HPE6-A84無料試験問題と解答PDF最新問題2024年08月
最新HPE6-A84試験問題集で最近更新された60問題
質問 # 20
Several AOS-CX switches are responding to SNMPv2 GET requests for the public community. The customer only permits SNMPv3. You have asked a network admin to fix this problem. The admin says, "I tried to remove the community, but the CLI output an error." What should you recommend to remediate the vulnerability and meet the customer's requirements?
- A. Setting the snmp-server settings to "snmpv3-only"
- B. Enabling control plane policing to automatically drop SNMP GET requests
- C. Adding an SNMP community with a long random name
- D. Enabling SNMPv3, which implicitly disables SNMPv1/v2
正解:A
解説:
Explanation
This is because SNMPv3 is a secure version of SNMP that provides authentication, encryption, and access control for network management. SNMPv3-only is a configuration option on AOS-CX switches that disables SNMPv1 and SNMPv2c, which are insecure versions of SNMP that use plain text community strings for authentication. By setting the snmp-server settings to "snmpv3-only", the switch will only respond to SNMPv3 requests and reject any SNMPv1 or SNMPv2c requests, thus remedying the vulnerability and meeting the customer's requirements.
A: Enabling control plane policing to automatically drop SNMP GET requests. This is not a valid recommendation because control plane policing is a feature that protects the switch from denial-of-service (DoS) attacks by limiting the rate of traffic sent to the CPU. Control plane policing does not disable SNMPv1 or SNMPv2c, but rather applies a rate limit to all SNMP requests, regardless of the version. Moreover, control plane policing might also drop legitimate SNMP requests if they exceed the rate limit, which could affect the network management.
C: Adding an SNMP community with a long random name. This is not a valid recommendation because an SNMP community is a shared secret that acts as a password for accessing network devices using SNMPv1 or SNMPv2c. Adding an SNMP community with a long random name does not disable SNMPv1 or SNMPv2c, but rather creates another community string that can be used for authentication. Moreover, adding an SNMP community with a long random name does not improve the security of SNMPv1 or SNMPv2c, as the community string is still transmitted in plain text and can be intercepted by an attacker.
D: Enabling SNMPv3, which implicitly disables SNMPv1/v2. This is not a valid recommendation because enabling SNMPv3 does not implicitly disable SNMPv1 or SNMPv2c on AOS-CX switches. Enabling SNMPv3 only adds support for the secure version of SNMP, but does not remove support for the insecure versions. Therefore, enabling SNMPv3 alone does not remedy the vulnerability or meet the customer's requirements.
質問 # 21
A customer's admins have added RF Protect licenses and enabled WIDS for a customer's AOS 8-based solution. The customer wants to use the built-in capabilities of APs without deploying dedicated air monitors (AMs). Admins tested rogue AP detection by connecting an unauthorized wireless AP to a switch. The rogue AP was not detected even after several hours.
What is one point about which you should ask?
- A. Whether admins enabled wireless containment
- B. Whether the customer is using non-standard Wi-Fi channels in the deployment
- C. Whether APs' switch ports support all the VLANs that are accessible at the edge
- D. Whether admins set at least one radio on each AP to air monitor mode
正解:D
解説:
Explanation
RF Protect is a feature that enables wireless intrusion detection and prevention system (WIDS/WIPS) capabilities on AOS 8-based solutions. WIDS/WIPS allows detecting and mitigating rogue APs, unauthorized clients, and other wireless threats. RF Protect requires RF Protect licenses to be installed and WIDS to be enabled on the Mobility Master (MM).
To use the built-in capabilities of APs for WIDS/WIPS, without deploying dedicated air monitors (AMs), admins need to set at least one radio on each AP to air monitor mode. Air monitor mode allows the AP to scan the wireless spectrum and report any wireless activity or anomalies to the MM. Air monitor mode does not affect the other radio on the AP, which can still serve clients in access mode. By setting at least one radio on each AP to air monitor mode, admins can achieve full coverage and visibility of the wireless environment and detect rogue APs.
