1. [AF] Which of the following statements about the packet filtering firewalls of current mainstream vendors is incorrect? ()

1. Mainly work in the network layer and transport layer
2. Can support routing forwarding function
3. Support automatic learning to generate interception actions
4. Generally, it has the advantages of fast processing speed and low price

1. [AF] Regarding the difference between NGFW (Next Generation Firewall) and UTM (Unified Threat Management), the statement is inaccurate ()

1. UTM works at the L2-L4 layer, and NGFW works at the L2-L7 layer
2. UTM performs serial analysis processing on passing data packets, while NGFW performs parallel analysis processing
3. UTM generally does not have a WAF function, and NGFW generally has a WAF function
4. Compared with UTM, the processing performance of NGFW is stronger

1. [AF] WEB application protection wall, mainly for in-depth protection of WEB sites, which of the following functions is not the key protection direction of the current mainstream WEB firewall ()

1. Corresponding protection against weblogic vulnerabilities
2. There are corresponding protection capabilities for webshell uploads
3. Corresponding protection against mining viruses
4. Corresponding protection against CC attacks

1. [AF] Regarding the core value statement of Sangfor Next Generation Firewall, it does not contain ()

1. Provide healthy online management
2. Provide security and comprehensive visibility
3. Ability to provide comprehensive business security protection
4. Provides protection against unknown threats

1. [AF] The firewall is divided according to the structure, the following does not belong to this category ()

1. Single Host Firewall
2. Router Integrated Firewall
3. distributed firewall
4. Cabinet Firewall

1. [AF] In order to build an all-round three-dimensional security protection system for the cloud, network, and terminals, Sangfor Next Generation Firewall can be linked with other products to form an overall protection. The following behaviors that do not belong to this system are ( )

1. Link cloud map to realize rapid update and supplement of security threat intelligence
2. Link cloud map to realize accurate analysis and judgment of unknown threats
3. Linking with SSL to realize safe and controllable terminal access
4. Linkage with EDR to realize closed-loop security and rapid disposal of terminals

1. [AF] Compared with other types of firewalls, the statement about the advantages and functions of the next-generation firewall is wrong ()

1. Compared with UTM, it can provide stronger performance
2. Compared with packet filtering firewall, it provides application layer firewall
3. Compared with IDS, it provides the ability to deal with interception
4. Compared with WAF, it provides the ability of two-way proxy

1. [AF] For the new application connection, set the security rules in advance, allow the connection that meets the rules to pass through and record the relevant information of the connection in the memory to generate a rule table. Subsequent database packages for this link can pass as long as they meet the rule table . This firewall technology is called ( )

1. packet filtering technology
2. Status Detection Technology
3. Proxy service technology
4. Intrusion Detection Technology

1. [AF] From the perspective of the current mainstream traditional firewalls, which of the following cannot be used as a controllable item of the application control policy (ACL) ()

1. IP
2. port
3. routing
4. area

1. [AF] In individual scenarios, AF bypass deployment is required. Under bypass deployment, the following statement is wrong ()

1. The advantage of bypass deployment is that no matter whether it is online or equipment failure, it will not affect the user's existing network
2. Bypass deployment can realize the protection of all security functions of the current equipment
3. The bypass deployment does not support the interception of the UDP protocol
4. Bypass deployment generally requires a separate management port for device operations

1. [AF] In the environment of a single-input-single-out network bridge, why does AF recommend using virtual network like interface deployment ()

1. The virtual network cable interface is an ordinary switch port
2. The virtual network cable interface does not need to configure an IP address
3. The virtual network cable interface does not support routing and forwarding,
4. When the virtual network cable interface forwards data frames, there is no need to check the MAC table, and it is directly forwarded from the paired interface of the virtual network cable

1. [AF] Among the high-availability technologies of firewalls, which of the following are very rare ()

1. cluster
2. Active and standby
3. Multi machine
4. cold standby

1. [AF] Among the following statements about AF interface and area, the wrong one is ()

1. Multiple interfaces can be added under one routing port of AF, and the IP address of the routing interface cannot be on the same network segment as the IP address of the sub-interface
2. An area of ​​AF can contain multiple interfaces, and an interface can also belong to multiple areas
3. The virtual network cable area of ​​AF can only contain virtual network cable interfaces, and cannot contain transparent interfaces and Layer 3 interfaces
4. In the case of single-input-single-out transparent deployment, you can manage the ingress and egress of the device by configuring the VLAN interface IP

1. [AF] AF's multi-line load does not support which method ()

1. polling
2. Use the front line first
3. weighted minimum flow
4. random hash

1. [AF]vlan interface is a logical interface, the following statement about VLAN interface is wrong ()

