ExamsBrite Dumps

Aruba Certified Network Security Professional Exam Questions and Answers

Last Update Nov 30, 2025
Total Questions : 135

Exam code: HPE7-A02

Questions 1

You have set up a mirroring session between an AOS-CX switch and a management station, running Wireshark. You want to capture just the traffic sent in the mirroring session, not the management station's other traffic.

What should you do?

Options:

A. Apply this capture filter: ip proto 47

B. Edit protocol preferences and enable ARUBA_ERM.

C. Edit protocol preferences and enable HPE_ERM.

D. Apply this capture filter: udp port 5555

Questions 2

Your company wants to implement Tunneled EAP (TEAP).

How can you set up HPE Aruba Networking ClearPass Policy Manager (CPPM) to enforce certificate-based authentication for clients using TEAP?

Options:

A. For the service using TEAP, set the authentication source to an internal database.

B. Select a service certificate when you specify TEAP as a service's authentication method.

C. Create an authentication method named "TEAP" with the type set to EAP-TLS.

D. Select an EAP-TLS-type authentication method for the TEAP method's inner method.

Questions 3

As part of setting up an HPE Aruba Networking ClearPass Onboard solution for wireless clients, you created Network Settings, a Configuration Profile, and a Provisioning Settings object in ClearPass Onboard. You also ran the ClearPass Onboard Service Only Template on ClearPass Policy Manager (CPPM).

You now need to ensure that only domain users are authenticated and allowed to log into the ClearPass Onboard portal.

Which component should you edit?

Options:

A. The Network Settings on ClearPass Onboard

B. The ClearPass Onboard Service Pre-Auth service on CPPM

C. The 802.1X services on CPPM used for wireless clients

D. The Provisioning profile on ClearPass Onboard

Questions 4

A company wants to apply a standard configuration to all AOS-CX switch ports and have the ports dynamically adjust their configuration based on the identity of the user or device that connects. They want to centralize configuration of the identity-based settings as much as possible.

What should you recommend?

Options:

A. Having HPE Aruba Networking ClearPass Policy Manager (CPPM) send standard RADIUS AVPs to customize port settings

B. Having switches pull port configurations dynamically from HPE Aruba Networking Activate

C. Having switches download user-roles from HPE Aruba Networking gateways

D. Having switches download user-roles from HPE Aruba Networking ClearPass Policy Manager (CPPM)

Questions 5

An admin has configured an AOS-CX switch with these settings:

    port-access role employees
        vlan access name employees

This switch is also configured with CPPM as its RADIUS server.

Which enforcement profile should you configure on CPPM to work with this configuration?

Options:

A. RADIUS Enforcement type with HPE-User-Role VSA set to "employees"

B. HPE Aruba Networking Downloadable Role Enforcement type with role name set to "employees"

C. HPE Aruba Networking Downloadable Role Enforcement type with gateway role name set to "employees"

D. RADIUS Enforcement type with Aruba-User-Role VSA set to "employees"

Questions 6

A company wants you to create a custom device fingerprint on CPPM with rules for profiling a group of specialized devices. What is one requirement?

Options:

A. Connecting a known device of this type and getting it discovered in CPPM's Endpoints Repository.

B. Enabling HPE Aruba Networking ClearPass Device Insight integration with the correct Data Collector token.

C. Pre-defining the desired attributes and rules in an XML format file.

D. Disabling the "Automatically download Endpoint Profiler Fingerprints" feature in cluster-wide parameters.

Questions 7

A company has HPE Aruba Networking Central-managed APs. The company wants to block all clients connected through the APs from using YouTube.

Which steps should you take?

Options:

A. Deploy gateways and have the APs tunnel traffic to the gateways. Then, enable the gateway IDS/IPS engine.

B. Enable Client IPS at the "custom" level, and then specify the check for YouTube.

C. Enable WebCC on all client firewall roles. Then, create WebCC category rules that deny suspicious URLs.

D. Enable DPI. Then, create application rules to deny YouTube on the firewall roles.

Questions 8

Refer to Exhibit.

A company is using HPE Aruba Networking ClearPass Device Insight (CPDI) (the standalone application). In the CPDI interface, you go to the Generic Devices page and see the view shown in the exhibit.

What correctly describes what you see?

Options:

A. Each cluster is a group of unclassified devices that CPDI's machine learning has discovered to have similar attributes.

B. Each cluster is a group of devices that match one of the tags configured by admins.

C. Each cluster is all the devices that have been assigned to the same category by one of CPDI's built-in system rules.

D. Each cluster is a group of devices that have been classified with user rules, but for which CPDI offers different recommendations.

