CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. HP
  5. HPE6-A84

Free HPE6-A84 Exam Braindumps (page: 3)

Page 2 of 16
PDF with 60 Questions

Refer to the scenario.

A customer requires these rights for clients in the "medical-mobile" AOS firewall role on Aruba Mobility Controllers (MCs):

Permitted to receive IP addresses with DHCP

Permitted access to DNS services from 10.8.9.7 and no other server

Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22

Denied access to other 10.0.0.0/8 subnets

Permitted access to the Internet

Denied access to the WLAN for a period of time if they send any SSH traffic

Denied access to the WLAN for a period of time if they send any Telnet traffic

Denied access to all high-risk websites

External devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.

The exhibits below show the configuration for the role.

What setting not shown in the exhibit must you check to ensure that the requirements of the scenario are met?

  1. That denylisting is enabled globally on the MCs' firewalls
  2. That stateful handling of traffic is enabled globally on the MCs' firewalls and on the medical- mobile role.
  3. That AppRF and WebCC are enabled globally and on the medical-mobile role
  4. That the MCs are assigned RF Protect licenses

Answer(s): C

Explanation:

AppRF and WebCC are features that allow the MCs to classify and control application traffic and web content based on predefined or custom categories. These features are required to meet the scenario requirements of denying access to all high-risk websites and denying access to the WLAN for a period of time if they send any SSH or Telnet traffic. To enable AppRF and WebCC, you need to check the following settings:
On the global level, you need to enable AppRF and WebCC under Configuration > Services > AppRF and Configuration > Services > WebCC, respectively. On the role level, you need to enable AppRF and WebCC under Configuration > Security > Access Control > Roles > medical-mobile > AppRF and Configuration > Security > Access Control > Roles > medical-mobile > WebCC, respectively.
You also need to make sure that the MCs have valid licenses for AppRF and WebCC, which are included in the ArubaOS PEFNG license.



Refer to the scenario.

A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).

Switches are using local port-access policies.

The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the "eth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.

The plan for the enforcement policy and profiles is shown below:

The gateway cluster has two gateways with these IP addresses:
· Gateway 1
o VLAN 4085 (system IP) = 10.20.4.21
o VLAN 20 (users) = 10.20.20.1
o VLAN 4094 (WAN) = 198.51.100.14
· Gateway 2
o VLAN 4085 (system IP) = 10.20.4.22
o VLAN 20 (users) = 10.20.20.2
o VLAN 4094 (WAN) = 198.51.100.12
· VRRP on VLAN 20 = 10.20.20.254

The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway falls, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.

Assume that you have configured the correct UBT zone and port-access role settings. However, the solution is not working.

What else should you make sure to do?

  1. Assign VLAN 20 as the access VLAN on any edge ports to which tunneled clients might connect.
  2. Create a new VLAN on the AOS-CX switch and configure that VLAN as the UBT client VLAN.
  3. Assign sufficient VIA licenses to the gateways based on the number of wired clients that will connect.
  4. Change the port-access auth-mode mode to client-mode on any edge ports to which tunneled clients might connect.

Answer(s): B

Explanation:

The correct answer is B. Create a new VLAN on the AOS-CX switch and configure that VLAN as the UBT client VLAN.
User-based tunneling (UBT) is a feature that allows the AOS-CX switches to tunnel the traffic from wired clients to a mobility gateway cluster, where they can be assigned a role and a VLAN based on their authentication and authorization. To enable UBT, the switches need to have a UBT zone configured with the IP addresses of the gateways, and a UBT client VLAN configured with the ubt- client-vlan command.
The UBT client VLAN is a special VLAN that is used to encapsulate the traffic from the tunneled clients before sending it to the gateways. The UBT client VLAN must be different from any other VLANs used on the switch or the network, and it must not be assigned to any ports or interfaces on the switch. The UBT client VLAN is only used internally by the switch for UBT, and it is not visible to the clients or the gateways.
In this scenario, the customer wants to tunnel the clients that pass user authentication to the gateway cluster, where they will be assigned to VLAN 20. Therefore, the switch must have a UBT client VLAN configured that is different from VLAN 20 or any other VLANs on the network. For example, the switch can use VLAN 4000 as the UBT client VLAN, as shown in one of the web search results. The switch must also have a UBT zone configured with the system IP addresses of the gateways as the primary and backup controllers, as explained in question. The other options are not correct or relevant for this issue:
Option A is not correct because assigning VLAN 20 as the access VLAN on any edge ports to which tunneled clients might connect would conflict with UBT. The access VLAN is the VLAN that is assigned to untagged traffic on a port, and it is used for local switching on the switch. If VLAN 20 is assigned as the access VLAN, then the traffic from the clients will not be tunneled to the gateways, but rather switched locally on VLAN 20. This would defeat the purpose of UBT and cause inconsistency in role and VLAN assignment.
Option C is not correct because VIA licenses are not required for UBT. VIA licenses are required for enabling VPN services on Aruba Mobility Controllers for remote access clients using Aruba Virtual Intranet Access (VIA) software . VIA licenses are not related to UBT or wired clients. Option D is not correct because changing the port-access auth-mode mode to client-mode on any edge ports to which tunneled clients might connect would not affect UBT. The port-access auth-mode mode determines how a port handles authentication requests from multiple clients connected to a single port . Client-mode is the default mode that allows only one client per port, while multi-client- mode allows multiple clients per port. The port-access auth-mode mode does not affect how UBT works or how traffic is tunneled from a port.



