IBM Support

QRadar: Modifying iptables rules in QRadar

Question & Answer


Question

How can you allow users from specific IP addresses or CIDR ranges to access QRadar hosts on specific ports or protocols, such as ICMP or SSH?

Answer

By default, access to QRadar hosts is limited to what is needed for the operation of QRadar. If you would like to allow communications beyond that, you need to modify the underlying iptables firewall rules. For example, to be able to monitor the state of your system by using ICMP, you need to allow traffic that uses the ICMP protocol for a specific IP address or range of IP addresses. To achieve this and other similar goals, there are three options available:

  1. Per-host Access Management via the User Interface

    On QRadar version 7.2.5 and later, you can add or remove access rules on a per-host basis directly from the User Interface (UI). This functionality is located on the UI panel:

    Admin > System and License Management > Display: Systems > Actions > View and Manage System > Firewall

    Technote 1987489: QRadar: Adding iptables access from the User Interface discusses how to update the firewall rules in further detail.
  2. Global Iptables Settings via the User Interface

    You can make access changes to all hosts from the UI panel:

    Admin tab > System Settings > Advanced > System Settings > Global Iptables Access

    To enable access globally from various IP addresses, enter them, comma-separated, in the Global Iptables Access field shown in the figure and then click Save:


    Once you make the changes and click the Save button, you will be prompted to perform a Deploy Full Configuration for these changes to take effect.

    Note: A Deploy Full Configuration has a brief impact on services on all QRadar hosts.
  3. Modifying iptables settings from the command line

    If you are using a version of QRadar that does not support the per-host configuration described above, or you want to accomplish a more specific task, you can add iptables command parameters to the QRadar iptables configuration file:

    /opt/qradar/conf/iptables.pre

    More information about the correct formatting of these commands is available in Red Hat Enterprise Linux documentation.
    Once the additions have been made, the changes will take effect after running the following command:

    /opt/qradar/bin/iptables_update.pl
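    As an added example (not an IBM script), a small POSIX shell helper for option 3 that builds the rule lines for the ICMP and SSH cases in the question, appends them to /opt/qradar/conf/iptables.pre without creating duplicates, and then runs the update script. It assumes the file takes one set of iptables command parameters per line; the IPTABLES_PRE variable is introduced here so you can point it at a scratch file and review the generated lines before touching the real one.

```shell
#!/bin/sh
# Added example, not IBM's own tooling. Assumes iptables.pre holds one set of
# iptables command parameters per line, e.g. "-A INPUT -s <src> -p icmp -j ACCEPT".
# The file path and update script are the ones named in the technote;
# IPTABLES_PRE can be overridden (e.g. to a temp file) to inspect output first.

IPTABLES_PRE="${IPTABLES_PRE:-/opt/qradar/conf/iptables.pre}"

# qradar_rule SRC PROTO [PORT]
# Print the rule line for a source IPv4 address or CIDR range. Only icmp,
# tcp and udp are accepted, and tcp/udp require a numeric destination port.
# Returns 1 (prints nothing) for anything else, so a typo never reaches the file.
qradar_rule() {
  src=$1; proto=$2; port=$3
  printf '%s\n' "$src" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
  case "$proto" in
    icmp)
      printf '%s\n' "-A INPUT -s $src -p icmp -j ACCEPT" ;;
    tcp|udp)
      case "$port" in ''|*[!0-9]*) return 1 ;; esac
      printf '%s\n' "-A INPUT -s $src -p $proto --dport $port -j ACCEPT" ;;
    *) return 1 ;;
  esac
}

# add_rule SRC PROTO [PORT]
# Append the rule to iptables.pre unless an identical line is already there,
# so re-running the script does not stack duplicate rules.
add_rule() {
  line=$(qradar_rule "$@") || return 1
  grep -qxF -- "$line" "$IPTABLES_PRE" 2>/dev/null && return 0
  printf '%s\n' "$line" >> "$IPTABLES_PRE"
}

# apply_rules
# Load the edited file into the running firewall with QRadar's own updater.
apply_rules() {
  /opt/qradar/bin/iptables_update.pl
}

# Usage (the ICMP and SSH cases from the question; addresses are constructed):
#   add_rule 10.0.0.0/24 icmp      # monitoring subnet may ping this host
#   add_rule 192.0.2.10 tcp 22     # one jump host may reach SSH
#   apply_rules
```

    Run it as root on the QRadar host; rules take effect only after apply_rules, exactly as when editing the file by hand.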

    Where do you find more information?


Document Information

Modified date:
22 June 2018

UID

swg21988385