Questions 9

A company has an HPE Aruba Networking ClearPass cluster with several servers. ClearPass Policy Manager (CPPM) is set up to:

• Update client attributes based on Syslog messages from third-party appliances
• Have the clients reauthenticate and apply new profiles to the clients based on the updates

To ensure that the correct profiles apply, what is one step you should take?

Options:

A. Configure a CoA action for all tag updates in the ClearPass Device Insight integration settings.

B. Tune the CoA delay on the ClearPass servers to a value of 5 seconds or greater.

C. Set the cluster's Endpoint Context Servers polling interval to a value of 5 seconds or less.

D. Configure the cluster to periodically clean up (delete) unknown endpoints.

Questions 10

What role can Internet Key Exchange (IKE)/IKEv2 play in an HPE Aruba Networking client-to-site VPN?

Options:

A. It provides an alternative to IPsec that is suitable for legacy clients.

B. It provides a more modern and secure alternative to IPsec.

C. It helps to negotiate the IPsec SA automatically and securely.

D. It helps remote clients download IPsec profiles for later use.

Questions 11

A company uses HPE Aruba Networking ClearPass Policy Manager (CPPM) and HPE Aruba Networking ClearPass Device Insight (CPDI) and has integrated the two. CPDI admins have created a tag. CPPM admins have created rules that use that tag in the wired 802.1X and wireless 802.1X services' enforcement policies.

The company requires CPPM to apply the tag-based rules to a client directly after it learns that the client has that tag.

What is one of the settings that you should verify on CPPM?

Options:

A. The "Device Sync" setting is set to 1 in the ClearPass Device Insight Integration settings.

B. Both 802.1X services have the "Profile Endpoints" option enabled and an appropriate CoA profile selected in the Profiler tab.

C. Both 802.1X services have the "Use cached Role and Posture attributes from the previous sessions" setting.

D. The "Polling Interval" is set to 1 in the ClearPass Device Insight Integration settings.

Questions 12

A company has AOS-CX switches and HPE Aruba Networking APs, which run AOS-10 and bridge their SSIDs. Company security policies require 802.1X on all edge ports, some of which connect to APs. How should you configure the auth-mode on AOS-CX switches?

Options:

A. Leave all edge ports in client auth-mode and configure device auth-mode in the AP role.

B. Configure all edge ports in client auth-mode.

C. Configure all edge ports in device auth-mode.

D. Leave all edge ports in device auth-mode and configure client auth-mode in the AP role.

Questions 13

A company uses HPE Aruba Networking ClearPass Policy Manager (CPPM) as a TACACS+ server to authenticate managers on its AOS-CX switches. The company wants CPPM to control which commands managers are allowed to enter.

Which service must you add to the managers' TACACS+ enforcement profile?

Options:

A. Cpass:HTTP

B. Shell

C. ARAP

D. Aruba:Common

Questions 14

Refer to the Exhibit:

These packets have been captured from VLAN 10, which supports clients that receive their IP addresses with DHCP.

What can you interpret from the packets that you see here?

Options:

A. Someone is possibly implementing a MAC spoofing attack to gain unauthorized access.

B. The mirroring session that captured the packets was likely misconfigured and captured duplicate traffic.

C. An admin has likely misconfigured two clients to use the same DHCP settings.

D. Someone is possibly implementing an ARP poisoning and MITM attack.

Questions 15

A company has HPE Aruba Networking APs and AOS-CX switches, as well as HPE Aruba Networking ClearPass. The company wants CPPM to have HTTP User-Agent strings to use in profiling devices.

What can you do to support these requirements?

Options:

A. Add the CPPM server's IP address to the IP helper list in all client VLANs on routing switches.

B. Schedule periodic subnet scans of all client subnets on CPPM.

C. Configure mirror sessions on the APs and switches to copy client HTTP traffic to CPPM.

D. On the APs and switches, configure a redirect to ClearPass Guest in the role for devices being profiled.

Questions 16

A company has been running Gateway IDS/IPS on its gateways in IDS mode for several weeks. The company wants to transition to IPS mode.

What is one step you should recommend?

Options:

A. Disable traffic inspection and reboot before re-enabling traffic inspection with the new mode.

B. Change the mode on one gateway at a time to establish a smoother transition period.

C. Consider applying a stricter IPS policy to minimize issues during the transition period.

D. Check for legitimate traffic that has been flagged as a threat and allow list the associated rules.

Questions 17

You are setting up an HPE Aruba Networking VIA solution for a company. You have already created a VPN pool with IP addresses for the remote clients. During tests, however, the clients do not receive IP addresses from that pool.

