HP HPE7-A02 시험

Question No : 1

Which statement describes Zero Trust Security?

• A.Companies should focus on protecting their resources rather than on protecting the boundaries of their internal network.
• B.Companies must apply the same access controls to all users, regardless of identity.
• C.Companies that support remote workers cannot achieve zero trust security and must determine if the benefits outweigh the cost.
• D.Companies can achieve zero trust security by strengthening their perimeter security to detect a wider range of threats.

답을 확인하기

정답:
Explanation:
Zero Trust Security is a security model that operates on the principle that no entity, whether inside or outside the network, should be trusted by default. Instead, every access request is thoroughly verified before granting access to resources. This model emphasizes protecting resources rather than merely securing the network perimeter, acknowledging that threats can originate both inside and outside the network.

Question No : 2

A company has HPE Aruba Networking APs and AOS-CX switches, as well as HPE Aruba Networking ClearPass. The company wants CPPM to have HTTP User-Agent strings to use in profiling devices.
What can you do to support these requirements?

• A.Add the CPPM server's IP address to the IP helper list in all client VLANs on routing switches.
• B.Schedule periodic subnet scans of all client subnets on CPP
• C.Configure mirror sessions on the APs and switches to copy client HTTP traffic to CPP
• D.On the APs and switches, configure a redirect to ClearPass Guest in the role for devices being profiled.

답을 확인하기

정답:
Explanation:
To support the requirement for HPE Aruba Networking ClearPass Policy Manager (CPPM) to have HTTP User-Agent strings for profiling devices, you should add the CPPM server's IP address to the IP helper list in all client VLANs on routing switches. This configuration ensures that DHCP requests and other relevant client traffic are forwarded to CPPM, allowing it to capture HTTP User-Agent strings and use them for device profiling.

Question No : 3

A company uses HPE Aruba Networking ClearPass Policy Manager (CPPM) and HPE Aruba Networking ClearPass Device Insight (CPDI) and has integrated the two. CPDI admins have created a tag. CPPM admins have created rules that use that tag in the wired 802.1X and wireless 802.1X services' enforcement policies.
The company requires CPPM to apply the tag-based rules to a client directly after it learns that the client has that tag.
What is one of the settings that you should verify on CPPM?

• A.The "Device Sync" setting is set to 1 in the ClearPass Device Insight Integration settings.
• B.Both 802.1X services have the "Profile Endpoints" option enabled and an appropriate CoA profile selected in the Profiler tab.
• C.Both 802.1X services have the "Use cached Role and Posture attributes from the previous sessions" setting.
• D.The "Polling Interval" is set to 1 in the ClearPass Device Insight Integration settings.

답을 확인하기

정답:
Explanation:
To ensure that HPE Aruba Networking ClearPass Policy Manager (CPPM) applies tag-based rules to a client immediately after learning the client has that tag, verify that both 802.1X services have the "Profile Endpoints" option enabled and an appropriate Change of Authorization (CoA) profile selected in the Profiler tab. This setup ensures that when a device is profiled and tagged, CPPM can immediately enforce the updated policies through CoA.

Question No : 4

You have installed an HPE Aruba Networking Network Analytic Engine (NAE) script on an AOS-CX switch to monitor a particular function.
Which additional step must you complete to start the monitoring?

• A.Reboot the switch.
• B.Enable NAE, which is disabled by default.
• C.Edit the script to define monitor parameters.
• D.Create an agent from the script.

답을 확인하기

정답:
Explanation:
After installing an HPE Aruba Networking Network Analytic Engine (NAE) script on an AOS-CX switch, the additional step required to start the monitoring is to create an agent from the script. The agent is responsible for executing the script and collecting the monitoring data as defined by the script parameters.

Question No : 5

A company needs you to integrate HPE Aruba Networking ClearPass Policy Manager (CPPM) with HPE Aruba Networking ClearPass Device Insight (CPDI).
What is one task you should do to prepare?

• A.Install the root CA for CPPM's HTTPS certificate as trusted in the CPDI application.
• B.Configure WMI, SSH, and SNMP external accounts for device scanning on CPP
• C.Enable Insight in the CPPM server configuration settings.
• D.Collect a Data Collector token from HPE Aruba Networking Central.

답을 확인하기

정답:
Explanation:
To integrate HPE Aruba Networking ClearPass Policy Manager (CPPM) with HPE Aruba Networking ClearPass Device Insight (CPDI), one of the necessary tasks is to enable Insight in the CPPM server configuration settings. This configuration allows CPPM to communicate and share data with CPDI, facilitating the integration and enabling enhanced device profiling and policy enforcement capabilities.

