PracticeVideosBlogFlashcardsEspañol
All Practice Exams

100+ Free Huawei HCIP-Security (H12-721/722/723) Practice Questions

Pass your Huawei Certified ICT Professional - Security (HCIP-Security): H12-721 CISN + H12-722 CSSN + H12-723 CTSS exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately
Huawei does not publish official pass rates Pass Rate
100+ Questions
100% Free

Loading practice questions...

Same family resources

Explore More Huawei Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.

Huawei HCIA-AI (H13-311 V3.5)

Practice Questions

Huawei HCIA-Big Data (H13-711)

Practice Questions

Huawei HCIA-Cloud Computing (H13-211 V3.0)

Practice Questions

Huawei HCIA-Cloud Service (H13-811)

Practice Questions

Huawei HCIA-Datacom (H12-811 V3.0)

Practice Questions

Huawei HCIA-IoT (H12-111)

Practice Questions
2026 Statistics

Key Facts: Huawei HCIP-Security (H12-721/722/723) Exam

3 exams

Required Track (CISN + CSSN + CTSS)

Huawei HCIP-Security

60 / exam

Questions per Exam

Huawei H12-721/722/723

90 min

Duration per Exam

Huawei

600 / 1000

Passing Score (per exam, scaled)

Huawei

$200 / exam

Exam Fee (USD, ~$600 total)

Huawei / Pearson VUE

3 years

Certification Validity

Huawei recertification cycle

Huawei HCIP-Security is a 3-exam track: H12-721 CISN (advanced firewall, NAT, multi-egress, advanced VPN, MPLS L3VPN), H12-722 CSSN (IPS, antivirus, DLP, URL/DNS filtering, app control), and H12-723 CTSS (FireHunter sandbox, HiSec Insight, AntiDDoS, encryption, AAA, automation). Each exam has 60 questions in 90 minutes with a 600/1000 scaled passing score and costs $200 USD at Pearson VUE, totaling ~$600 for the certification. The credential is valid for 3 years.

