IPv6 addressing in QRadar deployments

IPv4 and IPv6 addressing are supported for network connectivity and management of IBM® QRadar® software and appliances. When you install QRadar, you are prompted to specify whether your Internet Protocol is IPv4 or IPv6.

QRadar components that support IPv6 addressing

The following QRadar components support IPv6 addressing.

Network Activity tab

Because IPv6 Source Address and IPv6 Destination Address are not default columns, they are not automatically displayed. To display these columns, you must select them when you configure your search parameters (column definition).

To save storage and index space, a flow record from an IPv4-only or IPv6-only source stores and displays only the address fields for that address family; the fields for the other family are omitted. In a mixed IPv4 and IPv6 environment, a flow record contains both IPv4 and IPv6 addresses.

IPv6 addresses are supported for both packet data, including sFlow, and NetFlow V9 data. However, older versions of NetFlow might not support IPv6; NetFlow V5 records, for example, carry only IPv4 source and destination addresses.

Log Activity tab

Because IPv6 Source Address and IPv6 Destination Address are not default columns, they are not automatically displayed. To display these columns, you must select them when you configure your search parameters (column definition).

DSMs can parse IPv6 addresses from the event payload. If a particular DSM cannot parse the IPv6 addresses in a payload, you can use a log source extension to parse them. For more information about log source extensions, see the DSM Configuration Guide.

Searching, grouping, and reporting on IPv6 fields

You can search events and flows by using IPv6 parameters in the search criteria.

You can also group and sort event and flow records that are based on IPv6 parameters.

You can create reports that are based on data from IPv6-based searches.

Custom rules

In custom rules and building blocks, IP parameters support IPv4 and IPv6 addresses unless the parameters are labeled as one or the other (for example, SRC IPv6 supports only IPv6 addresses).
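The following example, added here and not part of the QRadar product or this documentation, shows the distinction the search and custom-rule sections above describe: a family-agnostic "Source IP in network" test that accepts IPv4 or IPv6, beside an IPv6-only test that mirrors a parameter labelled SRC IPv6. The flow records, field names (sourceip, sourcev6, and so on) and networks are constructed for illustration; the third record shows the caveat a practitioner should know about, an IPv4-mapped IPv6 source (::ffff:a.b.c.d), which an IPv6-only test treats as IPv6 but which the family-agnostic test unwraps so that an IPv4 network can still match it.

```python
import ipaddress
from typing import Optional

# Constructed flow records, not QRadar output. A record from a mixed
# IPv4/IPv6 environment carries both address families; records from a
# single-family source carry only one (see "Network Activity tab").
FLOWS = [
    {"sourceip": "192.0.2.10", "destinationip": "198.51.100.5",
     "sourcev6": "2001:db8:1::10", "destinationv6": "2001:db8:2::5"},
    {"sourceip": "203.0.113.7", "destinationip": "192.0.2.20"},
    # IPv4-mapped IPv6 source: the address family is IPv6 on the wire
    # even though it names an IPv4 host.
    {"sourcev6": "::ffff:203.0.113.7", "destinationv6": "2001:db8:2::5"},
]


def _parse(value: Optional[str]):
    """Return an IPv4Address/IPv6Address, or None for a missing or bad field."""
    if value is None:
        return None
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def src_in_network(flow: dict, cidr: str) -> bool:
    """Family-agnostic 'Source IP in network' test.

    Tries whichever source fields the record has and matches the one whose
    family fits the CIDR. An IPv4-mapped IPv6 source is unwrapped so that an
    IPv4 network can match it; an unmapped IPv6 source never matches an IPv4
    network and vice versa.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    for field in ("sourceip", "sourcev6"):
        addr = _parse(flow.get(field))
        if addr is None:
            continue
        if addr.version == 6 and net.version == 4 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if addr.version == net.version and addr in net:
            return True
    return False


def src_v6_in_network(flow: dict, cidr: str) -> bool:
    """'SRC IPv6 in network': consults only the IPv6 source field and only
    accepts an IPv6 network, mirroring a parameter labelled IPv6-only."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 6:
        raise ValueError("SRC IPv6 test requires an IPv6 network")
    addr = _parse(flow.get("sourcev6"))
    return addr is not None and addr in net


def matching_flows(flows, test, cidr: str):
    """Indexes of the records for which the rule test fires."""
    return [i for i, flow in enumerate(flows) if test(flow, cidr)]


if __name__ == "__main__":
    print("any-family, 203.0.113.0/24:", matching_flows(FLOWS, src_in_network, "203.0.113.0/24"))
    print("IPv6-only,  ::ffff:0:0/96:  ", matching_flows(FLOWS, src_v6_in_network, "::ffff:0:0/96"))
```

Note that the IPv4 network 203.0.113.0/24 matches both the plain IPv4 record and the IPv4-mapped one under the family-agnostic test, while the IPv6-only test matches the mapped record only through the ::ffff:0:0/96 range. A rule written against an IPv6-labelled parameter therefore does not see IPv4 traffic that arrives as mapped addresses unless the rule covers that range explicitly.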

Device support modules (DSMs)

DSMs can parse IPv6 source and destination addresses from event payloads.

Deploying QRadar in IPv6 or mixed environments

To log in to QRadar in an IPv6 or mixed environment, wrap the IPv6 address in square brackets, as URL syntax requires for IPv6 literals. For example, https://[<IP Address>], such as https://[2001:db8::1]. IPv4 addresses and host names are not bracketed.

Both IPv4 and IPv6 environments can use a hosts file for name resolution. In an IPv6 or mixed environment, the client resolves the Console address by its host name, so the client needs an IPv6 entry for the Console, not only an IPv4 one. You must add the IPv6 address of the Console to the /etc/hosts file on the client.
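The following example, added here and not part of the QRadar product or this documentation, covers the two client-side steps above: building the Console login URL so that an IPv6 literal is bracketed and an IPv4 literal or host name is not, and producing and checking the /etc/hosts entry that lets the client resolve the Console name to an IPv6 address. The host name qradar.example.com, the addresses and the sample hosts file content are constructed for illustration.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit


def console_url(host: str, port: int = 443) -> str:
    """Build the Console login URL for an IPv4 literal, IPv6 literal or host name.

    IPv6 literals are wrapped in square brackets, which is the URL syntax
    for IPv6 addresses; IPv4 literals and host names are used as-is.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # not a literal: a host name resolved via DNS or /etc/hosts
    authority = f"[{host}]" if addr is not None and addr.version == 6 else host
    if port != 443:
        authority += f":{port}"
    return f"https://{authority}/"


def hosts_entry(address: str, fqdn: str, short: Optional[str] = None) -> str:
    """Return the /etc/hosts line for the Console, validating the literal first."""
    addr = ipaddress.ip_address(address)  # raises ValueError on a malformed address
    names = [fqdn] + ([short] if short else [])
    return f"{addr.compressed}\t{' '.join(names)}"


def resolves_console(hosts_text: str, fqdn: str, want_v6: bool) -> bool:
    """Check that a hosts file maps fqdn to an address of the needed family.

    An IPv6 Console needs an IPv6 entry on the client; an IPv4-only entry for
    the same name does not satisfy the check.
    """
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        if fqdn in parts[1:] and (addr.version == 6) == want_v6:
            return True
    return False


# Constructed sample hosts file: the IPv4 entry alone is not enough for an
# IPv6 Console; the IPv6 entry is the one the client actually needs.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
192.0.2.50  qradar.example.com qradar   # IPv4 management address
2001:db8::1 qradar.example.com qradar   # IPv6 Console address
"""


if __name__ == "__main__":
    print(console_url("2001:db8::1"))
    print(console_url("qradar.example.com", 8443))
    print(hosts_entry("2001:0db8:0000:0000:0000:0000:0000:0001", "qradar.example.com", "qradar"))
    print(resolves_console(SAMPLE_HOSTS, "qradar.example.com", want_v6=True))
```

Run the script on a client to print the URL and the hosts line to append; the bracketed URL parses back to the bare address with the standard library, which is a quick way to confirm that the literal was not mangled by copy and paste.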

Flow sources, such as NetFlow and sFlow, are accepted from IPv4 and IPv6 addresses. Event sources, such as syslog and SNMP, are accepted from IPv4 and IPv6 addresses. You can disable superflows and flow bundling in an IPv6 environment.

Restriction: By default, you cannot add an IPv4-only managed host to an IPv6 and IPv4 mixed-mode console. You must run a script to enable an IPv4-only managed host.

IPv6 addressing limitations

When QRadar is deployed in an IPv6 environment, the following limitations are known:
  • Some parts of the QRadar deployment do not take advantage of the IPv6-enabled network hierarchy, including surveillance, searching, and analysis.
  • No host profile test in custom rules for IPv6 addresses.
  • No specialized indexing or optimization of IPv6 addresses.