If admins do not set any radio on the APs to air monitor mode, the APs will not scan the wireless spectrum or report any wireless activity or anomalies to the MM. This means that the APs will not be able to detect rogue APs, even if they are connected to the same network. Therefore, admins should check whether they have set at least one radio on each AP to air monitor mode.
質問 # 22
A customer's admins have added RF Protect licenses and enabled WIDS for a customer's AOS 8-based solution. The customer wants to use the built-in capabilities of APs without deploying dedicated air monitors (AMs). Admins tested rogue AP detection by connecting an unauthorized wireless AP to a switch. The rogue AP was not detected even after several hours.
What is one point about which you should ask?
- A. Whether admins enabled wireless containment
- B. Whether the customer is using non-standard Wi-Fi channels in the deployment
- C. Whether APs' switch ports support all the VLANs that are accessible at the edge
- D. Whether admins set at least one radio on each AP to air monitor mode
正解:D
質問 # 23
Refer to the scenario.
A customer requires these rights for clients in the "medical-mobile" AOS firewall role on Aruba Mobility Controllers (MCs):
Permitted to receive IP addresses with DHCP
* Permitted access to DNS services from 10.8.9.7 and no other server
* Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22
* Denied access to other 10.0.0.0/8 subnets
* Permitted access to the Internet
* Denied access to the WLAN for a period of time if they send any SSH traffic
* Denied access to the WLAN for a period of time if they send any Telnet traffic
* Denied access to all high-risk websites
External devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.
The line below shows the effective configuration for the role.
There are multiple issues with this configuration. What is one change you must make to meet the scenario requirements? (In the options, rules in a policy are referenced from top to bottom. For example,
"medical-mobile" rule 1 is "ipv4 any any svc-dhcp permit," and rule 6 is "ipv4 any any any permit'.)
- A. In the "medical-mobile* policy, change the subnet mask in rule 5 to 255.255.252.0.
- B. In the "medical-mobile" policy, move rule 5 under rule 6.
- C. In the "medical-mobile" policy, change the action for rules 2 and 3 to reject.
- D. Apply the "apprf-medical-mobile-sjcT policy explicitly to the 'medical-mobile' user-role under the
'medical-mobile" policy.
正解:A
解説:
Explanation
The scenario requires that the clients in the "medical-mobile" role are denied access to the 10.1.12.0/22 subnet, which is a range of IP addresses from 10.1.12.0 to 10.1.15.255. However, the current configuration in rule 5 has a subnet mask of 255.255.240.0, which means that it matches any IP address from 10.1.0.0 to
10.1.15.255. This is too broad and would deny access to other subnets in the 10.1.0.0/16 range that should be permitted according to the scenario. Therefore, the subnet mask in rule 5 should be changed to 255.255.252.0, which would match only the IP addresses from 10.1.12.0 to 10.1.15.255 and deny access to them as required by the scenario.1
質問 # 24
A customer wants CPPM to authenticate non-802.1X-capable devices. An admin has created the service shown in the exhibits below:
What is one recommendation to improve security?
- A. Creating and using a custom MAC-Auth authentication method
- B. Enabling caching of posture and roles
- C. Using Active Directory as the authentication source
- D. Adding an enforcement policy rule that denies access to endpoints with the Conflict flaq
正解:A
質問 # 25
A customer has an AOS 10 architecture, which includes Aruba APs. Admins have recently enabled WIDS at the high level. They also enabled alerts and email notifications for several events, as shown in the exhibit.
Admins are complaining that they are getting so many emails that they have to ignore them, so they are going to turn off all notifications.
What is one step you could recommend trying first?
- A. Send the email notifications directly to a specific folder, and only check the folder once a week.
- B. Disable email notifications for Roque AP, but leave the Infrastructure Attack Detected and Client Attack Detected notifications on.
- C. Disable just the Rogue AP and Client Attack Detected alerts, as they overlap with the Infrastructure Attack Detected alert.
- D. Change the WIDS level to custom, and enable only the checks most likely to indicate real threats.
