Palo Alto Networks

HP HPE6-A84 Exam (page: 1)
HP Aruba Certified Network Security Expert Written Exam
Updated on: 26-Oct-2025

Access free HPE6-A84 actual exam questions, answers, explanations and user discussions.

Viewing Page 1 of 13 Pages

HPE6-A84 PDF with 60 Questions

QUESTION: 1

You are designing an Aruba ClearPass Policy Manager (CPPM) solution for a customer. You learn that the customer has a Palo Alto firewall that filters traffic between clients in the campus and the data center.

Which integration can you suggest?

Sending Syslogs from the firewall to CPPM to signal CPPM to change the authentication status for misbehaving clients
Importing clients' MAC addresses to configure known clients for MAC authentication more quickly
Establishing a double layer of authentication at both the campus edge and the data center DMZ
Importing the firewall's rules to program downloadable user roles for AOS-CX switches more quickly

Answer(s): A

Explanation:

This option allows CPPM to receive real-time information about the network activity and security posture of the clients from the firewall, and then apply appropriate enforcement actions based on the configured policies. For example, if a client is detected to be infected with malware or violating the network usage policy, CPPM can quarantine or disconnect the client from the network.

Reveal Solution Next Question

QUESTION: 2

Refer to the scenario.

A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).

Switches are using local port-access policies.

The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the "eth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.

The plan for the enforcement policy and profiles is shown below:

The gateway cluster has two gateways with these IP addresses:

· Gateway 1
o VLAN 4085 (system IP) = 10.20.4.21
o VLAN 20 (users) = 10.20.20.1
o VLAN 4094 (WAN) = 198.51.100.14
· Gateway 2
o VLAN 4085 (system IP) = 10.20.4.22
o VLAN 20 (users) = 10.20.20.2
o VLAN 4094 (WAN) = 198.51.100.12
· VRRP on VLAN 20 = 10.20.20.254

The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway falls, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.

You are setting up the UBT zone on an AOS-CX switch.

Which IP addresses should you define in the zone?

Primary controller = 10.20.4.21; backup controller = 10.20.4.22
[Primary controller = 198.51.100.14; backup controller = 10.20.4.21
Primary controller = 10 20 4 21: backup controller not defined
Primary controller = 10.20.20.254; backup controller, not defined

Answer(s): A

Explanation:

To configure user-based tunneling (UBT) on an AOS-CX switch, you need to specify the IP addresses of the mobility gateways that will receive the tunneled traffic from the switch. The primary controller is the preferred gateway for the switch to establish a tunnel, and the backup controller is the alternative gateway in case the primary controller fails or becomes unreachable. The IP addresses of the gateways should be their system IP addresses, which are used for inter-controller communication and cluster discovery.
In this scenario, the customer has a gateway cluster with two gateways, each with a system IP address on VLAN 4085. Therefore, the switch should use these system IP addresses as the primary and backup controllers for UBT. The IP addresses of the gateways on VLAN 20 and VLAN 4094 are not relevant for UBT, as they are used for user traffic and WAN connectivity, respectively. The VRRP IP address on VLAN 20 is also not applicable for UBT, as it is a virtual IP address that is not associated with any specific gateway.
Therefore, the best option is to use 10.20.4.21 as the primary controller and 10.20.4.22 as the backup controller for UBT on the switch. This will ensure high availability and cluster discovery for the tunneled traffic from the switch to the gateway cluster.

Reveal Solution Next Question

QUESTION: 3

Refer to the scenario.

A customer requires these rights for clients in the "medical-mobile" AOS firewall role on Aruba Mobility Controllers (MCs):

Permitted to receive IP addresses with DHCP
Permitted access to DNS services from 10.8.9.7 and no other server
Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22
Denied access to other 10.0.0.0/8 subnets
Permitted access to the Internet
Denied access to the WLAN for a period of time if they send any SSH traffic
Denied access to the WLAN for a period of time if they send any Telnet traffic
Denied access to all high-risk websites
External devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.

The exhibits below show the configuration for the role.

There are multiple issues with this configuration.
What is one change you must make to meet the scenario requirements? (In the options, rules in a policy are referenced from top to bottom. For example, "medical-mobile" rule 1 is "ipv4 any any svc-dhcp permit," and rule 8 is "ipv4 any any any permit".)

