IBM Support

QRadar Automatic updates fail to download on networks that use IP-based firewall rules

Flashes (Alerts)


Abstract

Administrators who block communication based on the IP address associated to https://auto-update.qradar.ibmcloud.com/ can experience issues where the auto update times out or cannot complete as expected. The server location for QRadar auto updates has recently changes. If you not get daily or weekly auto updates, sure you update your firewall rules to reference both the new IP address and hostname at https://auto-update.qradar.ibmcloud.com/.

Content


Important: For the latest information about QRadar auto update servers, see: Required auto update server changes for administrators (https://www.ibm.com/support/pages/node/6333083).
 

About changes to the auto update server

Recently, customers might have experienced an issue where they are not downloading daily or weekly updates from the QRadar automatic update server. This issue is caused by specifically creating an accept rule to the IP address of the auto update server. A feature rollout to provide better automatic update service has changed the IP address of the default auto update server. If an administrator is using IP-based firewall rules, the automatic update might have issues connecting to the correct server and the log will display the following error message: Cannot download one or more update files.

Procedure
  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab.
  3. Click the Auto Update icon.
  4. Click View Log to view a detailed summary.
    image 6937
    Figure 1: Auto update connection error message.

Firewall rules and important future updates

Customers who have IP-based firewall rules to allow automatic updates between the QRadar Console and the Internet need to update their firewall configuration with the following IP addresses or hostnames:

Server changes Hostname Static IP address Location Description
New server cluster https://auto-update.qradar.ibmcloud.com/ 169.47.251.244 Global New server active on 27 July 2020
Legacy server https://qmmunity.q1labs.com/ 69.20.113.167 United States Active until 30 November 2020
Legacy server https://qmmunity-eu.q1labs.com/ 212.64.156.13 Europe Active until 30 November 2020


Important: QRadar support recommends that firewall rules reference the host name and the IP addresses to ensure that automatic updates are not interrupted if a server IP address is changed. The new IP address 169.47.251.244 is static and should be added to corporate firewall rules.

How to test your auto update connection

After administrators update their firewall rules, it is recommended to test the server connection.

Procedure
  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab.
  3. Click the Auto Update icon.
  4. Click Get New Updates.
  5. Wait for the connection and updates to complete. A dashboard system notification is generated when updates are successfully downloaded or when errors occur.
    image 6932
    Figure 2: Auto update connection success message (click to enlarge image)
  6. Optional. Click View Log to view a detailed summary.
    • If the update is unsccessful, a connection error message is displayed.image 6936
      Figure 3: Example of an auto update connection failure message.
    • If successful, the log will provide a success message and display the latest updates as "already installed".image 6935
      Figure 4: Example of an auto update connection success message.
  7. If the test fails, verify that any corporate firewall or proxy settings have been enabled to allow external connections to https://auto-update.qradar.ibmcloud.com or 169.47.251.244.

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtDAAQ","label":"Auto Update"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Version(s)"}]

Document Information

Modified date:
25 September 2022

UID

swg21958881