IBM Support

QRadar: How to add a managed host reachable through a different IP address

How To


Summary

This article helps administrators configure QRadar® NAT Groups so that a managed host reachable through NAT can be added.

Environment

Note: In this technote, the managed host is added by using encryption. Encryption tunnels the traffic through SSH by using port 22.

To configure this integration, the administrator must have:
  1. A NAT device between the two hosts that translates the Public IP to the Private IP of the remote host bi-directionally.
  2. Bi-directional connectivity between the Console and the managed host.
    1. The firewall must allow port 22 between both hosts, and no brute-force policy may be enabled for this connection.
    2. The Console must reach the remote host through the Public IP.
    3. The remote host must reach the Console Private IP.

Steps

Note: The following IP addresses are only meant to illustrate the configuration. All of the example IP addresses are considered "Private network IP addresses" by RFC 1918. The administrator must change the IP addresses to match their deployment.

Deployment Overview
Console Private IP = 10.11.12.254
Console NAT Group (Location) = Main Office

Event Processor (EP) Private IP = 192.168.12.101
Event Processor (EP) Public IP = 172.16.12.101
Event Processor (EP) NAT Group (Location) = Branch1

Connectivity Verification.
  1. Open an SSH session to the QRadar® Console.
  2. Test against the remote host (Event Processor) Public IP.
    Note: If strict host checking is enabled, follow the technote: QRadar: SSH to host fails with error "No ECDSA host key is known for <Remote Host IP> and you have requested strict checking" 
     
    # ssh <Remote Host Public IP>
If the connection test does not reach the Remote Host, the administrator must ask their Network Team to check that a static 1:1 NAT is configured.

QRadar® Configuration.
  1. Navigate to the "Add Managed Host" menu.
    1. Log in to the QRadar Console as an admin user.
    2. Click the Admin Tab.
    3. Click System and License Management.
    4. In the Display list, select Systems.
    5. Click Deployment Actions > Add Host.
       
  2. Create the NAT Group.
    1. Select the Network Address Translation check box.
    2. Click the settings icon to create a new NAT group.
    3. Click Add and create the NAT Group.
    4. Give the NAT Group a name, click Save.
    5. Click Close to go back to the Add Managed Host menu.
       
  3. Configure the Managed Host
    1. Type the Host IP and Host Password.
      Note: The Host IP is the Private IP.
    2. Select the Encrypt Host Connections check box.
    3. Select the Network Address Translation check box.
    4. In the NAT Group list, select the NAT Group created.
    5. In the Public IP field, type the public IP address of the Event Processor, and then click Add.

      Important: Deploy Changes might result in services being restarted. While services are restarting, event processing stops until services restart. Scheduled reports that are in-progress need to be manually restarted by users. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization.
  4. Click Deploy Changes.
Result:
The Console sees the Event Processor Private IP and uses the Event Processor Public IP to connect to it.
The Console expects the connection from the Event Processor to come from the Event Processor Public IP.
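
The two statements under Result can be checked against a small model of the static 1:1 NAT before the firewall and NAT requests go to the Network Team. This is an added example, not IBM or QRadar code; `Flow`, `static_nat`, `plan` and `console_sees_public_source` are hypothetical names, and `bidirectional=False` is an assumed model of a device that only forwards inbound traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address

SSH_PORT = 22  # encrypted managed-host traffic is tunnelled over SSH


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int = SSH_PORT


def static_nat(flow, private_ip, public_ip, bidirectional=True):
    """Translate one flow crossing the NAT device.

    Inbound: destination public -> private. Outbound: source private -> public.
    bidirectional=False models a device that only forwards inbound traffic.
    """
    dst = private_ip if flow.dst == public_ip else flow.dst
    src = public_ip if bidirectional and flow.src == private_ip else flow.src
    return Flow(src, dst, flow.port)


def plan(console_ip, host_private, host_public, bidirectional=True):
    """Return {direction: (flow as sent, flow as received)} for both directions."""
    for ip in (console_ip, host_private, host_public):
        ip_address(ip)  # ValueError on a malformed address
    if host_private == host_public:
        raise ValueError("public and private IP are identical: nothing to translate")
    sent = {
        "console_to_host": Flow(console_ip, host_public),
        "host_to_console": Flow(host_private, console_ip),
    }
    return {k: (f, static_nat(f, host_private, host_public, bidirectional))
            for k, f in sent.items()}


def console_sees_public_source(p, host_public):
    """True when the host's connection arrives from the address the Console expects."""
    return p["host_to_console"][1].src == host_public


if __name__ == "__main__":
    # Example addresses from the technote's Deployment Overview.
    p = plan("10.11.12.254", "192.168.12.101", "172.16.12.101")
    for direction, (sent, received) in p.items():
        print(f"{direction}: sent {sent.src}->{sent.dst}:{sent.port}, "
              f"received {received.src}->{received.dst}:{received.port}")
    print("source matches Public IP:", console_sees_public_source(p, "172.16.12.101"))
```

With `bidirectional=False` the Event Processor's connection reaches the Console from 192.168.12.101 instead of 172.16.12.101, which is the mismatch a one-way forward in place of a static 1:1 NAT would produce.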

Document Location

Worldwide

Document Information

Modified date:
07 May 2021

UID

ibm16416647