Palo Alto Networks

HP HPE6-A84 Exam (page: 1)
HP Aruba Certified Network Security Expert Written Exam
Updated on: 28-Jul-2025

Access free HPE6-A84 actual exam questions, answers, explanations and user discussions.

Viewing Page 1 of 13 Pages

HPE6-A84 PDF with 60 Questions

QUESTION: 1

You are designing an Aruba ClearPass Policy Manager (CPPM) solution for a customer. You learn that the customer has a Palo Alto firewall that filters traffic between clients in the campus and the data center.

Which integration can you suggest?

Sending Syslogs from the firewall to CPPM to signal CPPM to change the authentication status for misbehaving clients
Importing clients' MAC addresses to configure known clients for MAC authentication more quickly
Establishing a double layer of authentication at both the campus edge and the data center DMZ
Importing the firewall's rules to program downloadable user roles for AOS-CX switches more quickly

Answer(s): A

Explanation:

This option allows CPPM to receive real-time information about the network activity and security posture of the clients from the firewall, and then apply appropriate enforcement actions based on the configured policies. For example, if a client is detected to be infected with malware or violating the network usage policy, CPPM can quarantine or disconnect the client from the network.

Reveal Solution Next Question

QUESTION: 2

Refer to the scenario.

A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).

Switches are using local port-access policies.

The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the "eth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.

The plan for the enforcement policy and profiles is shown below:

The gateway cluster has two gateways with these IP addresses:

· Gateway 1
o VLAN 4085 (system IP) = 10.20.4.21
o VLAN 20 (users) = 10.20.20.1
o VLAN 4094 (WAN) = 198.51.100.14
· Gateway 2
o VLAN 4085 (system IP) = 10.20.4.22
o VLAN 20 (users) = 10.20.20.2
o VLAN 4094 (WAN) = 198.51.100.12
· VRRP on VLAN 20 = 10.20.20.254

The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway falls, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.

You are setting up the UBT zone on an AOS-CX switch.

Which IP addresses should you define in the zone?

Primary controller = 10.20.4.21; backup controller = 10.20.4.22
[Primary controller = 198.51.100.14; backup controller = 10.20.4.21
Primary controller = 10 20 4 21: backup controller not defined
Primary controller = 10.20.20.254; backup controller, not defined

Answer(s): A

Explanation:

To configure user-based tunneling (UBT) on an AOS-CX switch, you need to specify the IP addresses of the mobility gateways that will receive the tunneled traffic from the switch. The primary controller is the preferred gateway for the switch to establish a tunnel, and the backup controller is the alternative gateway in case the primary controller fails or becomes unreachable. The IP addresses of the gateways should be their system IP addresses, which are used for inter-controller communication and cluster discovery.
In this scenario, the customer has a gateway cluster with two gateways, each with a system IP address on VLAN 4085. Therefore, the switch should use these system IP addresses as the primary and backup controllers for UBT. The IP addresses of the gateways on VLAN 20 and VLAN 4094 are not relevant for UBT, as they are used for user traffic and WAN connectivity, respectively. The VRRP IP address on VLAN 20 is also not applicable for UBT, as it is a virtual IP address that is not associated with any specific gateway.
Therefore, the best option is to use 10.20.4.21 as the primary controller and 10.20.4.22 as the backup controller for UBT on the switch. This will ensure high availability and cluster discovery for the tunneled traffic from the switch to the gateway cluster.

Reveal Solution Next Question

QUESTION: 3

Refer to the scenario.

A customer requires these rights for clients in the "medical-mobile" AOS firewall role on Aruba Mobility Controllers (MCs):

Permitted to receive IP addresses with DHCP
Permitted access to DNS services from 10.8.9.7 and no other server
Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22
Denied access to other 10.0.0.0/8 subnets
Permitted access to the Internet
Denied access to the WLAN for a period of time if they send any SSH traffic
Denied access to the WLAN for a period of time if they send any Telnet traffic
Denied access to all high-risk websites
External devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.

The exhibits below show the configuration for the role.

There are multiple issues with this configuration.
What is one change you must make to meet the scenario requirements? (In the options, rules in a policy are referenced from top to bottom. For example, "medical-mobile" rule 1 is "ipv4 any any svc-dhcp permit," and rule 8 is "ipv4 any any any permit".)

In the "medical-mobile" policy, move rules 2 and 3 between rules 7 and 8.
In the "medical-mobile" policy, change the subnet mask in rule 3 to 255.255.248.0.
Move the rule in the "apprf-medical-mobile-sacl" policy between rules 7 and 8 in the "medical- mobile" policy.
In the "medical-mobile" policy, change the source in rule 8 to "user."

