Amazon AWS Network Firewall

The IBM® QRadar® DSM for Amazon AWS Network Firewall collects events from an Amazon AWS Network Firewall device by using the Amazon AWS REST API protocol.

Amazon AWS Network Firewall is a stateful network firewall that allows users to filter traffic at the perimeter of their Amazon Virtual Private Cloud (VPC) service.

To integrate Amazon AWS Network Firewall with QRadar, complete the following steps:
  1. If automatic updates are not enabled, RPMs are available for download from the IBM support website. Download and install the most recent version of the following RPMs on your QRadar Console:
    • Protocol Common RPM
    • AWS S3 REST API PROTOCOL RPM
    • Amazon AWS Network Firewall DSM RPM
  2. Configure your Amazon AWS Network Firewall device to publish alert or flow logs to an S3 bucket. For more information, see your Amazon AWS documentation.
  3. Create the SQS queue that is used to receive ObjectCreated notifications from the S3 bucket that you used in Step 2. For more information, see Create an SQS queue and configure S3 ObjectCreated notifications.
  4. Configure security credentials for your AWS user account. For more information, see Configuring security credentials for your AWS user account.
  5. Add an Amazon AWS Network Firewall log source on the QRadar Console by using the Amazon AWS REST API protocol. For more information, see Amazon AWS REST API log source parameters for Amazon AWS Network Firewall.
    Important: To receive flow logs in QRadar, a QRadar Flow Processor must be available and licensed. Unlike other log sources, AWS Network flow logs are not sent to the Log Activity tab. They are sent to the Network Activity tab.
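
The following check relates to Step 3. It is an added example, not code from IBM or AWS: it audits an SQS queue access policy to confirm that only the log bucket from Step 2 can deliver ObjectCreated notifications to the queue that QRadar polls. The bucket ARN, account ID, and queue ARN are constructed placeholders, and the exact-match rule for aws:SourceArn is an assumption of this example.

```python
import json

# Constructed placeholders, not values from the QRadar or AWS documentation.
BUCKET_ARN = "arn:aws:s3:::example-anf-logs"
ACCOUNT_ID = "111122223333"
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:example-anf-queue"

def _policy(condition=None):
    """Build a constructed queue policy that lets S3 call sqs:SendMessage."""
    stmt = {"Sid": "S3Notify", "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "sqs:SendMessage", "Resource": QUEUE_ARN}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

OPEN_POLICY = _policy()  # any bucket in any account can enqueue notifications
SCOPED_POLICY = _policy({"ArnLike": {"aws:SourceArn": BUCKET_ARN},
                         "StringEquals": {"aws:SourceAccount": ACCOUNT_ID}})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_values(stmt, key):
    """Values given for a condition key under any operator (keys are case-insensitive)."""
    return [v for block in stmt.get("Condition", {}).values()
            for k, vals in block.items() if k.lower() == key.lower()
            for v in _as_list(vals)]

def audit_queue_policy(policy_json, bucket_arn, account_id):
    """Return findings for Allow statements that let S3 or anyone send to the queue."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not {"sqs:sendmessage", "sqs:*", "*"} & set(actions):
            continue
        sid, principal = stmt.get("Sid", "<no Sid>"), stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        wildcard = principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if wildcard:
            findings.append(f"{sid}: wildcard principal can send messages")
        elif "s3.amazonaws.com" not in services:
            continue  # a named IAM principal; out of scope for this check
        # Exact match only: a wildcard ARN pattern is treated as not scoped.
        if _condition_values(stmt, "aws:SourceArn") != [bucket_arn]:
            findings.append(f"{sid}: aws:SourceArn is not limited to {bucket_arn}")
        if _condition_values(stmt, "aws:SourceAccount") != [account_id]:
            findings.append(f"{sid}: aws:SourceAccount is not limited to {account_id}")
    return findings
```

Calling `audit_queue_policy(OPEN_POLICY, BUCKET_ARN, ACCOUNT_ID)` returns two findings, and the same call with `SCOPED_POLICY` returns an empty list.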