Access to the QRadar network services is controlled first on hosts with iptables. The iptables rules are adjusted and
configured based on the requirements of the deployment. Ports for Ariel searching and streaming, and the use of
encryption (tunneling), can update various iptables rules.
About this task
You can configure and check iptables rules for IPv4 and IPv6. The following procedure
shows how you can tune your iptables rules manually.
Procedure
- Log in to QRadar as the root user by using SSH.
Login: <root>
Password: <password>
- Type the following command to edit the pre rules iptables file:
IPv4:
vi /opt/qradar/conf/iptables.pre
IPv6:
vi /opt/qradar/conf/ip6tables.pre
The iptables.pre configuration file is displayed.
- Type the following command to edit the post rules iptables file:
IPv4:
vi /opt/qradar/conf/iptables.post
IPv6:
vi /opt/qradar/conf/ip6tables.post
The iptables.post configuration file is displayed.
- Add the following rule for QRadar to access a specific port number, where <portnumber> is the port number:
To accept UDP traffic for a specific port input:
-A INPUT -m udp -p udp --dport <portnumber> -j ACCEPT
To accept TCP traffic for a specific port input:
-A INPUT -m state --state NEW -m tcp -p tcp --dport <portnumber> -j ACCEPT
- Save your iptables configuration.
- Run the following script to propagate the changes:
/opt/qradar/bin/iptables_update.pl
- Type the following commands to check for existing iptables rules:
IPv4:
iptables -L -n -v
IPv6:
ip6tables -L -n -v
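
The rule lines from the procedure can be generated with input validation and appended only when they are not already in the file, which avoids malformed or duplicate entries. This is an added example, not part of the QRadar documentation or tooling: qr_rule and qr_add_rule are hypothetical helper names, and ports 514 and 8443 are constructed sample values.

```shell
#!/bin/sh
# Added example: build the ACCEPT rules from the procedure and append them idempotently.
# qr_rule and qr_add_rule are hypothetical helper names, not QRadar tools.

# Print the rule line for a protocol (tcp|udp) and port, in the form the procedure gives.
qr_rule() {
    proto=$1 port=$2
    case $port in
        ''|*[!0-9]*|0*|??????*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    case $proto in
        udp) echo "-A INPUT -m udp -p udp --dport $port -j ACCEPT" ;;
        tcp) echo "-A INPUT -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT" ;;
        *)   echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
}

# Append the rule to a rules file only if that exact line is not already there.
# Returns 0 when the file was changed, 2 when already present, 1 on bad input.
qr_add_rule() {
    file=$1
    rule=$(qr_rule "$2" "$3") || return 1
    if grep -qxF -e "$rule" "$file" 2>/dev/null; then
        return 2
    fi
    printf '%s\n' "$rule" >> "$file"
}

# Demo on a scratch file with constructed content, not on /opt/qradar/conf/iptables.pre.
demo=$(mktemp)
printf '%s\n' '-A INPUT -m udp -p udp --dport 514 -j ACCEPT' > "$demo"
qr_add_rule "$demo" tcp 8443 && echo "added tcp/8443"
qr_add_rule "$demo" udp 514 || echo "udp/514 already present, file unchanged"
qr_add_rule "$demo" tcp 70000 || echo "tcp/70000 rejected, file unchanged"
cat "$demo"; rm -f "$demo"
```

On an appliance, the file argument would be one of the .pre or .post files named in the procedure, followed by /opt/qradar/bin/iptables_update.pl to propagate the change.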