Updating X-Force data in a proxy server

IBM® QRadar® uses a reverse proxy lookup through an Apache server to collect data directly from IBM Security X-Force® Threat Intelligence servers on the Internet.

About this task

All QRadar appliances in a deployment contact the Apache server to send cached requests. After the data is received by the IBM QRadar Console, the result is cached and replayed for all other managed hosts that make a request for new IP reputation data.

If a proxy is configured in your network, you must update the configuration to receive the X-Force data.

Restriction: NTLM authentication is not supported.

Procedure

  1. Use SSH to log in to the QRadar Console.
  2. Open the /etc/httpd/conf.d/ssl.conf file in a text editor.
  3. Add the following lines before </VirtualHost>:

    ProxyRemote https://license.xforce-security.com/ http://PROXY_IP:PROXY_PORT

    ProxyRemote https://update.xforce-security.com/ http://PROXY_IP:PROXY_PORT

  4. Update the IP address and port of the corporate proxy server to allow an anonymous connection to the X-Force security servers.
  5. Save the changes to the ssl.conf file.
  6. Restart the Apache server by typing the following command:

    apachectl restart

    Restarting the Apache server on the QRadar Console logs out all users and the managed hosts might produce error messages. Restart the Apache server during scheduled maintenance windows.