HP Aruba Certified Network Security Expert Written Exam HPE6-A84 Dumps in PDF

Free HP HPE6-A84 Real Questions (page: 6)

Refer to the scenario.

A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).

Switches are using local port-access policies.

The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the "eth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.

The plan for the enforcement policy and profiles is shown below:

The gateway cluster has two gateways with these IP addresses:
· Gateway 1
o VLAN 4085 (system IP) = 10.20.4.21
o VLAN 20 (users) = 10.20.20.1
o VLAN 4094 (WAN) = 198.51.100.14
· Gateway 2
o VLAN 4085 (system IP) = 10.20.4.22
o VLAN 20 (users) = 10.20.20.2
o VLAN 4094 (WAN) = 198.51.100.12
· VRRP on VLAN 20 = 10.20.20.254

The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway falls, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.

Assume that you have configured the correct UBT zone and port-access role settings. However, the solution is not working.

What else should you make sure to do?

  1. Assign VLAN 20 as the access VLAN on any edge ports to which tunneled clients might connect.
  2. Create a new VLAN on the AOS-CX switch and configure that VLAN as the UBT client VLAN.
  3. Assign sufficient VIA licenses to the gateways based on the number of wired clients that will connect.
  4. Change the port-access auth-mode mode to client-mode on any edge ports to which tunneled clients might connect.

Answer(s): B

Explanation:

The correct answer is B. Create a new VLAN on the AOS-CX switch and configure that VLAN as the UBT client VLAN.
User-based tunneling (UBT) is a feature that allows the AOS-CX switches to tunnel the traffic from wired clients to a mobility gateway cluster, where they can be assigned a role and a VLAN based on their authentication and authorization. To enable UBT, the switches need to have a UBT zone configured with the IP addresses of the gateways, and a UBT client VLAN configured with the ubt- client-vlan command.
The UBT client VLAN is a special VLAN that is used to encapsulate the traffic from the tunneled clients before sending it to the gateways. The UBT client VLAN must be different from any other VLANs used on the switch or the network, and it must not be assigned to any ports or interfaces on the switch. The UBT client VLAN is only used internally by the switch for UBT, and it is not visible to the clients or the gateways.
In this scenario, the customer wants to tunnel the clients that pass user authentication to the gateway cluster, where they will be assigned to VLAN 20. Therefore, the switch must have a UBT client VLAN configured that is different from VLAN 20 or any other VLANs on the network. For example, the switch can use VLAN 4000 as the UBT client VLAN, as shown in one of the web search results. The switch must also have a UBT zone configured with the system IP addresses of the gateways as the primary and backup controllers, as explained in question. The other options are not correct or relevant for this issue:
Option A is not correct because assigning VLAN 20 as the access VLAN on any edge ports to which tunneled clients might connect would conflict with UBT. The access VLAN is the VLAN that is assigned to untagged traffic on a port, and it is used for local switching on the switch. If VLAN 20 is assigned as the access VLAN, then the traffic from the clients will not be tunneled to the gateways, but rather switched locally on VLAN 20. This would defeat the purpose of UBT and cause inconsistency in role and VLAN assignment.
Option C is not correct because VIA licenses are not required for UBT. VIA licenses are required for enabling VPN services on Aruba Mobility Controllers for remote access clients using Aruba Virtual Intranet Access (VIA) software . VIA licenses are not related to UBT or wired clients. Option D is not correct because changing the port-access auth-mode mode to client-mode on any edge ports to which tunneled clients might connect would not affect UBT. The port-access auth-mode mode determines how a port handles authentication requests from multiple clients connected to a single port . Client-mode is the default mode that allows only one client per port, while multi-client- mode allows multiple clients per port. The port-access auth-mode mode does not affect how UBT works or how traffic is tunneled from a port.



A company has Aruba gateways and wants to start implementing gateway IDS/IPS. The customer has selected Block for the Fail Strategy.
What might you recommend to help minimize unexpected outages caused by using this particular fall strategy?

  1. Configuring a relatively high threshold for the gateway threat count alerts
  2. Making sure that the gateways have formed a cluster and operate in default gateway mode
  3. Setting the IDS or IPS policy to the least restrictive option, Lenient
  4. Enabling alerts and email notifications for events related to gateway IPS engine utilization and errors

Answer(s): D

Explanation:

The correct answer is D. Enabling alerts and email notifications for events related to gateway IPS engine utilization and errors.

