Installing a QRadar data gateway on Google Cloud Platform

You connect to IBM® QRadar® on Cloud through a data gateway. You can install the data gateway on a Google Cloud Platform (GCP) instance by using the provided image.

Before you begin

Ensure that your appliance meets the data gateway system requirements. See System requirements for data gateways.

Schedule a maintenance window for this task and ensure that users do not deploy changes while the data gateway is being added to your deployment.

Ensure that you have the full host name of the Console that you connect to through your gateway appliance.

About this task

For any issues with QRadar software, engage IBM Support. If you experience any problems with GCP infrastructure, refer to GCP documentation. If IBM Support determines that your issue is caused by the GCP infrastructure, you must contact GCP for support to resolve the underlying issue with the GCP infrastructure.

You must use static private and public IP addresses.

Data gateways must be installed one at a time. If you are installing more than one data gateway, wait until you complete installation of one before you install the next one.

You cannot have more than two DNS entries. QRadar installation fails if you have more than two DNS entries in the /etc/resolv.conf file.

Procedure

  1. Create a project name in GCP that allows for a fully qualified domain name (FQDN) to be no more than 63 characters long. The FQDN consists of the deployment name followed by -vm, the zone, the region, the project name, and .internal.

    For example, if your project name is abc-stq-xyz, the appliance deployment name is qr-con, the zone is us-east4-c, and the region is c, the FQDN is qr-con-vm.us-east4-c.c.abc-stq-xyz.internal. The zone can be between 10 and 25 characters long. Depending on the zone, this leaves somewhere between 25 and 40 characters to be split between your project name and your deployment name.

  2. In the project that you created in step 1, configure your network interface.
    1. Click Google Cloud Platform > VPC network > VPC networks.
      ©2019 Google LLC, used with permission. Google and the Google logo are registered trademarks of Google LLC.
    2. Click CREATE VPC NETWORK.
    3. Give your network a name, and configure the settings as needed. Set DNS server policy to No server policy.
    4. Click Create.
  3. Add an SSH key to the project if you haven't already done so. The key must be created for a user called cloud-user.
    1. Click Google Cloud Platform > Compute Engine > Metadata.
      ©2019 Google LLC, used with permission. Google and the Google logo are registered trademarks of Google LLC.
    2. Click SSH Keys.
    3. Click Edit.
    4. Click Add item.
    5. Enter an SSH key, followed by cloud-user.
    6. Click Save.
  4. Download the QRadar 7.5.0 UP7 virtual appliance image from the IBM Fix Central website: https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+Security+QRadar+SIEM&fixids=7.5.0-UP7-CMP-GoogleCloud-SingleImage-QRADAR-202309270935&function=fixId&parent=IBM%20Security
    1. Download the image and the .sig files. The download can take a few hours.
    2. Use the .sig file to verify the integrity of the downloaded image. For more information, see How to validate downloads from IBM Fix Central are trusted and code signed.
  5. Go to Google Cloud and upload the image file to Google Cloud Storage. The upload can take up to an hour.
    Attention: Do not rename the image file. Renaming the image can cause the import to fail.
  6. Run the following command in Google Cloud Shell to import raw image to your GCP account. 
    gcloud compute images create <IMAGE NAME> --project=<GCP PROJECT NAME> --source-uri gs://<BUCKET NAME>/<RAW FILE PATH> --guest-os-features=MULTI_IP_SUBNET,UEFI_COMPATIBLE
    The import process can take up to an hour.
  7. Go to Navigation Menu > Computer Engine > Images, select the image that you imported, and then click Create Instance.
  8. Set a deployment name for the appliance that allows for a fully qualified domain name (FQDN) to be no more than 63 characters long. The FQDN consists of the deployment name, the zone, the project name, and .internal.

