HP HPE6-A84 Exam Practice Test Instant Access

Question 1

Refer to the scenario.

A customer has asked you to review their AOS-CX switches for potential vulnerabilities. The configuration for these switches is shown below:

What is one immediate remediation that you should recommend?

AChanging the switch's DNS server to the mgmt VRF

BSetting the clock manually instead of using NTP

CEither disabling DHCPv4-snoopinq or leaving it enabled, but also enabling ARP inspection

DDisabling Telnet

Answer : D

According to the AOS-CX Switches Multiple Vulnerabilities1, one of the vulnerabilities (CVE-2021-41001) affects the Telnet service on AOS-CX switches. This vulnerability allows an unauthenticated remote attacker to cause a denial-of-service condition on the switch by sending specially crafted Telnet packets. The impact of this vulnerability is high, as it could result in a loss of management access and network disruption. Therefore, one immediate remediation that you should recommend is to disable Telnet on the switch. This way, the switch can prevent any malicious Telnet traffic from reaching it and avoid the exploitation of this vulnerability.

Question 2

Refer to the scenario.

A customer is using an AOS 10 architecture with Aruba APs and Aruba gateways (two per site). Admins have implemented auto-site clustering for gateways with the default gateway mode disabled. WLANs use tunneled mode to the gateways.

The WLAN security is WPA3-Enterprise with authentication to an Aruba ClearPass Policy Manager (CPPM) cluster VIP. RADIUS communications use RADIUS, not RadSec.

CPPM is using the service shown in the exhibits.

Which step can you take to improve operations during a possible gateway failover event?

AChanqe the WLANs to mixed-mode forwardinq so that vou can select multiple qatewav clusters.

BSet up qatewav clusters manually and set VRRP IP addresses for dynamic authorization.

CUse auto-group clustering instead of auto-site clustering for the gateways.

DEnable default gateway mode for the gateway clusters.

Answer : B

Auto-site clustering is a feature that allows gateways in the same site and group to form a cluster automatically. However, this mode does not support VRRP IP addresses, which are required for dynamic authorization (CoA) from ClearPass Policy Manager (CPPM) to the gateways. Dynamic authorization is a mechanism that allows CPPM to change the attributes or status of a client session on the gateways without requiring re-authentication. This is useful for applying policies, roles, or bandwidth limits based on various conditions. Without VRRP IP addresses, CPPM would not be able to send CoA messages to the correct gateway in case of a failover event, resulting in inconsistent or incorrect client behavior.

To enable VRRP IP addresses for dynamic authorization, you need to set up gateway clusters manually and assign a VRRP VLAN and a VRRP IP address to each cluster. This way, CPPM can use the VRRP IP address as the NAS IP address for RADIUS communications and CoA messages. The VRRP IP address will remain the same even if the active gateway in the cluster changes due to a failover event, ensuring seamless operations. You can find more information about how to set up gateway clusters manually and configure VRRP IP addresses in the Gateway Cluster Deployment - Aruba page and the ClearPass Policy Manager User Guide1.

Question 3

Refer to the scenario.

A customer requires these rights for clients in the ''medical-mobile'' AOS firewall role on Aruba Mobility Controllers (MCs):

External devices should not be permitted to initiate sessions with ''medical-mobile'' clients, only send return traffic.

The exhibits below show the configuration for the role.

What setting not shown in the exhibit must you check to ensure that the requirements of the scenario are met?

AThat denylisting is enabled globally on the MCs' firewalls

BThat stateful handling of traffic is enabled globally on the MCs' firewalls and on the medical-mobile role.

CThat AppRF and WebCC are enabled globally and on the medical-mobile role

DThat the MCs are assigned RF Protect licenses

Answer : C

AppRF and WebCC are features that allow the MCs to classify and control application traffic and web content based on predefined or custom categories12. These features are required to meet the scenario requirements of denying access to all high-risk websites and denying access to the WLAN for a period of time if they send any SSH or Telnet traffic.

To enable AppRF and WebCC, you need to check the following settings:

On the global level, you need to enable AppRF and WebCC underConfiguration > Services > AppRFandConfiguration > Services > WebCC, respectively12.

On the role level, you need to enable AppRF and WebCC underConfiguration > Security > Access Control > Roles > medical-mobile > AppRFandConfiguration > Security > Access Control > Roles > medical-mobile > WebCC, respectively12.

You also need to make sure that the MCs have valid licenses for AppRF and WebCC, which are included in the ArubaOS PEFNG license3.

Question 4

Refer to the exhibit.

A customer requires protection against ARP poisoning in VLAN 4. Below are listed all settings for VLAN 4 and the VLAN 4 associated physical interfaces on the AOS-CX access layer switch:

What is one issue with this configuration?

AARP proxy is not enabled on VLAN 4.

BLAG 1 is configured as trusted for ARP inspection but should be untrusted.

CDHCP snooping is not enabled on VLAN 4.

DEdge ports are not configured as untrusted for ARP inspection.

