IBM Support

QRadar: How to update iptables configuration for off-site sources in QRadar 7.5.0 UP4 (APAR IJ46782)

Question & Answer


Question

How do I apply the workaround to update my Off-site target appliance to add communication for port 32004 as described in APAR IJ46782?

Cause

An issue exists in QRadar 7.5.0 Update Package 4 where the Console cannot communicate with the Off-site hosts due to an iptables configuration issue. It is expected that the Off-site target has both TCP port 32004 and TCP port 22 enabled. However, APAR IJ46782 describes an issue where the iptables rule for port 32004 is not added correctly on the managed host.

To verify this issue
  1. Click the Admin tab.
  2. Click the System and License Management icon.
  3. Select Deployment Actions > Manage Off-site Sources.
  4. Click Add and select the Receive events check box.
  5. Click Manage Connections and add the Console and managed host.
  6. Click Close.
  7. From the Admin tab, click Deploy Changes.
  8. Use SSH to log in to the Console as the root user.
  9. Open an SSH session to the managed host.
  10. To confirm the iptables configuration, type the following command:
    iptables -S | grep <offsite-source-IP>
    For example, if the Off-site source configured in QRadar is 10.1.1.1, type:
    iptables -S | grep 10.1.1.1
    Results
    Review the output to confirm whether port 32004 is listed in the iptables rules on the managed host.
    • Correct: The output shows that port 32004 is open on the managed host for the Off-site Source IP address. For example,
      -A QChain -s 10.1.1.1/32 -p tcp -m state --state NEW -m tcp --dport 32004 -j ACCEPT
    • Incorrect: The managed host does not list an iptables rule for port 32004 and lists TCP port 22 as the only port accepting connections. When port 32004 is missing, it indicates that you are experiencing APAR IJ46782. For example,
      -A QChain -s 10.1.1.1/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
      

Answer

To resolve this issue, administrators can manually add an iptables rule for TCP port 32004 to the managed host. If you are unfamiliar with modifying iptables rules, do not attempt this procedure on your own.

Procedure
  1. Using SSH, log in to the QRadar Console as the root user.
  2. Open an SSH session to the managed host with an off-site target configured.
  3. Type the following command to edit the iptables file:
    vim /opt/qradar/conf/iptables.pre
  4. Add a line to accept data from the off-site target on port 32004.
    -A QChain -s <Off-site-Source-IP>/32 -p tcp -m state --state NEW -m tcp --dport 32004 -j ACCEPT
    
    For example, if the Off-site Source configured in QRadar is 10.1.1.1, add the following line to iptables:
    -A QChain -s 10.1.1.1/32 -p tcp -m state --state NEW -m tcp --dport 32004 -j ACCEPT
    
  5. Press Esc, then type :wq to save the changes and exit the text editor.
  6. To update iptables on the managed host, type:
    /opt/qradar/bin/iptables_update.pl
  7. To verify the new iptables rule is added, type:
    iptables -S | grep <offsite-source-IP>
  8. Confirm port 32004 is listed in iptables on the managed host.
    -A QChain -s 10.1.1.1/32 -p tcp -m state --state NEW -m tcp --dport 32004 -j ACCEPT
    Results
    The iptables rule is applied to allow the managed host to receive data. To verify data is received, administrators can look for real-time streaming events on the target host or use tcpdump to confirm events are incoming from the QRadar appliance. If you continue to experience issues with APAR IJ46782, contact QRadar Support for assistance. 
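The check and the edit from the procedure above, as an added POSIX shell example (not an IBM script or part of the original page). It classifies captured `iptables -S` output for an off-site source IP the same way the Results section does, and appends the port 32004 rule to an iptables.pre file only when that exact line is not already present; the file path and the constructed sample output are assumptions.

```shell
#!/bin/sh
# Added example, not IBM tooling: reproduce the APAR IJ46782 check and the
# idempotent edit of iptables.pre on saved rule output, so it runs offline.

# Build the exact rule line the procedure adds to /opt/qradar/conf/iptables.pre.
offsite_rule() {
  printf '%s\n' "-A QChain -s $1/32 -p tcp -m state --state NEW -m tcp --dport $2 -j ACCEPT"
}

# has_port_rule RULES IP PORT: return 0 if RULES contains a QChain ACCEPT rule
# from IP/32 to PORT. Fixed-string matching avoids treating '.' in the IP as a wildcard.
has_port_rule() {
  printf '%s\n' "$1" | grep -F -- "-A QChain -s $2/32 " | grep -qF -- "--dport $3 -j ACCEPT"
}

# classify_host RULES IP: print "correct" (32004 rule present), "incorrect"
# (only port 22 accepted, i.e. APAR IJ46782), or "unknown" (no rule for IP at all).
classify_host() {
  if has_port_rule "$1" "$2" 32004; then
    echo correct
  elif has_port_rule "$1" "$2" 22; then
    echo incorrect
  else
    echo unknown
  fi
}

# ensure_rule_in_file FILE IP: append the 32004 rule to FILE unless the identical
# line already exists (-x whole line, -F fixed string); prints "added" or "present".
ensure_rule_in_file() {
  rule=$(offsite_rule "$2" 32004)
  if grep -qxF -- "$rule" "$1" 2>/dev/null; then
    echo present
  else
    printf '%s\n' "$rule" >> "$1"
    echo added
  fi
}

# Constructed sample of `iptables -S | grep 10.1.1.1` from an affected host (port 22 only)
SAMPLE_BAD='-A QChain -s 10.1.1.1/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'
# Constructed sample from a host where the workaround has been applied
SAMPLE_GOOD="$SAMPLE_BAD
-A QChain -s 10.1.1.1/32 -p tcp -m state --state NEW -m tcp --dport 32004 -j ACCEPT"
```

On a real managed host, feed `classify_host "$(iptables -S)" <offsite-source-IP>` and point `ensure_rule_in_file` at /opt/qradar/conf/iptables.pre, then run /opt/qradar/bin/iptables_update.pl as in step 6.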



Document Information

Modified date:
22 May 2023

UID

ibm16993029