GCSE Exam

The document consists of a series of questions and answer options related to the Guardicore Centra system, focusing on IP flow collectors, management server health checks, agent installation, and enforcement modes. It covers various administrative tasks, configuration settings, and troubleshooting steps for managing agents and aggregators within the Guardicore environment. Key topics include monitoring, logging, permissions, and the roles of different components in the system.

Question 01/25
IP Flow collectors enable viewing and understanding traffic flow from devices without agents. What kind of information is provided to the management server?

Real-time flow data

Aggregated daily flow

Raw daily flow data

Sampled flow data


Question 02/25
Which of the following Centra components cannot run the "cluster orchestration" role?

SPAN Collector

Aggregator

ESXi Collector

Deception Server
Question 03/25
What protocols are not supported by IP flow collectors?

□ IPFIX

□ SNMP

□ UDP

□ TCP

□ NetFlow
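Questions 01 and 03 both turn on what an IP flow collector actually receives from an agentless device. The following is an added example, not part of the exam and not Guardicore code: it parses a NetFlow v5 export datagram, one of the formats flow collectors ingest, and shows what a record carries (a 5-tuple, interface indexes, packet and byte counters, TCP flags) and what it does not (any process identity, which is the visibility an agent adds). It also reads the header's sampling field and scales a sampled byte count back to an estimate. The datagram bytes are constructed here for the example; the field layout follows the published NetFlow v5 format.

```python
import struct
import ipaddress
from dataclasses import dataclass

# NetFlow v5 wire layout (public format): a 24-byte header followed by
# 48-byte records, all big-endian.
HEADER_FMT = ">HHIIIIBBH"   # version, count, sys_uptime, unix_secs, unix_nsecs,
                            # flow_sequence, engine_type, engine_id, sampling
RECORD_FMT = ">4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass
class Flow:
    """The visibility a flow record gives: addresses, ports, counters. No process."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    packets: int
    octets: int
    tcp_flags: int


def parse_netflow_v5(data: bytes) -> tuple[dict, list[Flow]]:
    """Parse one NetFlow v5 export datagram into (header, flows)."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _sys_uptime, _unix_secs, _unix_nsecs,
     flow_seq, _engine_type, _engine_id, sampling) = struct.unpack_from(HEADER_FMT, data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    # Sampling field: top 2 bits are the mode, low 14 bits the 1-in-N interval;
    # 0 means the exporter reported unsampled flows.
    mode, interval = sampling >> 14, sampling & 0x3FFF
    # Trust the announced record count only if the datagram really holds it.
    if len(data) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("header announces more records than the datagram holds")
    header = {"count": count, "flow_sequence": flow_seq,
              "sampling_mode": mode, "sampling_interval": interval}
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (srcaddr, dstaddr, _nexthop, _input_if, _output_if, d_pkts, d_octets,
         _first, _last, srcport, dstport, _pad1, tcp_flags, prot, _tos,
         _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = struct.unpack_from(RECORD_FMT, data, off)
        flows.append(Flow(
            src=str(ipaddress.IPv4Address(srcaddr)),
            dst=str(ipaddress.IPv4Address(dstaddr)),
            sport=srcport, dport=dstport,
            proto=PROTO_NAMES.get(prot, str(prot)),
            packets=d_pkts, octets=d_octets, tcp_flags=tcp_flags))
    return header, flows


def estimated_octets(header: dict, flow: Flow) -> int:
    """Scale a sampled flow's byte count back to an estimate of the real volume."""
    n = header["sampling_interval"]
    return flow.octets * n if n else flow.octets


def build_record(src, dst, sport, dport, prot, pkts, octets, flags=0) -> bytes:
    """Constructed 48-byte record; interface indexes, AS numbers and masks are filler."""
    return struct.pack(RECORD_FMT,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                       b"\x00" * 4, 1, 2, pkts, octets, 1000, 2000, sport, dport,
                       0, flags, prot, 0, 0, 0, 24, 24, 0)


def build_datagram(records: list[bytes], sampling_interval: int = 0) -> bytes:
    """Constructed exporter output; a non-zero interval sets mode 1 (random 1-in-N)."""
    sampling = ((1 << 14) | sampling_interval) if sampling_interval else 0
    header = struct.pack(HEADER_FMT, 5, len(records), 123456, 1700000000, 0,
                         42, 0, 0, sampling)
    return header + b"".join(records)


# Constructed sample: two TCP flows from an exporter sampling 1 packet in 100.
SAMPLE = build_datagram([
    build_record("10.1.2.3", "10.9.0.10", 51514, 443, 6, 12, 9600, flags=0x18),
    build_record("10.9.0.10", "10.1.2.3", 3306, 51614, 6, 3, 480, flags=0x02),
], sampling_interval=100)

if __name__ == "__main__":
    hdr, flows = parse_netflow_v5(SAMPLE)
    print(hdr)
    for f in flows:
        print(f, "estimated_bytes=", estimated_octets(hdr, f))
```

Note that nothing in `Flow` names the process that opened the connection; correlating the 10.1.2.3:51514 to 10.9.0.10:443 flow with a binary on the host is exactly what the agent-based process-level flow data in Question 05 provides and a collector cannot.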
Question 04/25
An Admin responsible for the Guardicore deployment needs to check the system health status of their Management. What is the best way to do so?

Log onto the Management system console, review the Nomad server logs and verify no services are in a crash loop.

Log onto the Management server UI, and check the health status on the Dashboard for any failing services.

Log in to the Management system console, run htop on all the Management Cluster nodes, and verify the load is not high.

Log onto the Management system console, run "gc-cluster-cli health" and inspect the Agent, Collectors, and Deception sections for any failing services.
Question 05/25
You would like to install a first agent in an environment that is currently deployed with Collectors only. Your objective is to collect a short sample of process-level flow information and assess its value compared to the visibility provided by the Collectors. Unfortunately, you do not currently have the compute resources to deploy an Aggregator. In such a case you can:

Install the agent pointing it to report to the IP of one of the existing Collectors, and activate a service on the Collector to also process Agent reports.

Install the agent pointing it to report to the IP of Management, as a temporary solution.

It is possible to install the agent as a standalone agent that doesn't connect to the Guardicore backend at all. Instead, have the desired process-level flow information written to a local log file on the server with the agent, then analyze it.

An Aggregator must be installed. If you don't have the resources, contact Guardicore support to raise a request for a cloud-hosted Aggregator (SaaS).
Question 06/25
What is the main command used to manage Aggregators via CLI?

"gc-mgmtctl"

"gc-cluster-cli"

"htop"

"monicore-ctrl"
Question 07/25
KO cloud access was not configured on a company's Guardicore Centra deployment, because the company did not approve access from the Management server to the internet. Several months after the deployment of Guardicore Centra, a major Red Hat Linux kernel upgrade was published, and the server team decided to upgrade the kernels on their Red Hat servers. Which modules will not be operational on the Red Hat servers?

□ Reveal

□ Deception

□ Enforcement

□ Detection
Question 08/25
Following a monitoring server failure, an administrator in charge of Guardicore Centra's health wants to make sure that there is no Guardicore Agent issue. What will be the best way to do it?

Run an Ansible script to fetch all the Guardicore agent local logs from the endpoint servers.

Log onto the Management server UI, open the agents log and filter the log to see only the entries that were created since the monitoring server failed.

Log onto the Management server UI, open the Agents screen, select all the agents, and click on the agent diagnostics button.

Log onto the Management server UI, open the Agents screen, and look for agent flags.
Question 09/25
Your internal auditors require a feed from Guardicore that will document logins and activities taken on the Guardicore platform. What would be the recommended solution to offer them?

You can write a script to send your auditors each new entry in the REST server log located on the Management, which contains all user and API activities.

You can configure Guardicore to forward auditable events via Syslog to your auditors.

You can write a script that will, using the Guardicore API, extract the required information and send it to the auditors on a regular basis.

You can configure Guardicore to email the auditors whenever there is an auditable event.
Question 10/25
As preparation for an application segmentation project for the Ecomm application, the system administrator is creating Centra UI access for the application team members. The administrator wants to make sure the application team can only create or edit rules related to their application. What should he prepare to achieve that?

Create a user for each of the application team's users, allowing them guest access to the Centra UI.

Create a permission scheme for the application team, with the role of application owner and the scope of the Ecomm application label.

Create a new role with the name "Ecomm Policy editors" and link it to the team members' users.

Create a user for each of the application team's users, allowing them administrative access to the Centra UI.
Question 11/25
Following the preparation done by the administrator in the previous question, the administrator wants to make sure any future team members will be granted the same permissions without requesting them through a ticket. Which of the following is a way to achieve this?

Enabling Kerberos authentication allows this without any further steps needed.

No shortcuts: each user needs to be created by the administrator with the right permissions.

Granting administrative UI access to the Ecomm team leader. This way he will be able to create users for future team members.

Using LDAP authentication, link the application team's Active Directory group to the relevant permission scheme.
Question 12/25
As an administrator, you are tasked with installing several aggregators. You started with installing a single aggregator for a test. What will be the best options for you to install the rest of the aggregators in an efficient and optimal manner?

□ Access the /etc/guardicore folder

□ Install the aggregators one at a time

□ Access the /etc/default/guardicore folder

□ Edit the file guestinstaller.conf

□ Edit the file guardicore setup.conf
Question 13/25
You attempt to stop the Guardicore Agent on Windows OS. Looking at the Windows Services, you notice the stop option for the Guardicore Agent Service is grayed out. When you look at the agent icon in the status bar, you see an "Unlock Agent" icon. What does that mean?

Agent Administration lock is active. Stopping the agent cannot be performed from Windows Services.

This is likely a technical issue with the Agent. Remove it and install it again. If the issue persists, contact Guardicore Support.

You need to first end all running Guardicore tasks (for instance, using Task Manager), and then the Guardicore Agent Service will no longer be grayed out.

You do not have permission to disable the Guardicore Agent Service.

Question 14/25
You have 4 aggregators in your environment that cover 1000 agents, and you notice some are overloaded while others function properly. Before you can allow spinning up additional aggregators, you would like to distribute the load caused by agents uniformly across your aggregators and see if this resolves the issue. What would you do to quickly attempt a solution?

Sorry, this cannot be achieved. Deploy additional Aggregators.

Check the "Agents load balancer" role in all Aggregator clusters so they will share the agents' load. Once done, reboot all Aggregators to force agents to reconnect while re-balancing load.

Reinstall the agents, with each group of 250 agents installed against the IP of a different aggregator among the 4 available ones.

Configure Aggregator High Availability so Aggregators will share the Agents load.
Question 15/25
You attempt to access the management UI to set the debugging mode for your Windows agent, but you get a "service unavailable" error. How can you accomplish the task?

From your agent CLI, modify C:\ProgramData\Guardicore\logs by adding "-v" to the module you want debugging information from.

Under the Agents screen, select the agent and override its configuration, then under Enforcement tick the button to enable verbose logging.

This is not possible without Management UI access.

From the local agent UI under Settings, check "Enable verbose logging" for the relevant modules.
Question 16/25
You want to move your Linux agent to verbose logging. What will you do?

From your agent CLI, modify the /etc/default/guardicore file by adding "-v" to the module you want debugging information from, save the file and then restart the module.

From the agent CLI, open /var/log/guardicore. Check the gc-enforcement-agent.log file and look for DEBUG messages in the log.

You will edit the aggregator.conf file and change the value of Debug from False to True and restart the relevant Aggregator service.

You will use: gc-set-debug "service" "true/false"

Question 17/25
You have multiple environments in your organization. You want to deploy agents with different modules active in each environment. How would you achieve this goal?

Not possible; agent installation is strict and cannot be modified, all agents are installed against the default value pre-configured in Centra.

Install all the agents together, with similar modules on/off. Then, from Centra UI → Agents screen, choose multiple agents that share the same environment and override the configuration. For every agent module, set the module mode manually.

In the Centra UI, create multiple "Agents → Installation Profiles", each with the relevant modules on/off. When deploying agents, use a different profile per environment.

The agents pull the active modules from the aggregator. For every aggregator in the cluster, enable/disable the aggregator roles to match each agent configuration based on the agent environment.
Question 18/25
You plan to upgrade multiple agents from v42 to the latest agent version, whose packages are loaded onto your Centra Management. You require the process not to depend on external systems other than Guardicore Centra. You would also like the process to be completed quickly. How would you achieve this?

From Centra UI → Agent installation instructions, use offline installation, and download the installation package file for every OS you have. Place the installation file in a shared repository in your environment and contact Guardicore support to assist in the rapid deployment of agents installation against the latest version from Centra.

Write an API automation script that will upgrade all the agents directly from the management.

Use the "Remote Agents Upgrade" feature from Centra UI. A Remote Upgrade History log will be created once the procedure is complete, with the status of all participating agents and their upgrade status.

From Agents Installation Instructions, choose the relevant Operating System, copy the instructions to Notepad and perform a manual installation on each agent. You should see the success/fail result immediately on each installation attempt.
Question 19/25
In a Centra environment that is connected to the KO cloud, the administrator would like to enable Guardicore Linux Agents KO update, so whenever there is a new KO fetch it will automatically update on the agent side. What would you suggest the admin do?

Contact Guardicore on a bi-weekly basis and query for new KOs.

Migrate the Management to SaaS.

Nothing to be done here. Agents are configured by default to automatically update the agent kernel module.

On the agent installation profile, or under agent override configuration, enable the automatic download option: "Enable automatic download of kernel module when available".
Question 20/25
You are coaching a junior Centra Administrator about enforcement modes. He wants to know the difference between Monitoring and Reveal Only modes. What would you tell him?

They are not similar; Monitoring mode does not record policy verdicts in the network log.

Reveal Only mode has the same functionality as Monitoring mode, except policy verdicts for this Agent do not appear in the Network log.

Monitoring mode allows the agent to enforce Alert and Block rules, and Violations will appear in the Reveal map, in the Incident screens, and in the Network log.

Reveal Only provides deep visibility for network flows and Monitoring does not.

Monitoring mode is like Disabled mode but enforces policies, while Reveal mode does not.
Question 21/25
You are attempting to configure off-corporate policy for your endpoints. You navigate to the Agents screen, choose an agent, click the More button, and select Override configuration. Under the Enforcement Module you check "Enable off-corporate policy". When trying to configure an allow rule for access to the internet outside your corporate network, you do not see the network profile to choose from. What is the likely reason the option is not displayed?

Your agents might not be running version v48.4.0, hence they cannot have the feature.

This is probably a bug, contact Guardicore Support.

Microsoft's Network Location Awareness is not enabled on the agent.

You do not have permissions to enable the feature.

You have not enabled the off-corporate policy on the endpoint from the System and Configuration menu.

Question 22/25
You have successfully deployed 50 new agents in your Data Center. The next day, you open Centra's UI and find the flag "Agent Missing" on some of the agents deployed. What is the meaning of that flag?

The Agent was installed with environment variables that represent an installation configuration that is no longer supported.

It usually happens when there is no connectivity to the Agent, or when the machine is turned off.

Recent Agent configuration changes were not applied to the Agent. Uninstall and reinstall the agent in order to fix this.

Nothing, this message is deprecated. It should be ignored.

Question 23/25
Administration lock prevents tampering with the agent by an unprivileged user. You access the Agents screen and cannot find the option to set the administration lock. How can you fix this issue, so you have it available from that screen?
From the agent command prompt, running the following command: gc-agents-service.exe --ctrl set-adminlock-state --args LOCKED

From the management server CLI, by running the following command: gc-mgmtctl setconf --group management --option enableagents_admin_lock --value true

From the management server CLI, by running the following command: gc-mgmtctl set conf --group management --option enableagents_admin_lock --value false

From the aggregator CLI, by running the following command: gc-monicore-ctrl set conf --group management --option enableagents_admin_lock --value true

Question 24/25
As senior Centra administrator you are tasked with mentoring new hires about the configuration of administration lock. What are the different ways of setting it up?

□ Editing the installation profile's agent controller relevant settings

□ From the Windows agent command prompt

□ From the Agents screen in the Guardicore UI

□ From the Windows agent local user interface

□ From the aggregator CLI running gc-monicore-ctrl --agent-controller

□ From the Linux agent CLI by editing the /etc/default/guardicore file

Question 25/25
Agents have 5 modules running. What are the roles associated with the controller module?

□ Redirect blocked connections for further analysis.

□ Monitoring and control of the agent's configuration.

□ In charge of Insight capabilities for running queries on agents.

□ Reporting visibility data collected by the agent to the management server.

□ Initiate a TCP connection to the aggregator on TCP port 443 using TLS 1.2.