Nokia Firewalls require a TCP reset (rst) or a TCP acknowledge (ack) from IBM QRadar on port 256 before they forward syslog events.
About this task
The Nokia Firewall TCP request is an online status request that is designed to ensure that QRadar is online and able to receive syslog events. If a valid reset or acknowledge is received from QRadar, then the Nokia Firewall begins forwarding events to QRadar on UDP port 514. By default, QRadar does not respond to any online status requests on TCP port 256.
You must configure IPtables on your QRadar Console or on any Event Collector that receives Check Point events from a Nokia Firewall to respond to an online status request.
Procedure
1. Using SSH, log in to QRadar as the root user.
   Login: root
   Password: <password>
2. Type the following command to edit the IPtables file:
   vi /opt/qradar/conf/iptables.pre
   The IPtables configuration file is displayed.
3. Type the following command to instruct QRadar to respond to your Nokia Firewall with a TCP reset on port 256:
   -A INPUT -s <IP address> -p tcp --dport 256 -j REJECT --reject-with tcp-reset
   Where <IP address> is the IP address of your Nokia Firewall. You must include a TCP reset rule for each Nokia Firewall IP address that sends events to your QRadar Console or Event Collector, for example:
   -A INPUT -s <IP_address1>/32 -p tcp --dport 256 -j REJECT --reject-with tcp-reset
   -A INPUT -s <IP_address2>/32 -p tcp --dport 256 -j REJECT --reject-with tcp-reset
   -A INPUT -s <IP_address3>/32 -p tcp --dport 256 -j REJECT --reject-with tcp-reset
4. Save your IPtables configuration.
5. Type the following command to update IPtables in QRadar:
   /opt/qradar/bin/iptables_update.pl
6. Repeat steps 1 - 5 to configure any additional QRadar Event Collectors that receive syslog events from a Nokia Firewall.
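When several Nokia Firewalls send events to one Console or Event Collector, the per-address rules above are easy to mistype or duplicate. The following POSIX shell script is an added example, not IBM's code or part of this procedure: it validates each firewall address, generates the REJECT rule in exactly the form shown above, and appends it to the IPtables file only if that rule is not already present, so it can be re-run safely. It assumes the rule text from this page and takes the target file as an argument (on a real system that is /opt/qradar/conf/iptables.pre); running /opt/qradar/bin/iptables_update.pl afterwards is still a separate step. Keeping the rule scoped to /32 source addresses, as the page does, means only the known firewalls receive a reset on port 256; all other sources are still handled by whatever the existing INPUT policy does.

```shell
#!/bin/sh
# Added example, not IBM's code: build the per-firewall REJECT rules from the
# procedure above. Each address is validated and a rule is appended only if the
# file does not already contain it, so the script can be re-run safely.
# Assumptions: the rule text is exactly the form the page shows; the target file
# is passed as an argument (the page's file is /opt/qradar/conf/iptables.pre).

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
  case $1 in
    *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
  esac
  # Split on dots and require exactly four octets.
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the IPtables rule for one Nokia Firewall address, in the page's form.
nokia_rst_rule() {
  printf '%s\n' "-A INPUT -s $1/32 -p tcp --dport 256 -j REJECT --reject-with tcp-reset"
}

# Append a rule for each address in $2.. to the file $1. Invalid addresses are
# reported on stderr and skipped; rules already in the file are skipped.
# Prints the number of rules added.
add_nokia_rules() {
  file=$1
  shift
  added=0
  for ip in "$@"; do
    if ! valid_ipv4 "$ip"; then
      echo "skipping invalid address: $ip" >&2
      continue
    fi
    rule=$(nokia_rst_rule "$ip")
    # -x: whole-line match, -F: literal text, --: the rule starts with a dash
    if [ -f "$file" ] && grep -qxF -- "$rule" "$file"; then
      continue
    fi
    printf '%s\n' "$rule" >> "$file"
    added=$((added + 1))
  done
  echo "$added"
}

# Usage on a QRadar host (then run /opt/qradar/bin/iptables_update.pl):
#   add_nokia_rules /opt/qradar/conf/iptables.pre 192.0.2.10 192.0.2.11
```

The addresses in the usage comment are constructed documentation addresses (192.0.2.0/24), not real firewalls; substitute the IP addresses of your own Nokia Firewalls.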
You are now ready to configure your Nokia Firewall to forward events to QRadar.