Exam4Training

HP HPE2-W05 Implementing Aruba IntroSpect Online Training

Question #1

You are troubleshooting ClearPass with IntroSpect, and you notice that in Access Tracker the IntroSpect Logon Logoff actions profile is executing.

However, the ClearPass Log Source on the IntroSpect Analyzer is showing dropped entries.

Would this be a good troubleshooting step? (Confirm that the ClearPass context action is sending the User name, MAC Address, Entity Type, and User Role)

  • A . Yes
  • B . No

Correct Answer: B

Question #2

You are troubleshooting ClearPass with IntroSpect, and you notice that in Access Tracker the IntroSpect Logon Logoff actions profile is executing.

However, the ClearPass Log Source on the IntroSpect Analyzer is showing dropped entries.

Would this be a good troubleshooting step? (Confirm that the ClearPass context action is sending the User name, IP Address, Entity Type, and User Role)

  • A . Yes
  • B . No

Correct Answer: A

Question #3

You are troubleshooting ClearPass with IntroSpect, and you notice that in Access Tracker the IntroSpect Logon Logoff actions profile is executing.

However, the ClearPass Log Source on the IntroSpect Analyzer is showing dropped entries.

Would this be a good troubleshooting step? (Confirm that the ClearPass context action is sending the User name, MAC Address, IP Address, and Time Stamp)

  • A . Yes
  • B . No

Correct Answer: B

Question #4

While troubleshooting integration between ClearPass and IntroSpect, you notice that there are no log events for either THROUGHPUT or ERROR in the ClearPass log source on the IntroSpect Analyzer. You are planning your troubleshooting actions.

Is this something you should check? (Under Cluster-Wide Parameters on the ClearPass Publisher, make sure Post-Auth v2 is enabled.)

  • A . Yes
  • B . No

Correct Answer: A

Question #5

While troubleshooting integration between ClearPass and IntroSpect, you notice that there are no log events for either THROUGHPUT or ERROR in the ClearPass log source on the IntroSpect Analyzer. You are planning your troubleshooting actions.

Is this something you should check? (Check the authentication service being used in ClearPass for the Login - Logout enforcement policy.)

  • A . Yes
  • B . No

Correct Answer: B

Question #6

While looking at the conversation page you notice some strange network behavior, such as DNS requests coming inbound from external DNS servers. Could this be the reason why? (One of your Packet Processors may be oversubscribed and is dropping packets.)

  • A . Yes
  • B . No

Correct Answer: B

Explanation: https://community.hpe.com/t5/Comware-Based/Meaning-of-FFP-in-packet-drop/tdp/6071115#.XIH4nOdR2kw

Question #7

While looking at the conversation page you notice some strange network behavior, such as DNS requests coming inbound from external DNS servers. Could this be the reason why? (You have your network tap positioned wrong, and you are just getting outside data.)

  • A . Yes
  • B . No

Correct Answer: B

Question #8

While validating the data sources in a new IntroSpect installation, you have confirmed that the network tap data is correct and there are AMON log sources for both firewall and DNS.

When you lock in the Entity360, you see the usernames from Active Directory.

However, when you look under E360 > activity > for any user accounts there is no information under “Activity Card” and “Authentication” for any user. When you filter the Entity360 for IP address and look at the Activity screen you do see activity on the “Activity Card”.

Could this be a reason why you do not see the information but do not see activity? (The log broker could be configured incorrectly and not sending authentication logs to IntroSpect.)

  • A . Yes
  • B . No

Correct Answer: B

Question #9

Refer to the exhibit.

You are monitoring a new virtual packet processor with a network tap. You run the command “cli stats SERVER_PRE | gre-a1 drop” and then return an hour later and run the same command, but notice there is a significant increase in the number of dropped packets.

Could this be a reason for the increase? (The Packet Processor may not be allocated the proper amount of memory on the VM server for the size of the TAP.)

  • A . Yes
  • B . No

Correct Answer: B

Question #10

Refer to the exhibit.

You are monitoring a new virtual packet processor with a network tap. You run the command “cli stats SERVER_PRE | gre-a1 drop” and then return an hour later and run the same command, but notice there is a significant increase in the number of dropped packets.

Could this be a reason for the increase? (The Packet Processor may not be allocated the proper number of CPUs on the VM server for the size of the TAP.)