In the "medical-mobile" policy, move rules 2 and 3 between rules 7 and 8.
In the "medical-mobile" policy, change the subnet mask in rule 3 to 255.255.248.0.
Move the rule in the "apprf-medical-mobile-sacl" policy between rules 7 and 8 in the "medical- mobile" policy.
In the "medical-mobile" policy, change the source in rule 8 to "user."

Answer(s): B

Explanation:

The subnet mask in rule 3 of the "medical-mobile" policy is currently 255.255.252.0, which means that the rule denies access to the 10.1.12.0/22 subnet as well as the adjacent 10.1.16.0/22 subnet. This is not consistent with the scenario requirements, which state that only the 10.1.12.0/22 subnet should be denied access, while the rest of the 10.1.0.0/16 range should be permitted access. To fix this issue, the subnet mask in rule 3 should be changed to 255.255.248.0, which means that the rule only denies access to the 10.1.8.0/21 subnet, which includes the 10.1.12.0/22 subnet. This way, the rule matches the scenario requirements more precisely.

Reveal Solution Next Question

QUESTION: 4

A company has an Aruba ClearPass server at 10.47.47.8, FQDN radius.acnsxtest.local. This exhibit shows ClearPass Policy Manager's (CPPM's) settings for an Aruba Mobility Controller (MC).

The MC is already configured with RADIUS authentication settings for CPPM, and RADIUS requests between the MC and CPPM are working. A network admin enters and commits this command to enable dynamic authorization on the MC:

aaa rfc-3576-server 10.47.47.8

But when CPPM sends CoA requests to the MC, they are not working. This exhibit shows the RFC 3576 server statistics on the MC:

How could you fix this issue?

Change the UDP port in the MCs' RFC 3576 server config to 3799.
Enable RadSec on the MCs' RFC 3676 server config.
Configure the MC to obtain the time from a valid NTP server.
Make sure that CPPM is using an ArubaOS Wireless RADIUS CoA enforcement profile.

Answer(s): A

Explanation:

Dynamic authorization is a feature that allows CPPM to send change of authorization (CoA) or disconnect messages to the MC to modify or terminate a user session based on certain conditions or events. Dynamic authorization uses the RFC 3576 protocol, which is an extension of the RADIUS protocol.
To enable dynamic authorization on the MC, you need to configure the IP address and UDP port of the CPPM server as the RFC 3576 server on the MC 3. The default UDP port for RFC 3576 is 3799, but it can be changed on the CPPM server . The MC and CPPM must use the same UDP port for dynamic authorization to work properly.
In this scenario, the MC is configured with the IP address of the CPPM server (10.47.47.8) as the RFC 3576 server, but it is using the default UDP port of 3799. However, according to the exhibit, the CPPM server is using a different UDP port of 1700 for dynamic authorization . This mismatch causes the CoA requests from CPPM to fail on the MC, as shown by the statistics . To fix this issue, you need to change the UDP port in the MCs' RFC 3576 server config to match the UDP port used by CPPM, which is 1700 in this case. Alternatively, you can change the UDP port in CPPM to match the default UDP port of 3799 on the MC. Either way, you need to ensure that both devices use the same UDP port for dynamic authorization 3 .

Reveal Solution Next Question

QUESTION: 5

Refer to the scenario.

A customer requires these rights for clients in the "medical-mobile" AOS firewall role on Aruba Mobility Controllers (MCs):

Permitted to receive IP addresses with DHCP

Permitted access to DNS services from 10.8.9.7 and no other server

Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22

Denied access to other 10.0.0.0/8 subnets

Permitted access to the Internet

Denied access to the WLAN for a period of time if they send any SSH traffic

Denied access to the WLAN for a period of time if they send any Telnet traffic

Denied access to all high-risk websites

External devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.

The exhibits below show the configuration for the role.

What setting not shown in the exhibit must you check to ensure that the requirements of the scenario are met?

That denylisting is enabled globally on the MCs' firewalls
That stateful handling of traffic is enabled globally on the MCs' firewalls and on the medical- mobile role.
That AppRF and WebCC are enabled globally and on the medical-mobile role
That the MCs are assigned RF Protect licenses

Answer(s): C

Explanation:

AppRF and WebCC are features that allow the MCs to classify and control application traffic and web content based on predefined or custom categories. These features are required to meet the scenario requirements of denying access to all high-risk websites and denying access to the WLAN for a period of time if they send any SSH or Telnet traffic. To enable AppRF and WebCC, you need to check the following settings:
On the global level, you need to enable AppRF and WebCC under Configuration > Services > AppRF and Configuration > Services > WebCC, respectively. On the role level, you need to enable AppRF and WebCC under Configuration > Security > Access Control > Roles > medical-mobile > AppRF and Configuration > Security > Access Control > Roles > medical-mobile > WebCC, respectively.
You also need to make sure that the MCs have valid licenses for AppRF and WebCC, which are included in the ArubaOS PEFNG license.

