IBM Support

QRadar: Enabling ping response on appliances

Question & Answer


Question

How is the ICMP ping response enabled in QRadar?

Cause

Network operations staff commonly use a ping monitoring service to confirm that critical network resources are available. By default, the host firewall on QRadar appliances drops all ICMP traffic received on the management interfaces and never answers echo requests, so the appliances are shown as offline in such monitors.

Answer

To enable ICMP ping responses in QRadar, the local host firewall (iptables) rules must be changed to accept ICMP echo requests and replies. QRadar keeps administrator firewall customizations in /opt/qradar/conf/iptables.pre and applies them when its rule set is rebuilt.
Note: Because the changes in this procedure are made in that file rather than with the iptables command directly, the ICMP allowances are maintained after a reboot and also survive QRadar upgrades.
Steps to enable ICMP ping responses:
  1. SSH into the QRadar console or managed host as the root user.
  2. Create a backup folder if it does not already exist:
    mkdir -p /store/IBM_Support/
  3. Make a backup copy of the existing firewall customizations:
    cp /opt/qradar/conf/iptables.pre /store/IBM_Support/
  4. Edit /opt/qradar/conf/iptables.pre and add rules that accept ICMP echo requests (type 8) and echo replies (type 0). Add one pair of lines for each interface that must answer pings:
    -A INPUT -i {interface} -p icmp --icmp-type 8 -j ACCEPT
    -A INPUT -i {interface} -p icmp --icmp-type 0 -j ACCEPT
    Interface names differ with the Red Hat Enterprise Linux release that QRadar is installed on, so confirm the name with "ip link" before adding the rules. For example, in QRadar 7.4.x and 7.5.x (Red Hat Enterprise Linux 7):
    -A INPUT -i ens192 -p icmp --icmp-type 8 -j ACCEPT
    -A INPUT -i ens192 -p icmp --icmp-type 0 -j ACCEPT
    The rules above answer pings from any host. To limit the exposure to the monitoring system only, add the "-s" option with the source address or network that is allowed to ping the appliance:
    -A INPUT -i {interface} -p icmp --icmp-type 8 -s 10.100.33.12/32 -j ACCEPT
    -A INPUT -i {interface} -p icmp --icmp-type 0 -s 10.100.33.12/32 -j ACCEPT
  5. Reload the iptables rules with the following command:
    /opt/qradar/bin/iptables_update.pl
  6. Verify that the QRadar system answers ping requests.
    The next examples show a ping while ICMP is still denied, then the same ping after ICMP traffic is allowed. "Destination Host Prohibited" is the reject message the host firewall returns before the change: the appliance is reachable, but its firewall refuses the request.
    Blocked ICMP Traffic
    [root@unix ~]# ping qradar
    PING qradar.q1labs.com (10.10.10.1) 56(84) bytes of data.
    From qradar.q1labs.com (10.10.10.1) icmp_seq=1 Destination Host Prohibited
    From qradar.q1labs.com (10.10.10.1) icmp_seq=2 Destination Host Prohibited
    From qradar.q1labs.com (10.10.10.1) icmp_seq=3 Destination Host Prohibited
    
    Accepted ICMP Traffic
    [root@unix ~]# ping qradar
    64 bytes from qradar.q1labs.com (10.10.10.1): icmp_seq=4 ttl=64 time=0.169 ms
    64 bytes from qradar.q1labs.com (10.10.10.1): icmp_seq=5 ttl=64 time=0.172 ms
    64 bytes from qradar.q1labs.com (10.10.10.1): icmp_seq=6 ttl=64 time=0.155 ms
    --- qradar.q1labs.com ping statistics ---
    3 packets transmitted, 3 received, 0 errors, 0% packet loss, time 5004ms
    rtt min/avg/max/mdev = 0.155/0.165/0.172/0.012 ms

Result
The QRadar environment accepts the ICMP echo requests and answers the pings.
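The procedure above can be scripted so that it is safe to rerun: the rule lines are appended to iptables.pre only if they are not already there, the interface name and optional source filter are checked before anything is written, a backup is taken first, and the rules are reloaded and listed for confirmation. The following is an added example and is not IBM's code. The function names and the IPTABLES_PRE and BACKUP_DIR variables are this example's own; the paths they default to are the ones the procedure uses, and the timestamped backup file name is this example's choice rather than the plain copy in step 3.

```shell
#!/bin/sh
# Added example (not IBM's code): scripts steps 2 to 6 of the procedure so
# that the ICMP rules are validated, backed up, appended once, reloaded and
# confirmed. Function names and the two variables below are this example's own.

IPTABLES_PRE="${IPTABLES_PRE:-/opt/qradar/conf/iptables.pre}"
BACKUP_DIR="${BACKUP_DIR:-/store/IBM_Support}"

# Interface names: letters, digits and . _ : - only. Anything else (spaces,
# shell metacharacters) would not be a valid iptables -i argument anyway.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Source filter for -s: a plain IPv4 address or CIDR (digits, dots, at most
# one slash). A sanity check on what gets written, not a full address parser.
valid_src() {
    case "$1" in
        ''|*[!0-9./]*|*/*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build one rule line. Type 8 is echo-request (what the monitor sends us);
# type 0 is echo-reply (answers to pings the appliance itself sends out).
icmp_rule() {
    iface="$1"; icmp_type="$2"; src="$3"
    if [ -n "$src" ]; then
        printf '%s\n' "-A INPUT -i $iface -p icmp --icmp-type $icmp_type -s $src -j ACCEPT"
    else
        printf '%s\n' "-A INPUT -i $iface -p icmp --icmp-type $icmp_type -j ACCEPT"
    fi
}

# Append the echo-request and echo-reply rules for one interface unless an
# identical line is already in the file. Prints the number of lines added,
# so running it twice on the same file adds nothing the second time.
add_icmp_rules() {
    file="$1"; iface="$2"; src="$3"
    added=0
    for icmp_type in 8 0; do
        rule=$(icmp_rule "$iface" "$icmp_type" "$src")
        if ! grep -qxF -- "$rule" "$file" 2>/dev/null; then
            printf '%s\n' "$rule" >> "$file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Back up, edit, reload, confirm. Must run as root on the QRadar host.
# Usage: apply_icmp_rules ens192 [10.100.33.12/32]
apply_icmp_rules() {
    iface="$1"; src="$2"
    valid_iface "$iface" || { echo "refusing bad interface name: $iface" >&2; return 1; }
    if [ -n "$src" ]; then
        valid_src "$src" || { echo "refusing bad source filter: $src" >&2; return 1; }
    fi
    mkdir -p "$BACKUP_DIR"
    # Timestamped copy (this example's choice) so repeated runs keep every version.
    cp "$IPTABLES_PRE" "$BACKUP_DIR/iptables.pre.$(date +%Y%m%d%H%M%S)"
    n=$(add_icmp_rules "$IPTABLES_PRE" "$iface" "$src")
    echo "added $n rule line(s) to $IPTABLES_PRE"
    # Reload the host firewall exactly as step 5 does.
    /opt/qradar/bin/iptables_update.pl
    # List the live ICMP rules so the change can be confirmed before pinging.
    iptables -S INPUT | grep -- '-p icmp'
}

# Only act when invoked with arguments; sourcing the file just defines the functions.
if [ "$#" -ge 1 ]; then
    apply_icmp_rules "$@"
fi
```

Run it as root with the interface name and, preferably, the monitoring host's address (for example ./allow_ping.sh ens192 10.100.33.12/32) so the appliance answers only that host rather than every host that can reach the management interface.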


Document Information

Modified date:
11 November 2022

UID

swg21634882