IBM Support

QRadar: Let's talk about increasing the default number of 'Network Objects'

Question & Answer


Question

How do I increase the Network Objects limit from the default value of 1000 in QRadar?

Cause

In QRadar 7.2, the Network Objects limit is no longer controlled by the license key and might require manual adjustment by administrators or by QRadar Support. A procedure on how to increase the network object limit is provided below.


Before you continue, it might be helpful to provide some information on what is a network object. In QRadar, there is a Network Hierarchy, which is intended to define local networks from remote networks based on CIDR addresses. Each network defined in the Network Hierarchy is a container if CIDR addresses. Each container/network you define is considered a "Network Object". In QRadar 7.2 and above, the limit was set to 1,000 objects. There is no limit to the number of CIDR addresses that can be in a network object.


There are two main reasons that customers might need to increase the network object limit on the Console.

  1. Large networks might require more than 1,000 network objects. In these cases, customers can increase their network object limit from the command line.
  2. Customers who have recently upgraded to QRadar 7.2 might receive license notifications or errors due to exceeding their network object limit.

    After an upgrade to QRadar 7.2, the system can default back to the 1,000 network object limit, which generates license errors after the upgrade completes. This issue can occur event if QRadar support had previously configured your system to increase your network object limit due to the license changes in QRadar 7.2.

Answer

In QRadar 7.2, the network object limit is set to a default value of 1000 network objects. Customers who are at QRadar 7.2 or above can increase the number of network objects manually through the command line interface.

Before you begin
This procedure requires a Deploy Full Configuration from the Admin tab to update the network object limit values. During a deploy full configuration services are restarted on appliances, which stops event and flow collection until services restart. If an administrator needs to update their network object limits, they can complete this procedure during a scheduled maintenance window.

Procedure

  1. Using SSH, log in to your QRadar Console appliance as a root user.
  2. Edit the following file: /store/configservices/staging/globalconfig/nva.conf.
  3. In the NETWORK_OBJECT_LIMIT= field, update the value of network objects. If the field does not contain a value, your system will be limited to 1,000 network objects.

    For example, NETWORK_OBJECT_LIMIT=3000

  4. After the change is complete, save the file and type exit to close the SSH session.
  5. Log in to the user interface of the QRadar Console.
  6. Click the Admin tab.
  7. Click Advanced > Deploy Full Configuration.
    After services restart, the network object limit is updated to the value you defined in nva.conf.


Where do you find more information?


[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Licensing","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Product Synonym

QRadar;SIEM

Document Information

Modified date:
21 June 2018

UID

swg21681220

Page Feedback