Diagnosing The Problem
- Click Risk tab.
- Click Connection.
- View Connection Graph.
- SSH to the Console as the root user.
- SSH to QRM host.
- Display the contents of the simArc directory by using the command.
Resolving The Problem
Note: Connections are built only for the default domain. The Connections graph for Multi-tenant is unsupported.
Connections Graph is blank
If you have no data, nothing is created for the Connections graph. The Connections screen displays simArc data, which is built from the flows and firewall events generated at the Event Processor. These simArc connections represent bidirectional flows (local at either src or dst) that are aggregated by src, dst, protocol, destination port, and allowDeny. The allowDeny field is true for an arc constructed from a flow, but arcs can also be constructed from firewall events to indicate a denied connection attempt. If arcs are based on events, the device ID and event count are also appended.
Flows not translating to arcs
If flows are not being translated to arcs, check that the flows are bidirectional and that they either originate from or are destined for the customer network, or both (Local to Local, L2L). Also ensure that the flows refer to open ports on known assets.
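The two sections above describe how flows and firewall events are reduced to arcs and which flows are dropped. The following is an added model of that aggregation, not QRadar's own code: the record layout, the local network ranges, and the known-asset port table are assumptions, and the sample records are constructed.

```python
from ipaddress import ip_address, ip_network

# Assumed customer (local) network ranges; in QRM these come from the network hierarchy.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Assumed known assets and their open ports, as the asset model would supply them.
KNOWN_OPEN_PORTS = {"10.0.0.5": {22, 443}, "10.0.0.9": {3306}}

def is_local(ip):
    return any(ip_address(ip) in net for net in LOCAL_NETS)

def flow_qualifies(src, dst, dst_port, bidirectional):
    """A flow becomes an arc only if it is bidirectional, has a local endpoint
    (remote-to-local, local-to-remote or L2L) and targets an open port on a known asset."""
    has_local_end = is_local(src) or is_local(dst)
    known_open = dst_port in KNOWN_OPEN_PORTS.get(dst, set())
    return bidirectional and has_local_end and known_open

def build_arcs(flows, deny_events):
    """Aggregate records into simArc-style arcs keyed by (src, dst, protocol, dst_port,
    allowDeny). Flow arcs (allowDeny=True) carry a flow count; denied-connection arcs from
    firewall events (allowDeny=False) carry the device IDs and an event count."""
    arcs = {}
    for src, dst, proto, dst_port, bidirectional in flows:
        if not flow_qualifies(src, dst, dst_port, bidirectional):
            continue
        arc = arcs.setdefault((src, dst, proto, dst_port, True), {"flows": 0})
        arc["flows"] += 1
    for src, dst, proto, dst_port, device_id in deny_events:
        if not (is_local(src) or is_local(dst)):
            continue  # a denied attempt with no local endpoint is not a connection of ours
        arc = arcs.setdefault((src, dst, proto, dst_port, False), {"events": 0, "devices": set()})
        arc["events"] += 1
        arc["devices"].add(device_id)
    return arcs

# Constructed sample flows: (src, dst, proto, dst_port, bidirectional)
FLOWS = [
    ("10.0.0.7", "10.0.0.5", "tcp", 443, True),        # L2L to an open port -> arc
    ("10.0.0.7", "10.0.0.5", "tcp", 443, True),        # same key -> aggregated into that arc
    ("203.0.113.4", "10.0.0.5", "tcp", 22, True),      # remote to local -> arc
    ("10.0.0.7", "10.0.0.5", "tcp", 8080, True),       # port not open on the asset -> dropped
    ("10.0.0.7", "10.0.0.9", "tcp", 3306, False),      # unidirectional -> dropped
    ("198.51.100.2", "203.0.113.4", "tcp", 80, True),  # no local endpoint -> dropped
]
# Constructed firewall deny events: (src, dst, proto, dst_port, device_id)
DENY_EVENTS = [("203.0.113.9", "10.0.0.9", "tcp", 3306, 101),
               ("203.0.113.9", "10.0.0.9", "tcp", 3306, 102)]

if __name__ == "__main__":
    for key, arc in sorted(build_arcs(FLOWS, DENY_EVENTS).items()):
        print(key, arc)
```

Running it yields three arcs: two allowed arcs from flows and one denied arc aggregating both firewall events; the three flows that fail the bidirectional, local-endpoint or open-port criteria produce nothing, which mirrors a blank or sparse Connections graph.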
No Data in the simArc directory
If there is no data in the simArc directory on QRM, the issue is usually related to where the data is being sent. You might need to SSH to the Event Processor that receives the firewall events and check the same directory there by using the command:
Check whether there is data in the local simarc directory. If there is no data there, the issue is not QRM-related. The Event Processor's /store/ariel/simarc directory is copied to /store/ariel/simarc on QRM. If there is data in the QRM simarc directory, QRM uses it to create connection views, and the Connections graph displays results.
06 January 2021