Sample Huawei HCIP-Security (H12-721/722/723) Practice Questions

Try these sample questions to test your Huawei HCIP-Security (H12-721/722/723) exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1On a Huawei USG firewall, which sequence correctly describes the matching order of an advanced security policy that uses 5-tuple plus user, application, URL, and time conditions?
A.Source/destination zone, source/destination address, user, service, application, URL category, time-range, action
B.Action, time-range, user, source/destination zone, application, URL category, source/destination address, service
C.User, source/destination address, action, source/destination zone, service, application, URL category, time-range
D.Service, source/destination zone, source/destination address, action, user, time-range, application, URL category
Explanation: USG security policy matching first uses zones (inter-zone direction), then 5-tuple (source/dest IP, service), then identity dimensions (user/user-group), then content dimensions (application from SA database, URL category, file/content profiles), then time-range, and finally an action (permit/deny) with optional content profiles. Action is the result, not a match condition, and time-range is evaluated as a condition before the action is taken.
2An administrator wants a Huawei USG to translate IPv6 hosts in the trust zone so they can reach an IPv4-only server in the untrust zone. Which feature is required?
A.NAT-PT (Network Address Translation - Protocol Translation)
B.Source NAT with PAT
C.Twice-NAT
D.NAT Server (static destination NAT)
Explanation: NAT-PT translates between IPv4 and IPv6 address families and is the Huawei feature used to let IPv6-only clients reach IPv4-only servers (or vice-versa). Source NAT, twice-NAT, and NAT Server all operate within the same address family (IPv4 to IPv4 or IPv6 to IPv6) and cannot bridge protocols.
3Which statement BEST describes the function of the root system (root vsys) on a Huawei USG that has multiple virtual systems configured?
A.It is the management system that owns physical interfaces and resource classes assigned to virtual systems
B.It is automatically deleted as soon as the first non-root vsys is created
C.It can only forward traffic between non-root virtual systems and never to physical interfaces
D.It shares its session table directly with every other virtual system for high availability
Explanation: On Huawei USG firewalls the root system (root-vsys) is the default virtual system that owns physical interfaces, the global routing instance, and the resource class definitions. Administrators bind interfaces and assign resource quotas to non-root vsys from the root system. Each vsys has its own independent session table; sessions are not shared.
4A Huawei USG with two ISP uplinks must steer HTTP traffic destined to ISP1 prefixes out of interface GE1/0/1 and HTTPS traffic destined to ISP2 prefixes out of GE1/0/2. Which feature combination is BEST suited?
A.Static routing only
B.Policy-based routing (PBR) plus ISP route (ISP address library)
C.Source NAT plus equal-cost multi-path
D.DNS transparent proxy plus default route
Explanation: ISP route uses Huawei's pre-loaded ISP address libraries to match destinations belonging to a particular ISP and forward them through the corresponding link. PBR matches additional conditions (such as application HTTP/HTTPS or source) to override the routing table. Combining the two gives ISP-aware, application-aware multi-egress steering.
5Which Huawei USG link load-balancing algorithm distributes new sessions in proportion to a link's configured weight?
A.Source-IP hash
B.Round robin
C.Weighted round robin
D.Least sessions
Explanation: Weighted round robin (WRR) distributes new sessions across multiple egress links in proportion to each link's configured weight. Plain round robin ignores weight, source-IP hash is for session stickiness, and least-sessions distributes based on current session count rather than capacity weight.
6What is the purpose of DNS transparent proxy on a Huawei multi-egress USG?
A.To intercept client DNS queries and rewrite them to use the DNS server of the egress link that will be used
B.To block all DNS queries that resolve to URL categories on a blacklist
C.To encrypt all DNS queries between the client and the firewall
D.To replace the firewall's own DNS resolver with the upstream ISP's
Explanation: DNS transparent proxy intercepts client DNS queries and rewrites the destination DNS server so that resolution happens via the same ISP that will carry the resulting traffic. This avoids the asymmetric path problem where ISP-A returns a CDN node optimized for ISP-A but the user actually exits via ISP-B. It is an integral part of multi-egress optimization.
7An administrator must guarantee at least 2 Mbps and cap each user in the marketing user-group at 5 Mbps of egress bandwidth. Which Huawei USG bandwidth feature applies?
A.Per-IP bandwidth inside a bandwidth policy with guaranteed and maximum bandwidth values
B.QoS policing only with CIR set to 2 Mbps
C.Queue scheduling using strict priority queues
D.Application-layer rate limiting via SA database only
Explanation: Bandwidth policies on the USG support per-IP bandwidth limits (each IP gets its own guaranteed minimum and maximum) inside a policy that matches users, applications, time, etc. Setting guaranteed bandwidth = 2 Mbps and maximum bandwidth = 5 Mbps achieves the requirement. Pure policing or scheduling alone does not enforce per-user minimums.
8Which Huawei queue-scheduling mode forwards packets in queues strictly in order of priority and never services a lower-priority queue while a higher one has packets?
A.Weighted Fair Queuing (WFQ)
B.Strict Priority (PQ)
C.Class-Based Weighted Fair Queuing (CBWFQ)
D.Low Latency Queuing (LLQ) without priority class
Explanation: Strict Priority Queuing (PQ) always services the highest-priority non-empty queue first and only serves lower queues when all higher queues are empty. WFQ and CBWFQ share bandwidth proportionally between queues, and LLQ without a priority class behaves like CBWFQ.
9Which IPsec feature lets a peer detect that the other end has gone silent and tear down the SA proactively, rather than waiting for the SA lifetime to expire?
A.Perfect Forward Secrecy (PFS)
B.Dead Peer Detection (DPD)
C.Anti-replay window
D.NAT Traversal (NAT-T)
Explanation: Dead Peer Detection sends keep-alive R-U-THERE messages over an established IKE SA. If a peer fails to acknowledge after the configured retry/interval, the local peer assumes the remote is dead and tears down both IKE and IPsec SAs, allowing immediate failover. PFS, anti-replay, and NAT-T address completely different functions (key independence, replay protection, NAT transparency).
10When IPsec NAT Traversal (NAT-T) is enabled, which UDP port does it use to encapsulate ESP packets?
A.UDP 500
B.UDP 4500
C.UDP 1701
D.UDP 50
Explanation: Once NAT is detected during IKE phase 1 (using NAT-D payloads), both peers move IKE and ESP traffic to UDP 4500. UDP 500 is plain IKE without NAT-T, UDP 1701 is L2TP, and ESP itself is IP protocol 50, not a UDP port — protocol 50 is precisely what cannot traverse NAT, which is why UDP 4500 encapsulation is needed.

