Installing a QRadar data gateway on Microsoft Azure Government Cloud

You connect to IBM® QRadar® on Cloud through a data gateway. You can install the data gateway in Microsoft Azure Government Cloud.

Before you begin

Ensure that your appliance meets the data gateway system requirements. See System requirements for data gateways.

Schedule a maintenance window for this task and ensure that users do not deploy changes while the data gateway is being added to your deployment.

Ensure that you have the full host name of the Console that you connect to through your gateway appliance.

About this task

For any issues with QRadar software, engage IBM Support. If you experience any problems with Microsoft Azure infrastructure, refer to Microsoft Azure Support documentation. If IBM Support determines that your issue is caused by the Microsoft Azure infrastructure, you must contact Microsoft for support to resolve the underlying issue with the Microsoft Azure infrastructure.

You must use static private and public IP addresses.

Data gateways must be installed one at a time. If you are installing more than one data gateway, wait until you complete installation of one before you install the next one.

Procedure

  1. Go to the Microsoft Azure Government Cloud Marketplace (https://portal.azure.us/#blade/Microsoft_Azure_Marketplace/MarketplaceOffersBlade/selectedMenuItemId/) and search for QRadar.
  2. Select QRadar SIEM (BYOL).
  3. Click Create to create an instance for the data gateway.
  4. Configure VM settings.
    1. Enter a name.
      Note: The VM name must be eight characters or fewer.
    2. Click Change size and ensure that your VM meets the minimum system requirements.
      For more information, see QRadar on Cloud onboarding.
    3. Enter an SSH user name. You use this name to log in to the appliance later in this procedure.
    4. Choose SSH public key or Password. An SSH public key is the stronger option for an appliance whose port 22 is reachable from your network.

    For more information on how to create and use an SSH public-private key pair for Linux® VMs in Azure, see Microsoft documentation.

  5. Configure the Azure network security group rules so that the VM accepts connections only from your internal infrastructure CIDR ranges. Do not leave the Source of the SSH rule at Any, which exposes the appliance to the internet.
    1. Click Settings > Choose network security group > Create network security group.
    2. Click Advanced.
    3. Select the network security group that you created in the previous step.
    4. Click the default-allow-ssh rule.
    5. In the edit pane, select IP addresses from the Source list.
    6. In the Source IP addresses/CIDR ranges field, enter the CIDR ranges of the addresses that are allowed to access the VM, for example your administration subnet and the ranges your log sources send from.
    7. In the Destination port ranges field, enter 22,443.
    8. Click Save.
    9. Click OK.
    10. On the Settings tab, click OK.
  6. Click Review + Create.
  7. Click Create to deploy the instance.
  8. When your VM is deployed in Azure, set the private and public IP addresses to static:
    1. Click Go to resource.
    2. Click the public IP address.
    3. Set the Assignment to Static.
    4. Click Save.
    5. Click Overview.
    6. Click the Associated to link.
    7. Click IP configurations.
    8. In the list of IP configurations, click the configuration row where the Type is set to Primary.
    9. Set the Private IP address assignment to Static.
    10. Click Save.
  9. To display the SSH connection information for the public IP address of the virtual appliance:
    1. Click Virtual Machines > <virtual_machine_name>.
    2. Click Connect.
  10. Log in to your virtual machine.
    • To log in using SSH and your key pair, type the following command, where <ssh_user> is the SSH user name that you entered when you configured the VM:
      ssh -i <key.pem> <ssh_user>@<public_IP_address>
    • To log in using SSH and your password, type the following command:
      ssh <ssh_user>@<public_IP_address>
  11. Type the following command:
    sudo /root/setup_mh 7000
  12. Upgrade the data gateway to the same version of QRadar as your Console.
    1. Log in to the Console.
    2. To find the version of QRadar that the Console is at, click the navigation menu, and then click About. The data gateway must be at exactly this version.
    3. Download the SFS file for the version of QRadar that the Console is at from Fix Central (https://www.ibm.com/support/fixcentral).
    4. Copy the software update SFS file to your data gateway.
    5. If you have disconnected from your ssh session, use ssh to log back in to your data gateway.
    6. On your data gateway, move the SFS file to the /storetmp directory by typing the following command:
      sudo mv <version_number>_QRadar_patchupdate-<full_version_number>.sfs /storetmp
    7. Open the superuser shell by typing the following command:
      sudo su -
    8. Create the /media/updates directory by typing the following command:
      mkdir /media/updates
    9. Mount the SFS file by typing the following command:
      mount -o loop -t squashfs /storetmp/<version_number>_QRadar_patchupdate-<full_version_number>.sfs /media/updates
    10. Run the software update installer by typing the following command:
      /media/updates/installer
  13. Use the QRadar on Cloud Self Serve app to generate a token for your data gateway and allowlist the data gateway's IP address. For more information, see Access management to the console.
  14. After you receive your token:
    1. If you have disconnected from your ssh session, use ssh to log back in to your data gateway.
    2. Because the appliance restarted after the previous step, open the superuser shell again by typing the following command:
      sudo su -
    3. To mitigate a known issue with an intermittent connection, create a systemd drop-in that clears the ExecStart of the tunnel-monitor service, then reload systemd, by typing the following commands on the newly added data gateway:
      mkdir /etc/systemd/system/tunnel-monitor.service.d/
      printf "[Service]\nExecStart=\nExecStart=/bin/true\n" > /etc/systemd/system/tunnel-monitor.service.d/override.conf
      chmod 644 /etc/systemd/system/tunnel-monitor.service.d/override.conf
      systemctl daemon-reload
    4. To finish the initial data gateway setup, type the following command:
      /opt/qradar/bin/setup_qradar_host.py mh_setup interactive -p
  15. Exit the superuser shell by typing the following command:
    exit
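The gateway-side commands from steps 12 and 14 collected into one script, as an added example that is not IBM's code and is not part of the original page. It adds the check a practitioner wants before the installer runs: the <full_version_number> in the SFS file name (the pattern from step 12.6) must equal the version string you pass in from the Console's About page, so the gateway is never patched to a different release than the Console. The paths /storetmp and /media/updates, the mount command and the tunnel-monitor drop-in are taken from the page; the script name, its argument layout and the sample file name 750_QRadar_patchupdate-7.5.0.20230101000000.sfs are constructed for illustration and are not real Fix Central artifacts.

```shell
#!/bin/sh
# Added example, not IBM's code. On the data gateway, as root (sudo su -):
#   sh gateway_update.sh install <path_to_sfs> <console_version>
#   sh gateway_update.sh override
# The SFS name is assumed to follow the page's pattern
# <version_number>_QRadar_patchupdate-<full_version_number>.sfs (assumption).

# Print the <full_version_number> part of an SFS file name.
# Fails (status 1) when the name does not follow the expected pattern.
sfs_full_version() {
    name=$(basename "$1")
    case "$name" in
        *_QRadar_patchupdate-*.sfs) ;;
        *) return 1 ;;
    esac
    v=${name#*_QRadar_patchupdate-}
    printf '%s\n' "${v%.sfs}"
}

# Succeed only when the SFS carries exactly the version the Console reports.
sfs_matches_console() {
    want=$2
    got=$(sfs_full_version "$1") || return 1
    [ "$got" = "$want" ]
}

# Write the step-14 drop-in under root dir $1 (normally "/"), with the same
# content as the page's printf, and print the path written. The root
# parameter exists so the function can be exercised against a scratch dir.
write_tunnel_monitor_override() {
    root=${1:-/}
    root=${root%/}
    dir="$root/etc/systemd/system/tunnel-monitor.service.d"
    mkdir -p "$dir"
    printf '[Service]\nExecStart=\nExecStart=/bin/true\n' > "$dir/override.conf"
    chmod 644 "$dir/override.conf"
    printf '%s\n' "$dir/override.conf"
}

# Step 12.6 to 12.10: refuse a version mismatch, then stage, mount and install.
install_update() {
    sfs=$1
    console_version=$2
    if ! sfs_matches_console "$sfs" "$console_version"; then
        echo "refusing: $(basename "$sfs") is not version $console_version" >&2
        return 1
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root (sudo su -)" >&2
        return 1
    fi
    case "$sfs" in
        /storetmp/*) ;;                 # already staged, nothing to move
        *) mv "$sfs" /storetmp/ ;;
    esac
    mkdir -p /media/updates
    mount -o loop -t squashfs "/storetmp/$(basename "$sfs")" /media/updates
    /media/updates/installer
}

# Entry point: does nothing when the file is sourced or run without a verb,
# so the functions above can be reused from other scripts.
case "${1:-}" in
    install)  install_update "$2" "$3" ;;
    override) write_tunnel_monitor_override / && systemctl daemon-reload ;;
esac
```

Run `install` before generating the token (step 13) and `override` afterwards, as the page orders them; the version check is what stops a stale SFS left in /storetmp from being mounted and installed.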

What to do next

Editing a target processor for your data gateway