IBM Support

(Updated) QRadar Automatic Updates Fail to Download on Networks That Use IP-based Firewall Rules

Flashes (Alerts)


Abstract

The IP address for qmmunity.q1labs.com has changed to a new server address. Administrators who block communication based on the IP address associated to qmmunity.q1labs.com will not get auto updates until they update the firewall rules to reference the new IP address.

Content

About changes to the auto update server

Recently, customers might have experienced an issue where QRadar does not download daily or weekly updates from the QRadar automatic update server. This issue occurs when a firewall accept rule was created specifically for the IP address of the auto update server. A feature rollout to provide better automatic update service has changed the IP address of the default auto update server. If an administrator is using IP-based firewall rules, the automatic update might have issues connecting to the correct server and the log will display the error message shown in Figure 1. To view the log:


    Procedure
    1. Log in to the QRadar Console as an administrative user.
    2. Click the Admin tab.
    3. Click the Auto Update icon.
    4. Click View Log to view a detailed summary.



      Figure 1: Auto update connection error message


Firewall rules and important future updates

Customers who have IP-based firewall rules to allow automatic updates between the QRadar Console and the Internet need to update their firewall configuration with the following IP addresses or hostnames:

| Description | Hostname | IP Address | Location | Status |
|---|---|---|---|---|
| Automatic Update Server 1 | qmmunity.q1labs.com | 69.20.113.167 | United States | Active hostname and IP address for US-based administrators. |
| Automatic Update Server 2 | qmmunity-eu.q1labs.com | 212.64.156.13 | Europe | Active hostname and IP address for EU-based administrators. |
| Old auto update server (deprecated) | | 69.20.5.88 (deprecated IP) | United States | This IP address is no longer in use. |

Important: We recommend that firewall rules reference hostnames and not specific IP addresses to ensure that automatic updates are not interrupted if a server IP address is changed. However, if customers can only use IP addresses in their firewall configuration, they should add both addresses: 69.20.113.167 for the US server and 212.64.156.13 for the Europe server. Both addresses should be added to the corporate firewall configuration because in a future release QRadar will have a speed test, along with the option to fail over to another auto update server. At run time for an auto update, the Console will start a speed test to download a test file from both server locations. The fastest connection to the Console will be used to download daily and weekly automatic updates. Administrators should ensure that their firewall rules allow traffic to both hostnames to accommodate this functionality.
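The following is an added example, not IBM code: a Python check that compares an IP-based firewall allowlist with the addresses in the table above and with what the two hostnames currently resolve to, so that another address change is noticed before updates fail. The function names and the report layout are assumptions made for this example.

```python
import socket

# Hostnames and IP addresses taken from the table above.
UPDATE_SERVERS = {
    "qmmunity.q1labs.com": "69.20.113.167",
    "qmmunity-eu.q1labs.com": "212.64.156.13",
}
DEPRECATED_IPS = {"69.20.5.88"}


def dns_resolve(hostname):
    """Return the set of IPv4 addresses the hostname currently resolves to."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def audit_allowlist(allowed_ips, resolve=dns_resolve):
    """Compare an IP allowlist with the documented and live server addresses."""
    allowed = set(allowed_ips)
    report = {
        "missing": {},      # per host: addresses the firewall does not allow
        "drifted": {},      # per host: DNS answers that differ from the table
        "stale": sorted(allowed & DEPRECATED_IPS),  # deprecated entries to remove
        "unresolved": [],   # hosts that could not be resolved
    }
    for host, documented in UPDATE_SERVERS.items():
        try:
            live = set(resolve(host))
        except OSError:     # socket.gaierror is a subclass of OSError
            report["unresolved"].append(host)
            live = set()
        missing = sorted(({documented} | live) - allowed)
        if missing:
            report["missing"][host] = missing
        drift = sorted(live - {documented})
        if drift:
            report["drifted"][host] = drift
    return report


if __name__ == "__main__":
    # Constructed sample: a firewall that still allows only the old server.
    print(audit_allowlist({"69.20.5.88"}))
```

Run it from a host that uses the same DNS resolvers as the QRadar Console; a non-empty "drifted" entry means the hostname no longer resolves to the address listed in this flash.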



Configure QRadar to use the European automatic update server

A new automatic update server was activated for QRadar users in Europe. Administrators who want to leverage this server need to update the proxy settings in QRadar to use the address: https://qmmunity-eu.q1labs.com/

Procedure

  1. Log in to the QRadar Console as an administrative user.
  2. Click the Admin tab.
  3. Click the Auto Update icon.
  4. Click Change Settings.
  5. Click the Advanced tab.
  6. In the Web Server field, type https://qmmunity-eu.q1labs.com/

    Figure 2: How to update the QRadar auto update server address

  7. Click Save. A Deploy Changes is not required.
  8. Administrators must update their firewall rules to allow external connections from their network before they can test the server connection. The next section outlines how to test the automatic update connection.



How to test your auto update connection

After administrators have updated their firewall rules, they should manually retrieve a QRadar automatic update to ensure that the connection is successful.


    Procedure
    1. Log in to the QRadar Console as an administrative user.
    2. Click the Admin tab.
    3. Click the Auto Update icon.
    4. Click Get New Updates.
    5. Wait for the connection and updates to complete. A dashboard system notification is generated when updates are successfully downloaded or when errors occur.

      Figure 3: Auto update connection success message
    6. Optional. Click View Log to view a detailed summary.
      • If the update fails, a connection error message is displayed.

        Figure 5: Example of an auto update connection failure message
      • If the update is successful, the log will provide a success message and display the latest updates as "already installed".

        Figure 4: Example of an auto update connection success message
    7. If the test fails, either try the test again or verify that any corporate firewall/proxy settings have been enabled to allow external connections.


Document Information

Modified date:
10 May 2019

UID

swg21958881