HPE6-A84 Exam Dumps : Aruba Certified Network Security Expert Written Exam

Alert duration and threshold settings are used to control how often and under what conditions email notifications are sent for gateway IDS/IPS events 1. By adjusting these settings, the customer can reduce the frequency of repeat email notifications for the same threat, while still being informed of any critical or new threats.

To adjust the alert duration and threshold settings in Aruba Central, the customer can follow these steps 1:

• In the Aruba Central app, set the filter to Global, a group, or a device.
• Under Analyze, click Alerts & Events.
• Click the Config icon to open the Alert Severities & Notifications page.
• Select the Gateway IDS/IPS tab to view the alert categories and severities for gateway IDS/IPS events.
• Click on an alert category to expand it and view the alert duration and threshold settings for each severity level.
• Enter a value in minutes for the alert duration. This is the time period during which the alert is active and email notifications are sent.
• Enter a value for the alert threshold. This is the number of times the alert must be triggered within the alert duration before an email notification is sent.
• Click Save.

By increasing the alert duration and/or threshold values, the customer can reduce the number of email notifications for recurring threats, as they will only be sent when the threshold is reached within the duration. For example, if the customer sets the alert duration to 60 minutes and the alert threshold to 10 for a Critical severity level, then an email notification will only be sent if the same threat occurs 10 times or more within an hour.

The exhibit shows a screenshot of a Malwarebytes alert that indicates that a website was blocked due to compromise. The alert contains the following information:

• The type of protection: Web Protection
• The website that was blocked: 10.254.1.21
• The port that was used: 80
• The process that initiated the connection: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
• The IP address of the device that initiated the connection: 10.1.26.151

The IP address of the device that initiated the connection is the one that should be recorded as a possibly compromised client, as it indicates that the device tried to access a malicious website that could infect it with malware or steal its data. In this case, the IP address of the possibly compromised client is 10.1.26.151.

Auto-site clustering is a feature that allows gateways in the same site and group to form a cluster automatically. However, this mode does not support VRRP IP addresses, which are required for dynamic authorization (CoA) from ClearPass Policy Manager (CPPM) to the gateways. Dynamic authorization is a mechanism that allows CPPM to change the attributes or status of a client session on the gateways without requiring re-authentication. This is useful for applying policies, roles, or bandwidth limits based on various conditions. Without VRRP IP addresses, CPPM would not be able to send CoA messages to the correct gateway in case of a failover event, resulting in inconsistent or incorrect client behavior.

To enable VRRP IP addresses for dynamic authorization, you need to set up gateway clusters manually and assign a VRRP VLAN and a VRRP IP address to each cluster. This way, CPPM can use the VRRP IP address as the NAS IP address for RADIUS communications and CoA messages. The VRRP IP address will remain the same even if the active gateway in the cluster changes due to a failover event, ensuring seamless operations. You can find more information about how to set up gateway clusters manually and configure VRRP IP addresses in the Gateway Cluster Deployment - Aruba page and the ClearPass Policy Manager User Guide1.