IBM Support

Configuring a QRadar Console to Accept Port 37 (RDATE) Traffic from QRadar Packet Capture Appliances

Question & Answer


Question

How do I configure IPtables on my QRadar Console to accept time synchronization (rdate) information requests from my QRadar Packet Capture appliances on port 37?

Answer

All QRadar appliances need to synchronize with the Console appliance to ensure that the deployment has consistent time settings. Consistent time values are required for searches and other data-related functions to operate properly on QRadar appliances. After a Packet Capture appliance is installed in your deployment, administrators can update IPtables on their Console to allow time synchronization to occur.

Before you begin

To properly time synchronize with the QRadar Console, the following steps are required:

  1. The QRadar Packet Capture appliance must have software version 7.2.2_1_0_3_208 Patch 2 installed. For information on this update, see: QRadar Packet Capture.
  2. The administrator must enable rdate on the QRadar Packet capture appliance.
  3. The administrator must update IPtables on the Console to accept rdate requests from the QRadar Packet Capture appliance.

Note: If you are unfamiliar with editing files from the command line, editing crontab, or editing Linux IPtables files, you can contact IBM Security QRadar Customer Support for assistance.



1. How to enable rdate on QRadar Packet Capture Appliances

Before you can configure rdate on your QRadar Packet Capture Appliance, you must know the IP address or hostname of your QRadar Console. If you use a hostname, the Console's hostname must resolve correctly; verify this with nslookup.

Procedure

  1. Using SSH, log in to the QRadar Packet Capture appliance as the root user.
  2. To turn off the NTP service, type service ntpd stop.
  3. To prevent the NTP service from starting at boot, type chkconfig ntpd off.
  4. To edit crontab, type crontab -e.
  5. To configure the appliance to synchronize with the Console every 10 minutes, type the following command: */10 * * * * rdate -s IP_address.

    Where IP_address is either the IP address or the hostname of the QRadar Console appliance.

    Examples:
    */10 * * * * rdate -s 8.8.8.8
    or
    */10 * * * * rdate -s QRadarConsole.company.com

  6. To save your configuration changes, press ESC, then type :wq and press Enter.

    You are now ready to edit IPtables on the Console to accept rdate communication on port 37.

2. How to update IPtables on the QRadar Console to accept rdate traffic from QRadar Packet Capture Appliances

Procedure

  1. Using SSH, log in to the QRadar Console appliance as the root user.
  2. To edit IPtables, type the following command: vim /opt/qradar/conf/iptables.pre.
  3. Type the following command to allow the Console to accept rdate communication on port 37: -A INPUT -p tcp -s <IP Address> --dport 37 -j ACCEPT.

    Where <IP address> is the IP address of your QRadar Packet Capture appliance. If you have multiple QRadar Packet Capture appliances, add a separate rule line for each appliance's IP address.


    For example,
    -A INPUT -p tcp -s 192.168.1.10 --dport 37 -j ACCEPT
    -A INPUT -p tcp -s 192.168.1.11 --dport 37 -j ACCEPT
    -A INPUT -p tcp -s 192.168.1.12 --dport 37 -j ACCEPT

  4. To save your IPtables configuration on the iptables.pre file, press ESC, then type :wq and press Enter.
  5. To apply the updated rules on the Console, type the following command: /opt/qradar/bin/iptables_update.pl.
  6. The Console now accepts rdate communication on TCP port 37 from the listed QRadar Packet Capture appliances.
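As an added illustration, not part of the IBM article, of what the port 37 rule admits: rdate -s speaks the RFC 868 Time protocol, in which the server answers a TCP connection with a single 4-byte big-endian count of seconds since 1900, and the client converts that to Unix time before setting its clock. The loopback address and ephemeral port below are constructed for a local run; a real Console listens on TCP 37.

```python
import socket
import struct
import threading
import time

# RFC 868 counts seconds from 1900-01-01 UTC; Unix time from 1970 (70 years, 17 leap days).
EPOCH_OFFSET_1900_TO_1970 = 2208988800


def encode_time(unix_seconds):
    """Server (Console) side: the 4-byte big-endian reply; the 32-bit field wraps in 2036."""
    return struct.pack("!I", (int(unix_seconds) + EPOCH_OFFSET_1900_TO_1970) & 0xFFFFFFFF)


def decode_time(reply):
    """Client (Packet Capture) side: reply bytes to Unix seconds, as rdate does before setting the clock."""
    if len(reply) != 4:  # anything else is not a valid Time reply
        raise ValueError("RFC 868 reply must be 4 bytes, got %d" % len(reply))
    (since_1900,) = struct.unpack("!I", reply)
    return since_1900 - EPOCH_OFFSET_1900_TO_1970


def serve_time_once(listener):
    """Accept one TCP connection, send the current time, close."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(encode_time(time.time()))


def fetch_time(host, port, timeout=3.0):
    """Connect like `rdate`, read exactly 4 bytes, return Unix seconds."""
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while len(reply) < 4:
            chunk = sock.recv(4 - len(reply))
            if not chunk:
                break
            reply += chunk
    return decode_time(reply)


def local_round_trip():
    """Run both sides on loopback (ephemeral port stands in for 37); return (server, local) Unix seconds."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5)  # do not hang forever if the client never connects
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    server = threading.Thread(target=serve_time_once, args=(listener,))
    server.start()
    try:
        return fetch_time("127.0.0.1", listener.getsockname()[1]), int(time.time())
    finally:
        server.join()
        listener.close()
```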


Document Information

Modified date:
20 September 2022

UID

swg21682057