About the Huawei HCIP-Security (H12-721/722/723) Exam

Huawei HCIP-Security is the professional-level certification in Huawei's three-tier security track (HCIA -> HCIP -> HCIE). It is a 3-exam track: H12-721 (CISN — Constructing Infrastructure of Security Network) covers advanced firewall (USG advanced policy with 5-tuple plus user, application, URL and time; advanced NAT including NAT-PT for IPv6; virtual systems vsys; multi-egress with PBR, source-based routing, link load balancing, ISP route, DNS transparent proxy; bandwidth/QoS), advanced VPN (IPsec with DPD, PKI, NAT-T, multi-area; SSL VPN web/network/port modes with two-factor; GRE over IPsec; L2TP/IPsec; DSVPN), MPLS L3VPN, firewall HA, troubleshooting. H12-722 (CSSN — Constructing Service Security Network) covers IPS deep (signature update, exception rule, signature group, action profile), advanced antivirus (heuristics, sandbox detonation, file reputation), DLP (data dictionary, regex, file fingerprinting), URL/DNS filtering (custom URL category, DNS sinkholing), application identification with custom apps and app groups, and content security profiles. H12-723 (CTSS — Constructing Terminal Security System) covers Huawei FireHunter sandbox, HiSec Insight / CIS (advanced threat detection, behavioral analytics, threat intelligence, kill-chain), AntiDDoS8000 (dilution, traction, scrubbing, BGP FlowSpec), CloudFabric vFW and microsegmentation, encryption (SM2/SM3/SM4, TLS 1.3, MACsec, ESP-NULL with HMAC), advanced AAA (Local, RADIUS, HWTACACS, Portal, 802.1X, Agile Controller integration), iMaster NCE-Campus / SecoManager security automation, security audit (eLog, syslog, sFlow, baseline) and deep troubleshooting (info-center, debugging, packet trace, packet capture).

Questions

60 scored questions

Time Limit

90 minutes per exam

Passing Score

600 / 1000 (per exam, scaled)

Exam Fee

$200 per exam (~$600 total for the 3-exam track) (Huawei / Pearson VUE)

Huawei HCIP-Security (H12-721/722/723) Exam Content Outline

~20%

Advanced Firewall (CISN)

USG advanced security policy combining 5-tuple with user, application, URL category, content profile and time-range; advanced NAT (NAT-PT, NAT64, twice-NAT, NAT Server); virtual systems (vsys) with resource classes; multi-egress design (PBR, source-based routing, link load balancing with weighted round robin, ISP route address libraries, DNS transparent proxy); bandwidth policies with per-IP guaranteed and maximum bandwidth, queue scheduling and QoS

~20%

Advanced VPN (CISN)

IPsec advanced (DPD, PKI digital certificates, NAT-T over UDP 4500, PFS, multi-area IPsec, ESP-NULL with HMAC); SSL VPN web/file/port-forwarding/network-extension modes with host posture and two-factor (OTP/SMS); GRE over IPsec for multicast and routing protocols; L2TP over IPsec remote access; DSVPN (Huawei's DMVPN equivalent); pre-shared key vs PKI scaling; troubleshooting IKE Phase 1/Phase 2 with display ike sa and debugging ike

~10%

MPLS L3VPN & Cloud-Edge Security

MP-BGP VPNv4 between PEs, VRFs, route distinguisher (RD) vs route target (RT), per-customer label segregation; CloudFabric security with iMaster NCE-Fabric service chains, USG6000V/USG6000E vFW insertion, microsegmentation for east-west tenant isolation

~15%

IPS & Application Control (CSSN)

IPS deep (signature database update via license subscription, signature groups, exception rules to whitelist scanners, action profiles binding block/alert/reset/capture, fail-close vs fail-open modes, packet capture for forensic evidence); SA database identification with custom applications and application groups; identity- and context-aware policy combining user, app, time, location, device

~15%

Advanced Antivirus, DLP & URL/DNS Filtering (CSSN)

Heuristic AV engine, file reputation lookup against cloud, sandbox detonation; DLP with data dictionaries (keyword + regex), file fingerprinting for partial document leak detection; URL custom categories with deny actions placed before predefined categories; DNS sinkholing of malicious domains; SSL/TLS decryption with enterprise CA and exclusion of pinned/regulated categories

~10%

Advanced Threat Detection & FireHunter (CTSS)

Huawei FireHunter sandbox integration with USG (file submission, verdict return, blocking); HiSec Insight (formerly CIS) for behavioral analytics, threat-intelligence integration, kill-chain visualization, retrospective threat hunting; closed-loop response that quarantines compromised endpoints via NCE-Campus / SecoManager

~5%

AntiDDoS (CTSS)

Huawei AntiDDoS8000 inline vs traction (BGP diversion) deployment, dilution, scrubbing center cleaning of diverted traffic with re-injection, BGP FlowSpec for upstream provider drops, SYN-flood source authentication / SYN cookie, behavioral baselines and protocol-aware filters

~5%

Encryption, AAA & Authentication (CTSS)

Chinese national algorithms SM2 (signature/KE), SM3 (hash) and SM4 (128-bit symmetric block cipher) for IPsec/TLS/PKI compliance; TLS 1.3 (no RSA KE, no SHA-1, 1-RTT); MACsec (802.1AE) hop-by-hop L2 confidentiality and integrity; ESP-NULL with HMAC-SHA-256 for integrity-only IPsec; Local/RADIUS/HWTACACS, Portal authentication over UDP 50100/50200, 802.1X EAP-TLS mutual cert validation, Agile Controller integration

