Overview of supported virtual appliances
A virtual appliance provides the same visibility and function in your virtual network infrastructure that QRadar appliances provide in your physical environment.
- QRadar SIEM All-in-One (QRadar Console) Virtual 3199
- QRadar SIEM Event and Flow Processor Virtual 1899
- QRadar SIEM Flow Processor Virtual 1799
- QRadar SIEM Event Processor Virtual 1699
- QRadar Event Collector Virtual 1599
- QRadar Data Node Virtual 1400
- QRadar Flow Virtual 1299
- QRadar Risk Manager 700
- QRadar Vulnerability Manager Processor 600
- QRadar Vulnerability Manager Scanner 610
- QRadar App Host 4000
- QRadar Incident Forensics
- QRadar Log Manager Virtual 8099
QRadar SIEM All-in-One (QRadar Console) Virtual 3199
This virtual appliance is a QRadar SIEM system that profiles network behavior and identifies network security threats. The QRadar SIEM All-in-One (QRadar Console) Virtual 3199 virtual appliance includes an onboard Event Collector, a combined Event Processor and Flow Processor, and internal storage for events.
- Up to 1,000 network objects
- 1,200,000 flows per interval, depending on your license
- 30,000 Events Per Second (EPS), depending on your license
- External flow data sources for NetFlow, sFlow, J-Flow, Packeteer, and Flowlog files
- QRadar Flow Collector and Layer 7 network activity monitoring
To expand the capacity of the QRadar SIEM All-in-One (QRadar Console) Virtual 3199 beyond the license-based upgrade options, you can add one or more of the QRadar SIEM Event Processor Virtual 1699 or QRadar SIEM Flow Processor Virtual 1799 virtual appliances.
QRadar SIEM Event and Flow Processor Virtual 1899
This virtual appliance is deployed with any QRadar Console. The virtual appliance is used to increase storage and includes a combined Event Processor and Flow Processor and internal storage for events and flows.
- 1,200,000 flows per interval, depending on traffic types
- 30,000 Events Per Second (EPS), depending on your license
- 2 TB or larger dedicated flow storage
- 1,000 network objects
- QRadar Flow Collector and Layer 7 network activity monitoring
You can add QRadar SIEM Event and Flow Processor Virtual 1899 appliances to any QRadar Console to increase the storage and performance of your deployment.
QRadar SIEM Flow Processor Virtual 1799
This virtual appliance is a dedicated Flow Processor that you can use to scale your QRadar SIEM deployment to manage higher flows per interval rates. The QRadar SIEM Flow Processor Virtual 1799 includes an onboard Flow Processor and internal storage for flows.
- 3,600,000 flows per interval, depending on traffic types
- 2 TB or larger dedicated flow storage
- 1,000 network objects
- QRadar Flow Collector and Layer 7 network activity monitoring
The QRadar SIEM Flow Processor Virtual 1799 appliance is a distributed Flow Processor appliance and requires a connection to any QRadar SIEM 31XX series appliance.
QRadar SIEM Event Processor Virtual 1699
This virtual appliance is a dedicated Event Processor that you can use to scale your QRadar SIEM deployment to manage higher EPS rates. The QRadar SIEM Event Processor Virtual 1699 includes an onboard Event Collector, Event Processor, and internal storage for events.
- Up to 80,000 events per second
- 2 TB or larger dedicated event storage
The QRadar SIEM Event Processor Virtual 1699 virtual appliance is a distributed Event Processor appliance and requires a connection to any QRadar SIEM 31XX series appliance.
QRadar Event Collector Virtual 1599
This virtual appliance is a dedicated Event Collector that you can use to scale your QRadar SIEM deployment to manage higher EPS rates. The QRadar Event Collector Virtual 1599 includes an onboard Event Collector.
- Up to 80,000 events per second
- 2 TB or larger dedicated event storage
The QRadar Event Collector Virtual 1599 virtual appliance is a distributed Event Collector appliance and requires a connection to any QRadar SIEM 16XX, 18XX, or 31XX series appliance.
QRadar Data Node Virtual 1400
This virtual appliance provides retention and storage for events and flows. The virtual appliance expands the available data storage of Event Processors and Flow Processors, and also improves search performance.
- Port 32006 between Data Nodes and the Event Processor appliance
- Port 32011 between Data Nodes and the Console's Event Processor
Size your QRadar Data Node Virtual 1400 appliance based on the EPS rate and data retention rules of the deployment.
Data retention policies are applied to a QRadar Data Node Virtual 1400 appliance in the same way that they are applied to stand-alone Event Processors and Flow Processors. The data retention policies are evaluated on a node-by-node basis. Criteria, such as free space, are based on the individual QRadar Data Node Virtual 1400 appliance and not the cluster as a whole.
- Event Processor (16XX)
- Flow Processor (17XX)
- Event/Flow Processor (18XX)
- All-In-One (Console) (2100 and 31XX)
To enable all features included in the QRadar Data Node Virtual 1400 appliance, install it by using the Data Node 1400 appliance type.
QRadar Flow Virtual 1299
This virtual appliance provides the same visibility and function in your virtual network infrastructure that a QRadar Flow Collector offers in your physical environment. The QRadar Flow Collector virtual appliance analyzes network behavior and provides Layer 7 visibility within your virtual infrastructure. Network visibility is derived from a direct connection to the virtual switch.
- Maximum throughput of 1 Gbps
If the hardware and software specifications are the same, a virtual appliance can deliver throughput levels that are comparable to IBM-supplied appliances. For more information about the specifications for IBM-supplied appliances, see the IBM QRadar Hardware Guide.
- FIPS installation only 10,000 flows per minute
- Three virtual switches, with one more switch that is designated as the management interface.
QRadar Vulnerability Manager Processor
This appliance is used to process vulnerabilities within the applications, systems, and devices on your network or within your DMZ. The vulnerability processor provides a scanning component by default. If required, you can deploy more scanners, either on dedicated QRadar Vulnerability Manager managed host scanner appliances or QRadar managed hosts. For example, you can deploy a vulnerability scanner on an Event Collector or QRadar Flow Collector.
QRadar Vulnerability Manager Scanner
This appliance is used to scan for vulnerabilities within the applications, systems, and devices on your network or within your DMZ.
QRadar Risk Manager
This appliance is used for monitoring device configurations, simulating changes to your network environment, and prioritizing risks and vulnerabilities in your network.
QRadar App Host 4000
This appliance is a managed host that is dedicated to running apps. App Hosts provide extra storage, memory, and CPU resources for your apps without impacting the processing capacity of your QRadar Console. Apps such as User Behavior Analytics with Machine Learning Analytics require more resources than are currently available on the Console.
QRadar Incident Forensics
QRadar Incident Forensics is installed from a different ISO than other QRadar appliances. For more information about installing QRadar Incident Forensics as a virtual appliance, see Virtual appliance installations for QRadar Incident Forensics.
QRadar Log Manager Virtual 8099
This virtual appliance functions as a Log Manager AIO/Console.