  • A . Yes
  • B . No

Correct Answer: A

Question #11

When IntroSpect ingests logs from different sources, it standardizes and catalogs the information. When it stores log data, it currently categorizes it into one of four standard schemas. Are these the four standard schemas? (VPN access data, email data, network data, and authentication data.)

  • A . Yes
  • B . No

Correct Answer: B

Question #12

Refer to the exhibit.

An IntroSpect admin is configuring an Aruba IntroSpect Packet Processor to add Microsoft AD server as a log source for analyzing the AD server logs. Are these correct Format and Source options? (Format = Snare, and Source Type = Syslog.)

  • A . Yes
  • B . No

Correct Answer: B

Question #13

Refer to the exhibit.

An IntroSpect admin is configuring an Aruba IntroSpect Packet Processor to add Microsoft AD server as a log source for analyzing the AD server logs. Are these correct Format and Source options? (Format = Standard, and Source Type = Syslog.)

  • A . Yes
  • B . No

Correct Answer: A

Question #14

You receive an email alert that a Packet Processor forwarding AMON data at a remote site to a cloud-based Analyzer has stopped communicating.

Is this a valid step to try to fix the issue? (Log into the Packet Processor and check the Alerts page to make sure that the alert is still valid.)

  • A . Yes
  • B . No

Correct Answer: A

Question #15

You receive an email alert that a Packet Processor forwarding AMON data at a remote site to a cloud-based Analyzer has stopped communicating.

Is this a valid step to try to fix the issue? (Contact the firewall administrator from the site and see if any rules have changed that may be blocking TCP port 389.)

  • A . Yes
  • B . No

Correct Answer: B

Question #16

You are configuring a ClearPass Cluster to send endpoint context to an IntroSpect Analyzer for the wireless network. You want to test the setup after you have installed the XML file with the enforcement profiles and actions. Can this method be used to test that the setup is functioning correctly?

(Connect to the wireless network, and send a test authentication from a test device/user in the network. Observe the results in Access Tracker.)

  • A . Yes
  • B . No

Correct Answer: A

Question #17

You are one of the system administrators in your company, and you are assigned to monitor the IntroSpect system for alarms. Is this a correct statement about alarms? (The alarm bell icon on the header bar indicates active alarms, and clicking on it will take you to the Alerts page.)

  • A . Yes
  • B . No

Correct Answer: A

Question #18

You are one of the system administrators in your company, and you are assigned to monitor the IntroSpect system for alarms. Is this a correct statement about alarms? (You must navigate to the IntroSpect Analyzer Menu > Alerts page to see if there are any alarms.)

  • A . Yes
  • B . No

Correct Answer: B

Explanation: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/26587/Default.aspx

Question #19

You are one of the system administrators in your company, and you are assigned to monitor the IntroSpect system for alarms. Is this a correct statement about alarms? (To see the alarms, navigate to the IntroSpect Analyzer Menu > System Status > Alerts page.)

  • A . Yes
  • B . No

Correct Answer: A

Explanation: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/26587/Default.aspx

Question #20

You are one of the system administrators in your company, and you are assigned to monitor the IntroSpect system for alarms. Is this a correct statement about alarms? (A memory_full alarm will fire when there is less than 1 GB of free memory for more than thirty minutes.)

  • A . Yes
  • B . No

Correct Answer: B

Explanation: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=27259 (2.4 user guide)

Question #21

An IntroSpect installation has been up for a day. While validating the log sources, you see an Aruba Firewall log source configured on a Packet Processor that has shown up on the interface in the analyzer.

While evaluating conversation data you notice there is no eflow data from AMON. You log into the controller and confirm there is user activity in the dashboard. Would this be a correct statement about this situation? (The log source on the Packet Processor may not be pointed to the analyzer IP address.)

  • A . Yes
  • B . No

Correct Answer: A

Explanation: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=27259

Question #22

An IntroSpect installation has been up for a day. While validating the log sources, you see an Aruba Firewall log source configured on a Packet Processor that has shown up on the interface in the analyzer.

While evaluating conversation data you notice there is no eflow data from AMON. You log into the controller and confirm there is user activity in the dashboard.

Would this be a correct statement about this situation? (The Packet Processor has been configured correctly.)

  • A . Yes
  • B . No

Correct Answer: B

Question #23

A customer with approximately 200 users in Active Directory is running Aruba Mobility Controllers, Palo Alto firewalls, Pulse Secure VPN, and InfoBlox DNS on their network. They would like to implement the 2RU Fixed Configuration Analyzer Standard Edition.

