Troubleshooting QRadar Network Insights on Amazon Web Services
- Unable to connect to a managed host due to unprotected private key file
You receive the following warning when you try to connect to a managed host by using a private key file.
WARNING: UNPROTECTED PRIVATE KEY FILE!
You might receive this message when the .pem key file is publicly readable. To resolve this problem, change the permissions on your .pem key file to 600 by typing this command:
chmod 600 <key_file>
- Connection refused when trying to connect to the QRadar Network Insights host
When you try to connect to your disconnected QRadar Network Insights host by using a private key, you receive this message:
The security profile that is attached to the QRadar Network Insights managed host instance does not allow incoming SSH connections from the source IP address.
To resolve this problem, add an incoming rule to the security profile that is attached to the QRadar Network Insights instance. Configure the rule to allow SSH connections from the source IP address.
For more information, see Security profiles on the AWS Documentation portal.
- A public IP address is not assigned to the QRadar Network Insights instance
This problem might occur under the following conditions:
- The instance was not configured to have a public IP address assigned automatically when it is launched.
- Multiple network interfaces are attached to the instance and it was restarted.
To resolve this issue, associate an Elastic IP to the management interface. Alternatively, you can use SSH from either the QRadar Console or another instance on the same subnet to connect to the private IP address of the QRadar Network Insights instance.
- QRadar Network Insights does not see extra NIC card
You added an extra network interface card (NIC) to the QRadar Network Insights instance, but it is not recognized. More configuration is required for the operating system on the QRadar Network Insights instance to recognize the new network interface.
For more information, see Adding another traffic monitoring interface to the QRadar Network Insights instance.
- Unable to connect to the QRadar Network Insights managed host by using SSH from the QRadar Console
When a QRadar Network Insights host is managed by a console, the iptables rules are updated to restrict direct SSH access. You must connect to the managed host by first connecting to the QRadar Console. Since AWS instances do not have a console connection option, there is no way to connect to the managed host if the QRadar Console is unable to use SSH to log in.
To resolve this problem, use SSH to connect to the QRadar Console. Then, use SSH from the QRadar Console to the managed hosts management interface (eth0) as root user.
If the QRadar Console can't connect to the managed host, you should re-create the QRadar Network Insights instance.
To avoid locking yourself out of QRadar, configure the firewall on the managed host to allow SSH connections from trusted sources. For more information, see the Managing IPtables firewall ports Technical Note on the IBM Support website.
- Monitored traffic doesn't show up on the Network Activity tab
- Monitored traffic does not show up on the Network Activity tab, but the
tcpdumpcommand indicates that the monitoring interface is receiving it.
When you add a QRadar Network Insights host, a flow source is created but it is disabled by default.
To resolve this problem, verify that the flow source for the network interface exists for both the QRadar Network Insights appliance and the monitoring instance. Ensure that there are no changes to be deployed. If the flow source does not exist, create it and enable it.
For more information, see Adding a flow source and Enabling a flow source.
- Mirrored traffic is not received by multiple mirror targets
Traffic mirroring can send individual packets to only a single target interface. To split traffic between targets, you must set up multiple mirror sessions. The mirror filters for each session must be specific enough to ensure that the traffic is mirrored to only a single target interface.
To see an example of how to split traffic between targets, see Example: Mirror inbound TCP and UDP traffic to two different appliances on the AWS Documentation portal.
- The QRadar Network Insights monitoring interface does not receive mirrored traffic
- By default, AWS enables filtering based on source and destination checks on the network
Disabling the source and destination checks allows an instance to handle network traffic that isn't destined for the instance. For example, instances that run services such as network address translation, routing, or a firewall should disable the source and destination check attributes.To disable the source and destination check attributes, follow these steps:
- In the left navigation pane of the AWS Dashboard, click Network interfaces.
- Right-click on the instance and click Change Source/Dest Check.
- Click Disabled and click Change.
- Repeat the steps for each network interface.
For more information, review Elastic Network interface (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html) on the AWS Documentation portal.
- Mirrored traffic is incomplete
The following traffic types cannot be mirrored:
For more information, see the following pages on the AWS Documentation Portal.
- Instance metadata service
- Windows activation
- What is Traffic Mirroring? (https://docs.aws.amazon.com/vpc/latest/mirroring/what-is-traffic-mirroring.html)
- Traffic Mirroring quotas and considerations (https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-considerations.html)
- QRadar Network Insights instance fails the AWS system status check
Jumbo frames can sometimes cause the QRadar Network Insights instance to restart, resulting in an AWS system status check failure.To resolve this problem, set the Maximum Transmission Unit (MTU) for the monitoring interface to 9001.
- To change the MTU temporarily, type this command:
sudo ip link set dev eth<#> mtu 9001
- To set the MTU permanently, edit the
/etc/sysconfig/network-scripts/ifcfg-eth<#> script for the interface, and
edit the MTU line to
For more information, see Network maximum transmission unit (MTU) for your EC2 instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/network_mtu.html) on the AWS Documentation portal.
- To change the MTU temporarily, type this command: