Overview of supported virtual appliances

A virtual appliance provides the same visibility and function in your virtual network infrastructure that QRadar appliances provide in your physical environment.

The following virtual appliances are available:
  • QRadar SIEM All-in-One (QRadar Console) Virtual 3199
  • QRadar SIEM Event and Flow Processor Virtual 1899
  • QRadar SIEM Flow Processor Virtual 1799
  • QRadar SIEM Event Processor Virtual 1699
  • QRadar Event Collector Virtual 1599
  • QRadar Data Node Virtual 1400
  • QRadar Flow Virtual 1299
  • QRadar Risk Manager 700
  • QRadar Vulnerability Manager Processor 600
  • QRadar Vulnerability Manager Scanner 610
  • QRadar App Host 4000
  • QRadar Incident Forensics
  • QRadar Log Manager Virtual 8099
Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6, and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).

QRadar SIEM All-in-One (QRadar Console) Virtual 3199

This virtual appliance is a QRadar SIEM system that profiles network behavior and identifies network security threats. The QRadar SIEM All-in-One (QRadar Console) Virtual 3199 virtual appliance includes an onboard Event Collector, a combined Event Processor and Flow Processor, and internal storage for events.

The QRadar SIEM All-in-One (QRadar Console) Virtual 3199 virtual appliance supports the following items:
  • Up to 1,000 network objects
  • 1,200,000 flows per interval, depending on your license
  • 30,000 Events Per Second (EPS), depending on your license
  • External flow data sources for NetFlow, sFlow, J-Flow, Packeteer, and Flowlog files
  • QRadar Flow Collector and Layer 7 network activity monitoring

To expand the capacity of the QRadar SIEM All-in-One (QRadar Console) Virtual 3199 beyond the license-based upgrade options, you can add one or more of the QRadar SIEM Event Processor Virtual 1699 or QRadar SIEM Flow Processor Virtual 1799 virtual appliances.

QRadar SIEM Event and Flow Processor Virtual 1899

This virtual appliance is deployed with any QRadar Console. The virtual appliance is used to increase storage and includes a combined Event Processor and Flow Processor and internal storage for events and flows.

The QRadar SIEM Event and Flow Processor Virtual 1899 appliance supports the following items:
  • 1,200,000 flows per interval, depending on traffic types
  • 30,000 Events Per Second (EPS), depending on your license
  • 2 TB or larger dedicated flow storage
  • 1,000 network objects
  • QRadar Flow Collector and Layer 7 network activity monitoring

You can add QRadar SIEM Event and Flow Processor Virtual 1899 appliances to any QRadar Console to increase the storage and performance of your deployment.

QRadar SIEM Flow Processor Virtual 1799

This virtual appliance is a dedicated Flow Processor that you can use to scale your QRadar SIEM deployment to manage higher flows per interval rates. The QRadar SIEM Flow Processor Virtual 1799 includes an onboard Flow Processor and internal storage for flows.

The QRadar SIEM Flow Processor Virtual 1799 appliance supports the following items:
  • 3,600,000 flows per interval, depending on traffic types
  • 2 TB or larger dedicated flow storage
  • 1,000 network objects
  • QRadar Flow Collector and Layer 7 network activity monitoring

The QRadar SIEM Flow Processor Virtual 1799 appliance is a distributed Flow Processor appliance and requires a connection to any QRadar SIEM 31XX series appliance.

QRadar SIEM Event Processor Virtual 1699

This virtual appliance is a dedicated Event Processor that you can use to scale your QRadar SIEM deployment to manage higher EPS rates. The QRadar SIEM Event Processor Virtual 1699 includes an onboard Event Collector, Event Processor, and internal storage for events.

The QRadar SIEM Event Processor Virtual 1699 appliance supports the following items:
  • Up to 80,000 events per second
  • 2 TB or larger dedicated event storage

The QRadar SIEM Event Processor Virtual 1699 virtual appliance is a distributed Event Processor appliance and requires a connection to any QRadar SIEM 31XX series appliance.