正解:D
質問 # 26
Refer to the scenario.
An organization wants the AOS-CX switch to trigger an alert if its RADIUS server (cp.acnsxtest.local) rejects an unusual number of client authentication requests per hour. After some discussions with other Aruba admins, you are still not sure how many rejections are usual or unusual. You expect that the value could be different on each switch.
You are helping the developer understand how to develop an NAE script for this use case.
The developer explains that they plan to define the rule with logic like this:
monitor > value
However, the developer asks you what value to include.
What should you recommend?
- A. Defining a parameter and referring to it (self ^ramsfname]) for the value
- B. Using 10 (per hour) as a good starting point for the value
- C. Checking one of the access switches' RADIUS statistics and adding 10 to the number listed for rejects
- D. Defining a baseline and referring to it for the value
正解:A
解説:
Explanation
This is because a parameter is a variable that can be defined and modified by the user or the script, and can be used to customize the behavior and output of the NAE script. A parameter can be referred to by using the syntax self ^ramsfname], where ramsfname is the name of the parameter.
By defining a parameter for the value, the developer can make the NAE script more flexible and adaptable to different scenarios and switches. The parameter can be set to a default value, such as 10, but it can also be changed by the user or the script based on the network conditions and requirements. For example, the parameter can be adjusted dynamically based on the average or standard deviation of the number of rejects per hour, or based on the feedback from the user or other admins. This way, the NAE script can trigger an alert only when the number of rejects is truly unusual and not just arbitrary.
A: Checking one of the access switches' RADIUS statistics and adding 10 to the number listed for rejects. This is not a good recommendation because it does not account for the variability and diversity of the network environment and switches. The number of rejects listed for one switch might not be representative or relevant for another switch, as different switches might have different traffic patterns, client types, RADIUS configurations, etc. Moreover, adding 10 to the number of rejects is an arbitrary and fixed value that might not reflect the actual threshold for triggering an alert.
B: Defining a baseline and referring to it for the value. This is not a bad recommendation, but it is not as good as defining a parameter. A baseline is a reference point that represents the normal or expected state of a network metric or performance indicator. A baseline can be used to compare and contrast the current network situation and detect any anomalies or deviations. However, a baseline might not be easy or accurate to define, as it might require historical data, statistical analysis, or expert judgment. Moreover, a baseline might not be stable or constant, as it might change over time due to network growth, evolution, or optimization.
C: Using 10 (per hour) as a good starting point for the value. This is not a good recommendation because it is an arbitrary and fixed value that might not reflect the actual threshold for triggering an alert. Using 10 (per hour) as the value might result in false positives or false negatives, depending on the network conditions and switches. For example, if the normal number of rejects per hour is 5, then using 10 as the value might trigger an alert too frequently and unnecessarily. On the other hand, if the normal number of rejects per hour is 15, then using 10 as the value might miss some important alerts and risks.
質問 # 27
You are reviewing an endpoint entry in ClearPass Policy Manager (CPPM) Endpoints Repository.
What is a good sign that someone has been trying to gain unauthorized access to the network?
- A. The entry shows an Unknown status.
- B. The entry shows multiple DHCP options under the fingerprints.
- C. The entry shows a profile conflict of having a new profile of Computer for a profiled Printer.
- D. The entry lacks a hostname or includes a hostname with long seemingly random characters.
正解:C
質問 # 28
How does Aruba Central handle security for site-to-site connections between AOS 10 gateways?
- A. It automatically establishes simple-to-manage and highly secure TLSv1.3 tunnels between gateways.
- B. It automatically establishes IPsec tunnels for all site-to-site (all HUBs and Branches) connections using keys securely distributed by Central.
- C. It automatically steers traffic away from Internet-based connections to more secure MPLS connections to reduce encryption overhead.
- D. It uses an Aruba proprietary integrity and encryption technologies to secure site-to-site connections, making them resistant to zero day attacks.
