考题篇(5.4) 01 ❀ 企业防火墙 ❀ Fortinet 网络安全架构师 NSE７

本文链接：https://blog.csdn.net/meigang2012/article/details/111212529

Examine the IPsec configuration shown in the exhibit; then answer the question below. 〖查看下图中显示的IPsec配置；然后回答下面的问题。〗

　　An administrator wants to monitor the VPN by enabling the IKE real time debug using these commands: 〖管理员想要通过使用以下命令启用IKE实时调试来监视VPN：〗

　　diagnose vpn ike log-filter src-addr4 10.0.10.1

　　diagnose debug application ike -1

　　diagnose debug enable

　　The VPN is currently up, there is no traffic crossing the tunnel and DPD packets are being interchanged between both IPsec gateways. However, the IKE real time debug does NOT show any output. Why isn’t there any output? 〖VPN目前已启动，隧道中没有任何流量，IPsec网关之间正在交换DPD数据包。但是，IKE实时调试不会显示任何输出。为什么没有输出呢?〗

　　A. The IKE real time shows the phases 1 and 2 negotiations only. It does not show any more output once the tunnel is up.〖IKE实时只显示阶段1和2的协商。一旦隧道连通，它就不再显示任何输出。〗

　　B. The log-filter setting is set incorrectly. The VPN’s traffic does not match this filter. 〖日志过滤器设置不正确。VPN的流量与这个过滤器不匹配。〗

　　C. The IKE real time debug shows the phase 1 negotiation only. For information after that, the administrator must use the IPsec real time debug instead: diagnose debug application ipsec -1.〖IKE实时调试仅显示阶段1协商。对于之后的信息，管理员必须改为使用IPsec实时调试：diagnose debug application ipsec -1。〗

　　D. The IKE real time debug shows error messages only. If it does not provide any output, it indicates that the tunnel is operating normally.〖IKE实时调试只显示错误消息。如果它不提供任何输出，则表明隧道运行正常。〗

　　【分析】

　　IKE守护进程处理FortiGate上的所有Psec连接。熟悉可用的过滤器选项是很重要的。你可以使用这些选项来过滤IKE实时调试的输出，以便只显示与你相关的信息。

　　最常见的筛选器选项是dst-addr4，你可以使用它根据远程对等端IP地址筛选输出。此外，还支持多个地址。当远程对等IP地址未知时，按名称进行过滤很有帮助。

　　【本例使用src-addr4，IP地址却是远端IP地址】

　　【答案】Ｂ

Which of the following statements are true regarding the SIP session helper and the SIP application layer gateway (ALG)? (Choose three.) 〖关于SIP会话助手和SIP应用层网关(ALG)，下列哪项陈述是正确的?(选择三个)〗