HPE6-A84 Exam Dumps : Aruba Certified Network Security Expert Written Exam

The correct answer is D. Enabling alerts and email notifications for events related to gateway IPS engine utilization and errors.

Gateway IDS/IPS is a feature that allows the Aruba gateways to monitor and block malicious or unwanted traffic based on predefined or custom rules 1. The Fail Strategy is a setting that determines how the gateways handle traffic when the IPS engine fails or crashes 2. The Block option means that the gateways will stop forwarding traffic until the IPS engine recovers, while the Bypass option means that the gateways will continue forwarding traffic without inspection 2.

The Block option provides more security, but it also increases the risk of network outages if the IPS engine fails frequently or for a long time 2. To minimize this risk, it is recommended to enable alerts and email notifications for events related to gateway IPS engine utilization and errors 3. This way, the network administrators can be informed of any issues with the IPS engine and take appropriate actions to restore or troubleshoot it 3.

The other options are not correct or relevant for this issue:

• Option A is not correct because configuring a relatively high threshold for the gateway threat count alerts would not help minimize unexpected outages caused by using the Block option. The gateway threat count alerts are used to notify the network administrators of the number of threats detected by the IPS engine, but they do not affect how the gateways handle traffic when the IPS engine fails 4.
• Option B is not correct because making sure that the gateways have formed a cluster and operate in default gateway mode would not help minimize unexpected outages caused by using the Block option. The gateway cluster mode is used to provide high availability and load balancing for the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails . The default gateway mode is used to enable routing and NAT functions on the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails .
• Option C is not correct because setting the IDS or IPS policy to the least restrictive option, Lenient, would not help minimize unexpected outages caused by using the Block option. The IDS or IPS policy is used to define what rules are applied by the IPS engine to inspect and block traffic, but it does not affect how the gateways handle traffic when the IPS engine fails 2. The Lenient option contains fewer and older rules than the Moderate or Strict options, which means that it provides less security and more false negatives .

According to the ClearPass Policy Manager User Guide1, userAccountControl is a custom attribute in Active Directory that contains a set of flags that define the properties and behavior of user accounts. One of these flags is ACCOUNTDISABLE, which indicates whether the account is disabled or not. By adding this attribute to the filters in the AD authentication source, CPPM can retrieve this attribute for each user and use it as a condition in the enforcement policies to prevent users with disabled accounts from connecting even if they have valid certificates. Therefore, option C is the correct answer.

 This is because an Endpoint Context Server (ECS) is a feature that allows ClearPass to receive contextual information from external sources, such as Aruba Central, and use it for policy enforcement and reporting. An ECS can be configured to point to the Aruba Central API and fetch data such as device type, category, OS, applications, traffic flows, etc.

An ECS can be used to communicate the information that an IoT client has used SSH to Aruba ClearPass Policy Manager (CPPM). The ECS can query the Aruba Central API and retrieve the network traffic flows of the wireless IoT devices that are categorized as “Raspberry Pi” clients. The ECS can then filter the traffic flows by the SSH protocol and send the relevant information to CPPM. CPPM can then use this information for policy decisions, such as allowing or denying SSH access, or triggering alerts or actions.

B. On CPPM enable Device Insight integration. This is not a valid step because Device Insight is a feature that allows ClearPass to discover, profile, and fingerprint devices on the network using deep packet inspection (DPI) and machine learning (ML). Device Insight does not communicate with Aruba Central or receive information from it. Moreover, Device Insight might not be able to detect SSH traffic on encrypted wireless IoT devices without decrypting it first.

C. On Central configure APs and gateways to use CPPM as the RADIUS accounting server. This is not a valid step because RADIUS accounting is a feature that allows network devices to send periodic updates about the status and activity of authenticated users or devices to a RADIUS server, such as CPPM. RADIUS accounting does not communicate with Aruba Central or receive information from it. Moreover, RADIUS accounting might not be able to capture SSH traffic on wireless IoT devices without inspecting it first.

D. On Central set up CPPM as a Webhook application. This is not a valid step because Webhook is a feature that allows Aruba Central to send notifications or events to external applications or services using HTTP requests. Webhook does not communicate with CPPM or send information to it. Moreover, Webhook might not be able to send SSH traffic information on wireless IoT devices without filtering it first.