What is one setting to check?

Options:

A. That the pool uses valid, public IP addresses that are assigned to the company

B. That the pool is associated with the role to which the VIA clients are being assigned

C. That the pool uses an IP subnet that is different from any subnet configured on the VPNC

D. That the pool is referenced in the clients' VIA Connection Profile

Questions 18

The exhibit shows the 802.1X-related settings for Windows domain clients. What should admins change to make the settings follow best security practices?

Options:

A. Specify at least two server names under the "Connect to these servers" field.

B. Select the desired Trusted Root Certificate Authority and select the check box next to "Don't prompt users."

C. Under the "Connect to these servers" field, use a wildcard in the server name.

D. Clear the check box for using simple certificate selection and select the desired certificate manually.

Questions 19

A company has HPE Aruba Networking infrastructure devices. The devices authenticate clients to HPE Aruba Networking ClearPass Policy Manager (CPPM). You want CPPM to track information about clients, such as their IP addresses and their network bandwidth utilization. What should you set up on the network infrastructure devices to help that happen?

Options:

A. Logging with CPPM configured as a Syslog server.

B. Dynamic authorization enabled in the RADIUS settings for CPPM.

C. RADIUS accounting to CPPM, including interim updates.

D. An IF-MAP interface with CPPM as the destination.

Questions 20

A company is using HPE Aruba Networking ClearPass Device Insight (CPDI) (the standalone application). You have identified a device, which is currently classified as one type, but you want to classify it as a custom type. You also want to classify all devices with similar attributes as this type, both already-discovered devices and new devices discovered later.

What should you do?

Options:

A. Create a user tag from the Generic Devices page, select the desired attributes for the tag, and save the tag.

B. In the device details, select reclassify, create a user rule based on its attributes, and choose "Save & Reclassify."

C. In the device details, select filter, create a user tag based on the device attributes, and save the tag.

D. Create a user rule from the Generic Devices page, select the desired attributes for the rule, and choose "Save."

Questions 21

HPE Aruba Networking Central displays a Gateway Threat Count alert in the alert list. How can you gather more information about what caused the alert to trigger?

Options:

A. Use HPE Aruba Networking Central tools to run a Network Check on the gateway with which the alert is associated.

B. Use Live Monitoring on the gateway to download a packet capture of recent traffic flowing through the gateway.

C. Check the threat list for the gateway associated with the alert. Access threat details and download packet info.

D. Check the gateway's Audit Trail in HPE Aruba Networking Central for more details about the threats that triggered the alert.

Questions 22

All of the switches in the exhibit are AOS-CX switches.

What is the preferred configuration on Switch-2 for preventing rogue OSPF routers in this network?

Options:

A. Disable OSPF entirely on VLANs 10-19.

B. Configure OSPF authentication on VLANs 10-19 in password mode.

C. Configure OSPF authentication on Lag 1 in MD5 mode.

D. Configure passive-interface as the OSPF default and disable OSPF passive on Lag 1.

Questions 23

You have downloaded a packet capture that you generated on HPE Aruba Networking Central. When you open the capture in Wireshark, you see the output shown in the exhibit.

What should you do in Wireshark so that you can better interpret the packets?

Options:

A. Choose to decode UDP port 5555 packets as ARUBA_ERM and set the Aruba ERM Type to 0.

B. Edit preferences for IEEE 802.11 and choose to ignore the Protection bit with IV.

C. Apply the following display filter: wlan.fc.type == 1.

D. Edit the Enabled Protocols and make sure that 802.11, GRE, and Aruba_ERM are enabled.

Questions 24

A company wants to turn on Wireless IDS/IPS infrastructure and client detection at the high level on HPE Aruba Networking APs. The company does not want to enable any prevention settings.

What should you explain about HPE Aruba Networking recommendations?

Options:

A. HPE Aruba Networking recommends turning on both wired and wireless prevention whenever you enable detection at high.

B. HPE Aruba Networking recommends using hybrid AP mode, as opposed to Air Monitors (AMs), when implementing detection without prevention.

C. HPE Aruba Networking recommends disabling client detection when you configure infrastructure detection at high, as infrastructure detection includes all the client checks and more.

D. HPE Aruba Networking recommends configuring infrastructure and client detection at a custom level and disabling or tuning some of the settings that are likely to produce false positives.

Questions 25

A company wants to implement Virtual Network based Tunneling (VNBT) on a particular group of users and assign those users to an overlay network with VNI 3000.

