IBM Support

QRadar: Flow source requirements for Network Activity

Question & Answer


Question

Should I add new flow sources for every new external flow source sent to QRadar?

Cause

If you navigate to the Admin tab and click the Flow Sources icon, there is one default_Netflow flow source out of the box for the Console. New flow sources are then created as you add flow collection appliances such as Flow Collector 12xx, Flow Collector 13xx, Flow Processor 17xx, and Flow Processor 18xx.

QNI 19xx series appliances are an exception: they deliver their flows through an existing external flow source such as default_Netflow instead of adding a flow source of their own.

Answer

A flow source should only reflect the way your QRadar environment listens for flow traffic on specific ports or interfaces. You do not need to add a new flow source for every device that sends flows to QRadar. For example, if you are sending NetFlow only to an onboard copper Ethernet interface on the Console on port 2055 and to a fiber interface on a flow appliance on port 2056, then your flow source configuration should have only those two flow sources enabled; you can disable all the other out-of-the-box interfaces. The flow source configuration is also what causes the QRadar flow collectors to open the firewall and accept flows on those specific interfaces and ports, so your external flow data must be sent to an enabled flow source in order to be ingested.

As you send flows from new devices to QRadar, new flow source aliases are auto-detected and created under Flow Source Aliases. These also appear in the Flow Interface column on the Network Activity tab. To verify the new flow sources:

  1. Click the Network Activity tab.
  2. Click Add Filter.
  3. Filter on Flow Interface to look for the new flow data that QRadar is ingesting.
Note: For all external flow sources, including QNI appliances, QRadar auto-creates Flow Source Aliases based on a reverse DNS lookup of the IP address that is sending the flows.
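A quick way to exercise the two points above (a flow source is just a listener on an interface and port, and any new sender is auto-detected as an alias) is to send a few NetFlow v5 records from a test host to the enabled flow source and then filter Network Activity on Flow Interface for that host. The script below is an added example, not IBM code; it assumes the collector listens for NetFlow on UDP 2055 as in the text, and every address, port and counter in the sample records is constructed.

```python
"""Send constructed NetFlow v5 records to a QRadar flow source listener.

Added example, not IBM code. Assumes the flow source is enabled on UDP 2055
(the port used in the article). All addresses and counters below are made up.
"""
import socket
import struct
import time
from dataclasses import dataclass
from ipaddress import IPv4Address

# NetFlow v5 wire format: 24-byte header followed by 1..30 48-byte records.
NETFLOW_V5_HEADER = struct.Struct("!HHIIIIBBH")
NETFLOW_V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")


@dataclass
class FlowRecord:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int          # 6 = TCP, 17 = UDP
    packets: int
    octets: int
    tcp_flags: int = 0


def build_netflow_v5(records, sys_uptime_ms, unix_secs, flow_sequence, engine_id=1):
    """Return one NetFlow v5 export datagram containing the given records."""
    if not 1 <= len(records) <= 30:
        raise ValueError("NetFlow v5 carries 1..30 records per datagram")
    header = NETFLOW_V5_HEADER.pack(
        5, len(records), sys_uptime_ms, unix_secs, 0, flow_sequence, 0, engine_id, 0)
    body = b""
    for r in records:
        body += NETFLOW_V5_RECORD.pack(
            int(IPv4Address(r.src)), int(IPv4Address(r.dst)), 0,  # src, dst, nexthop
            1, 2,                                # input/output ifIndex (assumed values)
            r.packets, r.octets,
            sys_uptime_ms - 1000, sys_uptime_ms, # first/last seen, in uptime ms
            r.src_port, r.dst_port,
            0, r.tcp_flags, r.proto, 0,          # pad, TCP flags, protocol, ToS
            0, 0, 0, 0, 0)                       # src/dst AS, src/dst mask, pad
    return header + body


def parse_netflow_v5_header(datagram):
    """Decode the header so a captured datagram can be sanity-checked."""
    (version, count, _uptime, secs, _nsecs,
     seq, _etype, eid, _sampling) = NETFLOW_V5_HEADER.unpack_from(datagram)
    return {"version": version, "count": count, "unix_secs": secs,
            "flow_sequence": seq, "engine_id": eid}


# Constructed sample flows: one internal host talking to DNS and to an HTTPS server.
SAMPLE_RECORDS = [
    FlowRecord("10.0.0.10", "10.0.0.53", 51000, 53, 17, 2, 180),
    FlowRecord("10.0.0.10", "192.0.2.80", 51001, 443, 6, 40, 26000, tcp_flags=0x1B),
]


def send_test_flows(collector, port=2055, records=SAMPLE_RECORDS):
    """Send one export datagram to the flow source; returns the bytes sent."""
    datagram = build_netflow_v5(records, sys_uptime_ms=60_000,
                                unix_secs=int(time.time()), flow_sequence=1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, (collector, port))


if __name__ == "__main__":
    import sys
    # Placeholder collector address; pass the real flow collector IP as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    print(f"sent {send_test_flows(target)} bytes to {target}:2055")
```

Run it from the host you want to see auto-detected, then filter Network Activity on Flow Interface. Because the alias QRadar creates comes from a reverse DNS lookup of the sending address, give the test host a PTR record if you want a readable name rather than a bare IP in that column. If nothing appears, check that the flow source for that interface and port is actually enabled: the firewall on the collector is opened only for enabled flow sources, so a datagram sent to a disabled one is simply dropped.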


To see the traffic being sent by a QNI appliance, use this procedure.

  1. Click the Network Activity tab.
  2. Click Add Filter.
  3. Choose the QNI flow interface.
     The interface name has the form flow_processor_component_hostname:qni_hostname. For example, if your flow processor hostname is qfp1 and your QNI hostname is qni1, then your flow interface is qfp1:qni1.



Document Information

Modified date: 06 February 2019

UID: ibm10744507