
Exam (5.2) NSE4 Question Bank 14. High Availability ❀ Fortinet Network Security Expert

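2017-05-02 17:15
  【Introduction】The Fortinet Network Security Expert (4) exam lasts 120 minutes and consists of 60 multiple-choice questions in English; the passing mark is 70%, that is, 42 correct answers.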


Two devices are in an HA cluster, the device hostnames are STUDENT and REMOTE. Exhibit A shows the command output of diagnose sys session stat for the STUDENT device. Exhibit B shows the command output of diagnose sys session stat for the REMOTE device.

  Exhibit A:



  Exhibit B:



  Given the information provided in the exhibits, which of the following statements are correct? (Choose two)

  A. STUDENT is likely to be the master device.

  B. Session-pickup is likely to be enabled.

  C. The cluster mode is active-passive.

  D. There is not enough information to determine the cluster mode.

  

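【Analysis】
  The SYN_SENT state indicates a connection request: to reach a service on another computer, the client first sends a synchronization signal to that port, and the state at that point is SYN_SENT. If the connection succeeds, the state becomes ESTABLISHED, so the SYN_SENT state is very short-lived.

  The ESTABLISHED state indicates connections that are being established.

  The FIN_WAIT state indicates waiting for the peer's connection.

  The TIME_WAIT state indicates disconnected connections.

  Comparing Exhibit A with Exhibit B, the counts of connections being established (ESTABLISHED) and disconnected connections (TIME_WAIT) in Exhibit A are clearly larger than those in Exhibit B, so the device in Exhibit A is likely to be the master. Because the output shows session information rather than HA information, there is not enough information to determine the cluster mode.

  

【Answer】AD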


Which of the following sequences describes the correct order of criteria used for the selection of a master unit within a FortiGate high availability (HA) cluster when override is disabled?

  A. 1. port monitor, 2. unit priority, 3. up time, 4. serial number.

  B. 1. port monitor, 2. up time, 3. unit priority, 4. serial number.

  C. 1. unit priority, 2. up time, 3. port monitor, 4. serial number.

  D. 1. up time, 2. unit priority, 3. port monitor, 4. serial number.

 

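【Analysis】



  The election proceeds from step 1 to step 4:

  1. Monitored ports: if the numbers of working monitored ports are equal, consider the next criterion;

  2. Uptime: if the uptimes are equal, consider the next criterion; an uptime difference of less than 5 minutes is not taken into account;

  3. Device priority: if the device priorities are the same, consider the next criterion;

  4. Device serial number: if all of the above are the same, the device with the highest serial number is elected master.

  

【Answer】B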


In HA, the option Reserve Management Port for Cluster Member is selected as shown in the exhibit below.



  Which statements are correct regarding this setting? (Choose two)

  A. Interface settings on port7 will not be synchronized with other cluster members.

  B. The IP address assigned to this interface must not overlap with the IP address subnet assigned to another interface.

  C. When connecting to port7 you always connect to the master device.

  D. A gateway address may be configured for port7.
  

【Analysis】



  The management port IP address can be different on the master and the backup unit.

  

【Answer】AD


What are the requirements for a HA cluster to maintain TCP connections after device or link failover? (Choose two)

  A. Enable session pick-up.

  B. Enable override.

  C. Connections must be UDP or ICMP.

  D. Connections must not be handled by a proxy.

  

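【Analysis】



  In a normal HA state, if session pick-up is enabled, the slave device reports its own status and receives and stores updates to the session connection and state tables. Once an HA failure occurs, the slave device in the cluster is elected master and continues to process traffic and sessions based on the session connection and state tables it has synchronized.

  If you want a particular device to always work as the master, besides giving that device a higher priority you can also enable HA override. Then, if the master restarts, the slave becomes the master; once the original master has restarted and recovered, it goes through the election again and resumes working as the master. If the configuration is changed during the time the slave is acting as master, then after the original master recovers, the configuration from that period is overwritten by synchronization of the original configuration and is lost.

  

【Answer】AD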


Two FortiGate devices fail to form an HA cluster, the device hostnames are STUDENT and REMOTE. Exhibit A shows the command output of show system ha for the STUDENT device. Exhibit B shows the command output of show system ha for the REMOTE device.

  Exhibit A:



  Exhibit B:



  Which one of the following is the most likely reason that the cluster fails to form?

  A. Password

  B. HA mode

  C. Heartbeat

  D. Override

  

【Analysis】
  On STUDENT the mode is configured as set mode a-p

  On REMOTE the mode is configured as set mode a-a

  

【Answer】B


Which of the following statements are correct about the HA command diagnose sys ha reset-uptime? (Choose two)

  A. The device this command is executed on is likely to switch from master to slave status if override is disabled.

  B. The device this command is executed on is likely to switch from master to slave status if override is enabled.

  C. This command has no impact on the HA algorithm.

  D. This command resets the uptime variable used in the HA algorithm so it may cause a new master to become elected.

  

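【Analysis】



  diagnose sys ha reset-uptime resets the HA uptime, so that the system re-elects the higher-priority unit as master according to the intended priority settings.

  

【Answer】AD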
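
The selection order from the earlier analysis (override disabled) and the effect of diagnose sys ha reset-uptime can be modelled together. This is an added example, not Fortinet code and not part of the original page: the hostnames are the ones used in the questions, the serial numbers, priorities and uptimes are constructed, and the override-enabled order (priority ahead of uptime) is an assumption taken from Fortinet's documentation rather than from this page.

```python
from dataclasses import dataclass, replace
from functools import reduce

AGE_MARGIN_S = 300  # uptime differences within 5 minutes are ignored

@dataclass(frozen=True)
class Unit:
    name: str
    serial: str        # constructed value, not a real device
    ports_up: int      # monitored ports currently up
    uptime_s: int      # HA uptime in seconds
    priority: int      # higher is preferred

def preferred(a, b, override=False):
    """Return the unit that wins a two-way master election."""
    age = a.uptime_s - b.uptime_s
    scores = {
        "ports": a.ports_up - b.ports_up,
        "age": age if abs(age) > AGE_MARGIN_S else 0,
        "priority": a.priority - b.priority,
    }
    # Override disabled: the order given on this page.
    # Override enabled: priority moves ahead of uptime (assumption taken
    # from Fortinet documentation, not stated on this page).
    order = ("ports", "priority", "age") if override else ("ports", "age", "priority")
    for key in order:
        if scores[key]:
            return a if scores[key] > 0 else b
    return a if a.serial > b.serial else b  # tie-break: highest serial number

def elect(units, override=False):
    return reduce(lambda x, y: preferred(x, y, override), units)

def reset_uptime(unit):
    """Model of 'diagnose sys ha reset-uptime': HA uptime restarts at zero."""
    return replace(unit, uptime_s=0)

def demo():
    # Constructed cluster: REMOTE has been up longer, STUDENT has higher priority.
    student = Unit("STUDENT", "FGT-EXAMPLE-0002", 2, 3_600, 200)
    remote = Unit("REMOTE", "FGT-EXAMPLE-0001", 2, 90_000, 100)
    before = elect([student, remote]).name                # uptime decides
    after = elect([student, reset_uptime(remote)]).name   # master ran the reset
    with_override = elect([student, remote], override=True).name
    return before, after, with_override

if __name__ == "__main__":
    print(demo())
```

With override disabled the long-running REMOTE holds the master role until its uptime is reset, after which the higher-priority STUDENT is elected.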


An administrator has formed a high availability cluster involving two FortiGate units.

  [ Multiple upstream Layer 2 switches ] -- [ FortiGate HA Cluster ] -- [ Multiple downstream Layer 2 switches ]

  The administrator wishes to ensure that a single link failure will have minimal impact upon the overall throughput of traffic through this cluster.

  Which of the following options describes the best step the administrator can take? The administrator should _____________________.

  A. Increase the number of FortiGate units in the cluster and configure HA in active-active mode.

  B. Enable monitoring of all active interfaces.

  C. Set up a full-mesh design which uses redundant interfaces.

  D. Configure the HA ping server feature to allow for HA failover in the event that a path is disrupted.

  

【Analysis】



  Use aggregate and redundant interfaces on all network devices to increase the robustness of the network.

  

【Answer】C


In a high availability cluster operating in active-active mode, which of the following correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a slave unit?

  A. Request: internal host; slave FortiGate; master FortiGate; Internet; web server.

  B. Request: internal host; slave FortiGate; Internet; web server.

  C. Request: internal host; master FortiGate; Internet; web server.

  D. Request: internal host; master FortiGate; slave FortiGate; Internet; web server.

  

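【Analysis】



  In active-active mode, traffic to the external network goes first to the master, then to the slave, and then to the external network.

  

【Answer】D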


The exhibit shows the Disconnect Cluster Member command in a FortiGate unit that is part of a HA cluster with two HA members.



  What is the effect of the Disconnect Cluster Member command as given in the exhibit? (Choose two)

  A. Port3 is configured with an IP address for management access.

  B. The firewall rules are purged on the disconnected unit.

  C. The HA mode changes to standalone.

  D. The system hostname is set to the unit serial number.

  

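【Analysis】
  After it is disconnected from HA, the FortiGate changes to standalone mode. Except for the specified interface, which has the specified IP address, all other interfaces are set to 0.0.0.0/0.0.0.0, and the firewall configuration remains in place.

  

【Answer】AC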

Fortinet Technology - 老梅子   QQ: 57389522