Assume that an AOS-CX switch is already set up to:

• Implement 802.1X to HPE Aruba Networking ClearPass Policy Manager (CPPM)
• Participate in an EVPN VXLAN solution that includes VNI 3000

Which setting should you configure in the users' AOS-CX role to apply VNBT to them when they connect?

Options:

A. Gateway zone set to "3000" with no gateway role set

B. Gateway zone set to "vni-3000" with no gateway role set

C. Access VLAN set to the VLAN mapped to VNI 3000

D. Access VLAN ID set to "3000"

Questions 26

A company already uses HPE Aruba Networking ClearPass Policy Manager (CPPM) as the RADIUS server for authenticating wireless clients with 802.1X. Now you are setting up 802.1X on AOS-CX switches to authenticate many of those same clients on wired connections. You decide to copy CPPM's wireless 802.1X service and then edit it with a new name and enforcement policy. What else must you change for authentication to work properly?

Options:

A. Role mapping policy

B. Authentication methods

C. Authentication source

D. Service rules

Questions 27

A company wants HPE Aruba Networking ClearPass Policy Manager (CPPM) to respond to Syslog messages from its Palo Alto Next Generation Firewall (NGFW) by quarantining clients involved in security incidents.

Which step must you complete to enable CPPM to process the Syslogs properly?

Options:

A. Configure the Palo Alto as a context server on CPPM.

B. Install a Palo Alto Extension through ClearPass Guest.

C. Enable Insight and ingress event processing on the CPPM server.

D. Configure CPPM to trust the root CA certificate for the NGFW.

Questions 28

A company is implementing a client-to-site VPN based on tunnel-mode IPsec.

Which devices are responsible for the IPsec encapsulation?

Options:

A. Gateways at the remote clients' locations and devices accessed by the clients at the main site

B. The remote clients and devices accessed by the clients at the main site

C. The remote clients and a gateway at the main site

D. Gateways at the remote clients' locations and a gateway at the main site

Questions 29

A company wants to use the HPE Aruba Networking ClearPass OnGuard agent to assign posture to clients.

How do you define the conditions by which a client receives a particular posture?

Options:

A. Create rules within a posture policy

B. Create rules within a WebAuth enforcement policy

C. Create the rules directly in a service’s Enforcement tab

D. Create rules directly in a service’s Posture tab

Questions 30

An AOS-CX switch has this admin user account configured on it:

netadmin in the operators group.

You have configured these commands on an AOS-CX switch:

tacacs-server host cp.example.com key plaintext &12xl,powmay7855

aaa authentication login ssh group tacacs local

aaa authentication allow-fail-through

A user accesses the switch with SSH and logs in as netadmin with the correct password. When the switch sends a TACACS+ request to the ClearPass server at cp.example.com, the server does not send a response. Authentication times out.

What happens?

Options:

A. The user is logged in and granted operator access.

B. The user is logged in and allowed to enter auditor commands only.

C. The user is logged in and granted administrators access.

D. The user is not allowed to log in.

Questions 31

You are proposing HPE Aruba Networking ZTNA to an organization that currently uses a third-party, IPsec-based client-to-site VPN.

What is one advantage of ZTNA that you should emphasize?

Options:

A. ZTNA improves security for SaaS applications, which now make up the majority of remote user traffic.

B. ZTNA offers no greater security than the current solution, but it makes it much easier for admins to create and maintain consistent policies.

C. ZTNA is specifically designed to enhance security for Internet of Things (IoT) devices, which traditional client-to-site VPNs cannot address.

D. ZTNA shrinks the attack surface, eliminating publicly exposed ports and reducing the extent of the private network exposed to remote users.

Questions 32

You are using Wireshark to view packets captured from HPE Aruba Networking infrastructure, but you’re not sure that the packets are displaying correctly. In which circumstance does it make sense to configure Wireshark to ignore protection bits with the IV for the 802.11 protocol?

Options:

A. When the traffic was captured on the data plane of an HPE Aruba Networking gateway and sent to a remote IP.

B. When the traffic was mirrored from an AOS-CX switch port connected to an AP.

C. When the traffic was captured from an AP with HPE Aruba Networking Central.

D. When the traffic was captured on the control plane of an HPE Aruba Networking MC and sent to a remote IP.

Questions 33

A company has wired VoIP phones, which transmit tagged traffic and connect to AOS-CX switches. The company wants to tunnel the phones' traffic to an HPE Aruba Networking gateway for applying security policies.

What is part of the correct configuration on the AOS-CX switches?

