Configuring IPtables

Nokia Firewalls require a TCP reset (rst) or a TCP acknowledge (ack) from IBM QRadar on port 256 before they forward syslog events.

About this task

The Nokia Firewall TCP request is an online status request that is designed to ensure that QRadar is online and able to receive syslog events. If a valid reset or acknowledge is received from QRadar, then Nokia Firewall begins forwarding events to QRadar on UDP port 514. By default, QRadar does not respond to any online status requests from TCP port 256.

You must configure IPtables on your QRadar Console or any Event Collector that receives Check Point events from a Nokia Firewall to respond to an online status request.

Procedure

  1. Using SSH, log in to QRadar as the root user.

    Login: root

    Password: <password>

  2. Type the following command to edit the IPtables file:

    vi /opt/qradar/conf/iptables.pre

    The IPtables configuration file is displayed.

  3. Type the following command to instruct QRadar to respond to your Nokia Firewall with a TCP reset on port 256:

    -A INPUT -s <IP address> -p tcp --dport 256 -j REJECT --reject-with tcp-reset

    Where <IP address> is the IP address of your Nokia Firewall. You must include a TCP reset for each Nokia Firewall IP address that sends events to your QRadar Console or Event Collector, for example,

    • -A INPUT -s <IP_address1>/32 -p tcp --dport 256 -j REJECT --reject-with tcp-reset

    • -A INPUT -s <IP_address2>/32 -p tcp --dport 256 -j REJECT --reject-with tcp-reset

    • -A INPUT -s <IP_address3>/32 -p tcp --dport 256 -j REJECT --reject-with tcp-reset

  4. Save your IPtables configuration.
  5. Type the following command to update IPtables in QRadar:

    /opt/qradar/bin/iptables_update.pl

  6. Repeat steps 1 - 5 to configure any additional QRadar Event Collectors that receive syslog events from a Nokia Firewall.

    You are now ready to configure your Nokia Firewall to forward events to QRadar.
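As an added example, not part of the IBM documentation or of QRadar itself, the helper below generates the step 3 rule for a list of Nokia Firewall addresses, rejects malformed addresses, and appends only rules that are not already present in the target file (the file path and the sample addresses are assumptions; on a real Console or Event Collector it would be /opt/qradar/conf/iptables.pre):

```shell
#!/bin/sh
# Added example (not IBM code): build the per-firewall TCP reset rules for
# iptables.pre without duplicating rules that are already in the file.

# Validate a dotted-quad IPv4 address: exactly four numeric octets, each 0-255.
valid_ipv4() {
  echo "$1" | awk -F. '
    NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
    { exit 1 }'
}

# Print the rule from step 3 for one Nokia Firewall address (as a /32 host).
nokia_rst_rule() {
  printf '%s\n' "-A INPUT -s $1/32 -p tcp --dport 256 -j REJECT --reject-with tcp-reset"
}

# Append one rule per address ($2...) to the file $1. Invalid addresses are
# reported on stderr and skipped; rules already in the file are not re-added.
# Prints the number of rules actually appended.
add_nokia_rules() {
  file=$1
  shift
  added=0
  touch "$file"
  for ip in "$@"; do
    if ! valid_ipv4 "$ip"; then
      echo "skipping invalid address: $ip" >&2
      continue
    fi
    rule=$(nokia_rst_rule "$ip")
    # -x matches the whole line, -F treats the rule as a literal string.
    if grep -qxF -- "$rule" "$file"; then
      continue
    fi
    printf '%s\n' "$rule" >> "$file"
    added=$((added + 1))
  done
  echo "$added"
}
```

After the file is updated with /opt/qradar/bin/iptables_update.pl, `iptables -L INPUT -n` should show one REJECT rule per firewall address, which is a quick way to confirm the change took effect before moving on to the firewall side.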