From which solution can ClearPass Policy Manager (CPPM) receive detailed information about client device type, OS, and status?
Correct Answer: C
ClearPass Policy Manager (CPPM) can receive detailed information about client device type, OS, and status from ClearPass OnGuard. ClearPass OnGuard is part of the ClearPass suite and provides posture assessment and endpoint health checks. It gathers detailed information on the status and security posture of devices trying to connect to the network, such as whether antivirus software is up to date, which operating system is running, and other details that characterize the device's compliance with the network's security policies. References: Aruba ClearPass product documentation that details the capabilities of ClearPass OnGuard. Network security resources that describe endpoint health checks and the importance of device posture assessment for access control.
Question 87
Refer to the exhibit. A client is connected to an ArubaOS Mobility Controller. The exhibit shows all four firewall rules that apply to this client. What correctly describes how the controller treats HTTPS packets to these two IP addresses, both of which are on the other side of the firewall: 10.1.10.10 and 203.0.13.5?
Correct Answer: C
Question 88
A client is connected to a Mobility Controller (MC). These firewall rules apply to this client's role:
ipv4 any any svc-dhcp permit
ipv4 user 10.5.5.20 svc-dns permit
ipv4 user 10.1.5.0 255.255.255.0 https permit
ipv4 user 10.1.0.0 255.255.0.0 https deny_opt
ipv4 user any any permit
What correctly describes how the controller treats HTTPS packets to these two IP addresses, both of which are on the other side of the firewall: 10.1.20.1 and 10.5.5.20?
Correct Answer: D
In an HPE Aruba Networking AOS-8 Mobility Controller (MC), firewall rules are applied based on the user role assigned to a client. The rules are evaluated in order, and the first matching rule determines the action (permit or deny) for the packet. The client's role has the following firewall rules:
ipv4 any any svc-dhcp permit: Permits DHCP traffic (UDP ports 67 and 68) from any source to any destination.
ipv4 user 10.5.5.20 svc-dns permit: Permits DNS traffic (UDP port 53) from the user to the IP address 10.5.5.20.
ipv4 user 10.1.5.0 255.255.255.0 https permit: Permits HTTPS traffic (TCP port 443) from the user to the subnet 10.1.5.0/24.
ipv4 user 10.1.0.0 255.255.0.0 https deny_opt: Denies HTTPS traffic from the user to the subnet 10.1.0.0/16, with the deny_opt action (which typically means deny with an optimized action, such as dropping the packet without logging).
ipv4 user any any permit: Permits all other traffic from the user to any destination.
The question asks how the MC treats HTTPS packets (TCP port 443) to two IP addresses: 10.1.20.1 and 10.5.5.20.
HTTPS packet to 10.1.20.1:
Rule 1: Does not match (traffic is HTTPS, not DHCP).
Rule 2: Does not match (destination is 10.1.20.1, not 10.5.5.20; traffic is HTTPS, not DNS).
Rule 3: Does not match (destination 10.1.20.1 is not in the subnet 10.1.5.0/24).
Rule 4: Matches (destination 10.1.20.1 is in the subnet 10.1.0.0/16, and traffic is HTTPS). The action is deny_opt, so the packet is denied.
HTTPS packet to 10.5.5.20:
Rule 1: Does not match (traffic is HTTPS, not DHCP).
Rule 2: Does not match (traffic is HTTPS, not DNS).
Rule 3: Does not match (destination 10.5.5.20 is not in the subnet 10.1.5.0/24).
Rule 4: Does not match (destination 10.5.5.20 is not in the subnet 10.1.0.0/16).
Rule 5: Matches (catches all other traffic). The action is permit, so the packet is permitted.
Therefore, the HTTPS packet to 10.1.20.1 is denied, and the HTTPS packet to 10.5.5.20 is permitted.
Option A, "Both packets are denied," is incorrect because the packet to 10.5.5.20 is permitted. Option B, "The first packet is permitted, and the second is denied," is incorrect because the packet to 10.1.20.1 (first) is denied, and the packet to 10.5.5.20 (second) is permitted. Option C, "Both packets are permitted," is incorrect because the packet to 10.1.20.1 is denied. Option D, "The first packet is denied, and the second is permitted," is correct based on the rule evaluation. The HPE Aruba Networking AOS-8 8.11 User Guide states: "Firewall policies on the Mobility Controller are evaluated in order, and the first matching rule determines the action for the packet. For example, a rule such as ipv4 user 10.1.0.0 255.255.0.0 https deny_opt will deny HTTPS traffic to the specified subnet, while a subsequent rule like ipv4 user any any permit will permit all other traffic that does not match earlier rules. The 'user' keyword in the rule refers to the client's IP address, and the rules are applied to traffic initiated by the client." (Page 325, Firewall Policies Section) Additionally, the guide notes: "The deny_opt action in a firewall rule drops the packet without logging, optimizing performance for high-volume traffic. Rules are processed sequentially, and only the first matching rule is applied." (Page 326, Firewall Actions Section) References: HPE Aruba Networking AOS-8 8.11 User Guide, Firewall Policies Section, Page 325. HPE Aruba Networking AOS-8 8.11 User Guide, Firewall Actions Section, Page 326.
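The first-match evaluation walked through above, as an added example that is not part of the original question material: a small Python model of an ordered role firewall that parses the five rules exactly as written in the question and reports which rule a packet hits. The service-to-port mapping and the treatment of a packet that matches no rule are assumptions made here, not taken from the question.

```python
import ipaddress

# Constructed example: the five rules from Question 88, in the order they apply.
RULES_TEXT = [
    "ipv4 any any svc-dhcp permit",
    "ipv4 user 10.5.5.20 svc-dns permit",
    "ipv4 user 10.1.5.0 255.255.255.0 https permit",
    "ipv4 user 10.1.0.0 255.255.0.0 https deny_opt",
    "ipv4 user any any permit",
]

# Assumed service definitions: (protocol, destination ports); None matches anything.
SERVICES = {
    "svc-dhcp": ("udp", {67, 68}),
    "svc-dns": ("udp", {53}),
    "https": ("tcp", {443}),
    "any": None,
}

def parse_rule(text):
    """Parse 'ipv4 <src> <dst> [mask] <service> <action>' into a tuple.
    'user' as source means the client's own address; since this model only
    evaluates traffic sent by that one client, the source is stored, not matched."""
    tokens = text.split()
    assert tokens.pop(0) == "ipv4"
    src = tokens.pop(0)
    if tokens[0] == "any":
        tokens.pop(0)
        dst = None                     # any destination
    else:
        ip = tokens.pop(0)
        if tokens[0].count(".") == 3:  # a dotted mask follows: network rule
            dst = ipaddress.ip_network(f"{ip}/{tokens.pop(0)}", strict=False)
        else:                          # single host
            dst = ipaddress.ip_network(f"{ip}/32")
    service, action = tokens[0], tokens[1]
    return (src, dst, service, action)

RULES = [parse_rule(r) for r in RULES_TEXT]

def evaluate(rules, proto, dst_ip, dst_port):
    """Return (rule_number, action) of the first matching rule.
    A packet matching no rule is reported as 'no-match' (assumption: the model
    does not claim what the controller's end-of-policy behaviour is)."""
    dst = ipaddress.ip_address(dst_ip)
    for number, (_src, net, service, action) in enumerate(rules, start=1):
        if net is not None and dst not in net:
            continue
        svc = SERVICES[service]
        if svc is not None and (proto != svc[0] or dst_port not in svc[1]):
            continue
        return (number, action)
    return (None, "no-match")

def decide_https(dst_ip):
    """Decision for an HTTPS (TCP/443) packet from the client to dst_ip."""
    return evaluate(RULES, "tcp", dst_ip, 443)
```

Running decide_https on the two question addresses reproduces the walk-through: 10.1.20.1 stops at rule 4 (deny_opt) and 10.5.5.20 falls through to rule 5 (permit).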
Question 89
Your Aruba Mobility Master-based solution has detected a rogue AP. Among other information, the ArubaOS Detected Radios page lists this information for the AP:
SSID = PublicWiFi
BSSID = a8M27 12 34:56
Match method = Exact match
Match type = Eth-GW-wired-Mac-Table
The security team asks you to explain why this AP is classified as a rogue. What should you explain?
Correct Answer: A
The AP is classified as a rogue because it is connected to your LAN and is transmitting wireless traffic with your network's default gateway's MAC address as a source MAC. In this scenario, 'Match method = Exact match' and 'Match type = Eth-GW-wired-Mac-Table' indicate that the rogue AP has been detected by matching the Ethernet gateway's MAC address, which is on the wired network, implying that the rogue AP is connected to the corporate LAN. Since the AP does not belong to the company, its presence on the network is unauthorized and it is thus classified as a rogue AP. References: ArubaOS documentation on rogue AP detection and classification. Wireless security best practices that explain how the presence of unauthorized APs on the LAN constitutes a security threat.
Question 90
A company has an Aruba solution with a Mobility Master (MM), Mobility Controllers (MCs), and campus APs. What is one benefit of adding Aruba AirWave from the perspective of forensics?
Correct Answer: B
Adding Aruba AirWave to an Aruba solution that includes a Mobility Master (MM), Mobility Controllers (MCs), and campus APs offers several benefits, notably in the realm of network forensics. One of the significant advantages is that AirWave can retain detailed information about the network for much longer periods than is typically possible with ArubaOS alone. This extended data retention is crucial for forensic analysis, allowing network administrators and security professionals to conduct thorough investigations of past incidents. With access to historical data, professionals can identify trends, pinpoint security breaches, and understand the impact of specific changes or events within the network over time. References: Aruba's official product documentation and user guides for AirWave and ArubaOS, which outline features, benefits, and use cases related to network management and forensic capabilities. Industry case studies and whitepapers that discuss the implementation and advantages of integrating AirWave into existing network infrastructure for enhanced monitoring and security.