Question & Answer
Question
How can you allow users from specific IP addresses or CIDR ranges to access QRadar hosts on specific ports or protocols, such as ICMP or SSH?
Answer
By default, access to QRadar hosts is limited to what is needed for the operation of QRadar. If you would like to allow communications beyond that, you need to modify the underlying iptables firewall rules. For example, to be able to monitor the state of your system by using ICMP, you need to allow traffic that uses the ICMP protocol for a specific IP address or range of IP addresses. To achieve this and other similar goals, there are three options available:
- Per host Access Management via the User Interface
On QRadar version 7.2.5 and later, it is possible to add or remove access rules on a per-host basis directly from the User Interface (UI). This functionality is located on the UI panel:
Admin > System and License Management > Display: Systems > Actions > View and Manage System > Firewall
Technote 1987489: QRadar: Adding iptables access from the User Interface discusses how to update the firewall rules in further detail.
- Global Iptables Settings via the User Interface
You can make access changes to all hosts from the UI panel:
Admin tab > System Settings > Advanced > System Settings > Global Iptables Access
To enable access globally from various IP addresses, enter them as a comma-separated list in the field shown in the figure, and then click Save.
Once you make the changes and click the Save button, you will be prompted to perform a Deploy Full Configuration for these changes to take effect.
Note: A Deploy Full Configuration has a brief impact on services on all QRadar hosts.
- Modifying iptables settings from the command line
If you are using a version of QRadar that does not support the per-host configuration described above, or you need to accomplish a more specific task, you can add iptables rule parameters to the QRadar iptables configuration file:
/opt/qradar/conf/iptables.pre
More information about the correct formatting of these commands is available in Red Hat Enterprise Linux documentation.
Once the additions have been made, the changes will take effect after running the following command:
/opt/qradar/bin/iptables_update.pl
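As an added example (not part of this technote), the following POSIX shell helper writes allow rules for a monitoring host's IP address or CIDR range into iptables.pre and skips lines that are already present, so it can be re-run safely. It assumes iptables.pre takes one rule per line in iptables argument form without the leading `iptables` word, and uses the file and update-script paths given above.

```shell
#!/bin/sh
# Added example: build ICMP/SSH-style allow rules for QRadar's iptables.pre.
# Assumption: iptables.pre takes one rule per line as iptables arguments
# without the leading "iptables" word, e.g. "-A INPUT -s 10.0.0.0/24 -p icmp -j ACCEPT".

# Accept only a well-formed IPv4 address or CIDR (e.g. 192.0.2.10 or 10.1.0.0/16).
valid_cidr() {
  ip=${1%/*}
  if [ "$ip" != "$1" ]; then                 # a /prefix is present
    prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
  fi
  case "$ip" in ''|.*|*.|*..*) return 1 ;; esac
  rest=$ip; n=0
  while [ -n "$rest" ]; do                   # walk the dotted octets
    o=${rest%%.*}
    case "$rest" in *.*) rest=${rest#*.} ;; *) rest='' ;; esac
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ]
}

# Print one INPUT ACCEPT rule.
# Usage: make_rule SOURCE icmp   |   make_rule SOURCE tcp|udp PORT
make_rule() {
  src=$1; proto=$2; port=$3
  valid_cidr "$src" || return 1
  case "$proto" in
    icmp) printf '%s\n' "-A INPUT -s $src -p icmp -j ACCEPT" ;;
    tcp|udp)
      case "$port" in ''|*[!0-9]*) return 1 ;; esac
      [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
      printf '%s\n' "-A INPUT -s $src -p $proto --dport $port -j ACCEPT" ;;
    *) return 1 ;;
  esac
}

# Append the rule only if it is not already in the file, so re-running is harmless.
# FILE defaults to QRadar's iptables.pre; pass "" as PORT for icmp.
# Usage: add_rule SOURCE PROTO PORT [FILE]
add_rule() {
  file=${4:-/opt/qradar/conf/iptables.pre}
  rule=$(make_rule "$1" "$2" "$3") || return 1
  [ -f "$file" ] || : > "$file"
  grep -qxF -- "$rule" "$file" || printf '%s\n' "$rule" >> "$file"
}
# After adding rules, apply them with: /opt/qradar/bin/iptables_update.pl
```

Run `add_rule 10.20.30.0/24 icmp ""` to permit ICMP from a monitoring subnet, or `add_rule 192.0.2.10 tcp 22` for SSH from a single administration host, then run the update script as described above.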
Where do you find more information?
Document Information
Modified date:
22 June 2018
UID
swg21988385