QRadar Network Insights installations on Google Cloud

To deploy QRadar Network Insights on Google Cloud, follow this procedure.

  1. Verify that your virtual appliance meets the minimum system requirements.

    Verify that the instance that you plan to install can support the flow inspection level that you want to achieve.

  2. Install the QRadar components by using the IBM QRadar SIEM image on Fix Central or Google Cloud Marketplace.

    Install a QRadar Console and a QRadar Network Insights managed host. Other managed hosts, such as flow processors, are optional. For more information about how to install QRadar components on Google Cloud, see Configuring a QRadar 7.5.0 UP7 virtual appliance on Google Cloud Platform.

  3. Add the QRadar Network Insights managed host to the QRadar Console.
  4. Configure the flow sources.
  5. Configure a traffic mirroring session.
  6. Verify that the deployment is receiving flow data.

System requirements for QRadar Network Insights installations on Google Cloud

To prepare for the IBM QRadar Network Insights installation, verify that your virtual appliance meets the minimum system requirements.

The QRadar Network Insights instance must meet the following requirements:

Processor: 8 cores (minimum)
  Tip: Reference the core value, not the CPU value.

Memory: 64 GB (minimum)

Storage: QRadar Network Insights requires two SSD persistent disks:

  • 1 x 98 GiB (OS and software)
  • 1 x 250 GiB (data)

Networking: QRadar Network Insights requires a minimum of two network interfaces:

  • One management interface (nic0)
  • One monitoring interface (nic1)

The 98 GiB volume for the OS and software is configured automatically by the QRadar image. You must configure the additional 250 GiB data volume manually.

Warning: You cannot increase storage after installation or add network interfaces after the instance is created.

For larger compute-optimized (CPU) machine types, you can deploy the instance with additional monitoring interfaces.

Important: The primary internal IPv4 addresses of the management and monitoring interfaces must be static internal IPv4 addresses (not shared).

External IPv4 addresses are not required.

Google Cloud Platform requires each additional network interface to be located in a separate VPC network, and the subnet IP ranges of those networks must not overlap. For more information, see Multiple network interfaces (https://cloud.google.com/vpc/docs/multiple-interfaces-concepts).

Set the maximum transmission unit (MTU) of the VPC network that is attached to the monitoring interface to 8896, the largest value that Google Cloud supports. The MTU is a property of the VPC network, not of the interface.

Enable packet mirroring in Google Cloud Platform to forward network traffic to the IBM QRadar Network Insights instance. Configure packet mirroring to send traffic to a non-default interface of the QRadar Network Insights VM instance (for example, nic1 or nic2), never to the management interface. For more information, see Use packet mirroring (https://cloud.google.com/vpc/docs/using-packet-mirroring).

VPC Firewall Rules

The VPC assigned to the management interface must have firewall rules to allow inbound SSH, outbound NetFlow, and messaging connections between the QRadar Network Insights host and the QRadar Console and any additional flow collectors or processors.

The VPC Firewall policy assigned to the monitoring interfaces must have the correct rules to allow the mirrored traffic from the source networks. For more information, see Use packet mirroring (https://cloud.google.com/vpc/docs/using-packet-mirroring).
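
The following script is an added example and is not part of the IBM page or of the QRadar product. It provisions, with the gcloud CLI, the networking that the requirements above describe: a dedicated management VPC for nic0, a collector subnet for nic1 in the VPC that carries the monitored workloads (Packet Mirroring requires the mirrored sources and the collector to be in the same or a peered VPC), the 8896 MTU, the allowlist firewall rules, and a packet-mirroring policy pointing at an internal passthrough Network Load Balancer that fronts the monitoring interface. Every resource name, the project name (taken from the page's FQDN example), the trusted admin range 203.0.113.0/24 (an RFC 5737 documentation range), the existing monitored VPC app-vpc with subnet app-subnet, the instance name qni-vm, and the load-balancer flags are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the IBM page: provision the management and monitoring
# networking for a QNI collector on Google Cloud. All resource names, the trusted admin
# range (203.0.113.0/24, RFC 5737), the monitored VPC app-vpc/app-subnet and the
# instance name qni-vm are assumptions; change them for your project.
set -u
GCLOUD="${GCLOUD:-gcloud}"              # override (for example GCLOUD=echo) for a dry run

PROJECT="${PROJECT:-abc-stq-xyz}"       # project name from the page's FQDN example
REGION="${REGION:-us-east4}"
ZONE="${ZONE:-us-east4-c}"
QNI_VM="${QNI_VM:-qni-vm}"              # assumed name of the QNI instance (nic1 in app-vpc)
TRUSTED_RANGE="${TRUSTED_RANGE:-203.0.113.0/24}"  # constructed admin allowlist
MGMT_RANGE="${MGMT_RANGE:-10.10.0.0/24}"          # assumed management subnet for QRadar hosts
MON_RANGE="${MON_RANGE:-10.20.0.0/24}"            # assumed subnet for the QNI monitoring interface

# nic0 gets its own VPC; nic1 joins the VPC that carries the monitored workloads.
# Additional interfaces must live in separate VPCs with non-overlapping ranges, and
# the MTU is a property of the VPC, so the monitored VPC is raised to 8896.
create_networks() {
  $GCLOUD compute networks create qni-mgmt --project="$PROJECT" --subnet-mode=custom
  $GCLOUD compute networks subnets create qni-mgmt-sub --project="$PROJECT" \
    --network=qni-mgmt --region="$REGION" --range="$MGMT_RANGE"
  $GCLOUD compute networks update app-vpc --project="$PROJECT" --mtu=8896
  $GCLOUD compute networks subnets create qni-mon-sub --project="$PROJECT" \
    --network=app-vpc --region="$REGION" --range="$MON_RANGE"
}

create_firewall_rules() {
  # Management VPC: SSH and HTTPS only from the trusted range (the allowlist of step 10).
  $GCLOUD compute firewall-rules create qni-mgmt-admin --project="$PROJECT" \
    --network=qni-mgmt --direction=INGRESS --action=ALLOW \
    --rules=tcp:22,tcp:443 --source-ranges="$TRUSTED_RANGE" --target-tags=qradar
  # Console, flow processors and QNI talk to each other on the management VPC; narrow
  # --rules to the ports listed in "Common ports and servers used by QRadar".
  $GCLOUD compute firewall-rules create qni-mgmt-internal --project="$PROJECT" \
    --network=qni-mgmt --direction=INGRESS --action=ALLOW \
    --rules=all --source-tags=qradar --target-tags=qradar
  # Monitored VPC: mirrored packets keep their original source addresses (including
  # internet peers of the mirrored VMs), so the rule is scoped by target tag rather than
  # by source range. It also admits Google's health-check probes to the collector.
  $GCLOUD compute firewall-rules create qni-mon-mirror --project="$PROJECT" \
    --network=app-vpc --direction=INGRESS --action=ALLOW \
    --rules=all --source-ranges=0.0.0.0/0 --target-tags=qni-collector
}

# Packet Mirroring delivers to an internal passthrough Network Load Balancer whose
# forwarding rule is marked as a mirroring collector; the QNI monitoring interface is
# its only backend. The load-balancer flags follow Google's collector requirements and
# are part of this example's assumptions.
create_mirroring() {
  $GCLOUD compute instance-groups unmanaged create qni-collectors \
    --project="$PROJECT" --zone="$ZONE"
  $GCLOUD compute instance-groups unmanaged add-instances qni-collectors \
    --project="$PROJECT" --zone="$ZONE" --instances="$QNI_VM"
  $GCLOUD compute health-checks create tcp qni-hc --project="$PROJECT" --port=22
  $GCLOUD compute backend-services create qni-collector-bes --project="$PROJECT" \
    --region="$REGION" --load-balancing-scheme=INTERNAL --protocol=TCP \
    --network=app-vpc --health-checks=qni-hc
  $GCLOUD compute backend-services add-backend qni-collector-bes --project="$PROJECT" \
    --region="$REGION" --instance-group=qni-collectors --instance-group-zone="$ZONE"
  $GCLOUD compute forwarding-rules create qni-collector-fr --project="$PROJECT" \
    --region="$REGION" --load-balancing-scheme=INTERNAL --network=app-vpc \
    --subnet=qni-mon-sub --ip-protocol=TCP --ports=ALL \
    --backend-service=qni-collector-bes --is-mirroring-collector
  $GCLOUD compute packet-mirrorings create qni-mirror --project="$PROJECT" \
    --region="$REGION" --network=app-vpc --mirrored-subnets=app-subnet \
    --collector-ilb=qni-collector-fr
}

main() { create_networks; create_firewall_rules; create_mirroring; }
if [ "${QNI_APPLY:-0}" = 1 ]; then main; fi
```

Run it as `QNI_APPLY=1 PROJECT=<your-project> sh qni-gcp-net.sh` after the QNI instance exists with the qradar and qni-collector network tags; `GCLOUD=echo QNI_APPLY=1 sh qni-gcp-net.sh` prints the commands without creating anything. Create the management VPC and its firewall rules before the instance, and the collector instance group, load balancer and mirroring policy afterwards.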

Deployment architecture

The following image shows the traffic flow in a deployment that includes two QRadar Network Insights mirror targets. One QRadar Network Insights instance is used as a flow source for a Flow Processor, while the other instance sends network traffic directly to the QRadar Console.

Figure 1. Example of a QRadar Network Insights deployment on Google Cloud Platform

Installation reference

The following screenshot shows the Advanced options section of the Create an instance page from the Google Cloud Console where the Network performance configuration and Disks sections are located.

Figure 2. Create an instance page on the Google Cloud Console

Configuring a QRadar 7.5.0 UP7 virtual appliance on Google Cloud Platform

Configure an IBM QRadar SIEM virtual appliance on a Google Cloud Platform (GCP) instance by using the provided image.

Before you begin

Acquire entitlement to a QRadar Software Node for any QRadar instance that is deployed from a third-party cloud marketplace. Entitlement to the software node must be in place before you deploy the QRadar instance. To acquire entitlement to a QRadar Software Node, contact your QRadar Sales Representative.

For any issues with QRadar software, engage IBM® Support. If you experience any problems with GCP infrastructure, refer to GCP documentation. If IBM Support determines that the GCP infrastructure is causing your issue, you must contact GCP for support to resolve the underlying issue with the GCP infrastructure.

Important: You must use static IP addresses.
Important: You cannot have more than two DNS entries. If you have more than two DNS entries in the /etc/resolv.conf file, the QRadar installation fails.

If you are installing a data gateway for QRadar on Cloud, see Installing a QRadar data gateway in Google Cloud Platform (https://www.ibm.com/support/knowledgecenter/en/SSKMKU/com.ibm.qradar.doc_cloud/t_hosted_gcp_image.html).

  1. Create a project name that allows for a fully qualified domain name (FQDN) of no more than 63 characters. The FQDN consists of the deployment name followed by -vm, the zone, the fixed label c, the project name, and .internal.

    For example, if your project name is abc-stq-xyz, the appliance deployment name is qr-con, and the zone is us-east4-c, the FQDN is qr-con-vm.us-east4-c.c.abc-stq-xyz.internal (43 characters). The fixed parts (-vm, the c label, .internal and the four dots) take 16 characters, and zone names are between 10 and 25 characters long. Depending on the zone, this leaves between 22 and 37 characters to be split between your project name and your deployment name.

  2. In the project that you created in step 1, configure your network interface.
    1. Click Google Cloud Platform > VPC network > VPC networks.
    2. Click the CREATE VPC NETWORK option.
    3. Give your network a name, and configure the settings as needed. Set the DNS server policy field to No server policy.
    4. Click Create.
  3. Add an SSH key to the project. The key must be created for a user called cloud-user.
    1. Click Google Cloud Platform > Compute Engine > Metadata.
    2. Click SSH Keys.
    3. Click Edit.
    4. Click Add item.
    5. Enter an SSH key, followed by cloud-user.
    6. Click Save.

Procedure

  1. Download the QRadar 7.5.0 UP7 virtual appliance image from the IBM Fix Central website: https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+Security+QRadar+SIEM&fixids=7.5.0-UP7-CMP-GoogleCloud-SingleImage-QRADAR-202309270935&function=fixId&parent=IBM%20Security
    1. Download the image and the .sig files. The download can take a few hours.
    2. Use the .sig file to verify the integrity of the downloaded image. For more information, see How to validate downloads from IBM Fix Central are trusted and code signed.
  2. Go to Google Cloud and upload the image file to Google Cloud Storage. The upload can take up to an hour.
    Attention: Do not rename the image file. Renaming the image can cause the import to fail.
  3. Run the following command in Google Cloud Shell to import raw image to your GCP account.
    gcloud compute images create <IMAGE NAME> --project=<GCP PROJECT NAME> --source-uri gs://<BUCKET NAME>/<RAW FILE PATH> --guest-os-features=MULTI_IP_SUBNET,UEFI_COMPATIBLE
    The import process can take up to an hour.
  4. Go to Navigation Menu > Compute Engine > Images, select the image that you imported, and then click Create Instance.
  5. Set a deployment name for the appliance that allows for a fully qualified domain name (FQDN) of no more than 63 characters. The FQDN consists of the deployment name followed by -vm, the zone, the fixed label c, the project name, and .internal.

    For example, if your project name is abc-stq-xyz, the appliance deployment name is qr-con, and the zone is us-east4-c, the FQDN is qr-con-vm.us-east4-c.c.abc-stq-xyz.internal (43 characters). The fixed parts (-vm, the c label, .internal and the four dots) take 16 characters, and zone names are between 10 and 25 characters long. Depending on the zone, this leaves between 22 and 37 characters to be split between your project name and your deployment name.

  6. Select the zone that your project is in.
  7. Select a Machine Type that meets the system requirements. For more information, see System requirements for virtual appliances.
  8. Select the required Boot Disk Type and set the Boot Disk Size to 98 GB. Compute Engine sizes disks in binary gigabytes, so this matches the 98 GiB OS volume in the system requirements.
  9. Select the network interface that you created.
  10. Set firewall rules for your appliance that allow ports 22 and 443 only from trusted IP addresses, so that only an allowlist of addresses can reach your QRadar deployment.
    In a QRadar deployment with multiple appliances, other ports must also be allowed between managed hosts. For more information about which ports might need to be allowed in your deployment, see Common ports and servers used by QRadar.
  11. If prompted, check the I accept the GCP Marketplace Terms of Service field.
  12. Click Deploy.
  13. Set the Firewalls and Additional Disks fields.
    1. Click Google Cloud Platform > Compute Engine > VM instances.
    2. Select your appliance from the list.
    3. Click Edit.
    4. In the Firewalls section, check Allow HTTP traffic and Allow HTTPS traffic. These check boxes only add the http-server and https-server network tags to the instance; in the default VPC network those tags match rules that allow ports 80 and 443 from any address, so the allowlist rules from step 10 remain the control that restricts access.
    5. Set the Additional disks.
      • In the Additional disks section, click ADD NEW DISK.
      • In the Disk settings section, select proper Disk type.
      • Estimate your storage needs and then enter a size in GiB. The minimum size is 250 GiB.
      • In the Deletion rule field, check Delete disk. The data volume is then deleted together with the instance; choose Keep disk if the flow data must outlive the VM.
      • Click SAVE.
    6. Click SAVE in the main edit page.
  14. When the instance is ready, log in by using SSH and your key pair by typing the following command. Use the external address if you assigned one, or the internal address when you connect from inside the VPC:
    ssh -i <key.pem> cloud-user@<IP_address>
  15. Type the following command to check the length of your FQDN (the tr command drops the trailing newline so that wc counts only the name):
    hostname -f | tr -d '\n' | wc -c
    If the command returns a value greater than 63, the installation process fails. Restart this procedure with a shorter deployment name.
  16. Verify that there are no more than two DNS entries for the instance by typing the following command:
    grep nameserver /etc/resolv.conf | wc -l
    If the command returns 3 or more entries, edit /etc/resolv.conf to remove all but two of the entries before you proceed to the next step. You can add the entries back after installation is complete.
  17. To install the appliance, type the following command, where <appliance_id> is the ID of the appliance type from the following table:
    sudo /root/setup <appliance_id>
    For example, to deploy an Event Collector, type the following command (use 6500 for a QRadar Network Insights managed host and 3199 for the QRadar Console):
    sudo /root/setup 1599
    Appliance Type ID   Appliance type
    1299                Flow Collector
    1400                Data Collector
    1599                Event Collector
    1699                Event Processor
    1799                Flow Processor
    1899                Event and Flow Processor
    3199                QRadar SIEM All-in-One (QRadar Console)
    4000                QRadar AppHost
    6500                QRadar Network Insights
    7000                Event collectors, flow collectors, and data gateways
  18. Enter a password for the admin account. Set a strong password that meets the following criteria.
    • Contains at least 5 characters
    • Contains no spaces
    • Can include the following special characters: @, #, ^, and *.
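
The following script is an added example and is not part of the IBM page or of the QRadar product. It turns the manual checks of the procedure above into functions: verify_image covers the signature check of step 1, expected_fqdn and fqdn_fits compute the internal DNS name from the names you intend to use so that the 63-character limit of steps 1 and 5 is caught before the instance is created, check_live_fqdn and nameservers_ok are the on-instance checks of steps 15 and 16, and preflight runs them together. Assumptions: the .sig file is an RSA signature over SHA-256 that is verified with IBM's public key saved as ibm-fixcentral-pub.pem (check the IBM Fix Central validation page for the current key and scheme), and the instance name is the deployment name followed by -vm, as the page states.

```shell
#!/bin/sh
# Added example, not part of the IBM page: pre-flight checks for the QRadar on
# Google Cloud procedure. Assumptions: RSA/SHA-256 .sig verified with IBM's public key
# (file name ibm-fixcentral-pub.pem is an assumption); instance name = deployment + "-vm".
set -u

verify_image() {  # verify_image IMAGE IMAGE.sig PUBKEY.pem  -> 0 only on "Verified OK"
  for f in "$1" "$2" "$3"; do
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
  done
  openssl dgst -sha256 -verify "$3" -signature "$2" "$1"
}

# Zonal internal DNS on Google Cloud: NAME.ZONE.c.PROJECT.internal (the c label is fixed).
expected_fqdn() {  # expected_fqdn DEPLOYMENT ZONE PROJECT
  printf '%s-vm.%s.c.%s.internal' "$1" "$2" "$3"
}

fqdn_fits() {  # 0 when the name is at most 63 characters
  [ "${#1}" -le 63 ]
}

# Same test as step 15 on the bare name; "hostname -f | wc -c" also counts the
# trailing newline, so it reports one more than the real length.
check_live_fqdn() {
  fqdn_fits "$(hostname -f)"
}

count_nameservers() {  # count_nameservers RESOLV_CONF -> number of nameserver lines
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
  grep -c '^nameserver[[:space:]]' "$1" || true   # grep -c exits 1 on zero matches
}

nameservers_ok() {  # 0 when the file has at most two nameserver entries
  n=$(count_nameservers "$1") || return 1
  [ "$n" -le 2 ]
}

preflight() {  # preflight DEPLOYMENT ZONE PROJECT [RESOLV_CONF]; 0 when every check passes
  fqdn=$(expected_fqdn "$1" "$2" "$3")
  resolv=${4:-/etc/resolv.conf}
  rc=0
  if fqdn_fits "$fqdn"; then
    echo "ok   FQDN $fqdn (${#fqdn} chars)"
  else
    echo "FAIL FQDN $fqdn is ${#fqdn} chars; shorten the deployment name or project name"
    rc=1
  fi
  if nameservers_ok "$resolv"; then
    echo "ok   at most two nameserver entries in $resolv"
  else
    echo "FAIL $resolv is unreadable or has more than two nameserver entries; trim it before running /root/setup"
    rc=1
  fi
  return $rc
}
```

Before creating the instance, run `preflight qr-con us-east4-c abc-stq-xyz` on your workstation (the nameserver check then inspects the workstation's own /etc/resolv.conf, which you can ignore); on the instance, run `check_live_fqdn && nameservers_ok /etc/resolv.conf` immediately before step 17. A name that fails fqdn_fits cannot be fixed after deployment, which is why the check is worth running on the intended names first.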

What to do next

If you removed any DNS entries in /etc/resolv.conf, restore them.

For QRadar SIEM All-in-One (QRadar Console) installations, the QRadar instance uses Coordinated Universal Time (UTC). You can change the time zone of the instance. For more information about changing the time zone, see Configuring system time.

This image does not receive automatic software upgrades. You need to manually upgrade your system to keep it up to date. To receive QRadar upgrade notifications, see Receiving QRadar update notifications.

For all managed host installations (except data gateways), see Adding a managed host.

For more information about adding the virtual appliance as a managed host and configuring flow sources and traffic mirroring, see QRadar Network Insights installations on Google Cloud.