IBM Support

Bypassing inspection on QRadar Network Security

Question & Answer


Question

How can you bypass inspection on QRadar Network Security (XGS) to troubleshoot issues such as latency or the XGS blocking traffic?

Answer

Starting in firmware 5.3.1.4, you can bypass the inspection engine on the XGS for certain testing scenarios, such as traffic being blocked or latency through the XGS.

All traffic analysis on the XGS is performed by the Protocol Analysis Module (PAM). PAM is responsible for Network Access Policy (NAP) rules, IPS, SSL inspection, URL analysis, and so on. Bypassing PAM lets traffic pass through the appliance unanalyzed, which helps determine whether the XGS itself is causing the issue.

To bypass PAM, do the following:
  1. SSH to the device and log in as admin.
  2. Enter the analysis command to enter the analysis module.
  3. To disable PAM, enter the following:
    dpi off
    You should now see a message that says:
    DPI is bypassed.
    This setting will be reverted upon next packet processing service restart.
  4. Test the issue to see whether it is still present while PAM is disabled.
  5. When testing is complete, re-enable PAM by entering the following command in the analysis module:
    dpi on
    You should now see a message that says:
    DPI is active.
    This setting will be reverted upon next packet processing service restart.

Notes:
  • Disabling PAM is intended for debugging or support use and should be done only when requested by Customer Support.
  • While PAM is disabled, traffic passes through the XGS unanalyzed, so the appliance is providing no protection. Keep the bypass window as short as possible and confirm the "DPI is active." message before leaving the session.
  • If you are troubleshooting a latency issue and it persists after bypassing PAM, the latency is not caused by inspection; it could still come from the low-level packet handling code, a hardware issue, or something else in the network path.
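The following script is an added example, not part of the IBM document, that runs the procedure above as a controlled A/B latency test and enforces the note about re-enabling protection: the EXIT trap sends "dpi on" even if the test aborts, the documented "DPI is bypassed." and "DPI is active." messages are checked rather than assumed, and the verdict encodes the last note (no improvement while bypassed means the latency lies elsewhere). Everything beyond the page's own commands is an assumption: that the XGS admin CLI accepts the analysis, dpi and exit commands on stdin over ssh, the placeholder host and URL, and the 1.5x threshold.

```shell
#!/bin/sh
# Added example (not from the IBM page): PAM bypass as an A/B latency test
# that always turns DPI back on.
#
# Assumptions, all hypothetical: the XGS admin CLI accepts "analysis",
# "dpi off"/"dpi on" and "exit" on stdin over ssh; the host and URL below are
# placeholders; curl is available on the client running this script.

XGS_HOST="${XGS_HOST:-xgs.example.internal}"                   # placeholder
TARGET_URL="${TARGET_URL:-http://app.example.internal/health}" # placeholder
SAMPLES="${SAMPLES:-10}"

# Send "dpi on" or "dpi off" to the analysis module and return the CLI output.
xgs_dpi() {
    printf 'analysis\ndpi %s\nexit\nexit\n' "$1" | ssh "admin@$XGS_HOST" 2>&1
}

# Map the messages the page documents to a one-word state.
parse_dpi_state() {
    case "$1" in
        *"DPI is bypassed."*) echo bypassed ;;
        *"DPI is active."*)   echo active ;;
        *)                    echo unknown ;;
    esac
}

# Median of the numbers on stdin (one per line); prints nothing for no input.
median() {
    sort -n | awk '{ a[NR] = $1 }
        END {
            if (NR == 0) exit
            if (NR % 2) print a[(NR + 1) / 2]
            else print (a[NR / 2] + a[NR / 2 + 1]) / 2
        }'
}

# Collect SAMPLES round trips through the appliance, in milliseconds.
measure_ms() {
    i=0
    while [ "$i" -lt "$SAMPLES" ]; do
        curl -o /dev/null -s -w '%{time_total}\n' "$TARGET_URL" \
            | awk '{ printf "%.1f\n", $1 * 1000 }'
        i=$((i + 1))
    done
}

# $1 = median with DPI active, $2 = median with DPI bypassed. A large drop
# while bypassed implicates PAM; otherwise the latency lies elsewhere (packet
# path, hardware, or the network), as the Notes above warn. The 1.5x ratio
# is an arbitrary threshold chosen for this example.
latency_verdict() {
    awk -v on="$1" -v off="$2" 'BEGIN {
        if (on == "" || off == "" || off <= 0) { print "inconclusive"; exit }
        if (on >= off * 1.5) print "pam-implicated"
        else                 print "latency-elsewhere"
    }'
}

main() {
    # Whatever happens below (error, Ctrl-C), turn inspection back on.
    trap 'xgs_dpi on >/dev/null 2>&1' EXIT INT TERM

    on_ms=$(measure_ms | median)

    state=$(parse_dpi_state "$(xgs_dpi off)")
    [ "$state" = bypassed ] || { echo "bypass not confirmed ($state)"; exit 1; }
    off_ms=$(measure_ms | median)

    state=$(parse_dpi_state "$(xgs_dpi on)")
    [ "$state" = active ] || { echo "DPI NOT re-enabled ($state); check the appliance"; exit 1; }

    echo "median with DPI active: ${on_ms} ms, bypassed: ${off_ms} ms"
    echo "verdict: $(latency_verdict "$on_ms" "$off_ms")"
}

# Run only when explicitly asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then main; fi
```

Invoke it as `sh xgs-dpi-ab.sh --run` from a client whose path to TARGET_URL crosses the appliance. Because the baseline is measured first and the re-enable is verified by message rather than assumed, a failed SSH session cannot leave the device silently unprotected without the script reporting it.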

Applies to: IBM QRadar Network Security 5.4 (firmware; component: Protocol Analysis Module (PAM)) and IBM Security Network Protection 5.3.1, 5.3.2, 5.3.3 (firmware; component: Protocol Analysis Module (PAM)).

Document Information

Modified date:
24 January 2021

UID

swg21965579