Question & Answer
For IBM Security QRadar SIEM, how do you configure the Windows Firewall on Microsoft Windows Server 2008 to allow the Windows Event Log Protocol (WMI) to connect to a Microsoft Windows Server 2008?
When trying to use the Windows Event Log Protocol (WMI) to connect to a Microsoft Windows 2008 server with the Windows Firewall enabled, the firewall blocks incoming connections over port TCP/135 and dynamic port ranges.
You must configure rules on Windows Firewall to allow:
- TCP/135 - the MSC DCE RPC Locator Service
- A dynamic port range that DCOM uses when communicating with a QRadar SIEM appliance.
Configuring the Windows Firewall to allow a QRadar SIEM IP Address to connect by using Windows Event Log Protocol
Step 1 - Log in to the Windows Server with local Administrator privileges.
Step 2 - On the Windows Server, open the Administrative Tools and launch the Server Manager.
Step 3 - Select Configuration, Windows Firewall with Advanced Security, and then select Inbound Rules. Right-click Inbound Rules to create a new inbound rule. In the rule wizard, choose the following options:
- For Rule Type, select Custom
- Allow the rule to apply to All Programs
- For Protocol type, select TCP
- For Local Ports, select All Ports
- For Remote Ports, select All Ports
- For "Which local IP addresses does this rule apply to", select Any IP Address
- For "Which remote IP addresses does this rule apply to", select These IP addresses and add the IP address of the QRadar collector
- Select Allow the connection
- Ensure that the rule is applied to Domain, Private, and Public network connections
- Give the rule an appropriate Name and Description and save the rule
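The same rule can be created from an elevated PowerShell prompt with netsh, which helps when many servers need it. This script is an added example, not part of the IBM technote; the collector address, rule name, and description are placeholders to replace.

```powershell
# Added example: command-line equivalent of the wizard options in Step 3.
# Run from an elevated prompt on the Windows Server being collected from.
param(
    [string]$CollectorIp = '192.0.2.10',            # placeholder address (TEST-NET-1)
    [string]$RuleName    = 'QRadar WMI collection'  # placeholder rule name
)

# Accept only a literal IP address, and pass netsh the normalized form.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($CollectorIp, [ref]$parsed)) {
    throw "Not a valid IP address: $CollectorIp"
}
$remote = $parsed.ToString()

# Remove an earlier copy of the rule so reruns do not leave duplicates.
# netsh reports an error when no rule matches; that is expected on first run.
netsh advfirewall firewall delete rule name="$RuleName" | Out-Null

# Custom rule: all programs, TCP, all local and remote ports, any local IP,
# remote IP limited to the collector, allow, all three profiles.
netsh advfirewall firewall add rule name="$RuleName" `
    description="Allow the QRadar collector to connect over WMI/DCOM" `
    dir=in action=allow protocol=TCP `
    localip=any "remoteip=$remote" `
    localport=any remoteport=any `
    "profile=domain,private,public" enable=yes
if ($LASTEXITCODE -ne 0) {
    throw "netsh could not create rule '$RuleName' (exit code $LASTEXITCODE)"
}

# Print the stored rule so the scope can be checked.
netsh advfirewall firewall show rule name="$RuleName" verbose
```

Because the rule allows every TCP port, the remote IP scope is its only restriction. Confirm that RemoteIP in the output lists only the collector address.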
For additional information, see the DCOM Configuration section of the QRadar DSM Guide for IBM QRadar SIEM.
16 June 2018