Question No : 6

You are using OpenSSL to obtain a certificate signed by a Certification Authority (CA). You have entered this command:
openssl req -new -out file1.pem -newkey rsa:3072 -keyout file2.pem Enter PEM pass phrase: ********** Verifying - Enter PEM pass phrase: **********
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]: California
Locality Name (eg, city) []: Sunnyvale
Organization Name (eg, company) [Internet Widgits Pty Ltd]: example.com
Organizational Unit Name (eg, section) []: Infrastructure
Common Name (e.g. server FQDN or YOUR name) []: radius.example.com
What is one guideline for continuing to obtain a certificate?
A. You should use a third-party tool to encrypt file2.pem before sending it and file1.pem to the CA.
B. You should concatenate file1.pem and file2.pem into a single file, and submit that to the desired CA to sign.
C. You should submit file1.pem, but not file2.pem, to the desired CA to sign.
D. You should submit file2.pem, but not file1.pem, to the desired CA to sign.

답을 확인하기

정답: C
Explanation:
When using OpenSSL to obtain a certificate signed by a Certification Authority (CA), you should
submit the Certificate Signing Request (CSR) file, which is file1.pem, to the CA. The CSR contains the information about the entity requesting the certificate and the public key, but not the private key, which is in file2.pem.
The CA uses the information in the CSR to create and sign the certificate.

Question No : 7

You need to create a rule in an HPE Aruba Networking ClearPass Policy Manager (CPPM) role mapping policy that references a ClearPass Device Insight Tag.
Which Type (namespace) should you specify for the rule?

• A.Application
• B.Tips
• C.Device
• D.Endpoint

답을 확인하기

정답:
Explanation:
When creating a rule in an HPE Aruba Networking ClearPass Policy Manager (CPPM) role mapping policy that references a ClearPass Device Insight Tag, you should specify the "Endpoint" Type (namespace) for the rule. This ensures that the policy can properly reference and utilize the tags assigned to endpoints by ClearPass Device Insight for making role mapping decisions.

Question No : 8

Assume that an AOS-CX switch is already implementing DHCP snooping and ARP inspection successfully on several VLANs.
What should you do to help minimize disruption time if the switch reboots?

• A.Configure the switch to act as an ARP proxy.
• B.Create static IP-to-MAC bindings for the DHCP and DNS servers.
• C.Save the IP-to-MAC bindings to external storage.
• D.Configure the IP helper address on this switch, rather than a core routing switch.

답을 확인하기

정답:
Explanation:
To minimize disruption time if an AOS-CX switch reboots while implementing DHCP snooping and ARP inspection, you should save the IP-to-MAC bindings to external storage. This ensures that the DHCP snooping and ARP inspection tables, which are crucial for preventing spoofing attacks, are preserved across reboots. When the switch restarts, it can reload these bindings from the external storage, thereby maintaining network security and reducing the downtime associated with rebuilding these tables.

Question No : 9

A company has HPE Aruba Networking APs running AOS-10 and managed by HPE Aruba Networking
Central. The company also has AOS-CX switches. The security team wants you to capture traffic from a particular wireless client. You should capture this client's traffic over a 15 minute time period and then send the traffic to them in a PCAP file.
What should you do?

• A.Go to the client's AP in HPE Aruba Networking Central. Use the "Security" page to run a packet capture.
• B.Access the CLI for the client's A
• C.Set up a mirroring session between its radio and a management station running Wireshark.
• D.Access the CLI for the client's AP's switch. Set up a mirroring session between the AP's port and a management station running Wireshark.
• E.Go to that client in HPE Aruba Networking Central. Use the "Live Events" page to run a packet capture.

답을 확인하기

정답:
Explanation:
To capture traffic from a particular wireless client for a 15-minute period and then send the traffic in a PCAP file, you should go to the client's AP in HPE Aruba Networking Central and use the "Security" page to run a packet capture. This method allows you to directly capture the client's traffic from the AP managing the wireless connection, ensuring that you gather the relevant traffic data for analysis.

Question No : 10

You are setting up an HPE Aruba Networking VIA solution for a company. You need to configure access control policies for applications and resources that remote clients can access when connected to the VPN.
Where on the VPNC should you configure these policies?