正解:B
解説:
Explanation
Aruba Central supports site-to-site VPNs between AOS 10 gateways, which are Aruba devices that provide routing, firewall, and VPN functions. Aruba Central can automatically provision and manage the site-to-site VPNs using the VPN Manager feature. The VPN Manager allows you to create VPN groups that consist of one or more hubs and branches, and define the VPN settings for each group1 Aruba Central uses IPsec as the protocol to secure the site-to-site connections between the AOS 10 gateways.
IPsec is a standard protocol that provides encryption, authentication, and integrity for IP packets. Aruba Central automatically establishes IPsec tunnels for all site-to-site connections using keys that are securely distributed by Central. The keys are generated by Central and pushed to the gateways using a secure channel. The keys are rotated periodically to enhance security2
質問 # 29
You are working with a developer to design a custom NAE script for a customer. You are helping the developer find the correct REST API resource to monitor.
Refer to the exhibit below.
What should you do before proceeding?
- A. Enable the switch to listen to REST API calls on the default VRF.
- B. Go to the v1 API documentation interface instead of the v10.10 interface.
- C. Use your Aruba passport account and collect a token to use when trying out API calls.
- D. Make sure that your browser is set up to store authentication tokens and cookies.
正解:C
質問 # 30
Refer to the scenario.
A customer requires these rights for clients in the "medical-mobile" AOS firewall role on Aruba Mobility Controllers (MCs):
Permitted to receive IP addresses with DHCP
Permitted access to DNS services from 10.8.9.7 and no other server
Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22 Denied access to other 10.0.0.0/8 subnets Permitted access to the Internet Denied access to the WLAN for a period of time if they send any SSH traffic Denied access to the WLAN for a period of time if they send any Telnet traffic Denied access to all high-risk websites External devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.
The line below shows the effective configuration for the role.
There are multiple issues with this configuration. What is one change you must make to meet the scenario requirements? (In the options, rules in a policy are referenced from top to bottom. For example,
"medical-mobile" rule 1 is "ipv4 any any svc-dhcp permit," and rule 6 is "ipv4 any any any permit'.)
- A. In the "medical-mobile* policy, change the subnet mask in rule 5 to 255.255.252.0.
- B. In the "medical-mobile" policy, move rule 5 under rule 6.
- C. In the "medical-mobile" policy, change the action for rules 2 and 3 to reject.
- D. Apply the "apprf-medical-mobile-sjcT policy explicitly to the 'medical-mobile' user-role under the
'medical-mobile" policy.
正解:A
質問 # 31
Refer to the scenario.
# Introduction to the customer
You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.
The company currently has a Windows domain and Windows CA. The Window CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients.
The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.
# Requirements for issuing certificates to mobile clients
The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.
The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.
# Requirements for authenticating clients
The customer requires all types of clients to connect and authenticate on the same corporate SSID.
The company wants CPPM to use these authentication methods:
EAP-TLS to authenticate users on mobile clients registered in Intune
TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:
Their certificate is valid and is not revoked, as validated by OCSP
The client's username matches an account in AD
# Requirements for assigning clients to roles
After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:
Clients with certificates issued by Onboard are assigned the "mobile-onboarded" role Clients that have passed TEAP Method 1 are assigned the "domain-computer" role Clients in the AD group "Medical" are assigned the "medical-staff" role Clients in the AD group "Reception" are assigned to the "reception-staff" role The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:
Assign medical staff on mobile-onboarded clients to the "medical-mobile" firewall role Assign other mobile-onboarded clients to the "mobile-other" firewall role Assign medical staff on domain computers to the "medical-domain" firewall role All reception staff on domain computers to the "reception-domain" firewall role All domain computers with no valid user logged in to the "computer-only" firewall role Deny other clients access
# Other requirements
Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.
# Network topology
For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.
# ClearPass cluster IP addressing and hostnames
A customer's ClearPass cluster has these IP addresses:
Publisher = 10.47.47.5
Subscriber 1 = 10.47.47.6
Subscriber 2 = 10.47.47.7
Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8
The customer's DNS server has these entries
cp.acnsxtest.com = 10.47.47.5
cps1.acnsxtest.com = 10.47.47.6
cps2.acnsxtest.com = 10.47.47.7
radius.acnsxtest.com = 10.47.47.8
onboard.acnsxtest.com = 10.47.47.8
The customer needs a secure way for users to enroll their new wireless clients in Intune. You are recommending a new WLAN that will provide the users with limited access for the enrollment.
