IBM Security Network Protection (XGS) V5.3.2 System Administration v1.0 (C2150-620)

Page:    1 / 4   
Total 60 questions

The System Administrator for a bank has deployed the following Network Access Policy on the XGS appliance using default built-in Application & Inspection objects, as shown in the diagram below. No schedule objects were used in all rules.

The clients are on one side of the protection interface pair and the server are on the other side, including the gateway to internet. One user opened a browser to access The traffic is blocked and the System Administrator opens the Network Access Events to find the events associated with the source IP address of the client.

Which Application is reported for that event?

  • A. tls
  • B. http
  • C. https
  • D. Unknown

Answer : B

A System Administrator has a requirement to be able to pause and resume an XGS for VMware machine to allow the ESXi server to move the servers to another machine.
Which statements regarding VMware Tools functionality is relevant to this requirement?

  • A. VMware Tools can be used to suspend inspection on the XGS for VMware and traffic will be forced into an automatic bypass mode.
  • B. VMware Tools can be used to suspend inspection on the XGS for VMware and traffic will not be forced into an automatic bypass mode.
  • C. VMware Tools functionality can be added to the appliance to provide a more streamlined used experience when migrating to another ESXi host.
  • D. VMware Tools functionality is already included and will be used when called by the hypervisor to manage the XGS for VMware virtual machine.

Answer : C

The System Administrator for a financial organization wants to register an XGS appliance to SiteProtector. There are two SiteProtector Sites:
-> SiteProtector_1 in Strict mode has AgentManager_1 installed in it.
-> SiteProtector_2 in Compatible mode has AgentManager_2 installed in it.
The System Administrator has configured XGS SiteProtector Management policy as follows:

In which SiteProtector instance should this XGS appear as Active based on the above policy given that there are no other network issues?

  • A. XGS should be seen as Active in SiteProtector_2 only.
  • B. XGS should be seen as Active in SiteProtector_1 only.
  • C. XGS should be seen as Active in both SiteProtector sites.
  • D. XGS should not be active in any of the SiteProtector sites.

Answer : A

When registering an XGS appliance to the Site Protector, a System Administrator decided to use a strict cryptography level.
Which protocol is allowed in this configuration?

  • A. SSLv3
  • B. TKS v1.1
  • C. TLS v2.1
  • D. SP 800-131A

Answer : C

Strict Cryptography: If selected, the appliance complies with cryptographic security standard SP 800-131A. Select this option to connect to a SiteProtector System that is also installed in strict mode.

Protocols allowed: TLS v1.2 -

Certificates: SHA-2 RSA-2048 -

Ciphers: SHA-2 or stronger -

A System Administrator begins receiving widespread reports of traffic latency and disruption from users and wants to determine which device in a network is causing the problem.
Which step can the System Administrator take to rule out the XGS?

  • A. Clear all active quarantine rules.
  • B. Restart the packet processing daemon.
  • C. Use the dpi off command to disable inspection.
  • D. Ping sample hosts from the command line and note the time.

Answer : C

Question -
How can you bypass inspection on QRadar Network Security (XGS) to troubleshoot issues like latency or the XGS blocking traffic?

Answer -
Starting in firmware and continuing, you have the ability to bypass the inspection engine on the XGS for certain testing scenarios (such as traffic being blocked or latency through the XGS).
All of the analysis is a result of the Protocol Analysis Module (PAM). PAM is responsible for Network Access Policy (NAP) rules, IPS, SSL inspection, URL analysis, and so on. Bypassing PAM allows the traffic to go through unanalyzed to help determine whether the XGS is causing the issue.
To bypass PAM, do the following:
1. SSH to the device and login as admin.
2. Enter analysis to enter the analysis module.
3. To disable PAM, enter the following:
dpi off
You should now see a message that says:
DPI is bypassed.
This setting will be reverted upon next packet processing service restart.

A Network Administrator wants to block all social media type websites, including Facebook and Google+.
Which Network Object should be used to achieve a broad match on all social media websites?

