You are designing an Aruba ClearPass Policy Manager (CPPM) solution for a customer. You learn that the customer has a Palo Alto firewall that filters traffic between clients in the campus and the data center.Which integration can you suggest?
Answer(s): A
This option allows CPPM to receive real-time information about the network activity and security posture of the clients from the firewall, and then apply appropriate enforcement actions based on the configured policies. For example, if a client is detected to be infected with malware or violating the network usage policy, CPPM can quarantine or disconnect the client from the network.
Refer to the scenario.A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).Switches are using local port-access policies.The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the "eth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.The plan for the enforcement policy and profiles is shown below:The gateway cluster has two gateways with these IP addresses:· Gateway 1o VLAN 4085 (system IP) = 10.20.4.21o VLAN 20 (users) = 10.20.20.1o VLAN 4094 (WAN) = 198.51.100.14· Gateway 2o VLAN 4085 (system IP) = 10.20.4.22o VLAN 20 (users) = 10.20.20.2o VLAN 4094 (WAN) = 198.51.100.12· VRRP on VLAN 20 = 10.20.20.254The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway falls, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.You are setting up the UBT zone on an AOS-CX switch.Which IP addresses should you define in the zone?
To configure user-based tunneling (UBT) on an AOS-CX switch, you need to specify the IP addresses of the mobility gateways that will receive the tunneled traffic from the switch. The primary controller is the preferred gateway for the switch to establish a tunnel, and the backup controller is the alternative gateway in case the primary controller fails or becomes unreachable. The IP addresses of the gateways should be their system IP addresses, which are used for inter-controller communication and cluster discovery.In this scenario, the customer has a gateway cluster with two gateways, each with a system IP address on VLAN 4085. Therefore, the switch should use these system IP addresses as the primary and backup controllers for UBT. The IP addresses of the gateways on VLAN 20 and VLAN 4094 are not relevant for UBT, as they are used for user traffic and WAN connectivity, respectively. The VRRP IP address on VLAN 20 is also not applicable for UBT, as it is a virtual IP address that is not associated with any specific gateway.Therefore, the best option is to use 10.20.4.21 as the primary controller and 10.20.4.22 as the backup controller for UBT on the switch. This will ensure high availability and cluster discovery for the tunneled traffic from the switch to the gateway cluster.
Refer to the scenario.A customer requires these rights for clients in the "medical-mobile" AOS firewall role on Aruba Mobility Controllers (MCs):Permitted to receive IP addresses with DHCPPermitted access to DNS services from 10.8.9.7 and no other serverPermitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22Denied access to other 10.0.0.0/8 subnetsPermitted access to the InternetDenied access to the WLAN for a period of time if they send any SSH trafficDenied access to the WLAN for a period of time if they send any Telnet trafficDenied access to all high-risk websitesExternal devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.The exhibits below show the configuration for the role.There are multiple issues with this configuration.What is one change you must make to meet the scenario requirements? (In the options, rules in a policy are referenced from top to bottom. For example, "medical-mobile" rule 1 is "ipv4 any any svc-dhcp permit," and rule 8 is "ipv4 any any any permit".)
Answer(s): B
The subnet mask in rule 3 of the "medical-mobile" policy is currently 255.255.252.0, which means that the rule denies access to the 10.1.12.0/22 subnet as well as the adjacent 10.1.16.0/22 subnet. This is not consistent with the scenario requirements, which state that only the 10.1.12.0/22 subnet should be denied access, while the rest of the 10.1.0.0/16 range should be permitted access. To fix this issue, the subnet mask in rule 3 should be changed to 255.255.248.0, which means that the rule only denies access to the 10.1.8.0/21 subnet, which includes the 10.1.12.0/22 subnet. This way, the rule matches the scenario requirements more precisely.
A company has an Aruba ClearPass server at 10.47.47.8, FQDN radius.acnsxtest.local. This exhibit shows ClearPass Policy Manager's (CPPM's) settings for an Aruba Mobility Controller (MC).The MC is already configured with RADIUS authentication settings for CPPM, and RADIUS requests between the MC and CPPM are working. A network admin enters and commits this command to enable dynamic authorization on the MC:aaa rfc-3576-server 10.47.47.8But when CPPM sends CoA requests to the MC, they are not working. This exhibit shows the RFC 3576 server statistics on the MC:How could you fix this issue?