You have set up captive portal for clients on this WLAN to a web page with instructions for enrolling devices.
You will need to add several hostnames to the captive portal allowlist manually.
What is one of those hostnames?
- A. The ClearPass Onboard hostname referenced in an Onboard provisioninG profile
- B. The hostname used by ClearPass Policy ManaGer's RADIUS services
- C. The ClearPass Onboard hostname referenced in Intune SCEP profiles
- D. The hostname used by the on-prem domain controllers
正解:A
質問 # 32
What is a common characteristic of a beacon between a compromised device and a command and control server?
- A. Periodic transmission of small, identically sized packets
- B. Use of IPv6 addressing instead of IPv4 addressing
- C. Use of less common protocols such as SNAP
- D. Lack of encryption
正解:A
解説:
Explanation
A beacon is a type of network traffic that is sent from a compromised device to a command and control (C2) server, which is a remote system that controls the malicious activities of the device . A beacon is used to establish and maintain communication between the device and the C2 server, as well as to receive instructions or exfiltrate data .
A common characteristic of a beacon is that it is periodic, meaning that it is sent at regular intervals, such as every few minutes or hours . This helps the C2 server to monitor the status and availability of the device, as well as to avoid detection by network security tools .
Another common characteristic of a beacon is that it is small and identically sized, meaning that it contains minimal or fixed amount of data, such as a simple acknowledgment or a random string . This helps the device to conserve bandwidth and resources, as well as to avoid detection by network security tools .
質問 # 33
A company has an Aruba ClearPass server at 10.47.47.8, FQDN radius.acnsxtest.local. This exhibit shows ClearPass Policy Manager's (CPPM's) settings for an Aruba Mobility Controller (MC).
The MC is already configured with RADIUS authentication settings for CPPM, and RADIUS requests between the MC and CPPM are working. A network admin enters and commits this command to enable dynamic authorization on the MC:
aaa rfc-3576-server 10.47.47.8
But when CPPM sends CoA requests to the MC, they are not working. This exhibit shows the RFC 3576 server statistics on the MC:
How could you fix this issue?
- A. Configure the MC to obtain the time from a valid NTP server.
- B. Make sure that CPPM is using an ArubaOS Wireless RADIUS CoA enforcement profile.
- C. Enable RadSec on the MCs' RFC 3676 server config.
- D. Change the UDP port in the MCs' RFC 3576 server config to 3799.
正解:D
解説:
Explanation
Dynamic authorization is a feature that allows CPPM to send change of authorization (CoA) or disconnect messages to the MC to modify or terminate a user session based on certain conditions or events 1. Dynamic authorization uses the RFC 3576 protocol, which is an extension of the RADIUS protocol 2.
To enable dynamic authorization on the MC, you need to configure the IP address and UDP port of the CPPM server as the RFC 3576 server on the MC 3. The default UDP port for RFC 3576 is 3799, but it can be changed on the CPPM server . The MC and CPPM must use the same UDP port for dynamic authorization to work properly 3.
In this scenario, the MC is configured with the IP address of the CPPM server (10.47.47.8) as the RFC 3576 server, but it is using the default UDP port of 3799. However, according to the exhibit, the CPPM server is using a different UDP port of 1700 for dynamic authorization . This mismatch causes the CoA requests from CPPM to fail on the MC, as shown by the statistics .
To fix this issue, you need to change the UDP port in the MCs' RFC 3576 server config to match the UDP port used by CPPM, which is 1700 in this case. Alternatively, you can change the UDP port in CPPM to match the default UDP port of 3799 on the MC. Either way, you need to ensure that both devices use the same UDP port for dynamic authorization 3 .
質問 # 34
Refer to the exhibit.
Which IP address should you record as a possibly compromised client?