Answer(s): B

Explanation:

The subnet mask in rule 3 of the "medical-mobile" policy is currently 255.255.252.0, which means that the rule denies access to the 10.1.12.0/22 subnet as well as the adjacent 10.1.16.0/22 subnet. This is not consistent with the scenario requirements, which state that only the 10.1.12.0/22 subnet should be denied access, while the rest of the 10.1.0.0/16 range should be permitted access. To fix this issue, the subnet mask in rule 3 should be changed to 255.255.248.0, which means that the rule only denies access to the 10.1.8.0/21 subnet, which includes the 10.1.12.0/22 subnet. This way, the rule matches the scenario requirements more precisely.

Reveal Solution Next Question

QUESTION: 4

A company has an Aruba ClearPass server at 10.47.47.8, FQDN radius.acnsxtest.local. This exhibit shows ClearPass Policy Manager's (CPPM's) settings for an Aruba Mobility Controller (MC).

The MC is already configured with RADIUS authentication settings for CPPM, and RADIUS requests between the MC and CPPM are working. A network admin enters and commits this command to enable dynamic authorization on the MC:

aaa rfc-3576-server 10.47.47.8

But when CPPM sends CoA requests to the MC, they are not working. This exhibit shows the RFC 3576 server statistics on the MC:

How could you fix this issue?

Change the UDP port in the MCs' RFC 3576 server config to 3799.
Enable RadSec on the MCs' RFC 3676 server config.
Configure the MC to obtain the time from a valid NTP server.
Make sure that CPPM is using an ArubaOS Wireless RADIUS CoA enforcement profile.

Answer(s): A

Explanation:

Dynamic authorization is a feature that allows CPPM to send change of authorization (CoA) or disconnect messages to the MC to modify or terminate a user session based on certain conditions or events. Dynamic authorization uses the RFC 3576 protocol, which is an extension of the RADIUS protocol.
To enable dynamic authorization on the MC, you need to configure the IP address and UDP port of the CPPM server as the RFC 3576 server on the MC 3. The default UDP port for RFC 3576 is 3799, but it can be changed on the CPPM server . The MC and CPPM must use the same UDP port for dynamic authorization to work properly.
In this scenario, the MC is configured with the IP address of the CPPM server (10.47.47.8) as the RFC 3576 server, but it is using the default UDP port of 3799. However, according to the exhibit, the CPPM server is using a different UDP port of 1700 for dynamic authorization . This mismatch causes the CoA requests from CPPM to fail on the MC, as shown by the statistics . To fix this issue, you need to change the UDP port in the MCs' RFC 3576 server config to match the UDP port used by CPPM, which is 1700 in this case. Alternatively, you can change the UDP port in CPPM to match the default UDP port of 3799 on the MC. Either way, you need to ensure that both devices use the same UDP port for dynamic authorization 3 .

Reveal Solution Next Question

QUESTION: 5

Refer to the scenario.

A customer requires these rights for clients in the "medical-mobile" AOS firewall role on Aruba Mobility Controllers (MCs):

Permitted to receive IP addresses with DHCP

Permitted access to DNS services from 10.8.9.7 and no other server

Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22

Denied access to other 10.0.0.0/8 subnets

Permitted access to the Internet

Denied access to the WLAN for a period of time if they send any SSH traffic

Denied access to the WLAN for a period of time if they send any Telnet traffic

Denied access to all high-risk websites

External devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.

The exhibits below show the configuration for the role.

What setting not shown in the exhibit must you check to ensure that the requirements of the scenario are met?

That denylisting is enabled globally on the MCs' firewalls
That stateful handling of traffic is enabled globally on the MCs' firewalls and on the medical- mobile role.
That AppRF and WebCC are enabled globally and on the medical-mobile role
That the MCs are assigned RF Protect licenses

Answer(s): C

Explanation:

AppRF and WebCC are features that allow the MCs to classify and control application traffic and web content based on predefined or custom categories. These features are required to meet the scenario requirements of denying access to all high-risk websites and denying access to the WLAN for a period of time if they send any SSH or Telnet traffic. To enable AppRF and WebCC, you need to check the following settings:
On the global level, you need to enable AppRF and WebCC under Configuration > Services > AppRF and Configuration > Services > WebCC, respectively. On the role level, you need to enable AppRF and WebCC under Configuration > Security > Access Control > Roles > medical-mobile > AppRF and Configuration > Security > Access Control > Roles > medical-mobile > WebCC, respectively.
You also need to make sure that the MCs have valid licenses for AppRF and WebCC, which are included in the ArubaOS PEFNG license.

