HP HPE7-A02 시험

Question No : 1

Refer to Exhibit.



A company is using HPE Aruba Networking ClearPass Device Insight (CPDI) (the standalone application). In the CPDI interface, you go to the Generic Devices page and see the view shown in the exhibit.
What correctly describes what you see?

• A.Each cluster is a group of unclassified devices that CPDI's machine learning has discovered to have similar attributes.
• B.Each cluster is a group of devices that match one of the tags configured by admins.
• C.Each cluster is all the devices that have been assigned to the same category by one of CPDI's built-in system rules.
• D.Each cluster is a group of devices that have been classified with user rules, but for which CPDI offers different recommendations.

답을 확인하기

정답:
Explanation:
In HPE Aruba Networking ClearPass Device Insight (CPDI), the clusters shown in the exhibit represent groups of unclassified devices that CPDI's machine learning algorithms have identified as having similar attributes. These clusters are formed based on observed characteristics and behaviors of the devices, helping administrators to categorize and manage devices more effectively.

Question No : 2

A company wants to turn on Wireless IDS/IPS infrastructure and client detection at the high level on HPE Aruba Networking APs. The company does not want to enable any prevention settings.
What should you explain about HPE Aruba Networking recommendations?

• A.HPE Aruba Networking recommends turning on both wired and wireless prevention whenever you enable detection at high.
• B.HPE Aruba Networking recommends using hybrid AP mode, as opposed to Air Monitors (AMs), when implementing detection without prevention.
• C.HPE Aruba Networking recommends disabling client detection when you configure infrastructure detection at high, as infrastructure detection includes all the client checks and more.
• D.HPE Aruba Networking recommends configuring infrastructure and client detection at a custom level and disabling or tuning some of the settings that are likely to produce false positives.

답을 확인하기

정답:
Explanation:
When enabling Wireless IDS/IPS infrastructure and client detection at a high level on HPE Aruba Networking APs without enabling prevention settings, HPE Aruba Networking recommends configuring detection at a custom level and adjusting settings to minimize false positives. This approach allows for effective monitoring while reducing the risk of unnecessary alerts and maintaining the accuracy of detections.

Question No : 3

A company has an HPE Aruba Networking ClearPass cluster with several servers.
ClearPass Policy Manager (CPPM) is set up to:
. Update client attributes based on Syslog messages from third-party appliances
. Have the clients reauthenticate and apply new profiles to the clients based on the updates
To ensure that the correct profiles apply, what is one step you should take?

• A.Configure a CoA action for all tag updates in the ClearPass Device Insight integration settings.
• B.Tune the CoA delay on the ClearPass servers to a value of 5 seconds or greater.
• C.Set the cluster's Endpoint Context Servers polling interval to a value of 5 seconds or less.
• D.Configure the cluster to periodically clean up (delete) unknown endpoints.

답을 확인하기

정답:
Explanation:
To ensure that the correct profiles apply after client attributes are updated based on Syslog messages, you should tune the Change of Authorization (CoA) delay on the ClearPass servers to a value of 5 seconds or greater. This delay allows sufficient time for the attribute updates to be processed and for the reauthentication to occur correctly, ensuring that the updated profiles are accurately applied to the clients.

Question No : 4

What is a use case for running periodic subnet scans on devices from HPE Aruba Networking ClearPass Policy Manager (CPPM)?

• A.Using DHCP fingerprints to determine a client's device category and OS
• B.Detecting devices that fail to comply with rules defined in CPPM posture policies
• C.Identifying issues with authenticating and authorizing clients
• D.Using WMI to collect additional information about Windows domain clients

답을 확인하기

정답:
Explanation:
Running periodic subnet scans on devices from HPE Aruba Networking ClearPass Policy Manager (CPPM) can be used to gather DHCP fingerprints, which help determine a client's device category and operating system. DHCP fingerprints are unique patterns in DHCP request packets that provide valuable information about the device type and OS, assisting in device profiling and policy enforcement.

Question No : 5

A company has HPE Aruba Networking APs and AOS-CX switches, as well as HPE Aruba Networking ClearPass. The company wants CPPM to have HTTP User-Agent strings to use in profiling devices.
What can you do to support these requirements?

• A.Add the CPPM server's IP address to the IP helper list in all client VLANs on routing switches.
• B.Schedule periodic subnet scans of all client subnets on CPP
• C.Configure mirror sessions on the APs and switches to copy client HTTP traffic to CPP
• D.On the APs and switches, configure a redirect to ClearPass Guest in the role for devices being profiled.

답을 확인하기

정답:
Explanation:
To support the requirement for HPE Aruba Networking ClearPass Policy Manager (CPPM) to have HTTP User-Agent strings for profiling devices, you should add the CPPM server's IP address to the IP helper list in all client VLANs on routing switches. This configuration ensures that DHCP requests and other relevant client traffic are forwarded to CPPM, allowing it to capture HTTP User-Agent strings and use them for device profiling.