- A. 10.1.26.151
- B. 10.1.26.1
- C. 10.1J.100
- D. 10.254.1.21
正解:A
解説:
Explanation
The exhibit shows a screenshot of a Malwarebytes alert that indicates that a website was blocked due to compromise. The alert contains the following information:
The type of protection: Web Protection
The website that was blocked: 10.254.1.21
The port that was used: 80
The process that initiated the connection: C:\Program Files
(x86)\Google\Chrome\Application\chrome.exe
The IP address of the device that initiated the connection: 10.1.26.151 The IP address of the device that initiated the connection is the one that should be recorded as a possibly compromised client, as it indicates that the device tried to access a malicious website that could infect it with malware or steal its data. In this case, the IP address of the possibly compromised client is 10.1.26.151.
質問 # 35
Refer to the scenario.
A customer has asked you to review their AOS-CX switches for potential vulnerabilities. The configuration for these switches is shown below:
What is one immediate remediation that you should recommend?
- A. Changing the switch's DNS server to the mgmt VRF
- B. Disabling Telnet
- C. Either disabling DHCPv4-snoopinq or leaving it enabled, but also enabling ARP inspection
- D. Setting the clock manually instead of using NTP
正解:B
解説:
Explanation
According to the AOS-CX Switches Multiple Vulnerabilities1, one of the vulnerabilities (CVE-2021-41001) affects the Telnet service on AOS-CX switches. This vulnerability allows an unauthenticated remote attacker to cause a denial-of-service condition on the switch by sending specially crafted Telnet packets. The impact of this vulnerability is high, as it could result in a loss of management access and network disruption. Therefore, one immediate remediation that you should recommend is to disable Telnet on the switch. This way, the switch can prevent any malicious Telnet traffic from reaching it and avoid the exploitation of this vulnerability.
質問 # 36
Refer to the scenario.
A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).
Switches are using local port-access policies.
The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the "eth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.
The plan for the enforcement policy and profiles is shown below:
The gateway cluster has two gateways with these IP addresses:
* Gateway 1
o VLAN 4085 (system IP) = 10.20.4.21
o VLAN 20 (users) = 10.20.20.1
o VLAN 4094 (WAN) = 198.51.100.14
* Gateway 2
o VLAN 4085 (system IP) = 10.20.4.22
o VLAN 20 (users) = 10.20.20.2
o VLAN 4094 (WAN) = 198.51.100.12
* VRRP on VLAN 20 = 10.20.20.254
The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway falls, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.
What is one change that you should make to the solution?
- A. Configure edge ports in VLAN trunk mode.
- B. Remove VLAN assignments from role configurations on the gateways.
- C. Configure the UBT solution to use VLAN extend mode.
- D. Change the ubt-client-vlan to VLAN 13.
正解:B
解説:
Explanation
The UBT solution requires that the VLAN assignments for the wired clients are done by the gateway, not by the switch. Therefore, the role configurations on the gateways should not have any VLAN assignments, as they would override the VLAN 20 that is specified in the enforcement profile. Instead, the role configurations should only have policies that define the access rights for the clients in the "eth-internet" role. This way, the gateway can assign the clients to VLAN 20 and apply the appropriate policies based on their role1
質問 # 37
Refer to the exhibit.
Aruba ClearPass Policy Manager (CPPM) is using the settings shown in the exhibit. You reference the tag shown in the exhibit in enforcement policies related to NASes of several types, including Aruba APs, Aruba gateways, and AOS-CX switches.
What should you do to ensure that clients are reclassified and receive the correct treatment based on the tag?
- A. Set the Tags Update Action to No Action. Then instead enable the RADIUS CoAs using enforcement profiles in the rules that match clients with the tag shown in the exhibit.
- B. Change the RADIUS action to [Aruba Wireless - Bounce Switch Port] which is supported by all the NASes in question.
- C. Change the RADIUS action to [Aruba Wireless -Terminate Session] which is supported by all the NASes in question.
- D. Enable profiling in each service using one of these enforcement profiles. Set the profiling action to the correct one for the NASes using that service.