Would this be a good response to the customer? (The Standard Edition will work for this customer as long as they do not want to capture the InfoBlox DNS logs.)

  • A . Yes
  • B . No

Correct Answer: A

Question #24

A customer with approximately 200 users in Active Directory is running Aruba Mobility Controllers, Palo Alto firewalls, Pulse Secure VPN, and InfoBlox DNS on their network. They would like to implement the 2RU Fixed Configuration Analyzer Standard Edition.

Would this be a good response to the customer? (The 2RU Fixed Configuration Analyzer should work for this smaller customer. However, they will need the Advanced Edition to monitor the DNS server.)

  • A . Yes
  • B . No

Correct Answer: B

Question #25

You need to deploy IntroSpect Analyzer in your existing network. You are planning to configure logs from multiple systems around your network. Can this 3rd-party tool collect the logs and push them to Analyzer? (IBM QRadar SIEM will push logs to IntroSpect.)

  • A . Yes
  • B . No

Correct Answer: A

Explanation: IBM QRadar SIEM will push logs to IntroSpect

Question #26

You need to deploy IntroSpect Analyzer in your existing network. You are planning to configure logs from multiple systems around your network. Can this 3rd-party tool collect the logs and push them to Analyzer? (Splunk Enterprise will allow push notifications.)

  • A . Yes
  • B . No

Correct Answer: B

Question #27

In a meeting with a customer that runs a fully automated manufacturing facility that is connected to the business and corporate offices, the operations manager asks why they need IntroSpect to monitor the manufacturing network. Is this a reason they should monitor the manufacturing network security? (Because the controllers and sensors do not store customer data or corporate intellectual property, even if the automation network was to be breached it would not expose anything valuable.)

  • A . Yes
  • B . No

Correct Answer: B

Question #28

In a meeting with a customer that runs a fully automated manufacturing facility that is connected to the business and corporate offices, the operations manager asks why they need IntroSpect to monitor the manufacturing network. Is this a reason they should monitor the manufacturing network security? (The devices on the automation network are vulnerable to attack because they are highly functional and could be weaponized by an attacker and used to attack the corporate network.)

  • A . Yes
  • B . No

Correct Answer: A

Explanation: https://www.arubanetworks.com/assets/ds/DS_IntroSpect.pdf

Question #29

Refer to the exhibit.

Given the network diagram, would this be a proper location for a network tap? (Port G at the Head Quarters Site would expose all East/West traffic bound for the data center.)

  • A . Yes
  • B . No

Correct Answer: B

Question #30

You deploy IntroSpect Analyzer in your existing network. You want to monitor email for suspect malware activity. Would this action be supported by IntroSpect? (Deploy a supported DNP like Proofpoint Email Protection, and integrate with the IntroSpect Analyzer.)

  • A . Yes
  • B . No

Correct Answer: B

Question #31

You deploy IntroSpect Analyzer in your existing network. You want to monitor email for suspect malware activity. Would this action be supported by IntroSpect? (Deploy Splunk SIEM to gather logs from the email servers.)

  • A . Yes
  • B . No

Correct Answer: A

Question #32

You are planning to configure ClearPass to send endpoint context to IntroSpect. You need to create a checklist of functions that must be enabled in ClearPass to support this. Is this an option that is required? (System Monitor Service.)

  • A . Yes
  • B . No

Correct Answer: B

Question #33

You are planning to configure ClearPass to send endpoint context to IntroSpect. You need to create a checklist of functions that must be enabled in ClearPass to support this. Is this an option that is required? (Ingress Event Processing.)

  • A . Yes
  • B . No

Correct Answer: B

Question #34

You are planning to configure ClearPass to send endpoint context to IntroSpect. You need to create a checklist of functions that must be enabled in ClearPass to support this. Is this an option that is required? (Time Source Now as part of the authorization in the service.)

  • A . Yes
  • B . No

Correct Answer: A

Explanation: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=2ahUKEwiBra-C-_HgAhWLsKQKHQ4yDkkQFjABegQICBAC&url=http%3A%2F%2Fsupport.arubanetworks.com%2FDocumentation%2Ftabid%2F77%2FDMXModule%2F512%2FCommand%2FCore_Download%2FMethod%2Fattachment%2FDefault.aspx%3FEntryId%3D33268&usg=AOvVaw3plzLBTQalED4qNGbdU1Dx

Question #35

You are a security analyst for a company where an Aruba infrastructure, such as Controllers, ClearPass, and Airwave, has been deployed. The company has recently deployed Aruba IntroSpect for security analytics. You are trying to understand the functionality of three components of the IntroSpect system: Analyzer, Compute Node (CN), and Packet Processor. Is this a good description of the functions of the Analyzer Node in the system? (The Analyzer Node is the center of the system, providing all of the control and interface to the other components.)

