I'm using a Palo Alto (PA) 5050 as our PCAP device for the QRIF; we are using a QRadar 3105 all-in-one in conjunction with this. I have the DNA0 port connected into the span port on the PA and can see traffic being pushed from the PA to the QRIF. I can also see network activity on the QRadar web interface, but the forensics tab is not showing anything. We are not currently running SSL decrypt on the PA, so I know our traffic should be fairly small, but we are not currently receiving anything. I've tried to go into the QRIF and reconfig the wfConfig.xml file, but once I'm in the root directory for it (/opt/ibm/forensics/jobmanager/conf), the wfConfig.xml file doesn't exist... Was this something that was missed during the initial setup by us, or is this a file that we need to inject at this point?
Bottom line: the QRIF, QRadar and the PA are all connected and talking, but the QRIF isn't showing me any forensics being captured at all.
Thank you for any help.