Exam HPE7-A02 Topic 6 Question 85 Discussion

Actual exam question for HP's HPE7-A02 exam
Question #: 85
Topic #: 6
You manage AOS-10 APs with HPE Aruba Networking Central. A role is configured on these APs with these rules (in order):
* Allow UDP on port 67 to any destination
* Allow any to network 10.1.4.0/23
* Deny any to network 10.1.0.0/18 + log
* Deny any to network 10.0.0.0/8
* Allow any to any destination
You add this new rule immediately before rule 4:
* Deny SSH to network 10.1.0.0/21 + denylist
After this change, what happens when a client assigned to this role sends SSH traffic to 10.1.7.12?

Suggested Answer: B

Aruba firewall / role access rules are evaluated top-down, first-match wins; once a rule matches, no later rules are processed.
Let's walk the packet through the ordered rules:
* The traffic is SSH, not UDP/67, so rule 1 does not match.
* Destination 10.1.7.12 is not in 10.1.4.0/23, so rule 2 does not match.
* 10.1.7.12 is in 10.1.0.0/18, so rule 3 matches first.
* Rule 3 action: Deny any to 10.1.0.0/18 + log.
* Because rule 3 already matched, the later "Deny SSH to 10.1.0.0/21 + denylist" rule is never evaluated, so no denylist is applied.
Aruba documentation for session ACLs and firewall rules explicitly states that rules are evaluated from top to bottom and "the first match terminates further evaluation," and logging/denylist flags on a rule are applied only when that specific rule matches.
So the outcome is: the SSH traffic is dropped and logged, but the client is not denylisted, which is Option B.

by Troy at May 17, 2026, 03:26 AM
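A small first-match evaluator, added here as an illustration (not Aruba firmware or Central code, and not part of Troy's answer), shows why the denylist rule is dead for this destination when it sits before rule 4 and where it would have to go to fire. It models rules as (action, protocol, destination port, destination network, flags); "SSH" is taken to mean TCP to destination port 22, and a fall-through past the last rule is modelled as an implicit deny. The sample rules are the five from the question plus the new one.

```python
"""Toy top-down, first-match ACL walker (added illustration, not Aruba code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "any", "tcp" or "udp"
    dport: Optional[int]        # destination port, None = any port
    dst: ipaddress.IPv4Network  # destination network
    log: bool = False           # log flag on this rule
    denylist: bool = False      # denylist flag on this rule


def matches(rule, proto, dport, dst):
    """A rule matches only if protocol, port and destination all match."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return dst in rule.dst


def evaluate(rules, proto, dport, dst_ip):
    """Walk the rules top-down; the first match terminates evaluation.

    Returns the 1-based position of the matching rule and the flags that
    rule carries. Flags on later rules are never consulted, which is the
    point of the question."""
    dst = ipaddress.ip_address(dst_ip)
    for pos, rule in enumerate(rules, start=1):
        if matches(rule, proto, dport, dst):
            return {"rule": pos, "action": rule.action,
                    "log": rule.log, "denylist": rule.denylist}
    # Assumption: no match at all falls through to an implicit deny.
    return {"rule": None, "action": "deny", "log": False, "denylist": False}


def role_rules():
    """The five rules from the question, in their original order."""
    return [
        Rule("allow", "udp", 67, ANY),
        Rule("allow", "any", None, ipaddress.ip_network("10.1.4.0/23")),
        Rule("deny", "any", None, ipaddress.ip_network("10.1.0.0/18"), log=True),
        Rule("deny", "any", None, ipaddress.ip_network("10.0.0.0/8")),
        Rule("allow", "any", None, ANY),
    ]


# Assumption: "SSH" is expressed as TCP to destination port 22.
SSH_DENYLIST = Rule("deny", "tcp", 22, ipaddress.ip_network("10.1.0.0/21"),
                    denylist=True)


def with_rule_before(position, new_rule):
    """Return the role's rules with new_rule inserted immediately before the
    1-based position, e.g. position=4 puts it between rule 3 and rule 4."""
    rules = role_rules()
    rules.insert(position - 1, new_rule)
    return rules


if __name__ == "__main__":
    # As in the question: the new rule is inserted before rule 4.
    print(evaluate(with_rule_before(4, SSH_DENYLIST), "tcp", 22, "10.1.7.12"))
    # Where it would have to sit to ever fire for this destination: before rule 3.
    print(evaluate(with_rule_before(3, SSH_DENYLIST), "tcp", 22, "10.1.7.12"))
```

The first call reports rule 3 with log set and denylist clear; the second shows that only moving the new rule above the broader /18 deny makes the denylist flag reachable for 10.1.7.12, because 10.1.0.0/21 is entirely inside 10.1.0.0/18.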
