IBM Support

QRadar: QRadar 7.3.0 NFS Mount issue after reboot



After Upgrading a QRadar Deployment to 7.3.0 you discover that the NFS mounts are no longer working. You determine the mount point is correct, but you are not able to connect to the NFS server.


The backups were not being remotely stored on the backup server after the upgrade.


The interfaces changed from eth to en for predictable network interfacing naming, but the custom firewall rules still reference the old interface naming convention. To determine this do these commands

Type route -n shows interface ens3 as the network subnet were the NFS backup server is on.
[root@QRada73 ~]# route -n

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface UG 0 0 0 ens3 U 0 0 0 docker0 U 0 0 0 dockerApps U 0 0 0 appProxy U 0 0 0 ens4 U 0 0 0 ens3

Type cat /opt/qradar/conf/iptables.pre which shows Interface eth0 associated with the subnet.

[root@QRada73 ~]# cat /opt/qradar/conf/iptables.pre

-I INPUT -p tcp --dport 10101 -j ACCEPT
-I INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -i eth0 -s -j ACCEPT

Resolving The Problem

Upgrading to QRadar 7.3.0 will cause the interfaces to change from eth to a value of en. This is to account for the change to predictable Network Interface device naming. Prefix's are applied after en to represent hardware which use either o or p. A virtual machine will use prefix s
Example en<s>3 where

o = on-board device

s = hotplug slot

p = PCI location.

If your iptables custom firewall rule in /opt/qradar/conf/iptables.pre is referencing an interface prior to the upgrade you need to update it with the correct interface name.

Example if your firewall rule before you upgraded was something like this

-A INPUT -i eth0 -s -j ACCEPT
You will need to update it to include the new interface.
-A INPUT -i ens3 -s -j ACCEPT

Steps to resolve the issue.
  1. Using an SSH session log in to the QRadar Console.
  2. Type ifconfig to determine the interface that is associated with the subnet for the backup server.
    [root@QRada73 ~]# ifconfig

    ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet netmask broadcast
    inet6 fe80::5054:ff:fef0:a86 prefixlen 64 scopeid 0x20<link>
    ether 52:54:00:f0:0a:86 txqueuelen 1000 (Ethernet)
    RX packets 109 bytes 17491 (17.0 KiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 84 bytes 10626 (10.3 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    ens4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet netmask broadcast
    inet6 fe80::5054:ff:fe0e:c022 prefixlen 64 scopeid 0x20<link>
    ether 52:54:00:0e:c0:22 txqueuelen 1000 (Ethernet)
    RX packets 3 bytes 210 (210.0 B)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 8 bytes 850 (850.0 B)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
  3. Using vi editor open /opt/qradar/conf/iptables.pre
    vi /opt/qradar/conf/iptables.pre
  4. Change the entry for the interface from eth to the one listed in the output of the ifconfig command that corresponds to the one for the subnet were the backup server.
  5. Save the changes by typing esc :wq
  6. Update the iptables configuration using the command
  7. restart the NFS services using these commands
    systemctl restart rpcbind
    systemctl restart nfs-server

You now connect to your NFS Backup Server.

For more information on Configuring NFS shares for backups, look at this Knowledge Center article.
Moving backups to an NFS

Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"General Information","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.3","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018