The System Administrator for a bank has deployed the following Network Access Policy on the XGS appliance using default built-in Application & Inspection objects, as shown in the diagram below. No schedule objects were used in all rules.
Answer : B
A System Administrator has a requirement to be able to pause and resume an XGS for VMware machine to allow the ESXi server to move the servers to another machine.
Which statement regarding VMware Tools functionality is relevant to this requirement?
Answer : C
The System Administrator for a financial organization wants to register an XGS appliance to SiteProtector. There are two SiteProtector Sites:
-> SiteProtector_1 in Strict mode has AgentManager_1 installed in it.
-> SiteProtector_2 in Compatible mode has AgentManager_2 installed in it.
The System Administrator has configured XGS SiteProtector Management policy as follows:
Answer : A
When registering an XGS appliance to SiteProtector, a System Administrator decided to use a strict cryptography level.
Which protocol is allowed in this configuration?
Answer : C
Strict Cryptography: If selected, the appliance complies with cryptographic security standard SP 800-131A. Select this option to connect to a SiteProtector System that is also installed in strict mode.
Protocols allowed: TLS v1.2
Certificates: SHA-2 RSA-2048
Ciphers: SHA-2 or stronger
References:
https://www.ibm.com/support/knowledgecenter/SSHLHV_5.3.2/com.ibm.alps.doc/tasks/alps_sp_configuring_cms_settings.htm
A System Administrator begins receiving widespread reports of traffic latency and disruption from users and wants to determine which device in a network is causing the problem.
Which step can the System Administrator take to rule out the XGS?
Answer : C
Question:
How can you bypass inspection on QRadar Network Security (XGS) to troubleshoot issues like latency or the XGS blocking traffic?
Answer:
Starting with firmware 5.3.1.4, you have the ability to bypass the inspection engine on the XGS for certain testing scenarios (such as traffic being blocked or latency through the XGS).
All of the analysis is a result of the Protocol Analysis Module (PAM). PAM is responsible for Network Access Policy (NAP) rules, IPS, SSL inspection, URL analysis, and so on. Bypassing PAM allows the traffic to go through unanalyzed to help determine whether the XGS is causing the issue.
To bypass PAM, do the following:
1. SSH to the device and log in as admin.
2. Enter `analysis` to enter the analysis module.
3. To disable PAM, enter the following:
`dpi off`
You should now see a message that says:
DPI is bypassed.
This setting will be reverted upon next packet processing service restart.
References:
http://www-01.ibm.com/support/docview.wss?uid=swg21965579
A Network Administrator wants to block all social media type websites, including Facebook and Google+.
Which Network Object should be used to achieve a broad match on all social media websites?
Answer : D
Configuring a URL category in a Network Access Policy to control access to certain websites.
This use case describes how to configure a Network Access Policy to control the user's access to a specific URL Category. In this example, XGS blocks the user's access to social media sites using a URL Category.
References: Implementation Guide for IBM Security Network Protection ('XGS for Techies') second edition, Version 2.0, page 82
A System Administrator has configured SSL Inspection in XGS, but end users get prompted to verify the certificate in the browser when viewing SSL web pages.
To fix the issue the System Administrator must distribute the CA certificate so that it can be imported into the Trusted Root Certification Authorities store in end users' browsers.
Which Menu option allows the System Administrator to download the CA Certificate?
Answer : C
In order for Outbound SSL to work properly, the XGS Certificate Authority (CA) certificate must be installed in the browser in order for the browser to verify the identity of the XGS. If you do not add the CA certificate, Outbound SSL will not work properly, introduce latency, and could cause pages to fail to load.
If users get prompted to verify the certificate in the browser when viewing SSL web pages, this indicates that the CA is not loaded or is loaded in the incorrect place. The CA certificate must be loaded in the Trusted Root Certification Authorities tab in Certificates in Internet Explorer and the Authorities tab in the Certificate Manager in Firefox.
To download the CA certificate, log on to the LMI and go to Manage System Settings > Network Settings > Outbound SSL Certificates. Select the Active Device CA certificate and select Download.
References:
http://www-01.ibm.com/support/docview.wss?uid=swg21958051
A System Administrator wants to integrate the XGS product with an existing SIEM deployment.
Which configuration changes should be made to ensure that the SIEM product receives information about security attack incidents?
Answer : C
Configuring the IBM Security Network Protection (XGS) remote syslog to send events to QRadar SIEM.