  • A. Address Object
  • B. URL List Object
  • C. Inspection Object
  • D. URL Category Object

Answer : D

Configuring a URL category in a Network Access Policy to control access to certain websites.
This use case describes how to configure a Network Access Policy to control the user"™s access to a specific URL Category. In this example, XGS blocks the user"™s access to social media sites using a URL Category.
References: Implementation Guide for IBM Security Network Protection ('XGS for Techies') second edition, Version 2.0, page 82

A System Administrator has configured SSL Inspection in XGS, but end users get promoted to verify the certificate in the browser when viewing SSL web pages.
To fix the issue the System Administrator must distribute the CA certificates so that it can be imported in the Trusted Root Certification Authorities in end users"™ browsers.
Which Menu option allows the System Administrator to download the CA Certificate?

  • A. Inbound SSL Certificates
  • B. Appliance SSL Certificate
  • C. Outbound SSL Certificates
  • D. Management Certificate Authorities

Answer : C

In order for Outbound SSL to work properly, the XGS Certificate Authority (CA) certificate must be installed in the browser in order for the browser to verify the identity of the XGS. If you do not add the CA certificate, Outbound SSL will not work properly, introduce latency, and could cause pages to fail to load.
If users get prompted to verify the certificate in the browser when viewing SSL web pages, this indicates that the CA is not loaded or is loaded in the incorrect place. The CA certificate must be loaded in the Trusted Root Certification Authorities tab in Certificates in Internet Explorer and the Authorities tab in the
Certificates Manager in Firefox.
To download the CA certificate, log on to the LMI and go to Manage System Settings > Network Settings > Outbound SSL Certificates. Select the Active Device
CA certificate and select Download.

A System Administrator wants to integrate the XGS product with an existing SIEM deployment.
Which configuration changes should be made to ensure that the SIEM product receives information about security attack incidents?

  • A. Enable Remote IPFix Flow Data Export for an IPS object.
  • B. Enable QRadar format/LEEF format for the Event Log object.
  • C. Add a remote syslog object with the IP address of the SIEM console to all IPS objects in use.
  • D. Add a quarantine response object with the IP Address of the SIEM console to the Advance Threat Protection Agent list.

Answer : C

Configuring the IBM Security Network Protection (XGS) remote syslog to send events to QRadar SIEM.
You can configure remote syslog for the IPS objects in both, the SiteProtector Console and the LMI, from the Network Access Policy (NAP) or the Shared Objects one.

A customer is considering purchasing a 7100 XGS to protect its perimeter against Distributed Denial of Service (DDoS) attacks. Before making the purchase, a
Customer Support Representative suggests reviewing the pam.chm file.
Which pam.chm section will contain a comprehensive list of DDoS attacks?

  • A. Events
  • B. Categories
  • C. Event Responses
  • D. Protocols and File Types

Answer : B

You can view information regarding signatures, signature categories, and signature tuning parameters in the pam.chm help file.

A System Administrator wants to install a snapshot during the first time configuration of an XGS appliance.
How can this be done?

  • A. Use the front panel USB port.
  • B. Use a console cable connection.
  • C. Use the Command Line interface over SSH.
  • D. Use the web-based Local Management Interface.

Answer : C

Log in to the Local Management Interface (LMI) of the XGS sensor and navigate to Manage System Settings > Snapshots.
The Security Network Protection (XGS) has removed root access for appliance security. In place of root access, IBM has developed a predefined set of the module commands to allow console and SSH CLI access. The modules available are broken up into a hierarchical structure with commands specific to each module. The prompt changes to display the module you are in and displays a list of the available commands.
At any point, type help to display a list of the available commands.
The tab key can be used to finish commands (if you wanted to enter support, you can type su then tab key to complete support).


The requirements are as follows:
-> Avoid having to push certificates to all workstations
-> Protect users from fraudulent web sites
-> Protect all internal server from malicious attacks
The steps to implement this plan are as follows:
Obtain an SSL Inspection license for the XGS

-> Obtain a certificate from a public CA and upload it to the XGS via Outbound SSL Certificates
-> Obtain the certificate and private key of the internal public-facing web server and upload it to the XGS via Inbound SSL Certificates
-> Configure Outbound SSL Inspection Settings to block connections if the server certificate is invalid or self-signed
-> Create Outbound SSL Inspection rules that inspect all traffic
-> Create Inbound SSL Inspection rules that only decrypt traffic destined for the internal web server IP address
After implementing the plan, the System Administrator finds that users are blocked when trying to access the private company intranet site.
What should the System Administrator do to allow the users to access the intranet?