Reveal Solution Next Question

Viewing Page 1 of 13 Pages

Share your comments for HP HPE6-A84 exam with other users:

Comments:

Name:

lipsa 11/8/2023 12:54:00 PM

thanks for question

Anonymous

Eli 6/18/2023 11:27:00 PM

the software is provided for free so this is a big change. all other sites are charging for that. also that fucking examtopic site that says free is not free at all. you are hit with a pay-wall.

EUROPEAN UNION

open2exam 10/29/2023 1:14:00 PM

i need exam questions nca 6.5 any help please ?

Anonymous

Gerald 9/11/2023 12:22:00 PM

just took the comptia cybersecurity analyst (cysa+) - wished id seeing this before my exam

UNITED STATES

ryo 9/10/2023 2:27:00 PM

very helpful

MEXICO

Jamshed 6/20/2023 4:32:00 AM

i need this exam

PAKISTAN

Roberto Capra 6/14/2023 12:04:00 PM

nice questions... are these questions the same of the exam?

Anonymous

Synt 5/23/2023 9:33:00 PM

need to view

UNITED STATES

Vey 5/27/2023 12:06:00 AM

highly appreciate for your sharing.

CAMBODIA

Tshepang 8/18/2023 4:41:00 AM

kindly share this dump. thank you

Anonymous

Jay 9/26/2023 8:00:00 AM

link plz for download

UNITED STATES

Leo 10/30/2023 1:11:00 PM

data quality oecd

Anonymous

Blessious Phiri 8/13/2023 9:35:00 AM

rman is one good recovery technology

Anonymous

DiligentSam 9/30/2023 10:26:00 AM

need it thx

Anonymous

Vani 8/10/2023 8:11:00 PM

good questions

NEW ZEALAND

Fares 9/11/2023 5:00:00 AM

good one nice revision

Anonymous

Lingaraj 10/26/2023 1:27:00 AM

i love this thank you i need

Anonymous

Muhammad Rawish Siddiqui 12/5/2023 12:38:00 PM

question # 142: data governance is not one of the deliverables in the document and content management context diagram.

SAUDI ARABIA

al 6/7/2023 10:25:00 AM

most answers not correct here

Anonymous

Bano 1/19/2024 2:29:00 AM

what % of questions do we get in the real exam?

UNITED STATES

Oliviajames 10/25/2023 5:31:00 AM

i just want to tell you. i took my microsoft az-104 exam and passed it. your program was awesome. i especially liked your detailed questions and answers and practice tests that made me well-prepared for the exam. thanks to this website!!!

UNITED STATES

Divya 8/27/2023 12:31:00 PM

all the best

UNITED STATES

KY 1/1/2024 11:01:00 PM

very usefull document

Anonymous

Arun 9/20/2023 4:52:00 PM

nice and helpful questions

INDIA

Joseph J 7/11/2023 2:53:00 PM

i found the questions helpful

UNITED STATES

Meg 10/12/2023 8:02:00 AM

q 105 . ans is d

INDIA

Navaneeth S 7/14/2023 7:57:00 AM

i have interest to get a sybase iq dba certification

UNITED STATES

Aish 10/11/2023 5:27:00 AM

want to pass exm.

INDIA

Anonymous 6/12/2023 7:23:00 AM

are the answers correct?

INDIA

Kris 7/7/2023 9:43:00 AM

good morning, could you please upload this exam again, i need it to test my knowledge in sd-wan with version 7.0.

Anonymous

Meghraj mali 10/7/2023 1:47:00 PM

very nice question

CANADA

Noel 11/1/2022 9:14:00 PM

i have learning disability and this exam dumps allowed me to focus on the actual questions and not worry about notes and the those other study materials.

SOUTH AFRICA

Jas 10/25/2023 6:01:00 PM

165 should be apt

UNITED STATES

Neetu 6/22/2023 8:41:00 AM

please upload the dumps, real need of them

Anonymous