A. Companies must apply the same access controls to all users, regardless of identity.
B. Companies that support remote workers cannot achieve zero trust security and must determine if the benefits outweigh the cost.
C. Companies should focus on protecting their resources rather than on protecting the boundaries of their internal network.
D. Companies can achieve zero trust security by strengthening perimeter security to detect a wider range of threats.
Refer to the exhibit.
(Note that the HPE Aruba Networking Central interface shown here might look slightly different from what you see in your HPE Aruba Networking Central interface as versions change; however, similar concepts continue to apply.)
An HPE Aruba Networking 9x00 gateway is part of an HPE Aruba Networking Central group that has the settings shown in the exhibit. What would cause the gateway to drop traffic as part of its IDPS settings?
A. Its site-to-site VPN connections failing
B. Traffic matching a rule in the active ruleset
C. Its IDPS engine failing
D. Traffic showing anomalous behavior
An AOS-CX switch has been configured to implement UBT to two HPE Aruba Networking gateways that implement VRRP on the users’ VLAN.
What correctly describes how the switch tunnels UBT users’ traffic to those gateways?
A. The switch always sends the users’ traffic to the VRRP master.
B. The switch always sends all users’ traffic to the primary gateway configured in the UBT zone.
C. The switch always load shares the users’ traffic across both gateways.
D. The switch always sends all users’ traffic to the gateway assigned as the active device designated gateway.
HPE Aruba Networking Central displays an alert about an Infrastructure Attack that was detected. You go to Security > RAPIDS events and see that the attack was “Detect adhoc using Valid SSID.”
What is one possible next step?
A. Make sure that you have tuned the threshold for that check, as false positives are common for it.
B. Make sure that clients have updated drivers, as faulty drivers are a common explanation for this attack type.
C. Use HPE Aruba Networking Central floorplans or the detecting AP identities to locate the general area for the threat.
D. Look for the IP address associated with the offender and then check for that IP address among HPE Aruba Networking Central clients.
A company uses both HPE Aruba Networking ClearPass Manager (CPPM) and HPE Aruba Networking ClearPass Device Insight (CPDI).
What is one way integrating the two solutions can help the company implement Zero Trust Security?
A. CPPM can inform CPDI that it has assigned a particular Aruba-User-Role to a client; CPDI can then use that information to reclassify the client.
B. CPDI can use tags to inform CPPM that clients are using prohibited applications; CPPM can then tell the network infrastructure to quarantine those clients.
C. CPPM can provide CPDI with custom device fingerprint definitions in order to enhance the company’s total visibility.
D. CPDI can provide CPPM with extra information about user’s identity; CPPM can then use that information to apply the correct identity-based enforcement.
You have created a Web-based Health Check Service that references a posture policy. You want the service to trigger a RADIUS change of authorization (CoA) when a client receives a Healthy or Quarantine posture.
Where do you configure those rules?
A. In a RADIUS enforcement policy
B. In the Agents and Software Updates > OnGuard Settings
C. In the posture policy
D. In a WEBAUTH enforcement policy
Which issue can an HPE Aruba Networking Secure Web Gateway (SWG) solution help customers address?
A. The organization needs a faster way to quarantine clients that have generated threats, as detected by third-party firewalls.
B. Hybrid workers are exposing their computers to risky internet sites and infection by malware when they work from home.
C. Remote workers need access to private data center applications without exposing those applications to unauthorized users.
D. The organization currently has no way to prevent users from exfiltrating sensitive data from SaaS applications.
A company has a third-party security appliance deployed in its data center. The company wants to pass all traffic for certain clients through that device before forwarding that traffic toward its ultimate destination.
Which AOS-CX switch technology fulfills this use case?
A. Virtual Network Based Tunneling (VNBT)
B. MC-LAG
C. Network Analytics Engine (NAE)
D. Device profiles
What is a use case for running periodic subnet scans on devices from HPE Aruba Networking ClearPass Policy Manager (CPPM)?
A. Detecting devices that fail to comply with rules defined in CPPM posture policies.
B. Identifying issues with authenticating and authorizing clients
C. Using WMI to collect additional information about Windows domain clients
D. Using DHCP fingerprints to determine a client’s device category and OS
A company has a variety of HPE Aruba Networking solutions, including an HPE Aruba Networking infrastructure and HPE Aruba Networking ClearPass Policy Manager (CPPM). The company passes traffic from the corporate LAN destined to the data center through a third-party SRX firewall. The company would like to further protect itself from internal threats.
What is one solution that you can recommend?
