STUDY QUESTIONS2 Flashcards
Why use block-session timer?
Denied packets can consume more CPU. If you add a session for denied packets, it will consume less CPU.
How do you enable sessions for denied packets?
config system settings -> set ses-denied-traffic enable
What is the default value for "set block-session-time" in System Global?
30 seconds
FSSO- What are the different config modes?
DC Mode, Polling Mode and Terminal Server
FSSO - There are 2 sub-types of Polling mode - mention them
Collector agent-based and Agentless
FSSO - DC - What are the requirements for DC Mode?
One DC agent per domain controller, one collector agent on a Windows server
FSSO - DC - What is the responsibility of a COLLECTOR AGENT (CA) in DC mode?
Group verification, workstation checks, update login records on FG, send domain local security group, OU
FSSO - DC - How does it work?
1) User auth 2) DC agent sees log event and forwards to CA 3) CA sends it to FG
FSSO - DC - What ports are used?
UDP 8002 (CA-DC) and TCP 8000 (CA and FG)
FSSO - POLLING - With AGENT - What is required?
Only CA
FSSO - POLLING - With AGENT - How does it work?
Agent polls each DOMAIN CONTROLLER for log event
FSSO - POLLING - With AGENT - What ports are used?
SMB/TCP 445, TCP 135, 137, 139
FSSO - POLLING - With AGENT - What methods exist to pull info?
1) WMI 2) WinSec 3) NETAPI
FSSO - POLLING - With AGENT - Describe WMI
DC returns REQUESTED login events every 3 seconds (can read selected logs), reduces network
FSSO - POLLING - With AGENT - Describe WinSecLog
CA polls all security events every 10 sec (slower, latency, but sees all)