Question No : 6

A company uses HPE Aruba Networking ClearPass Policy Manager (CPPM) and HPE Aruba Networking ClearPass Device Insight (CPDI) and has integrated the two. CPDI admins have created a tag. CPPM admins have created rules that use that tag in the wired 802.1X and wireless 802.1X services' enforcement policies.
The company requires CPPM to apply the tag-based rules to a client directly after it learns that the client has that tag.
What is one of the settings that you should verify on CPPM?

• A.The "Device Sync" setting is set to 1 in the ClearPass Device Insight Integration settings.
• B.Both 802.1X services have the "Profile Endpoints" option enabled and an appropriate CoA profile selected in the Profiler tab.
• C.Both 802.1X services have the "Use cached Role and Posture attributes from the previous sessions" setting.
• D.The "Polling Interval" is set to 1 in the ClearPass Device Insight Integration settings.

답을 확인하기

정답:
Explanation:
To ensure that HPE Aruba Networking ClearPass Policy Manager (CPPM) applies tag-based rules to a client immediately after learning the client has that tag, verify that both 802.1X services have the "Profile Endpoints" option enabled and an appropriate Change of Authorization (CoA) profile selected in the Profiler tab. This setup ensures that when a device is profiled and tagged, CPPM can immediately enforce the updated policies through CoA.

Question No : 7

You have installed an HPE Aruba Networking Network Analytic Engine (NAE) script on an AOS-CX switch to monitor a particular function.
Which additional step must you complete to start the monitoring?

• A.Reboot the switch.
• B.Enable NAE, which is disabled by default.
• C.Edit the script to define monitor parameters.
• D.Create an agent from the script.

답을 확인하기

정답:
Explanation:
After installing an HPE Aruba Networking Network Analytic Engine (NAE) script on an AOS-CX switch, the additional step required to start the monitoring is to create an agent from the script. The agent is responsible for executing the script and collecting the monitoring data as defined by the script parameters.

Question No : 8

A company needs you to integrate HPE Aruba Networking ClearPass Policy Manager (CPPM) with HPE Aruba Networking ClearPass Device Insight (CPDI).
What is one task you should do to prepare?

• A.Install the root CA for CPPM's HTTPS certificate as trusted in the CPDI application.
• B.Configure WMI, SSH, and SNMP external accounts for device scanning on CPP
• C.Enable Insight in the CPPM server configuration settings.
• D.Collect a Data Collector token from HPE Aruba Networking Central.

답을 확인하기

정답:
Explanation:
To integrate HPE Aruba Networking ClearPass Policy Manager (CPPM) with HPE Aruba Networking ClearPass Device Insight (CPDI), one of the necessary tasks is to enable Insight in the CPPM server configuration settings. This configuration allows CPPM to communicate and share data with CPDI, facilitating the integration and enabling enhanced device profiling and policy enforcement capabilities.

Question No : 9

You are using OpenSSL to obtain a certificate signed by a Certification Authority (CA).
You have entered this command:
openssl req -new -out file1.pem -newkey rsa: 3072 -keyout file2.pem Enter PEM pass phrase: ********** Verifying - Enter PEM pass phrase: **********
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: California
Locality Name (eg, city) []: Sunnyvale
Organization Name (eg, company) [Internet Widgits Pty Ltd]: example.com
Organizational Unit Name (eg, section) []: Infrastructure
Common Name (e.g. server FQDN or YOUR name) []: radius.example.com
What is one guideline for continuing to obtain a certificate?
A. You should use a third-party tool to encrypt file2.pem before sending it and file1.pem to the CA.
B. You should concatenate file1.pem and file2.pem into a single file, and submit that to the desired CA to sign.
C. You should submit file1.pem, but not file2.pem, to the desired CA to sign.
D. You should submit file2.pem, but not file1.pem, to the desired CA to sign.

답을 확인하기

정답: C
Explanation:
When using OpenSSL to obtain a certificate signed by a Certification Authority (CA), you should submit the Certificate Signing Request (CSR) file, which is file1.pem, to the CA. The CSR contains the information about the entity requesting the certificate and the public key, but not the private key, which is in file2.pem. The CA uses the information in the CSR to create and sign the certificate.

Question No : 10

You need to create a rule in an HPE Aruba Networking ClearPass Policy Manager (CPPM) role mapping policy that references a ClearPass Device Insight Tag.
Which Type (namespace) should you specify for the rule?

