Stateful inspection on QRadar Network Security sensors

Question & Answer


Question

Is stateful inspection used for NAP rules on QRadar Network Security (XGS) sensors?

Answer

Yes. The XGS sensor uses stateful inspection when analyzing traffic, so reply traffic for a connection that was permitted in one direction is allowed back through even if a rule would block that direction on its own.

Example:

Traffic is being sent between Server 1 and Server 2, with the XGS sensor deployed inline between the two servers as follows:

Server 1 --- XGS --- Server 2

In this environment, a rule is configured on the XGS to block traffic from Server 2 to Server 1.
  • Test 1: Ping traffic (ICMP) is sent from Server 1 to Server 2. The ping is able to successfully travel from Server 1 to Server 2 and the reply traffic is able to successfully return from Server 2 to Server 1.
  • Test 2: Ping traffic (ICMP) is sent from Server 2 to Server 1. The ping is dropped by the XGS before it reaches Server 1.
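The following is an added illustrative model of the behaviour shown in Test 1 and Test 2; it is not IBM's code and does not reflect how the XGS sensor is actually implemented. It assumes a filter that pairs ICMP echo replies with earlier echo requests by source/destination, identifier and sequence number, and uses constructed sample addresses for the two servers.

```python
from dataclasses import dataclass

# Constructed sample addresses for the two servers in the page's diagram.
SERVER1, SERVER2 = "10.0.1.10", "10.0.2.20"
ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type values

@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    ident: int  # ICMP identifier, pairs a reply with its request
    seq: int    # ICMP sequence number

def stateless_decision(pkt, block_src, block_dst):
    # Pure per-packet rule with no memory: would also drop Test 1's reply.
    return "DROP" if (pkt.src, pkt.dst) == (block_src, block_dst) else "ALLOW"

class StatefulIcmpFilter:
    """Remembers permitted echo requests so the matching reply passes even
    though it travels in the direction the rule blocks."""
    def __init__(self, block_src, block_dst):
        self.block_src, self.block_dst = block_src, block_dst
        self.pending = set()  # (requester, responder, ident, seq) awaiting reply

    def process(self, pkt):
        if pkt.icmp_type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            if key in self.pending:  # reply to a request we saw: state wins
                self.pending.discard(key)
                return "ALLOW"
            # no matching request: fall through to the directional rule
        if (pkt.src, pkt.dst) == (self.block_src, self.block_dst):
            return "DROP"
        if pkt.icmp_type == ECHO_REQUEST:  # permitted request: record state
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        return "ALLOW"

def run_scenario():
    """Replays Test 1 and Test 2 from the page, plus an unsolicited reply."""
    xgs = StatefulIcmpFilter(block_src=SERVER2, block_dst=SERVER1)
    req1 = IcmpPacket(SERVER1, SERVER2, ECHO_REQUEST, 0x1234, 1)
    rep1 = IcmpPacket(SERVER2, SERVER1, ECHO_REPLY, 0x1234, 1)
    req2 = IcmpPacket(SERVER2, SERVER1, ECHO_REQUEST, 0x5678, 1)
    stray = IcmpPacket(SERVER2, SERVER1, ECHO_REPLY, 0x9999, 7)
    return {"test1_request": xgs.process(req1),
            "test1_reply": xgs.process(rep1),
            "test1_reply_stateless": stateless_decision(rep1, SERVER2, SERVER1),
            "test2_request": xgs.process(req2),
            "unsolicited_reply": xgs.process(stray)}
```

The stateless comparison shows why the distinction matters: without connection state, Server 1's own ping replies would be dropped by the same rule that correctly blocks Server 2's unsolicited traffic.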

Document Information

Modified date:
23 January 2021

UID

swg22013039