QRadar Network Packet Capture M7 appliance

QRadar Network Packet Capture (MTM 4723-P1A) offers an optional appliance to store and manage data that is used by QRadar Incident Forensics when no other network packet capture (Network PCAP) device is deployed. Any number of these appliances can be installed as a tap on a network or subnetwork to collect the raw packet data. QRadar Network Packet Capture is based on the Lenovo System SR650 V2 (2U). Each appliance can support up to eight QRadar Network Packet Capture Direct Attached Storage (4563-D1S) units. For more information about direct attached storage, see QRadar Network Packet Capture Direct Attached Storage.

The following table describes hardware information and requirements for the QRadar Network Packet Capture appliance:

Table 1. QRadar Network Packet Capture specifications
Description: Value
CPU: 2 x Gold 6354 18 C 3.0 GHz 205 W
Network capture transceivers:
  2 x SR 10 GbE SFP+
  2 x TX 1 GbE SFP
  2 x SX 1 GbE SFP
  Use these transceivers with the network packet capture card, labeled as [6] in the appliance diagram.
Network management transceivers:
  Lenovo Dual Rate 10/25 GbE SFP28 Transceiver
  The transceivers have the following part number: AFBR-735ASMZ-LVX
  Use these transceivers with the management ports, labeled as [4] in the appliance diagram.
Ports:
  4 x 10/100/1000 Base-T Ethernet management ports
  1 x RJ-45 10/100/1000 Mb Ethernet systems management (IMM) port
  4 x Network capture ports (SFP/SFP+)
  2 x 10/25 GbE SFP28 management ports
  2 x Direct Attached Storage (DAS) ports
Memory: 128 GB (8 x 16 GB)
Storage:
  88 TB: 12 x 8 TB 3.5" HDD RAID 5
  Controller: RAID 940-16i 8 GB NV Cache
  and
  1 TB HDD: 2 x 1 TB 2.5" HDD RAID 1
  Controller: RAID 940-8i 4 GB NV Cache
Power supply: Dual redundant 1100 W AC
Dimensions: 30.1 inches deep x 17.5 inches wide x 3.4 inches high

The following image is of the QRadar Network Packet Capture appliance.

Figure 1. Front and rear panel of the QRadar Network Packet Capture appliance
Image showing the back and front panels of the QRadar Network Packet Capture appliance.
Table 2. Legend for use with the QRadar Network Packet Capture image
Label Description
1 Event data storage
2 Management ports (1 GbE TX)
3 IMM Port (1 GbE TX)
4 Management Ports (10/25 GbE SFP28)
5 External RAID DAS Ports
6 Network Packet Capture (SFP/SFP+)
7 QRadar Firmware Storage

For information about battery removal, see Removing the coin-cell battery (https://thinksystem.lenovofiles.com/help/index.jsp?topic=%2F7X05%2Fcmos_battery_replacement.html&cp=4_8_8_13&anchor=CMOS_battery_replacement).

QRadar Network Packet Capture Direct Attached Storage

As an option, you can add the QRadar Network Packet Capture Direct Attached Storage (4563-D1S) appliance to the IBM QRadar Network Packet Capture appliance to increase the storage capacity. You can manage both the internal and external storage through a single interface. This helps reduce resource load on the system and enables easier navigation. The QRadar Network Packet Capture Direct Attached Storage appliance is based on the Lenovo D1212.

Important: You must use the Lenovo QRadar Network PCAP Direct Attached Storage appliance with the Lenovo QRadar Network Packet Capture appliance.
Table 3. QRadar Network PCAP Direct Attached Storage specifications
Description: Value
Ports:
  3 x 12 Gb Mini-SAS
  2 x 10/100 MbE management
Storage:
  12 x 8 TB 3.5" RAID 5 (88 TB)
Power supply: 2 x 580 W AC
Dimensions: 24.8 inches deep x 17.4 inches wide x 3.4 inches high

The following image is of the QRadar Network PCAP Direct Attached Storage appliance.

Figure 2. Front and rear panel of the QRadar Network PCAP Direct Attached Storage appliance
Image showing the back and front panels of the QRadar Network Packet Capture Direct Attached Storage appliance.

The QRadar Network Packet Capture appliance can have up to eight QRadar Network Packet Capture Direct Attached Storage (4563-D1S) storage units connected in a daisy chain configuration. The following image shows the QRadar Network Packet Capture appliance connected to a QRadar Network PCAP Direct Attached Storage appliance, including the wiring configuration.

Image showing back panels of the Network PCAP (4723_P1A) and the Network PCAP DAS (4563-D1S) connected.

The QRadar Network Packet Capture appliance can capture at a rate of up to 10 Gbps. Adding QRadar Network PCAP Direct Attached Storage appliances to your Lenovo QRadar Network Packet Capture appliance does not increase the capture rate.