A. Have the third-party firewall send Syslogs to CPPM, which can work with network devices to lock internal attackers out of the network.
B. Add ClearPass Device Insight (CPDI) to the solution, integrate it with the third-party firewall to develop more complete device profiles.
C. Configure CPPM to poll the third-party firewall for a broad array of information about internal clients, such as profile and posture.
D. Use tunnel mode SSIDs and user-based tunneling (UBT) on AOS-CX switches to pass all internal traffic directly through the third-party firewall.
You want to examine the applications that a device is using and look for any changes in application usage over several different ranges.
In which HPE Aruba Networking solution can you view this information in an easy-to-view format?
A. HPE Aruba Networking ClearPass OnGuard agent installed on the device
B. HPE Aruba Networking Central within a device’s Live Monitoring page
C. HPE Aruba Networking ClearPass Insight using an Active Endpoint Security report
D. HPE Aruba Networking ClearPass Device Insight (CPDI) in the device’s network activity
A company has HPE Aruba Networking APs running AOS-10 and managed by HPE Aruba Networking Central. The company also has AOS-CX switches. The security team wants you to capture traffic from a particular wireless client. You should capture this client’s traffic over a 15-minute time period and then send the traffic to them in a PCAP file.
What should you do?
A. Access the CLI for the client’s AP. Set up a mirroring session between its radio and a management station running Wireshark.
B. Go to the client’s AP in HPE Aruba Networking Central. Use the “Security” page to run a packet capture.
C. Go to that client in HPE Aruba Networking Central. Use the “Live Events” page to run a packet capture.
D. Access the CLI for the client’s AP’s switch. Set up a mirroring session between the AP’s port and a management station running Wireshark.
A company wants you to create a custom device fingerprint on CPPM with rules for profiling a group of specialized devices.
What is one requirement?
A. Connecting a known device of this type and getting it discovered in CPPM’s Endpoints Repository
B. Enabling HPE Aruba Networking ClearPass Device Insight integration with the correct Data Collector token
C. Pre-defining the desired attributes and rules in an XML format file
D. Disabling the Automatically download Endpoint Profiler Fingerprints feature in cluster-wide parameters.
You are using Wireshark to view packet captures from HPE Aruba Networking infrastructure, but you’re not sure that the packets are displaying correctly. In which circumstances does it make sense to configure Wireshark to ignore protection bits with the IV for the 802.11 protocol?
A. When the traffic was captured on the data plane of an HPE Aruba Networking gateway and sent to a remote IP
B. When the traffic was mirrored from an AOS-CX switch port connected to an AP
C. When the traffic was captured from an AP with HPE Aruba Networking Central
D. When the traffic was captured on the control plane of an HPE Aruba Networking MC and sent to a remote IP
A company has AOS-CX switches, which authenticate clients to HPE Aruba Networking ClearPass Policy Manager (CPPM). CPPM is set up to receive a variety of information about clients’ profile and posture. New information can mean that CPPM should change a client’s enforcement profile.
What should you set up on the switches to help the solution function correctly?
A. Enable RADIUS accounting to CPPM, including interim RADIUS accounting.
B. Configure a RADIUS track that references CPPM’s FQDN or IP address.
C. Enable dynamic authorization, and specify CPPM as a dynamic authorization client.
D. Re-configure the authentication server on the switch, specifying CPPM as a TACACS server.
A company wants to apply role-based access control lists (ACLs) on AOS-CX switches, which are implementing authentication to HPE Aruba Networking ClearPass Policy Manager (CPPM). The company wants to centralize configuration as much as possible.
Which correctly describes your options?
A. You can configure the role on CPPM; however, the CPPM role must reference a policy name that is configured on the switch.
B. You can configure the role name on CPPM; however, the role settings, including policy and classes, must be configured locally on the switch.
C. You can configure the role, its policy, and the classes referenced in the policy all on CPPM.
D. You can configure the role and its policy on CPPM; however, the classes referenced in the policy must be configured locally on the switch.
A company has AOS-CX switches at the access layer; these switches are managed by HPE Aruba Networking Central. You have identified suspicious activity on a wired client. You want to analyze the client’s traffic with Wireshark, which you have on your management station.
What should you do?
A. Access the client’s switch’s CLI from your management station. Access the switch shell and run a TCP dump on the client port.
B. Go to the client’s switch in HPE Aruba Networking Central. Use the “Security” page to run a packet capture.
C. Set up a policy that implements a captive portal redirect to your management station. Apply that policy to the client’s port.