    For example, if your project name is abc-stq-xyz, the appliance deployment name is qr-con, the zone is us-east4-c, and the region is c, the FQDN is qr-con-vm.us-east4-c.c.abc-stq-xyz.internal. The zone can be between 10 and 25 characters long. Depending on the zone, this leaves somewhere between 25 and 40 characters to be split between your project name and your deployment name.

  9. Select the zone that your project is in.
  10. Select a Machine Type that meets the minimum system requirements.
    For more information, see QRadar on Cloud onboarding.
  11. Select the network interface that you created.
  12. Set the firewall rules for your appliance that allow ports 22 and 443 only from trusted IP addresses to create an allowlist of IP addresses that can access your QRadar deployment.
    In a QRadar deployment with multiple appliances, other ports might also be allowed between managed hosts. For more information about what ports might need to be allowed in your deployment, see Common ports and servers used by QRadar.
  13. Check I accept the GCP Marketplace Terms of Service.
  14. Click Deploy.
  15. Set a static IP address for your appliance.
    1. Click Google Cloud Platform > Compute Engine > VM instances.
    2. Select your appliance from the list.
    3. Click Edit.
    4. Edit the network interface.
      • Set the Internal IP type parameter to Static and reserve a new IP address.
      • Select or create a static External IP address.
    5. Click Done.
  16. When the instance is ready, log in using SSH and your key pair by typing the following command: 
    ssh -i <key.pem> cloud-user@<public_IP_address>
  17. To check the length of your FQDN, type the following command: 
    hostname -f | wc -c
    If the command returns a value greater than 63, installation fails. Restart this procedure with a shorter virtual machine name.
  18. Type the following command: 
    sudo /root/setup_mh 7000
  19. The system prompts you to set a root password. The password must meet the following criteria:
    • Contains at least 5 characters
    • Contains no spaces
    • Includes one or more of the following special characters: @, #, ^, and *.

    You cannot change this password until after the installation process is complete. The root password is also the gateway host password.

  20. Upgrade the data gateway to the same version of QRadar as your Console.
    1. Log in to the Console.
    2. To find the version of QRadar that the Console is at, click the navigation menu (), and then click About.
    3. Download the SFS file for the version of QRadar that the Console is at from Fix Central (https://www.ibm.com/support/fixcentral).
    4. Copy the software update SFS file to your data gateway.
    5. If you have disconnected from your ssh session, use ssh to log back in to your data gateway.
    6. On your data gateway, move the SFS file to the /storetmp directory by typing the following command: 
      sudo mv <version_number>_QRadar_patchupdate-<full_version_number>.sfs /storetmp
    7. Open the superuser shell by typing the following command: 
      sudo su -
    8. Create the /media/updates directory by typing the following command: 
      mkdir /media/updates
    9. Mount the SFS file by typing the following command: 
      mount -o loop -t squashfs /storetmp/<version_number>_QRadar_patchupdate-<full_version_number>.sfs /media/updates
    10. Run the software update installer by typing the following command: 
      /media/updates/installer
  21. Use the QRadar on Cloud Self Serve app to generate a token for your data gateway and allowlist the data gateway's IP address. For more information, see Access management to the console.
  22. After you receive your token:
    1. If you have disconnected from your ssh session, use ssh to log back in to your data gateway.
    2. Because the appliance restarted after the previous step, open the superuser shell again by typing the following command: 
      sudo su -
    3. To mitigate a known issue with an intermittent connection, type the following command on the newly added data gateway: 
      mkdir /etc/systemd/system/tunnel-monitor.service.d/; printf "[Service]\nExecStart=\nExecStart=/bin/true\n" > /etc/systemd/system/tunnel-monitor.service.d/override.conf; chmod 644 /etc/systemd/system/tunnel-monitor.service.d/override.conf; systemctl daemon-reload
    4. To finish the initial data gateway setup, type the following command: 
      /opt/qradar/bin/setup_qradar_host.py mh_setup interactive -p
  23. Exit the superuser shell by typing the following command: 
    exit

What to do next

Editing a target processor for your data gateway