IBM Support

QRadar: Troubleshooting Flow Forwarding

Question & Answer


Question

If I do not see flows forwarded, what do I need to consider to properly forward flows?

Cause

An incorrect group of settings results in no flows being forwarded.

Answer

This technote provides detailed information to consider when forwarding flows. If you do not see flows being forwarded, an incorrect group of settings under Routing Rules or Flow Source Configuration is likely the cause.

There are two ways to forward flows in QRadar: by using Routing Rules, or by using Flow Source Configuration.

Forwarding Flows Using Routing Rules

With this option you can forward flows in Normalized or JSON format to another QRadar system. To use this option, follow these steps:

    1. Create a Forwarding Destination under Admin Tab > Forwarding Destinations and add the appropriate information. The Event Format needs to be either JSON or Normalized, because the Payload option forwards events only.
    2. Click Save.
    3. Create a Routing Rule with Flows as the Data Source, add the proper filters, and under Routing Options select the Destination you added in step 1.

Forwarding Flows Using Flow Source Configuration

With this option you forward flows in the same format in which they arrive. For example, if you are receiving NetFlow, the forwarding format is also NetFlow.

There are two modes for forwarding flows with this method: Spoofing and Non-Spoofing.

In both modes, the data is correct and unaltered. In the Non-Spoofing scenario, the source of the forwarded flow is the IP address of the QRadar Console. In the Spoofing scenario, the original Log Source IP address remains the flow source.

  • Spoofing
    This process forwards flows as if they come from the original source. You must choose a specific interface (for example eth0, eth1, ens1), and the destination has to be on the same subnet as the QRadar appliance forwarding the flows. When QRadar is spoofing, it sends the packet with the original source IP address, which typically is not on the same subnet as QRadar. If QRadar sent that packet to a host on another subnet, the first-hop router between QRadar and the new destination could reject it, because its source address is wrong for the subnet. To send the packet, QRadar spoofs the original IP address as its source IP and then ARPs for the MAC address of the forwarding destination.
    1. Admin Tab > Flow Sources > Edit Selected Flow Source.
    2. Select a specific Monitoring Interface (it can't be ANY).
    3. Select Enable Flow Forwarding > Forwarding Port.
    4. Click the Add button under Forwarding Destinations and add the new destination (same subnet).

  • Non-Spoofing
    This process forwards flows with the QRadar appliance as the source, but it allows you to forward to destinations on a different subnet. This lets forwarding work through routers that would block a spoofed IP address.
    1. Admin Tab > Flow Sources > Edit Selected Flow Source.
    2. Select Monitoring Interface ANY.
    3. Select Enable Flow Forwarding > Forwarding Port.
    4. Click the Add button under Forwarding Destinations and add the new destination (different subnet).

    Results: You can now successfully forward flows.
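As an added illustration (not part of this technote and not QRadar's own code), the following Python check encodes the constraints described above for both methods: a Routing Rule that forwards flows must use a JSON or Normalized destination format, and a Flow Source in Spoofing mode (a specific interface) can only forward to destinations on that interface's subnet, while Non-Spoofing mode (interface ANY) may target any subnet. The configuration classes, interface addresses and destination IPs are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Forwarding Destination formats that carry flows; the Payload format
# forwards events only, as the technote states.
FLOW_CAPABLE_FORMATS = {"JSON", "Normalized"}


@dataclass
class RoutingRuleForwarding:          # constructed model of a Routing Rule
    data_source: str                  # "Flows" or "Events"
    destination_format: str           # "JSON", "Normalized" or "Payload"


@dataclass
class FlowSourceForwarding:           # constructed model of a Flow Source
    monitoring_interface: str         # "ANY" (Non-Spoofing) or e.g. "eth0" (Spoofing)
    interface_cidr: Optional[str]     # address/prefix of that interface, e.g. "10.10.5.20/24"
    forwarding_enabled: bool
    destinations: List[str] = field(default_factory=list)


def check_routing_rule(rule: RoutingRuleForwarding) -> List[str]:
    """Return the misconfigurations found in a Routing Rule, or [] if it is fine."""
    problems = []
    if rule.data_source == "Flows" and rule.destination_format not in FLOW_CAPABLE_FORMATS:
        problems.append(f"format {rule.destination_format!r} forwards events only; use JSON or Normalized")
    return problems


def check_flow_source(cfg: FlowSourceForwarding) -> List[str]:
    """Return the misconfigurations found in a Flow Source forwarding setup, or []."""
    problems = []
    if not cfg.forwarding_enabled:
        problems.append("Enable Flow Forwarding is not selected")
    if not cfg.destinations:
        problems.append("no Forwarding Destinations configured")
    if cfg.monitoring_interface == "ANY":
        return problems               # Non-Spoofing: any routable destination is acceptable
    # Spoofing: packets leave with the original flow's source IP, so the destination
    # must be reachable without crossing a router, i.e. inside the interface's subnet.
    if cfg.interface_cidr is None:
        problems.append("Spoofing mode needs the interface address to validate destinations")
        return problems
    iface = ipaddress.ip_interface(cfg.interface_cidr)
    for dest in cfg.destinations:
        if ipaddress.ip_address(dest) not in iface.network:
            problems.append(f"destination {dest} is outside {iface.network} on "
                            f"{cfg.monitoring_interface}; use interface ANY or a same-subnet destination")
    return problems
```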


Document Information

Modified date: 16 June 2018

UID: swg21978147