QRadar Event Collector Virtual 1599

This virtual appliance is a dedicated Event Collector that you can use to scale your QRadar SIEM deployment to manage higher EPS rates. The QRadar Event Collector Virtual 1599 includes an onboard Event Collector.

The QRadar Event Collector Virtual 1599 appliance supports the following items:
  • Up to 80,000 events per second
  • 2 TB or larger dedicated event storage

The QRadar Event Collector Virtual 1599 virtual appliance is a distributed Event Collector appliance and requires a connection to any QRadar SIEM 16XX, 18XX, or 31XX series appliance.

QRadar Data Node Virtual 1400

This virtual appliance provides retention and storage for events and flows. The virtual appliance expands the available data storage of Event Processors and Flow Processors, and also improves search performance.

Note: Encrypted data transmission between Data Nodes and Event Processors is not supported. The following firewall ports must be opened for Data Node communication with the Event Processor:
  • Port 32006 between Data Nodes and the Event Processor appliance
  • Port 32011 between Data Nodes and the Console's Event Processor

Size your QRadar Data Node Virtual 1400 appliance based on the EPS rate and data retention rules of the deployment.

Data retention policies are applied to a QRadar Data Node Virtual 1400 appliance in the same way that they are applied to stand-alone Event Processors and Flow Processors. The data retention policies are evaluated on a node-by-node basis. Criteria, such as free space, are based on the individual QRadar Data Node Virtual 1400 appliance and not the cluster as a whole.

Data Nodes can be added to the following appliances:
  • Event Processor (16XX)
  • Flow Processor (17XX)
  • Event/Flow Processor (18XX)
  • All-In-One (Console) (2100 and 31XX)

To enable all features included in the QRadar Data Node Virtual 1400 appliance, install it by using the Data Node 1400 appliance type.

QRadar Flow Virtual 1299

This virtual appliance provides the same visibility and function in your virtual network infrastructure that a QRadar Flow Collector offers in your physical environment. The QRadar Flow Collector virtual appliance analyzes network behavior and provides Layer 7 visibility within your virtual infrastructure. Network visibility is derived from a direct connection to the virtual switch.

The QRadar Flow Virtual 1299 appliance supports the following capabilities:
  • Maximum throughput of 1 Gbps

    If the hardware and software specifications are the same, a virtual appliance can deliver throughput levels that are comparable to IBM-supplied appliances. For more information about the specifications for IBM-supplied appliances, see the IBM QRadar Hardware Guide.

  • FIPS installation only 10,000 flows per minute
  • Three virtual switches, with one more switch that is designated as the management interface.

QRadar Vulnerability Manager Processor

Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6, and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).

This appliance is used to process vulnerabilities within the applications, systems, and devices on your network or within your DMZ. The vulnerability processor provides a scanning component by default. If required, you can deploy more scanners, either on dedicated QRadar Vulnerability Manager managed host scanner appliances or QRadar managed hosts. For example, you can deploy a vulnerability scanner on an Event Collector or QRadar Flow Collector.

QRadar Vulnerability Manager Scanner

Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6, and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).

This appliance is used to scan for vulnerabilities within the applications, systems, and devices on your network or within your DMZ.

QRadar Risk Manager

This appliance is used for monitoring device configurations, simulating changes to your network environment, and prioritizing risks and vulnerabilities in your network.

QRadar App Host 4000

This appliance is a managed host that is dedicated to running apps. App Hosts provide extra storage, memory, and CPU resources for your apps without impacting the processing capacity of your QRadar Console. Apps such as User Behavior Analytics with Machine Learning Analytics require more resources than are currently available on the Console.

QRadar Incident Forensics

QRadar Incident Forensics is installed from a separate ISO from the one that is used for other QRadar appliances. For more information about installing QRadar Incident Forensics as a virtual appliance, see Virtual appliance installations for QRadar Incident Forensics.

QRadar Log Manager Virtual 8099

This virtual appliance functions as a Log Manager AIO/Console.