  • A. Add intranet CA certificates to trusted Certificate Authorities.
  • B. Add intranet CA certificates to the Inbound SSL Certificates store.
  • C. Add an inbound SSL Inspection rule to ignore the traffic to the intranet site.
  • D. Disable the self-signed certificate option in Outbound SSL Inspection Settings.

Answer : A

A financial company bought an XGS appliance to protect the servers running online trade applications. One XGS is just deployed in the staging environment and the initial setup configuration was done; all Security Policies are factory-default. A junior System Administrator accesses the Local Management Interface and opens the Network Access Policy page, and notices that Network Objects can be Drag/Drop on Rules as in the diagram:

Which three actions can be performed using Drag/Drop? (Choose three.)

  • A. Drag Address folder and drop on Source column of a rule
  • B. Drag Identity folder and drop on Destination column of a rule
  • C. Drag Inspection folder and drop on Inspection column of a rule
  • D. Drag Response folder and drop on response column of a rule
  • E. Drag Applications folder and drop on Application column of a rule
  • F. Drag Schedule Objects folder and drop on Schedule column of a rule

Answer : ACE

Based on the the attributes Source address, Destination Address, Application, and Inspection, the
Network Access Policy allows for Protection Domains and Connection Events to be configured in XGS.
References: Implementation Guide for IBM Security Network Protection ('XGS for Techies') second edition, Version 2.0, page 21

The System Administrator is about to perform a copy of settings between the same model appliances; however, the Administrator does not want to copy protection interface settings.
Which turning parameter must be added to the Advances Tuning Parameters policy on the XGS prior to applying the snapshot?

  • A. snapshot. apply.ignore.route
  • B. snapshot. apply.ignore.adapter
  • C. snapshot. apply.ignore. perf_level
  • D. snapshot. apply.ignore. management _network

Answer : B

snapshot. apply.ignore.adapter
Create a snapshot that disables the protection interface policy. This is used to prevent protection interface policy mismatch for the current number of interfaces.
Incorrect Answers:
A: Create a snapshot that disables the static route policy. This is used to avoid applying erroneous static routes between sensors.
C: Create a snapshot that disables the flexible performance level. This is used to prevent discrepancies in flexible performance licenses between sensors.
D: Create a snapshot to disable management policy. This is used to prevent snapshots from changing the management IP address.

A System Administrator want to configure an XGS so that only when the SQL_Injection security event is enabled in the IPS policy and triggered, the XGS performs a packet capture of the complete connection from the point of the event triggering.
How should the System Administrator configure the XGS?

  • A. Edit the SQL_Injection security event within the IPS policy and apply a response to capture the connection.
  • B. Edit the IPS object that contains the SQL_Injection security event and apply a response to capture the connection.
  • C. Create a Network Access policy object with a capture connection response object for the SQL_Injection security event.
  • D. Create an IPS Filter Policy object for the SQL_Injection security event and apply a response to capture the connection.

Answer : D

You can configure the IPS Event Filter policy to tune the Threat (Severity) Level and responses for a specific Intrusion Prevention Policy rule (security events/ signature).
Incorrect Answers:
C: IPS event filters offer you the ability to change settings for a single or for a group of security events without having to create new Network Access policies or
Intrusion Prevention policies. The IPS Event Filter policy is similar to the Network Access Policy in that it is a single entity that you add rules to.

A System Administrator has reviewed recent changes on the XGS from the Local Management Interface (LMI) and has determined that a fix pack has been applied that may be inhibiting network functionality. The System Administrator plans to remove the fix pack during the next change control window.
Which step should be taken?

  • A. Use the Fix Packs page in LMI.
  • B. Use the Firmware Settings page in the LMI.
  • C. Use the Command Line Interface command: firmware rollback.
  • D. Use the Command Line Interface command: fixpacks rollback.

Answer : D

Fixpacks command include rollback, which uninstalls the most recently installed fix pack.

Page:    1 / 4   
Total 60 questions