Answer : D

This is because ARP inspection is a security feature that validates ARP packets in a network and prevents ARP poisoning attacks12ARP inspection works by intercepting, logging, and discarding ARP packets with invalid IP-to-MAC address bindings1To enable ARP inspection, the switch needs to know which ports are trusted and which are untrusted. Trusted ports are those that connect to authorized DHCP servers or other network devices that are not vulnerable to ARP spoofing.Untrusted ports are those that connect to end hosts or devices that might send forged ARP packets13

In the exhibit, LAG 1 is configured as a trusted port for ARP inspection, which is correct because it connects to the core switch. However, the edge ports (1/1/1-1/1/24) are not configured as untrusted ports for ARP inspection, which is incorrect because they connect to end hosts that might be compromised by an attacker. By default, all ports are untrusted for ARP inspection, but this can be changed by using the commandip arp inspection truston the interface configuration mode3Therefore, to protect VLAN 4 against ARP poisoning, the edge ports should be configured as untrusted for ARP inspection by using the commandno ip arp inspection truston the interface configuration mode.This way, the switch will validate the ARP packets received on these ports against the DHCP snooping database or an ARP access-list and drop any invalid packets34

A) ARP proxy is not enabled on VLAN 4.This is not an issue because ARP proxy is an optional feature that allows the switch to respond to ARP requests on behalf of hosts in different subnets5It is not related to ARP poisoning or ARP inspection.

B) LAG 1 is configured as trusted for ARP inspection but should be untrusted. This is not an issue because LAG 1 connects to the core switch, which is a trusted device that does not send forged ARP packets.

C) DHCP snooping is not enabled on VLAN 4.This is not an issue because DHCP snooping is a separate feature that prevents rogue DHCP servers from offering IP addresses to clients6It is not directly related to ARP poisoning or ARP inspection, although it can provide information for ARP inspection validation if enabled

Question 5

Refer to the scenario.

A customer requires these rights for clients in the ''medical-mobile'' AOS firewall role on Aruba Mobility Controllers (MCs):

External devices should not be permitted to initiate sessions with ''medical-mobile'' clients, only send return traffic.

The exhibits below show the configuration for the role.

There are multiple issues with this configuration. What is one change you must make to meet the scenario requirements? (In the options, rules in a policy are referenced from top to bottom. For example, ''medical-mobile'' rule 1 is ''ipv4 any any svc-dhcp permit,'' and rule 8 is ''ipv4 any any any permit''.)

AIn the ''medical-mobile'' policy, move rules 2 and 3 between rules 7 and 8.

BIn the ''medical-mobile'' policy, change the subnet mask in rule 3 to 255.255.248.0.

CMove the rule in the ''apprf-medical-mobile-sacl'' policy between rules 7 and 8 in the ''medical-mobile'' policy.

DIn the ''medical-mobile'' policy, change the source in rule 8 to ''user.''

Answer : B

The subnet mask in rule 3 of the ''medical-mobile'' policy is currently 255.255.252.0, which means that the rule denies access to the 10.1.12.0/22 subnet as well as the adjacent 10.1.16.0/22 subnet1. This is not consistent with the scenario requirements, which state that only the 10.1.12.0/22 subnet should be denied access, while the rest of the 10.1.0.0/16 range should be permitted access.

To fix this issue, the subnet mask in rule 3 should be changed to 255.255.248.0, which means that the rule only denies access to the 10.1.8.0/21 subnet, which includes the 10.1.12.0/22 subnet1. This way, the rule matches the scenario requirements more precisely.

Question 6

Refer to the exhibit.

Which IP address should you record as a possibly compromised client?

A10.1.26.151

B10.1J.100

C10.1.26.1

D10.254.1.21

Answer : A

The exhibit shows a screenshot of a Malwarebytes alert that indicates that a website was blocked due to compromise. The alert contains the following information:

The type of protection: Web Protection

The website that was blocked: 10.254.1.21

The port that was used: 80

The process that initiated the connection: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

The IP address of the device that initiated the connection: 10.1.26.151

The IP address of the device that initiated the connection is the one that should be recorded as a possibly compromised client, as it indicates that the device tried to access a malicious website that could infect it with malware or steal its data. In this case, the IP address of the possibly compromised client is 10.1.26.151.

Question 7

You are designing an Aruba ClearPass Policy Manager (CPPM) solution for a customer. You learn that the customer has a Palo Alto firewall that filters traffic between clients in the campus and the data center.

Which integration can you suggest?

ASending Syslogs from the firewall to CPPM to signal CPPM to change the authentication status for misbehaving clients

BImporting clients' MAC addresses to configure known clients for MAC authentication more quickly

CEstablishing a double layer of authentication at both the campus edge and the data center DMZ

DImporting the firewall's rules to program downloadable user roles for AOS-CX switches more quickly

Answer : A

This option allows CPPM to receive real-time information about the network activity and security posture of the clients from the firewall, and then apply appropriate enforcement actions based on the configured policies12.For example, if a client is detected to be infected with malware or violating the network usage policy, CPPM can quarantine or disconnect the client from the network2.

HP Aruba Certified Network Security Expert Written HPE6-A84 Exam Practice Test