Gateway IDS/IPS is a feature that allows the Aruba gateways to monitor and block malicious or unwanted traffic based on predefined or custom rules. The Fail Strategy is a setting that determines how the gateways handle traffic when the IPS engine fails or crashes. The Block option means that the gateways will stop forwarding traffic until the IPS engine recovers, while the Bypass option means that the gateways will continue forwarding traffic without inspection. The Block option provides more security, but it also increases the risk of network outages if the IPS engine fails frequently or for a long time. To minimize this risk, it is recommended to enable alerts and email notifications for events related to gateway IPS engine utilization and errors. This way, the network administrators can be informed of any issues with the IPS engine and take appropriate actions to restore or troubleshoot it.
The other options are not correct or relevant for this issue:
Option A is not correct because configuring a relatively high threshold for the gateway threat count alerts would not help minimize unexpected outages caused by using the Block option. The gateway threat count alerts are used to notify the network administrators of the number of threats detected by the IPS engine, but they do not affect how the gateways handle traffic when the IPS engine fails. Option B is not correct because making sure that the gateways have formed a cluster and operate in default gateway mode would not help minimize unexpected outages caused by using the Block option. The gateway cluster mode is used to provide high availability and load balancing for the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails . The default gateway mode is used to enable routing and NAT functions on the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails . Option C is not correct because setting the IDS or IPS policy to the least restrictive option, Lenient, would not help minimize unexpected outages caused by using the Block option. The IDS or IPS policy is used to define what rules are applied by the IPS engine to inspect and block traffic, but it does not affect how the gateways handle traffic when the IPS engine fails. The Lenient option contains fewer and older rules than the Moderate or Strict options, which means that it provides less security and more false negatives .



A company has Aruba gateways that are Implementing gateway IDS/IPS in IDS mode. The customer complains that admins are receiving too frequent of repeat email notifications for the same threat. The threat itself might be one that the admins should investigate, but the customer does not want the email notification to repeat as often.
Which setting should you adjust in Aruba Central?

  1. Report scheduling settings
  2. Alert duration and threshold settings
  3. The IDS policy setting (strict, medium, or lenient)
  4. The allowlist settings in the IDS policy

Answer(s): B

Explanation:

Alert duration and threshold settings are used to control how often and under what conditions email notifications are sent for gateway IDS/IPS events. By adjusting these settings, the customer can reduce the frequency of repeat email notifications for the same threat, while still being informed of any critical or new threats.

To adjust the alert duration and threshold settings in Aruba Central, the customer can follow these steps 1:
In the Aruba Central app, set the filter to Global, a group, or a device.
Under Analyze, click Alerts & Events.
Click the Config icon to open the Alert Severities & Notifications page. Select the Gateway IDS/IPS tab to view the alert categories and severities for gateway IDS/IPS events.
Click on an alert category to expand it and view the alert duration and threshold settings for each severity level.
Enter a value in minutes for the alert duration. This is the time period during which the alert is active and email notifications are sent.
Enter a value for the alert threshold. This is the number of times the alert must be triggered within the alert duration before an email notification is sent.
Click Save.
By increasing the alert duration and/or threshold values, the customer can reduce the number of email notifications for recurring threats, as they will only be sent when the threshold is reached within the duration. For example, if the customer sets the alert duration to 60 minutes and the alert threshold to 10 for a Critical severity level, then an email notification will only be sent if the same threat occurs 10 times or more within an hour.



Refer to the scenario.

A customer is migrating from on-prem AD to Azure AD as its sole domain solution. The customer also manages both wired and wireless devices with Microsoft Endpoint Manager (Intune).

The customer wants to improve security for the network edge. You are helping the customer design a ClearPass deployment for this purpose. Aruba network devices will authenticate wireless and wired clients to an Aruba ClearPass Policy Manager (CPPM) cluster (which uses version 6.10).

The customer has several requirements for authentication. The clients should only pass EAP-TLS authentication if a query to Azure AD shows that they have accounts in Azure AD. To further refine the clients' privileges, ClearPass also should use information collected by Intune to make access control decisions.

Assume that the Azure AD deployment has the proper prerequisites established.

You are planning the CPPM authentication source that you will reference as the authentication source in 802.1X services.

How should you set up this authentication source?

  1. As Kerberos type
  2. As Active Directory type
  3. As HTTP type, referencing the Intune extension
  4. AS HTTP type, referencing Azure AD's FODN

Answer(s): D

Explanation:

An authentication source is a configuration element in CPPM that defines how to connect to an external identity provider and retrieve user or device information . CPPM supports various types of authentication sources, such as Active Directory, LDAP, SQL, Kerberos, and HTTP . To authenticate wireless and wired clients to Azure AD, you need to set up an authentication source as HTTP type, referencing Azure AD's FQDN . This type of authentication source allows CPPM to use REST API calls to communicate with Azure AD and validate the user or device credentials . You also need to configure the OAuth 2.0 settings for the authentication source, such as the client ID, client secret, token URL, and resource URL .
To use information collected by Intune to make access control decisions, you need to set up another authentication source as HTTP type, referencing the Intune extension . This type of authentication source allows CPPM to use REST API calls to communicate with Intune and retrieve the device compliance status . You also need to configure the OAuth 2.0 settings for the authentication source, such as the client ID, client secret, token URL, and resource URL .



Refer to the scenario.

A customer requires these rights for clients in the "medical-mobile" AOS firewall role on Aruba Mobility Controllers (MCs):

Permitted to receive IP addresses with DHCP

Permitted access to DNS services from 10.8.9.7 and no other server

Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22

Denied access to other 10.0.0.0/8 subnets

Permitted access to the Internet

Denied access to the WLAN for a period of time if they send any SSH traffic

Denied access to the WLAN for a period of time if they send any Telnet traffic

Denied access to all high-risk websites

External devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.

