HP Exam HPE6-A84 Topic 8 Question 13 Discussion

Actual exam question for HP's HPE6-A84 exam
Question #: 13
Topic #: 8

You are designing an Aruba ClearPass Policy Manager (CPPM) solution for a customer. You learn that the customer has a Palo Alto firewall that filters traffic between clients in the campus and the data center.

Which integration can you suggest?

Suggested Answer: B

This is because SNMPv3 is a secure version of SNMP that provides authentication, encryption, and access control for network management. SNMPv3-only is a configuration option on AOS-CX switches that disables SNMPv1 and SNMPv2c, which are insecure versions of SNMP that use plain text community strings for authentication. By setting the snmp-server settings to "snmpv3-only", the switch will only respond to SNMPv3 requests and reject any SNMPv1 or SNMPv2c requests, thus remedying the vulnerability and meeting the customer's requirements.

A) Enabling control plane policing to automatically drop SNMP GET requests. This is not a valid recommendation because control plane policing is a feature that protects the switch from denial-of-service (DoS) attacks by limiting the rate of traffic sent to the CPU. Control plane policing does not disable SNMPv1 or SNMPv2c, but rather applies a rate limit to all SNMP requests, regardless of the version. Moreover, control plane policing might also drop legitimate SNMP requests if they exceed the rate limit, which could affect the network management.

C) Adding an SNMP community with a long random name. This is not a valid recommendation because an SNMP community is a shared secret that acts as a password for accessing network devices using SNMPv1 or SNMPv2c. Adding an SNMP community with a long random name does not disable SNMPv1 or SNMPv2c, but rather creates another community string that can be used for authentication. Moreover, adding an SNMP community with a long random name does not improve the security of SNMPv1 or SNMPv2c, as the community string is still transmitted in plain text and can be intercepted by an attacker.

D) Enabling SNMPv3, which implicitly disables SNMPv1/v2. This is not a valid recommendation because enabling SNMPv3 does not implicitly disable SNMPv1 or SNMPv2c on AOS-CX switches. Enabling SNMPv3 only adds support for the secure version of SNMP, but does not remove support for the insecure versions. Therefore, enabling SNMPv3 alone does not remedy the vulnerability or meet the customer's requirements.


Contribute your Thoughts:

Gail
1 month ago
I wonder if the firewall has a built-in feature to shoot laser beams at misbehaving clients. That would be a much more entertaining solution than just changing their authentication status.
upvoted 0 times
Dulce
10 days ago
B) Importing clients' MAC addresses to configure known clients for MAC authentication more quickly
upvoted 0 times
...
Domingo
17 days ago
A) Sending Syslogs from the firewall to CPPM to signal CPPM to change the authentication status for misbehaving clients
upvoted 0 times
...
...
Kris
1 month ago
Importing firewall rules to program user roles on AOS-CX switches? That's some next-level integration! I bet the network admin can't wait to automate all that tedious configuration work.
upvoted 0 times
Jamika
3 days ago
B) Importing clients' MAC addresses to configure known clients for MAC authentication more quickly
upvoted 0 times
...
Ceola
28 days ago
A) Sending Syslogs from the firewall to CPPM to signal CPPM to change the authentication status for misbehaving clients
upvoted 0 times
...
...
Bulah
1 month ago
A double layer of authentication? Sounds like a security professional's dream come true! The client's gonna love the extra layer of protection, even if it means more hassle for them.
upvoted 0 times
...
Zona
1 month ago
Importing MAC addresses to speed up MAC authentication? That's a no-brainer! Why waste time manually configuring known clients when you can just import the list?
upvoted 0 times
Dalene
1 day ago
C) Establishing a double layer of authentication at both the campus edge and the data center DMZ
upvoted 0 times
...
Ernest
8 days ago
B) Importing clients' MAC addresses to configure known clients for MAC authentication more quickly
upvoted 0 times
...
Tyra
21 days ago
A) Sending Syslogs from the firewall to CPPM to signal CPPM to change the authentication status for misbehaving clients
upvoted 0 times
...
...
Lennie
1 month ago
Sending Syslogs from the firewall to CPPM seems like a smart move to dynamically update the authentication status. It could help catch misbehaving clients in real-time.
upvoted 0 times
...
Delsie
2 months ago
But option A would help in quickly identifying and addressing misbehaving clients.
upvoted 0 times
...
Estrella
2 months ago
I disagree, I believe option C would provide better security for the network.
upvoted 0 times
...
Delsie
2 months ago
I think option A is the best integration for this scenario.
upvoted 0 times
...
