Hello everyone,
We’re supporting a customer running IBM QRadar, and we’re looking for clarification on the behavior of the Managed Host encryption options.
Context
For a specific technical requirement, the customer attempted to disable the following options from the Managed Host settings:
- Encrypted Tunnel (OpenSSH)
- Encryption / Compression
Observed Behavior
Although the QRadar administrator confirmed that encryption was turned off, our packet capture analysis shows the following:
- All traffic between Event Collector (EC) and Event Processor (EP) is still transmitted over SSH (TCP port 22), which indicates that the OpenSSH tunnel is still active.
- We expected that disabling the encryption options would result in direct TCP communication over QRadar’s internal port ranges rather than SSH.
- Even if QRadar applies encryption at the application or payload level, the transport layer should still appear as plain TCP.
Seeing SSH at the transport level strongly suggests that the OpenSSH tunnel has not been disabled.
Questions
- Do the Managed Host encryption settings actually disable the OpenSSH tunnel, or do they only affect payload-level encryption/compression inside the SSH tunnel?
- Is there any supported method to force non-SSH TCP communication between EC and EP for controlled testing or inspection?
- If OpenSSH cannot be disabled by design, is this behavior expected and documented, and are there recommended alternatives for traffic visibility?
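An added check to reproduce the observation above from the host side rather than from a packet capture; this is example code written for this reply, not part of the original post or of QRadar. It assumes the EC's socket table in the shape of `ss -tn` output (constructed sample below; the addresses and the non-22 port are made up) and reports, per peer, whether every established connection terminates on TCP 22 (tunnelled) or on some other port (direct TCP).

```python
from collections import defaultdict

# Constructed sample in the shape of `ss -tn` run on the Event Collector.
# 10.0.2.20 stands in for the Event Processor; 10.0.3.30 is an unrelated
# peer added so the non-SSH branch is exercised. Not real QRadar ports.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      10.0.1.10:41230      10.0.2.20:22
ESTAB  0      0      10.0.1.10:41232      10.0.2.20:22
ESTAB  0      0      10.0.1.10:52010      10.0.3.30:514
ESTAB  0      0      10.0.1.10:41240      10.0.2.20:22
"""

SSH_PORT = 22


def parse_ss(output):
    """Return (local_ip, local_port, peer_ip, peer_port) for each ESTAB row.

    Only established TCP rows are kept; the header and any other state
    (LISTEN, TIME-WAIT, ...) are skipped. rsplit on ':' keeps IPv6 intact.
    """
    flows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "ESTAB":
            continue
        l_ip, l_port = parts[3].rsplit(":", 1)
        p_ip, p_port = parts[4].rsplit(":", 1)
        flows.append((l_ip, int(l_port), p_ip, int(p_port)))
    return flows


def classify_peer_transport(flows, peer_ip):
    """Summarise how this host reaches peer_ip.

    all_over_ssh is True only when there is at least one flow to the peer
    and none of them uses a port other than 22, i.e. the situation the
    packet capture in the post describes.
    """
    ssh_flows = 0
    direct_ports = defaultdict(int)
    for _, _, p_ip, p_port in flows:
        if p_ip != peer_ip:
            continue
        if p_port == SSH_PORT:
            ssh_flows += 1
        else:
            direct_ports[p_port] += 1
    return {
        "ssh_flows": ssh_flows,
        "direct_ports": dict(direct_ports),
        "all_over_ssh": ssh_flows > 0 and not direct_ports,
    }
```

Run it against real `ss -tn` output from the EC after changing the Managed Host settings; if `all_over_ssh` stays True for the EP's address, the tunnel is still carrying the traffic regardless of what the UI reports.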