The exhibits below show the configuration for the role.



There are multiple issues with the configuration.

What is one of the changes that you must make to the policies to meet the scenario requirements? (In the options, rules in a policy are referenced from top to bottom. For example, "medical-mobile" rule 1 is "ipv4 any any svc-dhcp permit," and rule 8 is "ipv4 any any any permit'.)

  1. In the "medical-mobile" policy, change the source in rule 1 to "user."
  2. In the "medical-mobile" policy, change the subnet mask in rule 3 to 255.255.248.0.
  3. In the "medical-mobile" policy, move rules 6 and 7 to the top of the list.
  4. Move the rule in the "apprf-medical-mobile-sacl" policy between rules 7 and 8 in the "medical- mobile" policy.

Answer(s): C

Explanation:

Rules 6 and 7 in the "medical-mobile" policy are used to deny access to the WLAN for a period of time if the clients send any SSH or Telnet traffic, as required by the scenario. However, these rules are currently placed below rule 5, which permits access to the Internet for any traffic. This means that rule 5 will override rules 6 and 7, and the clients will not be denied access to the WLAN even if they send SSH or Telnet traffic.
To fix this issue, rules 6 and 7 should be moved to the top of the list, before rule. This way, rules 6 and 7 will take precedence over rule 5, and the clients will be denied access to the WLAN if they send SSH or Telnet traffic, as expected.



Share your comments for HP HPE6-A84 exam with other users:

A
Arun
9/20/2023 4:52:00 PM

nice and helpful questions

J
Joseph J
7/11/2023 2:53:00 PM

i found the questions helpful

M
Meg
10/12/2023 8:02:00 AM

q 105 . ans is d

N
Navaneeth S
7/14/2023 7:57:00 AM

i have interest to get a sybase iq dba certification

A
Aish
10/11/2023 5:27:00 AM

want to pass exm.

A
Anonymous
6/12/2023 7:23:00 AM

are the answers correct?

K
Kris
7/7/2023 9:43:00 AM

good morning, could you please upload this exam again, i need it to test my knowledge in sd-wan with version 7.0.

M
Meghraj mali
10/7/2023 1:47:00 PM

very nice question

N
Noel
11/1/2022 9:14:00 PM

i have learning disability and this exam dumps allowed me to focus on the actual questions and not worry about notes and the those other study materials.

J
Jas
10/25/2023 6:01:00 PM

165 should be apt

N
Neetu
6/22/2023 8:41:00 AM

please upload the dumps, real need of them

M
Mark
10/24/2023 1:34:00 AM

any recent feeedback?

G
Gopinadh
8/9/2023 4:05:00 AM

question number 2 is indicating you are giving proper questions. observe and change properly.

S
Santhi
1/1/2024 8:23:00 AM

passed today.40% questions were new.litwere case study,lots of new questions on afd,ratelimit,tm,lb,app gatway.got 2 set series of questions which are not present here.questions on azure cyclecloud, no.of vnet/vms required for implimentation,blueprints assignment/management group etc

R
Raviraj Magadum
1/12/2024 11:39:00 AM

practice test

S
sivaramakrishnan
7/27/2023 8:12:00 AM

want the dumps for emc content management server programming(cmsp)

A
Aderonke
10/23/2023 1:52:00 PM

brilliant and helpful

A
Az
9/16/2023 2:43:00 PM

q75. azure files is pass

K
ketty
11/9/2023 8:10:00 AM

very helpful

S
Sonail
5/2/2022 1:36:00 PM

thank you for these questions. it helped a lot.

S
Shariq
7/28/2023 8:00:00 AM

how do i get the h12-724 dumps

A
adi
10/30/2023 11:51:00 PM

nice data dumps

E
EDITH NCUBE
7/25/2023 7:28:00 AM

answers are correct

R
Raja
6/20/2023 4:38:00 AM

good explanation

B
BigMouthDog
1/22/2022 8:17:00 PM

hi team just want to know if there is any update version of the exam 350-401

F
francesco
10/30/2023 11:08:00 AM

helpful on 2017 scrum guide

A
Amitabha Roy
10/5/2023 3:16:00 AM

planning to attempt for the exam.

P
Prem Yadav
7/29/2023 6:20:00 AM

pleaseee upload

A
Ahmed Hashi
7/6/2023 5:40:00 PM

thanks ly so i have information cia

M
mansi
5/31/2023 7:58:00 AM

hello team, i need sap qm dumps for practice

J
Jamil aljamil
12/4/2023 4:47:00 AM

it’s good but not senatios based

C
Cath
10/10/2023 10:19:00 AM

q.119 - the correct answer is b - they are not captured in an update set as theyre data.

P
P
1/6/2024 11:22:00 AM

good matter

S
surya
7/30/2023 2:02:00 PM

please upload c_sacp_2308

AI Tutor 👋 I’m here to help!