~5%

Security Automation, Audit, Compliance & Troubleshooting (CTSS)

iMaster NCE-Campus and SecoManager intent-based security policy orchestration; eLog Enterprise Log Center, syslog and sFlow exports, security baseline assessment against documented secure-config standards; troubleshooting with info-center, display security-policy rule, display ike sa, debugging ike all, packet-trace through policy/NAT/route stages, packet capture; operation log for compliance audit

How to Pass the Huawei HCIP-Security (H12-721/722/723) Exam

What You Need to Know

  • Passing score: 600 / 1000 (per exam, scaled)
  • Exam length: 60 questions
  • Time limit: 90 minutes per exam
  • Exam fee: $200 per exam (~$600 total for the 3-exam track)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Huawei HCIP-Security (H12-721/722/723) Study Tips from Top Performers

1Take the exams in order (CISN -> CSSN -> CTSS) so VPN and policy fundamentals are solid before content security and analytics
2Memorize the USG advanced policy match order: zone -> 5-tuple -> user -> application -> URL category -> time-range -> action with content profile
3Know NAT-PT (IPv6<->IPv4 protocol translation) vs NAT-T (IPsec NAT traversal on UDP 4500) — they are unrelated but easy to confuse
4IPsec PFS forces a fresh DH exchange per Phase 2 SA so past SAs stay safe even if the current master key is later compromised
5DSVPN is Huawei's DMVPN equivalent — spokes register to the hub, then build on-demand spoke-to-spoke IPsec tunnels
6Tune noisy IPS signatures with exception rules (per source IP) instead of disabling the whole signature globally
7File fingerprinting catches partial leaks of registered documents even after edits; regex catches structured data like SSN/credit-card
8DNS sinkholing fed by threat-intel feeds defeats fast-flux botnets that rotate C2 domains every few minutes
9AntiDDoS terms: traction = BGP diversion to scrubbing center, dilution = active probing/marking, scrubbing = filtering and re-injection
10SM2/SM3/SM4 are the GM/T (Chinese national) crypto algorithms; SM4 is a 128-bit block / 128-bit key symmetric cipher used in IPsec/TLS

Frequently Asked Questions

What is Huawei HCIP-Security?

HCIP-Security is the professional-level certification in Huawei's three-tier security track (HCIA -> HCIP -> HCIE). It is a 3-exam track: H12-721 CISN (Constructing Infrastructure of Security Network — advanced firewall, NAT, multi-egress, advanced VPN, MPLS L3VPN), H12-722 CSSN (Constructing Service Security Network — IPS, antivirus, DLP, URL/DNS filtering, app control) and H12-723 CTSS (Constructing Terminal Security System — FireHunter sandbox, HiSec Insight, AntiDDoS, encryption, AAA, automation). All three are required for the credential.

How many questions are on each HCIP-Security exam?

Each of the three HCIP-Security exams (H12-721, H12-722, H12-723) has 60 questions delivered in 90 minutes. Item types include single-answer multiple choice, multiple-answer multiple choice, true/false, drag-and-drop and short-answer covering the per-exam syllabus published by Huawei.

What is the passing score for HCIP-Security?

Each HCIP-Security exam (H12-721 CISN, H12-722 CSSN, H12-723 CTSS) is scored on a 0-1000 scaled scale and the passing score is 600/1000 per exam. Huawei does not publish a percentage pass rate. All three exams must be passed within the certification window to obtain HCIP-Security.

How much does Huawei HCIP-Security cost in total?

Each HCIP-Security exam costs $200 USD at Pearson VUE, so the full 3-exam track (H12-721 + H12-722 + H12-723) totals approximately $600 USD before local taxes. Exams can be taken at a Pearson VUE test center or via OnVUE online proctoring in supported regions, in any order.

How long is the HCIP-Security certification valid?

The HCIP-Security certification is valid for 3 years from the issue date. To recertify, candidates can retake the same exams, pass a higher-level exam in the security track (HCIE-Security), or follow Huawei's continuing-credential paths in effect at renewal time. Lapsed credentials require retaking all three exams.

How long should I study for HCIP-Security?

Plan for 200-300 hours of focused study across the three exams, typically 4-6 months part-time. Lab extensively on USG6000 / USG6500 (or eNSP) for advanced firewall, IPsec, SSL VPN, IPS, AV, URL/DLP. Build a basic HiSec Insight / FireHunter test environment if available. Aim for 80%+ on per-exam mocks before scheduling each test.