1. The VLAN interface is a routing interface and can be configured with an IP address.
2. VLAN interface can support link detection function
3. VLAN interfaces can only be divided into Layer 3 areas
4. VLAN interface supports ADSL

1. [AF] Customers buy AF mainly for NAT on the Internet, and at the same time as a DHCP server on the intranet, what deployment mode can hide the needs of customers? ()

1. routing pattern
2. transparent mode
3. bypass mode
4. virtual cable mode

1. [AF] The interface of the routing attribute has a connection fault detection function. Regarding the link detection function, the error is ()

1. Link detection results are supported as a condition for dual-device switching
2. The link detection result is supported as the valid condition for whether the interface is enabled
3. The link detection result is supported as the condition for whether the static route takes effect
4. The result of link detection can be used as the condition of policy routing

1. [AF] Deploying two machines is wrong ()

1. Link detection and preemption can be enabled at the same time
2. When testing the master/standby switchover, the monitor ports of the two devices cannot be pulled out at the same time.
3. If you want to manage two devices at the same time, you need to add an HA label after the management interface IP
4. During the dual-machine operation, it is necessary to ensure that all service network ports are in normal state (up)

1. [AF] The current interface of AF, according to the level of work, the areas that cannot be divided are ()

1. 3rd floor area
2. mirror area
3. second floor area
4. virtual network area

1. [AF] The statement about AF dual-machine is incorrect ()

1. The dual-machine cannot use the ETH0 port as the service port
2. In the case of insufficient interfaces in the dual-machine, ETH0 can be used as the heartbeat port
3. If the standby machine has not joined the network port for network monitoring, the outgoing packets will also be suppressed
4. Dual-device AF in transparent mode does not support STP, and there may be an official blog storm problem

1. [AF] Regarding the configuration of related functions in the case of AF physical interface configuration routing mode, the statement is wrong ()

1. The MTU of an interface cannot be directly adjusted on the interface
2. The configured startle gateway will not generate a default route with 8 zeros
3. The selected WAN attributes will affect the use of flow control and flow review functions
4. The set line bandwidth has nothing to do with the flow control function

1. [AF] Which of the following statements about the AF interface is correct ()

1. If the interface is set as a routing interface, and it is an ADSL dial-up, you need to select the option to add a route, and this option is selected by default
2. Eth0 is a fixed management port, the interface IP is 10.251.251.251/24 and cannot be deleted, modified or added
3. In the active/standby mode of aggregated interfaces, the interface with the highest priority will be taken as the active interface, and the rest will be the standby interfaces
4. Multiple sub-interfaces can be added under a routing interface, and the IP address of the routing interface and the IP address of the sub-interface can be in the same network segment

1. [AF] AF's multi-line load does not support which method ()

1. polling
2. Use the front line first
3. weighted minimum flow
4. random hash

1. [AF] Which statement about AF dual-machine deployment is correct? ()

1. After the AF dual-machine is established, the MANAGE port of the standby machine cannot be logged in to the WEN console through the direct connection of the PC
2. AF can only be configured with one HA IP address
3. Unable to log in to the WEN console of the device in standby state
4. AF dual-machine deployment, as long as configuration synchronization is enabled, all non-HA interface IPs will be synchronized

1. [AF]Port aggregation can improve logical link bandwidth and realize link redundancy at the same time. The following statement about AF port aggregation is wrong ()

1. Port aggregation currently supports up to 4
2. Port aggregation currently does not support bypass mirroring ports
3. Port aggregation currently does not support virtual network cable ports
4. Port aggregation supports both static and LACP

1. The new AF device purchased by the customer is deployed at the exit, and the intranet server is configured with a private network address. If you want to access the intranet server through the public network address on the intranet, which of the following methods can be implemented ()

1. destination address translation
2. bidirectional address translation
3. source address translation
4. All of the above can be achieved

1. [AF] The customer purchased an AF to be deployed at the egress of the Internet, and decided to adopt transparent deployment without changing the user's network structure. Under this deployment, which of the following operations of AF is unnecessary ()

1. AF itself needs to access the Internet, so a default route needs to be configured
2. Need to adjust the application control strategy, the default AF is to intercept all data communication
3. To configure the private network address publishing service on the intranet server, DNAT needs to be configured on the AF
4. If AF needs to be managed by terminals in different network segments, it is necessary to configure return packet routing

30. [AF] Among the following functions, which one is not supported during AF bypass deployment ()

1. botnet
2. DNS proxy
3. WEB application protection
4. Real-time Vulnerability Analysis