• A.Application
• B.Tips
• C.Device
• D.Endpoint

답을 확인하기

정답:
Explanation:
When creating a rule in an HPE Aruba Networking ClearPass Policy Manager (CPPM) role mapping policy that references a ClearPass Device Insight Tag, you should specify the "Endpoint" Type (namespace) for the rule. This ensures that the policy can properly reference and utilize the tags assigned to endpoints by ClearPass Device Insight for making role mapping decisions.

Question No : 11

Assume that an AOS-CX switch is already implementing DHCP snooping and ARP inspection successfully on several VLANs.
What should you do to help minimize disruption time if the switch reboots?

• A.Configure the switch to act as an ARP proxy.
• B.Create static IP-to-MAC bindings for the DHCP and DNS servers.
• C.Save the IP-to-MAC bindings to external storage.
• D.Configure the IP helper address on this switch, rather than a core routing switch.

답을 확인하기

정답:
Explanation:
To minimize disruption time if an AOS-CX switch reboots while implementing DHCP snooping and ARP inspection, you should save the IP-to-MAC bindings to external storage. This ensures that the DHCP snooping and ARP inspection tables, which are crucial for preventing spoofing attacks, are preserved across reboots. When the switch restarts, it can reload these bindings from the external storage, thereby maintaining network security and reducing the downtime associated with rebuilding these tables.

Question No : 12

A company has HPE Aruba Networking APs running AOS-10 and managed by HPE Aruba Networking Central. The company also has AOS-CX switches. The security team wants you to capture traffic from a particular wireless client. You should capture this client's traffic over a 15 minute time period and then send the traffic to them in a PCAP file.
What should you do?

• A.Go to the client's AP in HPE Aruba Networking Central. Use the "Security" page to run a packet capture.
• B.Access the CLI for the client's A
• C.Set up a mirroring session between its radio and a management station running Wireshark.
• D.Access the CLI for the client's AP's switch. Set up a mirroring session between the AP's port and a management station running Wireshark.
• E.Go to that client in HPE Aruba Networking Central. Use the "Live Events" page to run a packet capture.

답을 확인하기

정답:
Explanation:
To capture traffic from a particular wireless client for a 15-minute period and then send the traffic in a PCAP file, you should go to the client's AP in HPE Aruba Networking Central and use the "Security" page to run a packet capture. This method allows you to directly capture the client's traffic from the AP managing the wireless connection, ensuring that you gather the relevant traffic data for analysis.

Question No : 13

You are setting up an HPE Aruba Networking VIA solution for a company. You need to configure access control policies for applications and resources that remote clients can access when connected to the VPN.
Where on the VPNC should you configure these policies?

• A.In the tunneled network settings within the VIA Connection Profile
• B.In the cloud security settings using IPsec maps
• C.In the roles to which VIA clients are assigned after IKE authentication
• D.In the roles to which VIA clients are assigned after VIA Web authentication

답을 확인하기

정답:
Explanation:
To configure access control policies for applications and resources that remote clients can access when connected to the VPN, you should configure these policies in the roles to which VIA clients are assigned after IKE (Internet Key Exchange) authentication on the VPNC. These roles define the permissions and access controls for the clients once they are authenticated, ensuring that they can only access the applications and resources allowed by their assigned roles.

Question No : 14

A company is implementing a client-to-site VPN based on tunnel-mode IPsec.
Which devices are responsible for the IPsec encapsulation?

• A.Gateways at the remote clients' locations and devices accessed by the clients at the main site
• B.The remote clients and devices accessed by the clients at the main site
• C.The remote clients and a gateway at the main site
• D.Gateways at the remote clients' locations and a gateway at the main site

답을 확인하기

정답:
Explanation:
In a client-to-site VPN based on tunnel-mode IPsec, the remote clients and a gateway at the main site are responsible for the IPsec encapsulation. The remote clients initiate the VPN connection and encapsulate their traffic in IPsec, which is then decapsulated by the gateway at the main site.

Question No : 15

A company wants HPE Aruba Networking ClearPass Policy Manager (CPPM) to respond to Syslog messages from its Palo Alto Next Generation Firewall (NGFW) by quarantining clients involved in security incidents.
Which step must you complete to enable CPPM to process the Syslogs properly?

• A.Configure the Palo Alto as a context server on CPP
• B.Install a Palo Alto Extension through ClearPass Guest.
• C.Enable Insight and ingress event processing on the CPPM server.
• D.Configure CPPM to trust the root CA certificate for the NGF

답을 확인하기

정답:
Explanation:
To enable HPE Aruba Networking ClearPass Policy Manager (CPPM) to process Syslog messages from a Palo Alto Next Generation Firewall (NGFW) and quarantine clients involved in security incidents, you need to configure the Palo Alto as a context server on CPPM. This setup allows CPPM to receive and understand the context of the Syslog messages sent by the Palo Alto NGFW, enabling it to take appropriate actions such as quarantining clients.