Options:

A. UBT mode set to VLAN extend

B. A VXLAN VNI mapped to the VLAN assigned to the VoIP phones

C. VLANs assigned to the VoIP phones configured on the switch uplinks

D. A UBT reserved VLAN set to a VLAN dedicated for that purpose

Questions 34

A ClearPass Policy Manager (CPPM) service includes these settings:

    Role Mapping Policy:
        Evaluate: Select first
        Rule 1 conditions:
            Authorization:AD:Groups EQUALS Managers
            Authentication:TEAP-Method-1-Status EQUALS Success
        Rule 1 role: manager
        Rule 2 conditions:
            Authentication:TEAP-Method-1-Status EQUALS Success
        Rule 2 role: domain-comp
        Default role: [Other]

    Enforcement Policy:
        Evaluate: Select first
        Rule 1 conditions:
            Tips Role EQUALS manager AND Tips Role EQUALS domain-comp
        Rule 1 profile list: domain-manager
        Rule 2 conditions:
            Tips Role EQUALS manager
        Rule 2 profile list: manager-only
        Rule 3 conditions:
            Tips Role EQUALS domain-comp
        Rule 3 profile list: domain-only
        Default profile: [Deny access]

A client is authenticated by the service. CPPM collects attributes indicating that the user is in the Contractors group, and the client passed both TEAP methods.

Which enforcement policy will be applied?

Options:

A. [Deny Access Profile]

B. manager-only

C. domain-manager

D. domain-only

Questions 35

You are setting up policy rules in HPE Aruba Networking SSE. You want to create a single rule that permits users in a particular user group to access multiple applications. What is an easy way to meet this need?

Options:

A. Associate the applications directly with the IdP used to authenticate the users; choose any for the destination in the policy rule.

B. Apply the same tag to the applications; select the tag as a destination in the policy rule.

C. Place all the applications in the same connector zone; select that zone as a destination in the policy rule.

D. Select the applications within a non-default web profile; select that profile in the policy rule.

Questions 36

Assume that an AOS-CX switch is already implementing DHCP snooping and ARP inspection successfully on several VLANs.

What should you do to help minimize disruption time if the switch reboots?

Options:

A. Configure the switch to act as an ARP proxy.

B. Create static IP-to-MAC bindings for the DHCP and DNS servers.

C. Save the IP-to-MAC bindings to external storage.

D. Configure the IP helper address on this switch, rather than a core routing switch.

Questions 37

You have installed an HPE Aruba Networking Network Analytic Engine (NAE) script on an AOS-CX switch to monitor a particular function.

Which additional step must you complete to start the monitoring?

Options:

A. Reboot the switch.

B. Enable NAE, which is disabled by default.

C. Edit the script to define monitor parameters.

D. Create an agent from the script.

Questions 38

A company has HPE Aruba Networking gateways that implement gateway IDS/IPS. Admins sometimes check the Security Dashboard, but they want a faster way to discover if a gateway starts detecting threats in traffic.

What should they do?

Options:

A. Set up Webhooks that are attached to the HPE Aruba Networking Central Threat Dashboard.

B. Use Syslog to integrate the gateways with HPE Aruba Networking ClearPass Policy Manager (CPPM) event processing.

C. Set up email notifications using HPE Aruba Networking Central's global alert settings.

D. Integrate HPE Aruba Networking ClearPass Device Insight (CPDI) with Central and schedule hourly reports.

Questions 39

A company has HPE Aruba Networking APs running AOS-10 and managed by HPE Aruba Networking Central. The company also has AOS-CX switches. The security team wants you to capture traffic from a particular wireless client. You should capture this client’s traffic over a 15-minute time period and then send the traffic to them in a PCAP file. What should you do?

Options:

A. Access the CLI for the client’s AP. Set up a mirroring session between its radio and a management station running Wireshark.

B. Go to the client’s AP in HPE Aruba Networking Central. Use the "Security" page to run a packet capture.

C. Go to that client in HPE Aruba Networking Central. Use the "Live Events" page to run a packet capture.

D. Access the CLI for the client’s AP's switch. Set up a mirroring session between the AP’s port and a management station running Wireshark.

Questions 40

A company uses HPE Aruba Networking ClearPass Policy Manager (CPPM) as a TACACS+ server to authenticate managers on its AOS-CX switches. The company wants CPPM to control which commands managers are allowed to enter. You see there is no field to enter these commands in ClearPass.

How do you start configuring the command list on CPPM?

Options:

A. Add the Shell service to the managers' TACACS+ enforcement profiles.

B. Edit the TACACS+ settings in the AOS-CX switches' network device entries.

C. Create an enforcement policy with the TACACS+ type.

D. Edit the settings for CPPM's default TACACS+ admin roles.