IBM Support

QRadar Risk Manager: Adobe Flash end of life and changes to Configuration Source Management (CSM)

News


Abstract

Administrators with QRadar Risk Manager appliances in their deployment are being alerted to changes in Configuration Source Manager due to the approaching end of life of Adobe Flash. Due to removal of Adobe Flash, the Configuration Source Management (CSM) functionality is integrated in to the Configuration Monitor. The updated Configuration Monitor interface is available to administrators who upgrade their QRadar deployment in upcoming fix pack releases.

Content

About

QRadar Risk Manager administrators are being alerted to an upcoming user interface change to the Configuration Source Management (CSM) component. Due to the End of Life (EOL) announcement for Adobe Flash, QRadar Risk Manager has deprecated the default Configuration Source Management interface and integrated device backup and configuration functionality in to the Configuration Monitor. The Configuration Monitor interface includes the same device backup functionality, but was developed without Adobe Flash to ensure that administrators can comply with Adobe's 31 December 2020 end of life announcement. Administrators who are in corporate environments who are required to remove Adobe Flash can discuss upgrades to a QRadar version that includes the updates to the Configuration Monitor. All created schedules (Scheduled Discovery, jobs) are automatically moved from the legacy Admin tab Configuration Source Management interface to the Configuration Monitor on the Risks tab after you upgrade.

Product versions

The following versions integrate scheduling and device configurations on the Risks tab in to the Configuration Monitor:

How to identify the issue

A notice is displayed in the Configuration Source Management component to advise administrators that the Configuration Source Management is deprecated. Administrators who see this information message can upgrade to a QRadar version that includes the Configuration Monitor to avoid interruptions with device configurations after 31 December 2020 due to Adobe Flash end of life (EOL) issues.

image 5858
Figure 1: Legacy Configuration Source Management user interface for Adobe Flash.

image 5883
Figure 2: Browsers which block Adobe Flash by default do not display the Configuration Source Management user interface.


 

Locating the Configuration Monitor

QRadar 7.4.1 fix pack 1 and QRadar 7.3.3 fix pack 5 updates move the functionality of discovery, backups, credentials and scheduled to the Risks tab. Administrators can use the Configuration Monitor to make changes to their devices after an upgrade to the QRadar deployment. The functionality between Configuration Source Manager and the Configuration Monitor is identical and the Configuration Monitor does not include dependencies on Adobe Flash.

Procedure
  1. Log in to QRadar.
  2. Click the Risks tab.
  3. In the Risk Manager pane, click Configuration Monitor.
    image 5884
    Figure 3: Location of the Configuration Monitor on the Risks tab.
  4. Use the Configuration Monitor to manage your devices.

Schedules and device backups

Schedules Configuration for QRadar Risk Manager allows administrators to define backup jobs or device discovery in the Configuration Monitor. Schedules are now setup using the Configuration Monitor. Devices can be added to the schedule and a trigger defines the time and recurrence for the backup or device discovery, which can occur either once, daily, weekly, monthly, or defined as a cron job expression.
image 5888Figure 4: Schedules are now defined in the Configuration Monitor for the Risk Manager versions defined in this technical note.

Procedure
  1. Click the Risks tab.
  2. Expand the Configuration Monitor and select Schedules.
  3. On the Scheduled page, click Add to create a new schedule or select and existing schedule and click Edit.
  4. Type a unique Name for the schedule.
  5. Select a Group from the drop-down list or type a new Group name.
  6. Select a schedule type:
    Select a schedule type to either backup or discover new devices
    Option Description
    Backup Backup schedules allow users to collect device configuration changes from discovered network devices.
    Discovery
    Updates the telemetry (neighbor) information for devices and adds newly discovered network devices.
    Note: If a discovery schedule exists, you must select Backup. You cannot change the Type of an existing schedule.
  7. If you are creating a discovery schedule and want to add newly discovered devices to a product, select Crawl.
  8. If you are creating a backup schedule, click Edit and add or remove devices to be targeted for backup. Then perform one of the following actions
  9. Use the arrows to move devices from the Available Devices list to the Selected Devices list.
  10. Select Search to configure a search to dynamically target devices based on IP address, operating system, model, or hostname.
    Tip: You can search for Admin or Interface IP addresses with a comma-separated list of IP addresses or CIDR ranges.
  11. Select a Trigger to specify the frequency you want the schedule to run.
    • Once
    • Daily
    • Weekly
    • Monthly
    • Cron

      image 6055
      Note: Cron expressions that repeat more than once per hour are not accepted.
  12. Click Save.

