Adding another traffic monitoring interface to the QRadar Network Insights instance

Follow these steps to add more traffic monitoring interfaces to your IBM QRadar Network Insights (appliance type 6500) installation.

Procedure

  1. Create a network interface and add it to the QRadar Network Insights instance.

    For virtual hosts, the procedure for creating the network interface varies depending on which of the supported operating environments you are using. For more information, see the vendor documentation for your operating system.

  2. Use SSH to log in to the QRadar Console as the root user.
  3. From the QRadar Console, use SSH to connect to the QRadar Network Insights instance as the root user.
  4. Start the NetworkManager service:
    systemctl start NetworkManager
  5. Create the per-interface configuration file.
    nmcli conn add type ethernet con-name <interface name> ifname <interface name> ipv4.method disabled 802-3-ethernet.mtu 9001

    where <interface name> is the name of the interface that the configuration file applies to.

    In this example, the interface name is ens256.
    nmcli conn add type ethernet con-name ens256 ifname ens256 ipv4.method disabled 802-3-ethernet.mtu 9001
  6. Restart the hostcontext service.
    systemctl restart hostcontext
  7. Verify that the new interface is added to the device list file.
    cat /opt/qradar/conf/capabilities/device.list
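
The checks behind steps 5 to 7, written as a script. This is an added example, not part of the IBM procedure: it validates the interface name before it reaches nmcli, confirms that the connection profile has IPv4 disabled and an MTU of 9001, and looks for the name in the device list file. The function names, the allowed character set, and the assumption that device.list contains the interface name as a whole word are illustrative.

```shell
#!/bin/sh
# Added example, not IBM code. Run on the QRadar Network Insights host as root
# after steps 5 and 6. All function names here are hypothetical.

# Reject names that are unsafe to hand to nmcli. Linux caps interface names at
# 15 characters; the allowed character set is a conservative assumption.
valid_ifname() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Assumption: device.list contains the interface name as a whole word.
in_device_list() {
    [ -r "$2" ] && grep -qwF -- "$1" "$2"
}

# verify_interface <name> [device.list path]
# Returns 0 when the profile matches step 5 and the device is listed.
verify_interface() {
    ifname=$1
    list=${2:-/opt/qradar/conf/capabilities/device.list}
    valid_ifname "$ifname" || { echo "invalid interface name" >&2; return 2; }
    # -g prints only the requested property value of the connection profile.
    method=$(nmcli -g ipv4.method connection show "$ifname") || return 3
    mtu=$(nmcli -g 802-3-ethernet.mtu connection show "$ifname") || return 3
    if [ "$method" != "disabled" ] || [ "$mtu" != "9001" ]; then
        echo "$ifname: ipv4.method=$method mtu=$mtu, expected disabled/9001" >&2
        return 4
    fi
    in_device_list "$ifname" "$list" || {
        echo "$ifname not found in $list; check hostcontext" >&2
        return 5
    }
}

# Usage on the appliance: verify_interface ens256
```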

What to do next

Log in to QRadar and add a flow source for the new network interface. Ensure that the flow source is enabled.