正解:C
質問 # 38
Refer to the scenario.
A hospital has an AOS10 architecture that is managed by Aruba Central. The customer has deployed a pair of Aruba 9000 Series gateways with Security licenses at each clinic. The gateways implement IDS/IPS in IDS mode.
The Security Dashboard shows these several recent events with the same signature, as shown below:
Which step could give you valuable context about the incident?
- A. Find the Central client profile for the threat sources and note their category and family.
- B. View the user-table on APs and record the threat sources' 802.11 settings.
- C. View the RAPIDS Security Dashboard and see if the threat sources are listed as rogues.
- D. View firewall sessions on the APs and record the threat sources' type and OS.
正解:C
質問 # 39
A customer has an AOS 10-based solution, including Aruba APs. The customer wants to use Cloud Auth to authenticate non-802.1X capable IoT devices.
What is a prerequisite for setting up the device role mappings?
- A. Configuring a NetConductor-based fabric
- B. Creating global role-to-role firewall policies in Central
- C. Configuring Device Insight (client profile) tags in Central
- D. Integrating Aruba ClearPass Policy Manager (CPPM) and Device Insight
正解:C
解説:
Explanation
According to the Aruba Cloud Authentication and Policy Overview1, one of the prerequisites for configuring Cloud Authentication and Policy is to configure Device Insight (client profile) tags in Central. Device Insight tags are used to identify and classify IoT devices based on their behavior and characteristics. These tags can then be mapped to client roles, which are defined in the WLAN configuration for IAPs2. Client roles are used to enforce role-based access policies for the IoT devices. Therefore, option B is the correct answer.
Option A is incorrect because NetConductor is not related to Cloud Authentication and Policy. NetConductor is a cloud-based network management solution that simplifies the deployment and operation of Aruba Instant networks.
Option C is incorrect because integrating Aruba ClearPass Policy Manager (CPPM) and Device Insight is not a prerequisite for setting up the device role mappings. CPPM and Device Insight can work together to provide enhanced visibility and control over IoT devices, but they are not required for Cloud Authentication and Policy.
Option D is incorrect because creating global role-to-role firewall policies in Central is not a prerequisite for setting up the device role mappings. Global role-to-role firewall policies are used to define the traffic rules between different client roles across the entire network, but they are not required for Cloud Authentication and Policy.
質問 # 40
Refer to the scenario.
A customer requires these rights for clients in the "medical-mobile" AOS firewall role on Aruba Mobility Controllers (MCs):
Permitted to receive IP addresses with DHCP
Permitted access to DNS services from 10.8.9.7 and no other server
Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22 Denied access to other 10.0.0.0/8 subnets Permitted access to the Internet Denied access to the WLAN for a period of time if they send any SSH traffic Denied access to the WLAN for a period of time if they send any Telnet traffic Denied access to all high-risk websites External devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.
The exhibits below show the configuration for the role.
There are multiple issues with the configuration.
What is one of the changes that you must make to the policies to meet the scenario requirements? (In the options, rules in a policy are referenced from top to bottom. For example, "medical-mobile" rule 1 is "ipv4 any any svc-dhcp permit," and rule 8 is "ipv4 any any any permit'.)
- A. In the "medical-mobile" policy, change the source in rule 1 to "user."
- B. In the "medical-mobile" policy, move rules 6 and 7 to the top of the list.
- C. Move the rule in the "apprf-medical-mobile-sacl" policy between rules 7 and 8 in the "medical-mobile" policy.
- D. In the "medical-mobile" policy, change the subnet mask in rule 3 to 255.255.248.0.
正解:D
質問 # 41
Refer to the scenario.
A customer has an AOS10 architecture that is managed by Aruba Central. Aruba infrastructure devices authenticate clients to an Aruba ClearPass cluster.
In Aruba Central, you are examining network traffic flows on a wireless IoT device that is categorized as
"Raspberry Pi" clients. You see SSH traffic. You then check several more wireless IoT clients and see that they are sending SSH also.