D. Set up a mirror session on the client’s switch; set the client port as the source and your station IP address as the tunnel destination.
You are setting up policy rules in HPE Aruba Networking SSE. You want to create a single rule that permits users in a particular user group to access multiple applications. What is an easy way to meet this need?
A. Associate the applications directly with the IdP used to authenticate the users; choose any for the destination in the policy rule
B. Apply the same tag to the applications; select the tag as a destination in the policy rule
C. Place all the applications in the same connector zone; select that zone as a destination in the policy rule
D. Select the applications within a non-default web profile; select that profile in the policy rule
The following firewall role is configured on HPE Aruba Networking Central-managed APs:
A client has authenticated and been assigned to the “employees” role. The client has IP address 10.2.2.2.
Which correctly describes behavior in this policy?
A. HTTPS traffic from 10.2.2.2 to 10.5.5.5 is denied.
B. HTTPS traffic from 10.2.2.2 to 203.0.113.12 is denied.
C. Traffic from 10.5.3.3 in an active HTTPS session between 10.2.2.2 and 10.5.3.3 is permitted.
D. Traffic from 198.51.100.12 in an active HTTP session between 10.2.2.2 and 198.51.100.12 is denied.
A company has HPE Aruba Networking APs running AOS-10 that connect to AOS-CX switches. The APs will:
- Authenticate as 802.1X supplicants to HPE Aruba Networking ClearPass Policy Manager (CPPM)
- Be assigned to the “APs” role on the switches
- Have their traffic forwarded locally
What information do you need to help you determine the VLAN settings for the “APs” role?
A. Whether the switches are using local user-roles (LURs) or downloadable user-roles (DURs)
B. Whether the APs bridge or tunnel traffic on their SSIDs
C. Whether the switches have established tunnels with an HPE Aruba Networking gateway
D. Whether the APs have static or DHCP-assigned IP addresses
A company has HPE Aruba Networking infrastructure devices. The devices authenticate clients to HPE Aruba Networking ClearPass Policy Manager (CPPM). You want CPPM to track information about clients, such as their IP addresses and their network bandwidth utilization.
What should you set up on the network infrastructure devices to help that happen?
A. Logging with CPPM configured as a Syslog server
B. Dynamic authorization enabled in the RADIUS settings for CPPM
C. RADIUS accounting to CPPM, including interim updates
D. An IF-MAP interface with CPPM as the destination
A company has HPE Aruba Networking Central-managed APs. The company wants to block all clients connected through the APs from using YouTube.
Which steps should you take?
A. Enable WebCC on all client firewall roles. Then, create WebCC category rules that deny suspicious URLs.
B. Enable DPI. Then, create application rules to deny YouTube on the firewall roles.
C. Enable Client IPS at the “custom” level, and then specify the check for YouTube.
D. Deploy gateways and have the APs tunnel traffic to the gateways. Then, enable the gateway IDS/IPS engine.
A company has HPE Aruba Networking APs and AOS-CX switches. The APs bridge wireless traffic. They receive DHCP IP addresses on VLAN 18. Wireless users are assigned to VLAN 12. The company wants APs to start using 802.1X authentication.
You are configuring the port-access role to which the APs are assigned post-authentication.
What is one recommended setting for that role?
A. Trust for DSCP
B. Access VLAN 18 with no support for VLAN 12
C. Auth-mode left at client-mode
D. No trust for DSCP
A company is using HPE Aruba Networking ClearPass Device Insight (CPDI) (the standalone application). You have identified a device, which is currently classified as one type, but you want to classify it as a custom type. You also want to classify all devices with similar attributes as this type, both already-discovered devices and new devices discovered later.
What should you do?
A. Create a user tag from the Generic Devices page, select the desired attributes for the tag, and save the tag.
B. In the device details, select filter, create a user tag based on the device attributes, and save the tag.
C. In the device details, select reclassify, create a user rule based on its attributes, and choose “Save & Reclassify.”
D. Create a user rule from the Generic Devices page, select the desired attributes for the rule, and choose “Save.”
Refer to the exhibit.
These packets have been captured from VLAN 10, which supports clients that receive their IP addresses with DHCP.
What can you interpret from the packets that you see here?
A. Someone is possibly implementing a MAC spoofing attack to gain unauthorized access.
B. The mirroring session that captured the packets was likely misconfigured and captured duplicate traffic.
C. An admin has likely misconfigured two clients to use the same DHCP settings.
D. Someone is possibly implementing an ARP poisoning and MITM attack.