In IBM QRadar Risk Manager, you can manage the efficiency of your network devices, investigate your network device configuration, investigate firewall rules, and identify security risks that are created by invalid firewall rules.
Important: You must delete a network device before you can assign its IP address to a new network device. After you delete the network device, add and back up a new network device with the same IP address.
Procedure
- Click the Risks tab.
- In the navigation pane, click Configuration Monitor.
- To search your network devices, enter an IP address or hostname in the Device IP or Name field.
- Double-click the device that you want to investigate.
The rule Event Count column displays how often each firewall rule was triggered.
A rule with an event count of zero is displayed for one of the following reasons:
- The rule is never triggered and might cause a security risk. Investigate the firewall device and remove any rules that are not triggered.
- A QRadar log source mapping is not configured for the device, so the event counts of its rules are not meaningful.
- To search the rules, use the search control on the Rules toolbar.
- To investigate the device interfaces, click Interfaces.
- To investigate access control list (ACL) device rules, click ACLs.
Each access control list is associated with the interfaces through which the devices on your network communicate. When traffic matches the ACL conditions, the rules that are associated with the ACL are triggered, and each rule is evaluated to allow or deny the communication between devices.
- To investigate network address translation (NAT) device rules, on the toolbar, click NAT.
The Phase column specifies when the NAT rule is triggered, for example, before or after routing.
- To investigate the history or compare device configurations, click History.
You can view device rules in a normalized comparison view or as the raw device configuration. The normalized view is a graphical comparison that shows the rules that were added, deleted, or modified between the two configurations that you compare. The raw device configuration is an XML or plain text view of the device file.
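The following is an added worked example and is not QRadar Risk Manager code; it uses no QRadar API. It models the two checks described above outside the product: the normalized comparison of two device configurations (added, deleted, and modified rules) and the triage of rules with a zero event count, including the case in which no log source mapping exists and the counts are not evidence. The plain-text rule syntax, the rule names, the event counts, and the extra "recently added" caveat are all constructed for this example.

```python
"""Added example (not IBM QRadar Risk Manager code, no QRadar API used).

Models two checks from the Configuration Monitor procedure:
  1. normalized comparison of two configurations of the same device
  2. triage of rules whose Event Count is zero
The raw rule format below is a constructed, vendor-neutral syntax.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Rule:
    """Normalized firewall rule: vendor-neutral fields compared by value."""
    name: str
    action: str      # "allow" or "deny"
    src: str
    dst: str
    service: str


def parse_raw_config(raw: str) -> Dict[str, Rule]:
    """Normalize a constructed plain-text configuration into rules keyed by name.

    Hypothetical line format: <name> <allow|deny> <src> <dst> <service>
    Blank lines and '#' comments are ignored; malformed or duplicate rules raise.
    """
    rules: Dict[str, Rule] = {}
    for lineno, line in enumerate(raw.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5 or parts[1] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: cannot normalize {line!r}")
        name, action, src, dst, service = parts
        if name in rules:
            raise ValueError(f"line {lineno}: duplicate rule name {name!r}")
        rules[name] = Rule(name, action, src, dst, service)
    return rules


def compare_configs(old: Dict[str, Rule], new: Dict[str, Rule]) -> Dict[str, List[str]]:
    """Normalized comparison view: rule names added, deleted or modified between two backups."""
    return {
        "added": sorted(n for n in new if n not in old),
        "deleted": sorted(n for n in old if n not in new),
        "modified": sorted(n for n in old if n in new and old[n] != new[n]),
    }


def triage_zero_hit_rules(rules: Dict[str, Rule], event_counts: Dict[str, int],
                          log_source_mapped: bool,
                          recently_added: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Explain every zero event count.

    Without a log source mapping the count is not evidence of anything. With one,
    an unused allow rule is exposure with no business use; rules just added have
    had no time to accumulate events (constructed caveat, not from the page).
    """
    findings: Dict[str, str] = {}
    for name, rule in rules.items():
        if event_counts.get(name, 0) > 0:
            continue
        if not log_source_mapped:
            findings[name] = "no log source mapping: event count is not evidence"
        elif name in recently_added:
            findings[name] = "recently added: collect more history before judging"
        elif rule.action == "allow":
            findings[name] = "unused allow rule: unnecessary exposure, review for removal"
        else:
            findings[name] = "unused deny rule: review for removal"
    return findings


# Constructed backups of one device; not real vendor configuration syntax.
OLD_RAW = """# backup 1
web-in     allow any          10.0.1.10 tcp/443
ssh-mgmt   allow 10.0.9.0/24  10.0.1.10 tcp/22
legacy-ftp allow any          10.0.1.20 tcp/21
telnet-old allow any          10.0.1.20 tcp/23
deny-all   deny  any          any       any
"""
NEW_RAW = """# backup 2: ssh-mgmt widened, telnet-old removed, db-in added
web-in     allow any          10.0.1.10 tcp/443
ssh-mgmt   allow any          10.0.1.10 tcp/22
legacy-ftp allow any          10.0.1.20 tcp/21
db-in      allow 10.0.1.10    10.0.2.5  tcp/5432
deny-all   deny  any          any       any
"""
# Constructed Event Count values; rules absent here have a count of zero.
EVENT_COUNTS = {"web-in": 18342, "ssh-mgmt": 57, "deny-all": 2210}


def review_device() -> Dict[str, object]:
    """Run both checks against the constructed backups and return the findings."""
    old, new = parse_raw_config(OLD_RAW), parse_raw_config(NEW_RAW)
    diff = compare_configs(old, new)
    triage = triage_zero_hit_rules(new, EVENT_COUNTS, True, frozenset(diff["added"]))
    return {"diff": diff, "zero_hit": triage}


if __name__ == "__main__":
    for section, result in review_device().items():
        print(section, result)
```

The modified ssh-mgmt rule is exactly what the normalized view exists to surface: the source was widened from a management subnet to any, which the raw text diff also shows but buries among whitespace changes. Run the same triage with log_source_mapped=False and every zero count is reported as unusable, which is the first thing to check before deleting any rule.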