Configuring IPtables

Before you configure your Verdasys Digital Guardian to forward events, you must configure IPtables in IBM QRadar to allow ICMP requests from Verdasys Digital Guardian.

Procedure

  1. Use SSH to log in to QRadar as the root user.

    Login: root

    Password: <password>

  2. Type the following command to edit the IPtables file:

    vi /opt/qradar/conf/iptables.post

    The IPtables configuration file is displayed.

  3. Type the following commands to allow QRadar to accept ICMP requests from Verdasys Digital Guardian:

    -I QChain 1 -m icmp -p icmp --icmp-type 8 --src <IP address> -j ACCEPT
    -I QChain 1 -m icmp -p icmp --icmp-type 0 --src <IP address> -j ACCEPT

    Where <IP address> is the IP address of your Verdasys Digital Guardian appliance. For example,

    -I QChain 1 -m icmp -p icmp --icmp-type 8 --src <Source_IP_address> -j ACCEPT
    -I QChain 1 -m icmp -p icmp --icmp-type 0 --src <Source_IP_address> -j ACCEPT

    Note: Make sure that you specify "--icmp-type" in the commands to avoid failures when you upgrade IPtables.

  4. Save your IPtables configuration.
  5. Type the following command to update IPtables in QRadar:

    /opt/qradar/bin/iptables_update.pl

  6. To verify that QRadar accepts ICMP traffic from your Verdasys Digital Guardian, type the following command:

    iptables --list --line-numbers

    The following output is displayed:

    [root@Qradar bin]# iptables --list --line-numbers 
    Chain QChain (1 references)
    num  target  prot  opt  source        destination
    1    ACCEPT  icmp  --   <IP address>  anywhere     icmp echo-reply
    2    ACCEPT  icmp  --   <IP address>  anywhere     icmp echo-request
    3    ACCEPT  tcp   --   anywhere      anywhere     state NEW tcp dpt:https
    4    ACCEPT  tcp   --   anywhere      anywhere     state NEW tcp dpt:http

    The IPtables configuration for QRadar is complete.
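
A lint for the rules from step 3, meant to be run against the edited file before step 5; this is an added example, not IBM or QRadar tooling. The function name check_icmp_rules and the sample address 192.0.2.10 are assumptions, and the check reads only the rule text, not the live chain.

```shell
#!/bin/sh
# Added example: lint ICMP ACCEPT rules in an iptables.post-style file.
# check_icmp_rules is a hypothetical helper, not part of QRadar.
# Usage: check_icmp_rules <rules-file> <Digital Guardian IP>; returns 0 if clean.
check_icmp_rules() {
    file=$1 src=$2
    awk -v src="$src" '
        /^[ \t]*(#|$)/ { next }                            # comments, blank lines
        !/-p[ \t]+icmp/ || !/-j[ \t]+ACCEPT/ { next }      # only ICMP ACCEPT rules
        {
            type = ""; from = ""
            for (i = 1; i < NF; i++) {
                if ($i == "--icmp-type") type = $(i + 1)
                if ($i == "--src" || $i == "--source" || $i == "-s") from = $(i + 1)
            }
            if (type == "echo-request") type = "8"         # accept symbolic names
            if (type == "echo-reply")   type = "0"
            if (type == "") { printf "line %d: no --icmp-type\n", NR; bad = 1 }
            if (from == "") { printf "line %d: ICMP accepted from any source\n", NR; bad = 1 }
            if (from == src && type != "") seen[type] = 1
        }
        END {
            if (!seen["8"]) { print "missing echo-request (type 8) rule for " src; bad = 1 }
            if (!seen["0"]) { print "missing echo-reply (type 0) rule for " src; bad = 1 }
            exit bad + 0
        }' "$file"
}

# Constructed sample input; 192.0.2.10 is a documentation address, not from the page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
-I QChain 1 -m icmp -p icmp --icmp-type 8 --src 192.0.2.10 -j ACCEPT
-I QChain 1 -m icmp -p icmp --icmp-type 0 --src 192.0.2.10 -j ACCEPT
EOF
check_icmp_rules "$sample" 192.0.2.10 && echo "ICMP rules OK"
rm -f "$sample"
```

On the appliance, point it at /opt/qradar/conf/iptables.post with the Digital Guardian address; a non-zero exit means a rule is missing, lacks "--icmp-type", or accepts ICMP from any source.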