You want a fast way to find a list of all the IoT clients that have used SSH.
What step can you take?
- A. Use Central's Gateway IDS/IPS Security Dashboard to search for SSH events and sources.
- B. Use Central's Live Events monitoring tool to detect which clients meet the desired criteria.
- C. Create and apply a Central client profile tag that selects the SSH application and the clients' category.
- D. Run a search for SSH traffic and loT client IDs in Aruba ClearPass Policy Manager's (CPPM's) accounting information.
正解:C
質問 # 42
Refer to the scenario.
An organization wants the AOS-CX switch to trigger an alert if its RADIUS server (cp.acnsxtest.local) rejects an unusual number of client authentication requests per hour. After some discussions with other Aruba admins, you are still not sure how many rejections are usual or unusual. You expect that the value could be different on each switch.
You are helping the developer understand how to develop an NAE script for this use case.
You are helping the developer find the right URI for the monitor.
Refer to the exhibit.
You have used the REST API reference interface to submit a test call. The results are shown in the exhibit.
Which URI should you give to the developer?
- A. /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatistics.access_rejec
- B. /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatistics
- C. /rest/v1/system/vrfs/mgmt/radius/_servers/cp.acnsxtest.local/2083/tcp
- D. /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatistics?attributes=a
正解:A
解説:
Explanation
This is because this URI specifies the exact attribute that contains the number of access rejects from the RADIUS server, which is the information that the NAE script needs to monitor and trigger an alert.
A: /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatistics. This is not the correct URI because it returns the entire authstatistics object, which contains more information than the access rejects, such as access accepts, challenges, timeouts, etc. This might make the NAE script more complex and inefficient to parse and process the data.
B: /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatistics?attributes=access_ This is not a valid URI because it has two question marks, which is a syntax error. The question mark is used to indicate the start of the query string, which can have one or more parameters separated by ampersands. The correct way to specify multiple attributes is to use a comma-separated list after the question mark, such as?attributes=attr1,attr2,attr3.
C: /rest/v1/system/vrfs/mgmt/radius/_servers/cp.acnsxtest.local/2083/tcp. This is not a valid URI because it has an extra underscore before servers, which is a typo. The correct resource name is servers, not _servers.
Moreover, this URI does not specify any attributes, which means it will return the default attributes of the RADIUS server object, such as name, port, protocol, etc., but not the authstatistics or access_rejects.
質問 # 43
......
HP HPE6-A84(Aruba Certified Network Security Expert Writde)認定試験は、Aruba製品とソリューションを使用してネットワークセキュリティを専門とするIT専門家向けに設計されています。この認定試験は、Arubaテクノロジーを使用して安全なワイヤレスおよび有線ネットワークを設計、実装、および管理するために必要な知識とスキルを検証します。 HPE6-A84認定試験は、802.1x認証、ロールベースのアクセス制御(RBAC)、ファイアウォールポリシー、安全なトンネルプロトコルなど、Arubaのネットワークセキュリティ機能を深く理解する必要がある高度なレベルの試験です。
HP HPE6-A84(Aruba Certified Network Security Expert Written)試験は、ネットワークセキュリティの分野における IT プロフェッショナルの知識と技術をテストする高度な認定試験です。この試験は、Aruba ネットワーキングテクノロジーの包括的な認定プログラムである Aruba Certified Expert(ACE)プログラムの一部であります。HPE6-A84 試験は、ネットワークセキュリティの概念とテクノロジーに良い理解を持った経験豊富な IT プロフェッショナルに適しています。
Aruba Certified Network Security Expertの筆記試験は、グローバルに認識されているベンダーの中立認証です。この認定を獲得した個人は、ネットワークセキュリティに関する専門知識と、安全なネットワークソリューションを設計および実装する能力を示しています。この認定は、ネットワークセキュリティを深く理解している専門家を探している雇用主によって非常に人気があります。
HP HPE6-A84リアル2024年最新のブレーン問題集で模擬試験問題集:https://jp.fast2test.com/HPE6-A84-premium-file.html