You can configure remote syslog for the IPS objects in both the SiteProtector Console and the LMI, from either the Network Access Policy (NAP) or the Shared Objects policy.
References:
http://www-01.ibm.com/support/docview.wss?uid=swg21662575
A customer is considering purchasing a 7100 XGS to protect its perimeter against Distributed Denial of Service (DDoS) attacks. Before making the purchase, a Customer Support Representative suggests reviewing the pam.chm file.
Which pam.chm section will contain a comprehensive list of DDoS attacks?
Answer : B
You can view information regarding signatures, signature categories, and signature tuning parameters in the pam.chm help file.
References:
http://www-01.ibm.com/support/docview.wss?uid=swg21498057
A System Administrator wants to install a snapshot during the first time configuration of an XGS appliance.
How can this be done?
Answer : C
Log in to the Local Management Interface (LMI) of the XGS sensor and navigate to Manage System Settings > Snapshots.
The Security Network Protection (XGS) has removed root access for appliance security. In place of root access, IBM has developed a predefined set of the module commands to allow console and SSH CLI access. The modules available are broken up into a hierarchical structure with commands specific to each module. The prompt changes to display the module you are in and displays a list of the available commands.
Notes:
At any point, type `help` to display a list of the available commands.
The Tab key can be used to complete commands (for example, to enter `support`, you can type `su` and then press Tab to complete `support`).
Example:
The requirements are as follows:
-> Avoid having to push certificates to all workstations
-> Protect users from fraudulent web sites
-> Protect all internal server from malicious attacks
The steps to implement this plan are as follows:
Obtain an SSL Inspection license for the XGS
Answer : A
A financial company bought an XGS appliance to protect the servers running online trade applications. One XGS is just deployed in the staging environment and the initial setup configuration was done; all Security Policies are factory-default. A junior System Administrator accesses the Local Management Interface and opens the Network Access Policy page, and notices that Network Objects can be Drag/Drop on Rules as in the diagram:
Answer : ACE
Based on the attributes Source Address, Destination Address, Application, and Inspection, the Network Access Policy allows Protection Domains and Connection Events to be configured in XGS.
References: Implementation Guide for IBM Security Network Protection ('XGS for Techies') second edition, Version 2.0, page 21
The System Administrator is about to perform a copy of settings between the same model appliances; however, the Administrator does not want to copy protection interface settings.
Which tuning parameter must be added to the Advanced Tuning Parameters policy on the XGS prior to applying the snapshot?
Answer : B
snapshot.apply.ignore.adapter
Create a snapshot that disables the protection interface policy. This is used to prevent protection interface policy mismatch for the current number of interfaces.
Incorrect Answers:
A: Create a snapshot that disables the static route policy. This is used to avoid applying erroneous static routes between sensors.
C: Create a snapshot that disables the flexible performance level. This is used to prevent discrepancies in flexible performance licenses between sensors.
D: Create a snapshot to disable management policy. This is used to prevent snapshots from changing the management IP address.
References:
http://www-01.ibm.com/support/docview.wss?uid=swg21986978
A System Administrator wants to configure an XGS so that, only when the SQL_Injection security event is enabled in the IPS policy and triggered, the XGS performs a packet capture of the complete connection from the point at which the event triggers.
How should the System Administrator configure the XGS?
Answer : D
You can configure the IPS Event Filter policy to tune the Threat (Severity) Level and responses for a specific Intrusion Prevention Policy rule (security event/signature).
Incorrect Answers:
C: IPS event filters offer you the ability to change settings for a single security event or for a group of security events without having to create new Network Access policies or Intrusion Prevention policies. The IPS Event Filter policy is similar to the Network Access Policy in that it is a single entity that you add rules to.
References:
https://www.ibm.com/support/knowledgecenter/en/SSHLHV_5.3.2/com.ibm.alps.doc/tasks/alps_configuring_quarantine_response_objects.htm
A System Administrator has reviewed recent changes on the XGS from the Local Management Interface (LMI) and has determined that a fix pack has been applied that may be inhibiting network functionality. The System Administrator plans to remove the fix pack during the next change control window.
Which step should be taken?
Answer : D
The fixpacks command includes rollback, which uninstalls the most recently installed fix pack.
References:
https://www.ibm.com/support/knowledgecenter/en/SSHLHV_5.3.2/com.ibm.alps.doc/references/alps_command_line_interface.htm