Alternative to dual-stack deployments
If the network infrastructure allows, an alternative to using dual-stack deployments is to avoid dual-stack management interfaces completely and deploy all hosts by using the same IP protocol.
By completely avoiding dual-stack management interfaces, you can preserve the High Availability (HA) function, and all intra-deployment traffic can use the primary IP protocol. To provide connectivity on the alternative IP protocol, you can configure secondary nonmanagement interfaces and enable user access to the console, or event and flow collection, on the alternative protocol.
Limitation of configuring dual-stack deployments
If the IBM QRadar host is a physical appliance, configuring more nonmanagement interfaces on it might require extra network switch ports.
Use cases for dual-stack deployments
- User access to the console
- External system access to the API
- Event collection of log sources
Routing for secondary interfaces
You can configure secondary interfaces in IBM QRadar hosts through the System Configuration > System and License Management window in the Admin tab. However, there is no user interface to manage routes for the secondary interfaces. Therefore, to add an IPv4 interface to an IPv6 host, you must configure the IPv4 default route through the command line. Do not configure the IPv4 interface itself through the command line, because IBM QRadar needs to manage the IPv4 interface for HA purposes.
Add a default route for an additional interface on the IBM QRadar host by providing the interface name (from the UI) and the gateway or next-hop address for the IPv4 subnet. You can add the default route by using the following command:
echo "default via <gateway> dev <interface_name>" \
> /etc/sysconfig/network-scripts/route-<interface_name>
For example, if the subnet for the interface is 192.0.2.0/24, the gateway address is 192.0.2.1, and the interface device name is ens192, you can use the following command:
echo "default via 192.0.2.1 dev ens192" \
> /etc/sysconfig/network-scripts/route-ens192
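The following added example (not part of the IBM QRadar documentation) wraps the command above in a shell function that rejects a gateway outside the interface subnet or an unsafe interface name, and refuses to overwrite an existing route file that has different content. The function names and the optional directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not IBM code. Function names and the optional directory
# argument are assumptions for illustration.

# Convert a dotted-quad IPv4 address to an integer; fail if malformed.
ip4_to_int() (
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
  IFS=.
  set -- $1
  [ $# -eq 4 ] || exit 1
  n=0
  for o in "$@"; do
    case $o in 0?*|????*) exit 1 ;; esac   # no leading zeros, max 3 digits
    [ "$o" -le 255 ] || exit 1
    n=$(( ($n << 8) | $o ))
  done
  echo "$n"
)

# Succeed only if address $1 lies inside CIDR subnet $2 (e.g. 192.0.2.0/24).
in_subnet() (
  case $2 in */*) ;; *) exit 1 ;; esac
  len=${2#*/}
  case $len in ''|*[!0-9]*|0?*|???*) exit 1 ;; esac
  [ "$len" -le 32 ] || exit 1
  addr=$(ip4_to_int "$1") || exit 1
  net=$(ip4_to_int "${2%/*}") || exit 1
  mask=$(( (4294967295 << (32 - $len)) & 4294967295 ))
  [ $(( $addr & $mask )) -eq $(( $net & $mask )) ]
)

# Write route-<interface_name> with the IPv4 default route.
# Returns 1 on invalid input, 2 if a different route file already exists.
write_default_route() (
  gw=$1 cidr=$2 ifname=$3 dir=${4:-/etc/sysconfig/network-scripts}
  case $ifname in ''|*[!A-Za-z0-9_.-]*) echo "invalid interface name" >&2; exit 1 ;; esac
  in_subnet "$gw" "$cidr" || { echo "gateway $gw is not in $cidr" >&2; exit 1; }
  file=$dir/route-$ifname
  line="default via $gw dev $ifname"
  if [ -f "$file" ] && [ "$(cat "$file")" != "$line" ]; then
    echo "$file exists with different content; review it first" >&2
    exit 2
  fi
  echo "$line" > "$file"
)
```

With the values from the example above, the call is `write_default_route 192.0.2.1 192.0.2.0/24 ens192`.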
Secondary interfaces and HA
When you configure an additional interface of a managed host that is part of an HA cluster, you can select Apply this interface configuration and IP address to the active HA (selected by default) in the System Configuration > System and License Management window of the Admin tab. During failover, this configuration allows you to transfer the interface configuration to the active host.
This configuration checks that the address of the additional interface is available even during an outage of the primary host. You can expect a brief outage.
Network architecture of dual-stack deployments
Networks might have IPv4-only subnets, IPv6-only subnets, or dual-stack subnets. Hence, an IPv4-only managed host, such as an IPv4 collector, might be needed. Though adding an IPv4 collector to a dual-stack deployment is supported, it can disrupt HA. Therefore, to prevent any HA disruption, configure a Disconnected Log Collector (DLC) in the IPv4 network and connect it to an event processor or to an event collector that has a secondary IPv4 interface. This network configuration can also work where the IBM QRadar console has primarily IPv4 interfaces and collection is required in an IPv6-only network.