IBM Support

QRadar: How to tune proxy configurations for app containers

Troubleshooting


Problem

Administrators who upgrade to QRadar versions 7.3.2 & above might experience issues where the global proxy configuration is pushed to all apps in the application framework. This can lead to issues where the container proxy settings are overridden, which causes the application to stop working as expected. This technical note outlines how users can set an application container to ignore the global proxy configuration and leverage the local proxy settings.

Symptom

After the administrator upgrades to QRadar versions 7.3.2 & above, applications could stop functioning due to proxy settings being propagated from QRadar configuration to the application container. This issue only impacts customers who have setup the proxy configuration inside QRadar.

Cause

The container cannot use the global proxy configuration provided by the application framework in QRadar versions 7.3.2 & above and the configuration must be updated to allow the local proxy on the application to make tunneled connections.

Environment

QRadar deployments upgraded to versions 7.3.2 & above with applications that have internal proxy configurations, such as the IBM Resilient QRadar Integration app.

Diagnosing The Problem

Before you begin
Administrators must have QRadar auto updates enabled to get the recon utility in QRadar versions 7.3.2 & above. If you do not have the recon utility in /opt/qradar/support, then you need to complete a QRadar Weekly Auto Update. It is recommended by QRadar Support that users verify they have the recon utility installed by the auto update server for troubleshooting purposes. The qapp_utils730.py utility no longer functions in QRadar versions 7.3.2 & above.

Note: The qapp_utils730.py might still exist on your QRadar version but it no longer functions.

Procedure
  1. Use SSH to log in to the QRadar Console as the root user.
  2. To locate the application ID for your app, type: /opt/qradar/support/recon ps

    A list of applications and their App-ID values are output to the screen. Administrators can use this list to connect to the app container and review the app.log.
    # /opt/qradar/support/recon ps
    App-ID  Name                         Managed Host ID   Workload ID    Service Name   AB    Container Name
    1002    App Authorization Manager    53                apps           qapp-1002      ++    qapp-1002
    1005    Resilient                    53                apps           qapp-1005      ++    qapp-1111
    1112    QRadar Assistant             53                apps           qapp-1112      ++    qapp-1112
    1109    Cloud Visibility             53                apps           qapp-1109      ++    qapp-1109
    1106    Deployment Intelligence      53                apps           qapp-1106      ++    qapp-1106
  3. To connect to the app container, type: /opt/qradar/support/recon connect 1005
    NOTE: The App-ID for your QRadar Console will be a unique numeric value. The information shown in Step 3 is an example of a user connecting to the Resilient application container.
  4. To review app.log for connection errors, type: less app.log | grep -i httpsconnectionpool
  5. The error output string will inform the administrator that the application cannot proxy to the defined host.

    App.log example of the error message when a container cannot connect via proxy settings:
    Mar 13 14:43:01 127.0.0.1 [APP_ID/1302][NOT:0000003000][ERROR] Connection Verification Error HTTPSConnectionPool(host='example-host.net', port=443): Max retries exceeded with url: /rest/session (Caused by ProxyError('Cannot connect to proxy.', error('Tunnel connection failed: 503 Service Unavailable',)))

Resolving The Problem

Administrators who experience this issue must configure a no proxy settings for each container. To complete this workaround must have both root command-line access and access to the Admin tab of the QRadar Console.

Procedure
  1. Use SSH to log in to QRadar as the root user.
    IMPORTANT: Administrators must backup your existing nva.conf before you attempt to make any changes. It is typically recommended that administrators create a folder for save files before a change. For example, administrators can use the mkdir command to create /store/IBM or /store/ibmsupport for temporary files before you apply a configuration change.
  2. To backup your nva.conf file, type: cp /opt/qradar/conf/nva.conf /store/IBM/nva.conf
  3. Navigate to /store/configservices/staging/globalconfig/nva.conf.
  4. Edit /store/configservices/staging/globalconfig/nva.conf and add the following line:
    APP_PROXY_NO_PROXY_LIST=<hostnames or IP addresses>

    Based on the error message in app.log, the following change should be applied:
    APP_PROXY_NO_PROXY_LIST=example-host.net

    NOTE: If you have multiple addresses or a backup proxy, you can use commas to separate values between multiple hosts. For example:
    APP_PROXY_NO_PROXY_LIST=example-host.net,example-host2.net
  5. Log in to the QRadar Console user interface.
  6. Open the Admin tab and select Advanced > Deploy Full Configuration.
  7. Wait for the full deploy to complete.
    NOTE: The web server restart (Tomcat restart) defined below will log out users from the interface and stop any Log Activity exports or reports in progress. Scheduled reports that are in-progress will need to be manually restarted by users. 
  8. From the Admin tab, select Advanced > Restart Web Server.
  9. Returned to the command-line interface and navigate to the /opt/qradar/conf/ directory.
  10. To verify the file is updated, type: less nva.conf | grep -i app_proxy_no*
  11. The admin should see an output from nva.conf with the APP_PROXY_NO_PROXY_LIST value updated with the hostname or IP address.

    Results
    The no proxy list for the hostname (example-host.net) is added. The change allows an application to use the local proxy values to connect to an outside server. Administrators who want to verify that the app container is updated can run the printenv command inside the app container. The printenv command will output a QRADAR_NO_PROXY variable from the app container with the IP address or hostname provided in nva.conf. For information on how to connect to an app container to run the printenv command, see the Diagnosing the Problem section above. 

    If you have further questions about this article or need assistance with any of the steps, contact QRadar Support for assistance. The issue described in this article is an application framework issue after an upgrade to QRadar versions 7.3.2 & above and can be handled by QRadar Support representatives or by the end user themselves using the resolution described in this article.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"App;proxy","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.3.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
03 November 2023

UID

ibm10876948