A company has Aruba gateways and wants to start implementing gateway IDS/IPS. The customer has selected Block for the Fail Strategy.
What might you recommend to help minimize unexpected outages caused by using this particular fall strategy?

  1. Configuring a relatively high threshold for the gateway threat count alerts
  2. Making sure that the gateways have formed a cluster and operate in default gateway mode
  3. Setting the IDS or IPS policy to the least restrictive option, Lenient
  4. Enabling alerts and email notifications for events related to gateway IPS engine utilization and errors

Answer(s): D

Explanation:

The correct answer is D. Enabling alerts and email notifications for events related to gateway IPS engine utilization and errors.

Gateway IDS/IPS is a feature that allows the Aruba gateways to monitor and block malicious or unwanted traffic based on predefined or custom rules. The Fail Strategy is a setting that determines how the gateways handle traffic when the IPS engine fails or crashes. The Block option means that the gateways will stop forwarding traffic until the IPS engine recovers, while the Bypass option means that the gateways will continue forwarding traffic without inspection. The Block option provides more security, but it also increases the risk of network outages if the IPS engine fails frequently or for a long time. To minimize this risk, it is recommended to enable alerts and email notifications for events related to gateway IPS engine utilization and errors. This way, the network administrators can be informed of any issues with the IPS engine and take appropriate actions to restore or troubleshoot it.
The other options are not correct or relevant for this issue:
Option A is not correct because configuring a relatively high threshold for the gateway threat count alerts would not help minimize unexpected outages caused by using the Block option. The gateway threat count alerts are used to notify the network administrators of the number of threats detected by the IPS engine, but they do not affect how the gateways handle traffic when the IPS engine fails. Option B is not correct because making sure that the gateways have formed a cluster and operate in default gateway mode would not help minimize unexpected outages caused by using the Block option. The gateway cluster mode is used to provide high availability and load balancing for the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails . The default gateway mode is used to enable routing and NAT functions on the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails . Option C is not correct because setting the IDS or IPS policy to the least restrictive option, Lenient, would not help minimize unexpected outages caused by using the Block option. The IDS or IPS policy is used to define what rules are applied by the IPS engine to inspect and block traffic, but it does not affect how the gateways handle traffic when the IPS engine fails. The Lenient option contains fewer and older rules than the Moderate or Strict options, which means that it provides less security and more false negatives .



A company has Aruba gateways that are Implementing gateway IDS/IPS in IDS mode. The customer complains that admins are receiving too frequent of repeat email notifications for the same threat. The threat itself might be one that the admins should investigate, but the customer does not want the email notification to repeat as often.
Which setting should you adjust in Aruba Central?

  1. Report scheduling settings
  2. Alert duration and threshold settings
  3. The IDS policy setting (strict, medium, or lenient)
  4. The allowlist settings in the IDS policy

Answer(s): B

Explanation:

Alert duration and threshold settings are used to control how often and under what conditions email notifications are sent for gateway IDS/IPS events. By adjusting these settings, the customer can reduce the frequency of repeat email notifications for the same threat, while still being informed of any critical or new threats.

To adjust the alert duration and threshold settings in Aruba Central, the customer can follow these steps 1:
In the Aruba Central app, set the filter to Global, a group, or a device.
Under Analyze, click Alerts & Events.
Click the Config icon to open the Alert Severities & Notifications page. Select the Gateway IDS/IPS tab to view the alert categories and severities for gateway IDS/IPS events.
Click on an alert category to expand it and view the alert duration and threshold settings for each severity level.
Enter a value in minutes for the alert duration. This is the time period during which the alert is active and email notifications are sent.
Enter a value for the alert threshold. This is the number of times the alert must be triggered within the alert duration before an email notification is sent.
Click Save.
By increasing the alert duration and/or threshold values, the customer can reduce the number of email notifications for recurring threats, as they will only be sent when the threshold is reached within the duration. For example, if the customer sets the alert duration to 60 minutes and the alert threshold to 10 for a Critical severity level, then an email notification will only be sent if the same threat occurs 10 times or more within an hour.






Post your Comments and Discuss HP HPE6-A84 exam with other Community members:

HPE6-A84 Discussions & Posts