HP HPE7-A02 Practice Test - Questions Answers, Page 3

List of questions
Question 21

A company has HPE Aruba Networking Central-managed APs. The company wants to block all clients connected through the APs from using YouTube.
Which steps should you take?
Deploy gateways and have the APs tunnel traffic to the gateways. Then, enable the gateway IDS/IPS engine.
Enable Client IPS at the 'custom' level, and then specify the check for YouTube.
Enable WebCC on all client firewall roles. Then, create WebCC category rules that deny suspicious URLs.
Enable DPI. Then, create application rules to deny YouTube on the firewall roles.
To block all clients connected through HPE Aruba Networking Central-managed APs from accessing YouTube, you should enable DPI (Deep Packet Inspection) and then create application rules to deny YouTube on the firewall roles. DPI allows the network to inspect and classify traffic based on application signatures, making it possible to enforce application-specific policies. By creating rules that specifically block YouTube traffic, you can effectively prevent clients from accessing the service.
Question 22

What is one use case for implementing user-based tunneling (UBT) on AOS-CX switches?
Centralizing the distribution of wired traffic without requiring HPE Aruba Networking gateways
Tunneling traffic directly to a third-party firewall in a client data center
Adding 802.1X while continuing to use the existing VLAN and ACL structure in the Ethernet network
Applying enhanced security features such as deep packet inspection (DPI) to wired traffic
Implementing user-based tunneling (UBT) on AOS-CX switches is beneficial for applying enhanced security features such as deep packet inspection (DPI) to wired traffic. UBT allows the traffic from specific users or devices to be tunneled to a central controller or security appliance where advanced security policies, including DPI, can be applied. This approach ensures that even wired traffic benefits from the same level of security and inspection typically available for wireless traffic, thus enhancing overall network security.
Question 23

A company has HPE Aruba Networking APs running AOS-10 that connect to AOS-CX switches. The APs will:
. Authenticate as 802.1X supplicants to HPE Aruba Networking ClearPass Policy Manager (CPPM)
. Be assigned to the 'APs' role on the switches
. Have their traffic forwarded locally
What information do you need to help you determine the VLAN settings for the 'APs' role?
Whether the APs have static or DHCP-assigned IP addresses
Whether the switches are using local user-roles (LURs) or downloadable user-roles (DURs)
Whether the switches have established tunnels with an HPE Aruba Networking gateway
Whether the APs bridge or tunnel traffic on their SSIDs
To determine the VLAN settings for the 'APs' role on AOS-CX switches, it is crucial to know whether the APs bridge or tunnel traffic on their SSIDs. If the APs are bridging traffic, the VLAN settings on the switch need to align with the VLANs used by the SSIDs. If the APs are tunneling traffic to a controller or gateway, the VLAN settings might differ as the traffic is encapsulated and forwarded through the tunnel. Understanding this aspect ensures that the VLAN configuration on the switches correctly supports the traffic forwarding method employed by the APs.
Question 24

Your company wants to implement Tunneled EAP (TEAP).
How can you set up HPE Aruba Networking ClearPass Policy Manager (CPPM) to enforce certificated-based authentication for clients using TEAP?
For the service using TEAP, set the authentication source to an internal database.
Select a service certificate when you specify TEAP as a service's authentication method.
Create an authentication method named 'TEAP' with the type set to EAP-TLS.
Select an EAP-TLS-type authentication method for the TEAP method's inner method.
To set up HPE Aruba Networking ClearPass Policy Manager (CPPM) to enforce certificate-based authentication for clients using Tunneled EAP (TEAP), you need to select an EAP-TLS-type authentication method for TEAP's inner method. TEAP allows for a combination of certificate-based (EAP-TLS) and password-based (EAP-MSCHAPv2) authentication. By choosing EAP-TLS as the inner method, you ensure that the clients are authenticated using their certificates, thus enforcing certificate-based authentication within the TEAP framework.
Question 25

Admins have recently turned on Wireless IDS/IPS infrastructure detection at the high level on HPE Aruba Networking APs. When you check WIDS events, you see several RTS rate and CTS rate anomalies, which were triggered by neighboring APs.
What can you interpret from this event?
These neighboring APs are likely to be wireless clients that are inappropriately bridging their wired and wireless NICs; you should track down and remove them.
These neighboring APs might be hackers trying to launch a DoS, but are more likely operating normally; you should start by tuning the event thresholds.
These neighboring APs are actually rogue APs, and you should enable wireless tarpit containment on them.
These neighboring APs are actually rogue APs, and you should enable wireless de-authentication containment on them.
When Wireless IDS/IPS infrastructure detection reports RTS (Request to Send) and CTS (Clear to Send) rate anomalies triggered by neighboring APs, it is often an indication of unusual, but not necessarily malicious, behavior. These anomalies can be caused by neighboring APs operating normally but under specific conditions that trigger the alerts. Before assuming a security threat, it is recommended to tune the event thresholds to better match the environment and reduce false positives. This approach helps to distinguish between normal operations and potential DoS attacks.
Question 26

HPE Aruba Networking Central displays an alert about an Infrastructure Attack that was detected. You go to the Security > RAPIDS events and see that the attack was 'Detect adhoc using Valid SSID.'
What is one possible next step?
Question 27

A company has a variety of HPE Aruba Networking solutions, including an HPE Aruba Networking infrastructure and HPE Aruba Networking ClearPass Policy
Manager (CPPM). The company passes traffic from the corporate LAN destined to the data center through a third-party SRX firewall. The company would like to further protect itself from internal threats.
What is one solution that you can recommend?
Question 28

A company wants to apply a standard configuration to all AOS-CX switch ports and have the ports dynamically adjust their configuration based on the identity of the user or device that connects. They want to centralize configuration of the identity-based settings as much as possible.
What should you recommend?
Question 29

A company issues user certificates to domain computers using its Windows CA and the default user certificate template. You have set up HPE Aruba Networking
ClearPass Policy Manager (CPPM) to authenticate 802.1X clients with those certificates. However, during tests, you receive an error that authorization has failed because the usernames do not exist in the authentication source.
What is one way to fix this issue and enable clients to successfully authenticate with certificates?
Question 30

You need to use 'Tips:Posture' conditions within an 802.1X service's enforcement policy.
Which guideline should you follow?
Question