Configure an IBM QRadar App Host on a Google Cloud Platform (GCP) instance by using the provided image.
Before you begin
Important: The following procedure is for the configuration of an IBM QRadar 7.3.2 App Host image, which has reached its End of Support. An IBM QRadar 7.5.0 App Host image is not yet available. Once the image is installed, it should be upgraded to ensure that support is available. For information about upgrading to 7.5.0, see Upgrading QRadar SIEM.
Important: Installations using the 7.3.2 image have a disk limitation of 1 TB.
You must acquire entitlement to a QRadar Software Node for any QRadar instance that is deployed from a third-party cloud marketplace. Entitlement to the software node should be in place before you deploy the QRadar instance. To acquire entitlement to a QRadar Software Node, contact your QRadar Sales Representative.
For any issues with QRadar software, engage IBM® Support. If you experience any problems with GCP infrastructure, refer to GCP documentation. If IBM Support determines that your issue is caused by the GCP infrastructure, you must contact GCP for support to resolve the underlying issue with the GCP infrastructure.
You must use static IP addresses.
You cannot have more than two DNS entries. QRadar installation fails if
you have more than two DNS entries in the /etc/resolv.conf file.
If you are installing a data gateway for QRadar on Cloud, go to Installing a QRadar data gateway in Google
Cloud Platform
(https://www.ibm.com/support/knowledgecenter/en/SSKMKU/com.ibm.qradar.doc_cloud/t_hosted_gcp_image.html).
- Create a project name that allows for a fully qualified domain name (FQDN) to be no more than 63 characters long. The FQDN consists of the deployment name followed by -vm, the zone, the region, the project name, and .internal. For example, if your project name is abc-stq-xyz, the appliance deployment name is qr-con, the zone is us-east4-c, and the region is c, the FQDN is qr-con-vm.us-east4-c.c.abc-stq-xyz.internal. The zone can be between 10 and 25 characters long. Depending on the zone, this leaves somewhere between 25 and 40 characters to be split between your project name and your deployment name.
- In the project that you created in step 1, configure your network interface.
- Click .
- Click CREATE VPC NETWORK.
- Give your network a name, and configure the settings as needed. Set DNS server
policy to No server policy.
- Click Create.
- Add an SSH key to the project if you haven't already done so. The key must be created for a user
called cloud-user.
- Click .
- Click SSH Keys.
- Click Edit.
- Click Add item.
- Enter an SSH key, followed by cloud-user.
- Click Save.
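The 63-character limit can be checked before anything is deployed. The following shell functions are an added example, not part of the IBM procedure: they build the FQDN in the layout described in step 1 and report how many characters remain for the deployment name. The function names are illustrative, and the second set of sample names in the demonstration is constructed.

```sh
#!/bin/sh
# Added example (not IBM code): check the internal FQDN length before deploying.
# Layout from the page: <deployment>-vm.<zone>.c.<project>.internal
MAX_FQDN=63

build_fqdn() {   # args: deployment zone project
  printf '%s-vm.%s.c.%s.internal' "$1" "$2" "$3"
}

fqdn_length() {   # args: deployment zone project
  fq=$(build_fqdn "$1" "$2" "$3")
  echo "${#fq}"
}

# Succeeds only when the FQDN fits within the 63-character limit.
fqdn_fits() {
  [ "$(fqdn_length "$1" "$2" "$3")" -le "$MAX_FQDN" ]
}

# Longest deployment name that still fits for a given zone and project.
# The "-vm" suffix and every dot count toward the limit.
max_deployment_length() {   # args: zone project
  fixed=$(build_fqdn "" "$1" "$2")
  echo $(( MAX_FQDN - ${#fixed} ))
}

# Demonstration: the page's own example, then a constructed set of long names.
for combo in "qr-con us-east4-c abc-stq-xyz" \
    "qradar-apphost-production northamerica-northeast1-a security-operations"; do
  set -- $combo
  if fqdn_fits "$@"; then verdict="ok"; else verdict="too long"; fi
  echo "$(build_fqdn "$@") -> $(fqdn_length "$@") characters, $verdict"
done
echo "room for deployment name: $(max_deployment_length us-east4-c abc-stq-xyz)"
```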
Procedure
- Download the image file from the IBM Fix Central website: https://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=All&platform=All&function=fixId&fixids=7.3.2P1-CMP-GoogleCloud-APPHOST-QRADAR-20230621154221&includeSupersedes=0&source=fc
- Download the image and the .sig files. The image download can
take several hours.
- Use the .sig file to verify the integrity of the image file. For
more information, see How to validate downloads from IBM Fix Central are trusted and code
signed.
- Go to QRadar Security Intelligence Platform Console v7.5.0.
- Click LAUNCH.
- Set a deployment name for the appliance that allows for a fully qualified domain name (FQDN) to be no more than 63 characters long. The FQDN consists of the deployment name, the zone, the project name, and .internal. For example, if your project name is abc-stq-xyz, the appliance deployment name is qr-con, the zone is us-east4-c, and the region is c, the FQDN is qr-con-vm.us-east4-c.c.abc-stq-xyz.internal. The zone can be between 10 and 25 characters long. Depending on the zone, this leaves somewhere between 25 and 40 characters to be split between your project name and your deployment name.
- Select the zone that your project is in.
- Select a Machine Type that meets the system requirements. For more information, see System requirements for virtual appliances.
- Select the required Boot Disk Type and set the Boot
Disk Size as 98 GB.
- Select the network interface that you created.
- Set the firewall rules for your appliance to allow ports 22 and 443 only from trusted IP addresses. This creates an allowlist of IP addresses that can access your QRadar deployment. In a QRadar deployment with multiple appliances, other ports might also be allowed between managed hosts. For more information about what ports might need to be allowed in your deployment, see Common ports and servers used by QRadar.
- If prompted, check the I accept the GCP Marketplace Terms of Service field.
- Click Deploy.
- Set the Firewalls and Additional Disks fields.
- Click .
- Select your appliance from the list.
- Click Edit.
- In the Firewalls section, check Allow HTTP
traffic and Allow HTTPS traffic.
- Set the Additional disks.
- In the Additional disks section, click ADD NEW
DISK.
- In the Disk settings section, select proper Disk
type.
- Estimate your storage needs and then enter a size in GiB. The minimum size is 250 GiB.
- In the Deletion rule field, check Delete
disk.
- Click SAVE.
- Click SAVE in the main edit page.
- When the instance is ready, log in by using SSH and your key pair by typing the following command:
ssh -i <key.pem> cloud-user@<public_IP_address>
- Type the following command to check the length of your FQDN:
If the command returns a value greater than 63, the installation process fails. Restart this procedure with a shorter deployment name.
- Verify that there are no more than 2 DNS entries for the instance by typing the following command:
grep nameserver /etc/resolv.conf | wc -l
If the command returns 3 or more entries, edit /etc/resolv.conf to remove all but two of the entries before you proceed to the next step. You can add the entries back after installation is complete.
- To install the App Host, type the following command:
- The system prompts you to set the root password. Set a strong
password that meets the following criteria.
- Contains at least 5 characters
- Contains no spaces
- Can include the following special characters: @, #, ^, and *.
- Type the following command to restart the host and complete the
installation:
- Add the host to your deployment in QRadar.
- On the navigation menu, click Admin.
- In the System Configuration section, click System
and License Management.
- In the Display list, select
Systems.
- On the Deployment Actions menu, click Add
Host.
- Configure the settings for the managed host by providing a static IP address, and the
root password to access the operating system shell on the appliance.
- Click Add.
- Optional: Use the menu to see visualizations of your deployment. You can download a
PNG image or a Microsoft Visio
(2010) VDX file of your deployment visualization.
- On the Admin tab, click .
Important: QRadar continues to collect events
when you deploy the full configuration. When the event collection service must restart, QRadar does not restart it
automatically. A message displays that gives you the option to cancel the deployment and restart the
service at a more convenient time.
- Change where your apps are run in QRadar.
- On the System and License Management screen, click the
Click to change where apps are run link.
- Click App Host to transfer apps to the App Host.
Note: The more apps and app data you have, the longer the transfer takes.
What to do next
If you removed any DNS entries in /etc/resolv.conf, restore them.
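The DNS check in the procedure and the restore step above can be scripted so that the removed entries are not lost. This is an added example, not IBM code: the function names and the .pre-qradar backup suffix are assumptions, and the demonstration runs on a constructed file rather than on /etc/resolv.conf.

```sh
#!/bin/sh
# Added example (not IBM code): keep at most two nameserver entries and
# save the original file so the removed entries can be restored later.
MAX_NS=2
BACKUP_SUFFIX=.pre-qradar   # hypothetical backup name

# Same count as the documented check: grep nameserver FILE | wc -l
count_nameservers() {
  grep -c nameserver "$1" || true
}

# Keep the first two active nameserver lines and drop every other line that
# mentions "nameserver", so the documented check returns 2 afterwards.
trim_nameservers() {
  ns_file=$1
  [ "$(count_nameservers "$ns_file")" -gt "$MAX_NS" ] || return 0
  cp -p "$ns_file" "$ns_file$BACKUP_SUFFIX"
  # Write through the existing path so a symlinked file stays a symlink.
  awk -v max="$MAX_NS" '
    /^[ \t]*nameserver[ \t]/ && n < max + 0 { n++; print; next }
    /nameserver/ { next }
    { print }
  ' "$ns_file$BACKUP_SUFFIX" > "$ns_file"
}

# After installation: put the saved original back and remove the backup.
restore_nameservers() {
  ns_file=$1
  [ -f "$ns_file$BACKUP_SUFFIX" ] || return 0
  cat "$ns_file$BACKUP_SUFFIX" > "$ns_file" && rm -f "$ns_file$BACKUP_SUFFIX"
}

# Demonstration on a constructed file (the addresses are sample values).
demo=$(mktemp)
printf '%s\n' 'search c.abc-stq-xyz.internal' \
  'nameserver 169.254.169.254' 'nameserver 192.0.2.53' \
  'nameserver 192.0.2.54' > "$demo"
trim_nameservers "$demo"
echo "after trim: $(count_nameservers "$demo")"
restore_nameservers "$demo"
echo "after restore: $(count_nameservers "$demo")"
rm -f "$demo"
```

On the instance, run trim_nameservers /etc/resolv.conf as root before the installation and restore_nameservers /etc/resolv.conf afterward.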
Important: IBM QRadar 7.3.2 has reached End of Support. To ensure that support is
available, an upgrade must be performed. For information about upgrading to 7.4.3, see
t_qradar_up_ugrad_sys.html.