• A.In the tunneled network settings within the VIA Connection Profile
• B.In the cloud security settings using IPsec maps
• C.In the roles to which VIA clients are assigned after IKE authentication
• D.In the roles to which VIA clients are assigned after VIA Web authentication

답을 확인하기

정답:
Explanation:
To configure access control policies for applications and resources that remote clients can access when connected to the VPN, you should configure these policies in the roles to which VIA clients are assigned after IKE (Internet Key Exchange) authentication on the VPNC. These roles define the permissions and access controls for the clients once they are authenticated, ensuring that they can only access the applications and resources allowed by their assigned roles.

Question No : 11

A company is implementing a client-to-site VPN based on tunnel-mode IPsec.
Which devices are responsible for the IPsec encapsulation?

• A.Gateways at the remote clients' locations and devices accessed by the clients at the main site
• B.The remote clients and devices accessed by the clients at the main site
• C.The remote clients and a gateway at the main site
• D.Gateways at the remote clients' locations and a gateway at the main site

답을 확인하기

정답:
Explanation:
In a client-to-site VPN based on tunnel-mode IPsec, the remote clients and a gateway at the main site are responsible for the IPsec encapsulation. The remote clients initiate the VPN connection and encapsulate their traffic in IPsec, which is then decapsulated by the gateway at the main site.

Question No : 12

A company wants HPE Aruba Networking ClearPass Policy Manager (CPPM) to respond to Syslog messages from its Palo Alto Next Generation Firewall (NGFW) by quarantining clients involved in security incidents.
Which step must you complete to enable CPPM to process the Syslogs properly?

• A.Configure the Palo Alto as a context server on CPP
• B.Install a Palo Alto Extension through ClearPass Guest.
• C.Enable Insight and ingress event processing on the CPPM server.
• D.Configure CPPM to trust the root CA certificate for the NGF

답을 확인하기

정답:
Explanation:
To enable HPE Aruba Networking ClearPass Policy Manager (CPPM) to process Syslog messages from a Palo Alto Next Generation Firewall (NGFW) and quarantine clients involved in security incidents, you need to configure the Palo Alto as a context server on CPPM. This setup allows CPPM to receive and understand the context of the Syslog messages sent by the Palo Alto NGFW, enabling it to take appropriate actions such as quarantining clients.

Question No : 13

Which use case is fulfilled by applying a time range to a firewall rule on an AOS device?

• A.Enforcing the rule only during the specified time range
• B.Tuning the session timeout for sessions established with this rule
• C.Locking clients that violate the rule for the specified time range
• D.Setting the time range over which hit counts for the rule are aggregated

답을 확인하기

정답:
Explanation:
Applying a time range to a firewall rule on an AOS device fulfills the use case of enforcing the rule only during the specified time range. This allows administrators to control when specific firewall rules are active, which can be useful for implementing policies that only need to be in effect during certain hours, such as blocking or allowing access to specific resources outside of business hours.

Question No : 14

What is a use case for the HPE Aruba Networking ClearPass OnGuard dissolvable agent?

• A.Continuously monitoring Windows domain clients for compliance
• B.Implementing a one-time compliance scan
• C.Auto-remediating posture issues on clients
• D.Periodically scanning Linux clients for security issues

답을 확인하기

정답:
Explanation:
The use case for the HPE Aruba Networking ClearPass OnGuard dissolvable agent is implementing a one-time compliance scan. The dissolvable agent is designed to perform a compliance check without requiring a permanent installation on the client device. This is ideal for environments where a quick, temporary assessment of the device's security posture is needed without the overhead of a persistent agent.

Question No : 15

A company has HPE Aruba Networking gateways that implement gateway IDS/IPS. Admins sometimes check the Security Dashboard, but they want a faster way to discover if a gateway starts detecting threats in traffic.
What should they do?

• A.Use Syslog to integrate the gateways with HPE Aruba Networking ClearPass Policy Manager (CPPM) event processing.
• B.Integrate HPE Aruba Networking ClearPass Device Insight (CPDI) with Central and schedule hourly reports.
• C.Set up email notifications using HPE Aruba Networking Central's global alert settings.
• D.Set up Webhooks that are attached to the HPE Aruba Networking Central Threat Dashboard.

답을 확인하기

정답:
Explanation:
For a faster way to discover if a gateway starts detecting threats in traffic, admins should set up email notifications using HPE Aruba Networking Central's global alert settings. This setup ensures that the security team is promptly informed via email whenever the IDS/IPS on the gateways detects any threats, allowing for immediate investigation and response.