  • A . Yes
  • B . No

Correct Answer: B

Question #36

A company wants to integrate ClearPass with IntroSpect. Is this a supported version? (ClearPass 6.7.4.)

  • A . Yes
  • B . No

Correct Answer: B

Question #37

A company wants to integrate ClearPass with IntroSpect. Is this a supported version? (ClearPass 6.7.3.)

  • A . Yes
  • B . No

Correct Answer: A

Question #38

While discussing network security with an associate, the associate asks why a company would need internal monitoring when they have firewalls and Wireless Intrusion Protection configured. Is this an appropriate response? (You point out that while these security measures are required, there are other attack vectors in a network that are simply not protected by these.)

  • A . Yes
  • B . No

Correct Answer: A

Question #39

While reviewing the logs at a customer site you notice that one particular device is accessing multiple servers in the environment, using a number of different user accounts. When you question the IT admin, they tell you that the computer is a JumpBox and running software used to monitor all of the servers in the environment.

Would this be a logical next step? (You can safely ignore this activity as this is normal behavior for a JumpBox.)

  • A . Yes
  • B . No

Correct Answer: B

Question #40

While reviewing the logs at a customer site you notice that one particular device is accessing multiple servers in the environment, using a number of different user accounts. When you question the IT admin, they tell you that the computer is a JumpBox and running software used to monitor all of the servers in the environment.

Would this be a logical next step? (As a next step, you should audit all of the accounts that are being used on the JumpBox to determine if the JumpBox is being accessed by unauthorized accounts.)

  • A . Yes
  • B . No

Correct Answer: A

Question #41

Refer to the exhibit.

Would this be a correct option when configuring a user account for ClearPass to use to communicate with IntroSpect? (The username and email address must match.)

  • A . Yes
  • B . No

Correct Answer: B

Explanation: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=27259

Question #42

Refer to the exhibit.

Would this be a correct option when configuring a user account for ClearPass to use to communicate with IntroSpect? (The email address needs to match the username used in ClearPass.)

  • A . Yes
  • B . No

Correct Answer: A

Question #43

Refer to the exhibit.

Would this be a correct option when configuring a user account for ClearPass to use to communicate with IntroSpect? (The username must be the host name of the ClearPass server, and the email address needs to be the username on the ClearPass server.)

  • A . Yes
  • B . No

Correct Answer: B

Question #44

During a discovery at a large company, the customer asks if they can run IntroSpect on a segment of the network and only monitor a small group of users and servers as a trial. As their IT staff becomes familiar with the analytics, they want to expand the installation to the entire enterprise. Would this be a valid option for the customer? (It is easy to support growth with the Scale-out Analyzer appliance, as Analyzer Nodes may be added over time to support the larger demand from the full environment.)

  • A . Yes
  • B . No

Correct Answer: B

Question #45

During a discovery at a large company, the customer asks if they can run IntroSpect on a segment of the network and only monitor a small group of users and servers as a trial. As their IT staff becomes familiar with the analytics, they want to expand the installation to the entire enterprise. Would this be a valid option for the customer? (The customer can deploy the analyzer at the first site and use whitelist/blacklist functions to contain the scope of the analytics to the smaller site.)

  • A . Yes
  • B . No

Correct Answer: B

Question #46

You have been asked to provide a Bill of Materials (BoM) for a mature small business with two sites. The IT Director prefers all hardware to be on-premise but is open to a cloud-based solution. In conversations with the IT staff, you determine that the main site has approximately 550 network devices and 400 users. All users are in Active Directory. Eighty of the users use a Pulse Secure VPN to work remotely.

The second site is a warehouse operation with approximately 40 users and another 10 users that use Pulse Secure VPN. All wireless is using Aruba Networks Instant APs. There are Active Directory servers at both sites. All logs are currently being gathered into Splunk. The team feels that they can properly monitor the corporate site network with a single tap port on a central switch at the main office. There will be a network tap at the remote site.

Is this a suggestion you would make to the customer? (The customer should purchase the Scale-Out option for their data center, with a Packet Processor at the remote site.)

  • A . Yes
  • B . No

Correct Answer: B