IBM Support

QRadar: Re-establishing an SSH Tunnel from QRadar Managed Host to console if Firewall IP address changed

Troubleshooting


Problem

A QRadar Console may not be able to communicate with a Managed Host in a DMZ if the firewall IP address has changed.

Cause

If changes are made to a firewall between the QRadar Console and a Managed Host (for example, the firewall device is moved and its IP address changes), existing SSH tunnels from the Managed Host to the Console no longer work until hostcontext is restarted.

Resolving The Problem

The hostcontext service needs to be restarted on the affected Managed Host(s). That can be done using one of the following methods:

Below are the solution options for QRadar versions 7.1 through 7.2.5

  1. Physically access the Managed Hosts to restart hostcontext (such as using KVM, IMM, or DRAC).

  2. Access WebMin (System Administration interface) on the Managed Host:

    Then from the Local Firewall drop-down, create a rule to allow access to port 22 from the user's workstation. Open an SSH session to the host from your desktop and restart hostcontext:
    service hostcontext restart

  3. Access WebMin on the Managed Host and make a configuration change (to Mail Server configuration). This will automatically restart hostcontext on the Managed Host.

Below are the solution options for QRadar versions 7.2.6 and above

  1. Physically access the Managed Hosts to restart hostcontext (such as using KVM, IMM, or DRAC).

  2. Create a firewall rule from your workstation to the Managed Host. To do this, click the Admin tab > System and License Management > highlight a system to manage > Actions > View and Manage System. Click the Firewall tab and add a rule to allow access to the port from the user's workstation. Open an SSH session to the host and restart hostcontext.

  3. Use the procedure from step 2 above. This time, access the Email Settings by clicking the Email Server tab. Make a configuration change (to Mail Server configuration). This will automatically restart hostcontext on the Managed Host.





Document Information

Modified date:
16 June 2018

UID

swg21687879