IBM Support

QRadar: Troubleshooting network connectivity for applications running on App Host appliances

Troubleshooting


Problem

Some configurations in certain applications, such as the Threat Intelligence app, require connections to specific external endpoints outside of the deployment. When network devices such as firewalls and proxies do not allow the connection from the App Host, the application cannot save the configuration.
This article shows administrators how to connect to an application's container and check connectivity to a specific endpoint by using the curl command when the application runs on the App Host.

Symptom

Attempt to configure a setting in an application that requires external endpoints, such as TAXII Feeds for the Threat Intelligence app, and save the setting. An error message about connectivity is displayed.
The following screen capture shows an example of the Threat Intelligence app requesting feeds from the TAXII endpoint "https://api.xforce.ibmcloud.com/taxii"; the error is "There is a problem connecting to the TAXII Server. Verify that the TAXII server is available".
Figure01

Cause

Applications in QRadar use the appliance's management IP address for external connectivity. When applications are set to run on the App Host, the applications use the App Host's management IP address for connectivity to the DNS server or external endpoint URL. When the network has proxy or firewall exclusions that allow the Console's IP address only, the applications fail to connect to any external destination when they run on the App Host.

Diagnosing The Problem

Administrators can log in to the application container and run network tests by using the curl command.
  1. Log in to the QRadar user interface as the admin user.
  2. On the navigation menu, click Admin.
  3. Click System and License Management.
  4. Click the "Click to change where apps are run" link and verify that the applications are set to run on the App Host.
  5. Verify that the application fails to connect to an external endpoint URL.

Resolving The Problem

Administrators can log in to the conflicting application container and run network tests by using the curl command to obtain information and report it to the pertinent networking team to grant the connection. Review the steps in the "Diagnosing the Problem" section to ensure the applications run on the App Host.

  1. Log in to the QRadar command-line interface (CLI) as the root user.
  2. Connect to the App Host by using the ssh command.
    ssh <App Host IP>
  3. Run the qappmanager utility to obtain the ID of the conflicting application.
    Note: In this article, Threat Intelligence is used as an example and its ID is 1253. Administrators must use the ID of the conflicting application on their own systems.
     
    /opt/qradar/support/qappmanager
    Output Example
    APP DEFINITIONS (SIO=Single Instance Only, MTS=Multi-tenancy Safe):
    ID   | Name                         | Version | Status    | Installed        | Memory | Instances | SIO | MTS | Errors
    1253 | Threat Intelligence          | 2.4.1   | COMPLETED | 2022-06-29 15:53 |    800 |         1 | t   | t   |
    
    APP INSTANCES (IID=Instance ID, DID=Definition ID, MHN=Managed Host Name, AHT=Application Host Type, SP=Security Profile):
    IID  | DID  | Name                 | Status    | Task Status | Installed        | MHN        | AHT   | Memory | SP | Errors
    1253 | 1253 | Threat Intelligence  | RUNNING   | RUNNING     | 2022-06-29 15:53 | <App Host> | LOCAL |    800 |    |    
  4. Use the recon command to connect to the application container.
     
    /opt/qradar/support/recon connect 1253
    Output Example
    Note: When connected to the container, the shell prompt looks like sh-4.4$ or similar.
    [root@qradar-apphost01]# /opt/qradar/support/recon connect 1253
    sh-4.4$
    
  5. Inside the application container, use the curl command to test the connectivity to the endpoint URL required.
    Note: In this article, "https://api.xforce.ibmcloud.com" is used as an example.
    curl -v https://api.xforce.ibmcloud.com
    1. When the connection succeeds, the output shows a line with a "Connected to <URL>" string.
      * Rebuilt URL to: https://api.xforce.ibmcloud.com/
      *   Trying X.X.X.X...
      * TCP_NODELAY set
      * Connected to api.xforce.ibmcloud.com (X.X.X.X) port 443 (#0)
    2. When the connection does not succeed because of DNS resolution issues or no connectivity at all, the output shows the error "Could not resolve host".
      curl -v https://https://api.xforce.ibmcloud.com
      
      * Could not resolve host: https; Unknown error
      * Closing connection 0
      curl: (6) Could not resolve host: https; Unknown error

      Result
      The administrator now has the network test output needed to request a network change that grants the connection from the App Host to the external endpoint URLs. When the network is configured to allow the App Host's management IP address, the application settings that require external communication must succeed. If the curl command succeeds, but the configuration settings in the conflicting application still report errors, contact QRadar Support for assistance.
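
An added example, not part of the IBM article or of QRadar tooling: a POSIX shell helper for the curl test in step 5, to be run inside the application container. It records curl's exit status for each endpoint and maps it to the layer that failed, so the report distinguishes a DNS failure from a blocked TCP connection or a TLS problem. The function names are hypothetical; the exit codes are curl's documented ones.

```shell
#!/bin/sh
# Added example (not IBM/QRadar code). Function names are hypothetical.

# Extract the host part of a URL: drop scheme, then path, then port.
url_host() {
    rest="${1#*://}"
    rest="${rest%%/*}"
    echo "${rest%%:*}"
}

# Map a curl exit status to the layer that most likely failed.
classify_curl_exit() {
    case "$1" in
        0)  echo "OK: request completed" ;;
        3)  echo "URL: malformed URL" ;;
        5)  echo "PROXY: could not resolve proxy host" ;;
        6)  echo "DNS: could not resolve host" ;;
        7)  echo "TCP: failed to connect (refused or blocked)" ;;
        28) echo "TIMEOUT: no answer in time (packets likely dropped)" ;;
        35) echo "TLS: handshake failed" ;;
        60) echo "TLS: server certificate not trusted (possible TLS inspection)" ;;
        *)  echo "OTHER: see curl exit code $1" ;;
    esac
}

# Test one endpoint and print a single report line for the networking team.
check_endpoint() {
    url="$1"
    host=$(url_host "$url")
    case "$host" in
        ""|http|https)   # e.g. a doubled scheme makes curl try to resolve "https"
            echo "$url | URL: host parsed as '$host', correct the URL first"
            return 3 ;;
    esac
    # Timeouts stop a silently dropped connection from hanging the shell.
    out=$(curl -s -o /dev/null --connect-timeout 10 --max-time 20 \
        -w '%{remote_ip} %{http_code}' "$url")
    rc=$?
    echo "$(date -u +%FT%TZ) | $url | rc=$rc | $(classify_curl_exit "$rc") | peer/status: $out"
    return "$rc"
}

# Run only when endpoints are passed as arguments.
if [ "$#" -gt 0 ]; then
    status=0
    for u in "$@"; do check_endpoint "$u" || status=1; done
    exit "$status"
fi
```

Attach the report lines, together with the App Host's management IP address, to the request sent to the networking team.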

Document Location

Worldwide

Document Information

Modified date:
05 July 2022

UID

ibm16594693