Reveal Solution Next Question

Viewing Page 1 of 13 Pages

Share your comments for HP HPE6-A84 exam with other users:

Comments:

Name:

LeAnne Hair 8/24/2023 12:47:00 PM

#229 in incorrect - all the customers require an annual review

UNITED STATES

Abdul SK 9/28/2023 11:42:00 PM

kindy upload

Anonymous

Aderonke 10/23/2023 12:53:00 PM

fantastic assessment on psm 1

UNITED KINGDOM

SAJI 7/20/2023 2:51:00 AM

56 question correct answer a,b

Anonymous

Raj Kumar 10/23/2023 8:52:00 PM

thank you for providing the q bank

CANADA

piyush keshari 7/7/2023 9:46:00 PM

true quesstions

Anonymous

B.A.J 11/6/2023 7:01:00 AM

i can´t believe ms asks things like this, seems to be only marketing material.

Anonymous

Guss 5/23/2023 12:28:00 PM

hi, could you please add the last update of ns0-527

Anonymous

Rond65 8/22/2023 4:39:00 PM

question #3 refers to vnet4 and vnet5. however, there is no vnet5 listed in the case study (testlet 2).

UNITED STATES

Cheers 12/13/2023 9:55:00 AM

sometimes it may be good some times it may be

GERMANY

Sumita Bose 7/21/2023 1:01:00 AM

qs 4 answer seems wrong- please check

AUSTRALIA

Amit 9/7/2023 12:53:00 AM

very detailed explanation !

HONG KONG

FisherGirl 5/16/2022 10:36:00 PM

the interactive nature of the test engine application makes the preparation process less boring.

NETHERLANDS

Chiranthaka 9/20/2023 11:15:00 AM

very useful.

Anonymous

SK 7/15/2023 3:51:00 AM

complete question dump should be made available for practice.

Anonymous

Gamerrr420 5/25/2022 9:38:00 PM

i just passed my first exam. i got 2 exam dumps as part of the 50% sale. my second exam is under work. once i write that exam i report my result. but so far i am confident.

AUSTRALIA

Kudu hgeur 9/21/2023 5:58:00 PM

nice create dewey stefen

CZECH REPUBLIC

Anorag 9/6/2023 9:24:00 AM

i just wrote this exam and it is still valid. the questions are exactly the same but there are about 4 or 5 questions that are answered incorrectly. so watch out for those. best of luck with your exam.

CANADA

Nathan 1/10/2023 3:54:00 PM

passed my exam today. this is a good start to 2023.

UNITED STATES

1 10/28/2023 7:32:00 AM

great sharing

Anonymous

Anand 1/20/2024 10:36:00 AM

very helpful

UNITED STATES

Kumar 6/23/2023 1:07:00 PM

thanks.. very helpful

FRANCE

User random 11/15/2023 3:01:00 AM

i registered for 1z0-1047-23 but dumps qre available for 1z0-1047-22. help me with this...

UNITED STATES

kk 1/17/2024 3:00:00 PM

very helpful

UNITED STATES

Raj 7/24/2023 10:20:00 AM

please upload oracle 1z0-1110-22 exam pdf

INDIA

Blessious Phiri 8/13/2023 11:58:00 AM

becoming interesting on the logical part of the cdbs and pdbs

Anonymous

LOL what a joke 9/10/2023 9:09:00 AM

some of the answers are incorrect, i would be wary of using this until an admin goes back and reviews all the answers

UNITED STATES

Muhammad Rawish Siddiqui 12/9/2023 7:40:00 AM

question # 267: federated operating model is also correct.

SAUDI ARABIA

Mayar 9/22/2023 4:58:00 AM

its helpful alot.

Anonymous

Sandeep 7/25/2022 11:58:00 PM

the questiosn from this braindumps are same as in the real exam. my passing mark was 84%.

INDIA

Eman Sawalha 6/10/2023 6:09:00 AM

it is an exam that measures your understanding of cloud computing resources provided by aws. these resources are aligned under 6 categories: storage, compute, database, infrastructure, pricing and network. with all of the services and typees of services under each category

GREECE

Mars 11/16/2023 1:53:00 AM

good and very useful

TAIWAN PROVINCE OF CHINA

ronaldo7 10/24/2023 5:34:00 AM

i cleared the az-104 exam by scoring 930/1000 on the exam. it was all possible due to this platform as it provides premium quality service. thank you!

UNITED STATES

Palash Ghosh 9/11/2023 8:30:00 AM

easy questions

Anonymous