Topic
  • 3 replies
  • Latest Post - 2015-08-27T13:12:55Z by TSilliman
jpowell07
2 Posts

Pinned topic Setup for non QRadar PCAP

2015-08-09T01:03:34Z

I'm using a Palo Alto (PA) 5050 as our PCAP device for the QRIF; we are using a QRadar 3105 all-in-one in conjunction with this. I have the DNA0 port connected into the span port on the PA and can see traffic being pushed from the PA to the QRIF. I can also see network activity on the QRadar web interface, but the forensics tab is not showing anything. We are not currently running SSL decrypt on the PA, so I know our traffic should be fairly small, but we are not currently receiving anything. I've tried to go into the QRIF and reconfigure the wfConfig.xml file, but once I'm in the root directory for it (/opt/ibm/forensics/jobmanager/conf) the wfConfig.xml file doesn't exist... Was this something that was missed during the initial setup by us, or is this a file that we need to inject at this point?

Bottom line: the QRIF, QRadar and the PA are all connected and talking, but the QRIF isn't showing me any forensics being captured at all.

Thank you for any help

 

  • TSilliman
    6 Posts

    Re: Setup for non QRadar PCAP

    2015-08-19T21:30:05Z

    Hello,

    I just noticed your post; were you able to get a response to your question? If not, please let me know and we can coordinate resources to get you an answer.

    Thanks - Tom

  • jpowell07
    2 Posts

    Re: Setup for non QRadar PCAP

    2015-08-20T01:08:30Z

    Tom,

    I haven't received a reply to this question yet.

    While reading through the QRIF info on the IBM portal I noted that it states we need to have PCAP software installed on the PCAP appliance... Our PA firewall is capable of doing PCAP capture inherently, so is the installation of the PCAP software necessary for the PA to talk to the QRIF effectively?

    v/r,

    Jeff

  • TSilliman
    6 Posts

    Re: Setup for non QRadar PCAP

    2015-08-27T13:12:55Z

    Tom,

    I haven't received a reply to this question yet.

    While reading through the QRIF info on the IBM portal I noted that it states we need to have PCAP software installed on the PCAP appliance... Our PA firewall is capable of doing PCAP capture inherently, so is the installation of the PCAP software necessary for the PA to talk to the QRIF effectively?

    v/r,

    Jeff

    Jeff,

    Our PCAP devices ship as an appliance. My understanding is that other capture devices, like your PA, can be used, but some programming to get them communicating through the APIs would be necessary. For the time being you can export PCAPs from the PA to be digested in QRIF so that you can start getting an understanding of the capabilities of the software.

    Can you please reference the spot you are speaking about in the IBM portal so I can make sure I fully understand and get back to you with a more complete answer as to what your options are?

    Thanks - Tom
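Tom's interim suggestion is to export capture files from the firewall and feed them to QRIF by hand. Before doing that it is worth checking that each export is a well-formed classic libpcap file (not pcapng, not cut off mid-record), since a forensics tool that silently rejects or partially reads a file looks exactly like the "connected but nothing in the forensics tab" symptom in the opening post. The following parser is an added example written for this thread; it is not code from IBM, Palo Alto or the QRIF product, and it assumes only the public libpcap file layout (24-byte global header, 16-byte record headers). The two-packet capture it builds is constructed inline for demonstration.

```python
"""Sanity-check a PCAP export before handing it to a forensics tool.

Parses the classic libpcap format (global header + per-packet records),
reports link type, packet count and truncated records, and rejects
pcapng or unknown formats with a clear message.
"""
import struct
import sys
from typing import NamedTuple

PCAP_MAGIC_US = 0xA1B2C3D4   # libpcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # libpcap, nanosecond timestamps
PCAPNG_BLOCK = 0x0A0D0D0A    # first block type of a pcapng file (byte-order independent)
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


class PcapSummary(NamedTuple):
    link_type: int          # e.g. 1 = LINKTYPE_ETHERNET, what a SPAN port feed should show
    snaplen: int
    packets: int            # complete records found
    bytes_captured: int
    truncated_packets: int  # records whose incl_len < orig_len (snapped on capture)
    trailing_bytes: int     # bytes after the last complete record (file cut short)


def detect_format(data: bytes) -> str:
    """Return 'pcap-le', 'pcap-be', 'pcapng' or 'unknown' from the first 4 bytes."""
    if len(data) < 4:
        return "unknown"
    magic_le, = struct.unpack("<I", data[:4])
    magic_be, = struct.unpack(">I", data[:4])
    if magic_le == PCAPNG_BLOCK:
        return "pcapng"
    if magic_le in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        return "pcap-le"
    if magic_be in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        return "pcap-be"
    return "unknown"


def parse_pcap(data: bytes) -> PcapSummary:
    kind = detect_format(data)
    if kind == "pcapng":
        raise ValueError("pcapng file, not classic libpcap; convert before ingesting")
    if kind == "unknown":
        raise ValueError("not a libpcap file (unrecognised magic)")
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("shorter than a pcap global header")
    endian = "<" if kind == "pcap-le" else ">"
    # version_major, version_minor, thiszone, sigfigs, snaplen, network
    _vmaj, _vmin, _tz, _sig, snaplen, link_type = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR_LEN])

    offset = GLOBAL_HDR_LEN
    packets = bytes_captured = truncated = 0
    while offset < len(data):
        if len(data) - offset < RECORD_HDR_LEN:
            break  # partial record header: file was cut off
        _ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HDR_LEN])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(
                f"corrupt record at offset {offset}: incl_len={incl_len} "
                f"orig_len={orig_len} snaplen={snaplen}")
        if len(data) - offset - RECORD_HDR_LEN < incl_len:
            break  # record body missing: file was cut off
        offset += RECORD_HDR_LEN + incl_len
        packets += 1
        bytes_captured += incl_len
        if incl_len < orig_len:
            truncated += 1
    return PcapSummary(link_type, snaplen, packets, bytes_captured,
                       truncated, len(data) - offset)


def build_sample_pcap() -> bytes:
    """Constructed two-frame Ethernet capture for demonstration (not a real PA export)."""
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, 1)
    frame = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
             + b"\x08\x00" + b"\x00" * 46)                       # 60-byte frame
    rec1 = struct.pack("<IIII", 1439082214, 0, len(frame), len(frame)) + frame
    rec2 = struct.pack("<IIII", 1439082215, 0, 40, 1500) + frame[:40]  # snapped frame
    return global_hdr + rec1 + rec2


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    summary = parse_pcap(raw)
    print(summary)
    if summary.trailing_bytes:
        print(f"WARNING: {summary.trailing_bytes} trailing bytes, export was cut short")
```

Run it as `python check_pcap.py export.pcap`; with no argument it parses the constructed sample. A non-zero `trailing_bytes` means the export stopped mid-record (for example a copy interrupted before the firewall finished writing), and a `link_type` other than 1 means the capture is not plain Ethernet frames, which is the first thing to compare against what the forensics tool expects from its SPAN feed.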