Dynamic authorization is a feature that allows CPPM to send change of authorization (CoA) or disconnect messages to the MC to modify or terminate a user session based on certain conditions or events. Dynamic authorization uses the RFC 3576 protocol, which is an extension of the RADIUS protocol.To enable dynamic authorization on the MC, you need to configure the IP address and UDP port of the CPPM server as the RFC 3576 server on the MC 3. The default UDP port for RFC 3576 is 3799, but it can be changed on the CPPM server . The MC and CPPM must use the same UDP port for dynamic authorization to work properly.In this scenario, the MC is configured with the IP address of the CPPM server (10.47.47.8) as the RFC 3576 server, but it is using the default UDP port of 3799. However, according to the exhibit, the CPPM server is using a different UDP port of 1700 for dynamic authorization . This mismatch causes the CoA requests from CPPM to fail on the MC, as shown by the statistics . To fix this issue, you need to change the UDP port in the MCs' RFC 3576 server config to match the UDP port used by CPPM, which is 1700 in this case. Alternatively, you can change the UDP port in CPPM to match the default UDP port of 3799 on the MC. Either way, you need to ensure that both devices use the same UDP port for dynamic authorization 3 .
Refer to the scenario.A customer requires these rights for clients in the "medical-mobile" AOS firewall role on Aruba Mobility Controllers (MCs):Permitted to receive IP addresses with DHCPPermitted access to DNS services from 10.8.9.7 and no other serverPermitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22Denied access to other 10.0.0.0/8 subnetsPermitted access to the InternetDenied access to the WLAN for a period of time if they send any SSH trafficDenied access to the WLAN for a period of time if they send any Telnet trafficDenied access to all high-risk websitesExternal devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.The exhibits below show the configuration for the role.What setting not shown in the exhibit must you check to ensure that the requirements of the scenario are met?
Answer(s): C
AppRF and WebCC are features that allow the MCs to classify and control application traffic and web content based on predefined or custom categories. These features are required to meet the scenario requirements of denying access to all high-risk websites and denying access to the WLAN for a period of time if they send any SSH or Telnet traffic. To enable AppRF and WebCC, you need to check the following settings:On the global level, you need to enable AppRF and WebCC under Configuration > Services > AppRF and Configuration > Services > WebCC, respectively. On the role level, you need to enable AppRF and WebCC under Configuration > Security > Access Control > Roles > medical-mobile > AppRF and Configuration > Security > Access Control > Roles > medical-mobile > WebCC, respectively.You also need to make sure that the MCs have valid licenses for AppRF and WebCC, which are included in the ArubaOS PEFNG license.
Share your comments for HP HPE6-A84 exam with other users:
please upload the ncp-mci 6.5 dumps, really need to practice this one. thanks guys
question 16: https://help.salesforce.com/s/articleview?id=sf.care_console_overview.htm&type=5
yes i m prepared exam
my experience was great with this site as i studied for the ms-900 from here and got 900/1000 on the test. my main focus was on the tutorials which were provided and practice questions. thanks!
great course
very good question
question: 93 which statement is true regarding the result? sales contain 6 columns and values contain 7 columns so c is not right answer.
highly recommend just passed my exam.
great practice! thanks
anyone who wrote this exam recently?
kindly share the dump
could you please upload cfe fraud prevention and deterrence questions? it will be very much helpful.
this is really very very helpful for mcd level 1
very helpful!
question #18s answer should be a, not d. this should be corrected. it should be minvalidityperiod
thanks for the exact solution
need to refer the questions and have to give the exam
i need it right now if it was possible please
i need it very much please share it in the fastest time.
correct answer is d for student.java program
q:37 c is correct
q6 exam topic: terramearth, c: correct answer: copy 1petabyte to encrypted usb device ???
explained answers
plan to take theaws certified developer - associate dva-c02 in the next few weeks
very helpfull
good questions
help to practice csa exam
nice tip and well documented
i need the exam
please upload
prepping for fsc exam
pd1 with great experience
@t it seems like azure service bus message quesues could be the best solution
helpful to check your understanding.