Device discovery

Device Discovery is now located in the Configuration Monitor on the Risks tab for the QRadar Risk Manager versions discussed in this technical note. Device Discovery streamlines adding network devices through network management appliances, such as Check Point Management Servers, Palo Alto Panorama, Juniper NSM, or by crawling the network with SNMP for discoverable IP addresses. The Device Discovery functions in QRadar Risk Manager allow users to set up multiple networks and run discovery to automatically add new firewalls, IPS, and other network devices so they can be backed up and added to the Topology.  It is important that administrators do not add overlapping address ranges or CIDR addresses when discovering devices to prevent duplicates.
image 5885Figure 5: Device Discovery in the Configuration Monitor displays the status or logs for added devices.

Credentials

Device credentials can be added to access and download the configuration of devices such as firewalls, routers, switches, or IPSs in the Configuration Monitor on the Risks tab. Administrators can add credentials for individual devices or for multiple network devices that use the same credentials and prioritize the credential order QRadar Risk Manager uses to back up network device configurations.
image 5887
Figure 6: Device credentials can be added in the Configuration Monitor.

Configuring protocols

QRadar Risk Manager users can define the protocol, port, and other details required to communicate to a set of network devices. You can assign devices to network groups, which allows you to group together protocol sets and address sets for your devices.

Procedure
  1. On the Risk tab, click Configuration Monitor.
  2. In the navigation menu, click Protocols.
  3. Select Add from the toolbar.
  4. Type a Name for the protocol set.
  5. In the Address Sets section, click Add.
  6. In the Add Address field, type the IP address or CIDR range that you want to apply to the network group, then click OK.
    Tip: You can use IP4 or IP6 address or CIDR ranges.
  7. Select the check box for each protocol you want to enable.
    Tip: Select a protocol and click Increase Priority or Decrease Priority to adjust the order you want the protocols to be used.
  8. Select a protocol to configure its relevant properties. You can configure the following values for the protocol parameters:
    Table 1. Protocol parameters
    Protocol Parameter description
    SSH

    Configure the following parameters:

    • Port- Type the port on which you want the SSH protocol to use when communicating with and backing up network devices. The default SSH protocol port is 22.
    • Version- Select the version of SSH that you want this network group to use when communicating with network devices. The available options are as follows:
    • Auto- This option automatically detects the SSH version to use when communicating with network devices.
      1 - Use SSH-1 when communicating with network devices.
      2 - Use SSH-2 when communicating with network devices.
    Telnet

    Type the port number you want the Telnet protocol to use when communicating with and backing up network devices. The default Telnet protocol port is 23.

    HTTPS

    Type the port number you want the HTTPS protocol to use when communicating with and backing up network devices. The default HTTPS protocol port is 443

    HTTP Type the port number you want the HTTP protocol to use when communicating with and backing up network devices. The default HTTP protocol port is 80.
    SCP
    Type the port number you want the SCP protocol to use when communicating with and backing up network devices. The default SCP protocol port is 22.
    SFTP Type the port number you want the SFTP protocol to use when communicating with and backing up network devices. The default SFTP protocol port is 22.
    FTP Type the port number you want the FTP protocol to use when communicating with and backing up network devices. The default SFTP protocol port is 22.
    TFTP The TFTP protocol does not have any configurable options.
    SNMP

    Configure the following parameters:

    • Port - Type the port number you want the SNMP protocol to use when communicate with and backing up network devices.
    • Timeout(ms) - Select the amount of time, in milliseconds, that you want to use to determine a communication timeout.
    • Retries - Select the number of times you want to attempt to retry communications to a device.
    • Version - Select the version of SNMP you want to use for communications. The options are v1, v2, or v3.
      • V3 Authentication - Select the algorithm you want to use to authenticate SNMP traps.
      • V3 Encryption - Select the protocol you want to use to decrypt SNMP traps.
  9. Click Save.
    Tip: After you create your protocol sets, select a protocol set and click Increase Priority or Decrease Priority to adjust the order you want the protocol sets to be checked.

Notice: Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU008","label":"Security"},"Product":{"code":"SSBQQU","label":"IBM Security QRadar Risk Manager"},"ARM Category":[{"code":"a8m0z000000cwtKAAQ","label":"QRadar Risk and Vulnerability Manager"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.3.3;7.4.1"},{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU008","label":"Security"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtKAAQ","label":"QRadar Risk and Vulnerability Manager"}],"Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.3.3;7.4.1"}]

Document Information

Modified date:
08 October 2020

UID

ibm16326009