IBM Support

QRadar: Changing the network settings of a QRadar High Availability Cluster

Question & Answer


Question

What extra steps need to be addressed when a change in the IP or any other network settings for an appliance that belongs to a High Availability (HA) environment?

Answer

Before any necessary networking changes by using supported methods, it is necessary to first remove both the required host (primary or secondary) from the deployment. The removal causes host reboots, services affectation, and functionalities while the host is down. The administrators are advised to schedule a maintenance window to run the steps in this technote.
Administrators are encouraged to read the QRadar High Availability guideQRadar: High Availability FAQ and other available documentation to familiarize themselves with these deployments.
Note: For systems running QRadar 7.4.1 and older, the qchange_netsetup might report an error.  For more details and remediations, refer to IJ31239: A CRITICAL ISSUE HAS BEEN IDENTIFIED IN /OPT/QRADAR/BIN/QCHANGE_NETSETUP.

Change network settings on a QRadar Console in High Availability

Administrators must choose between the following procedures depending on which host requires the network settings update.

  • Change network settings on the Console's primary host

    Note: This procedure causes full affectation in the deployment as all the managed hosts must be removed from the deployment before qchange_netsetup is run and the services in the Console are affected while qchange_netsetup runs. The administrators are advised to schedule a maintenance window to run the following steps.
    1. Log in to QRadar Console WebUI as an administrator user.
    2. On the navigation menu ( Navigation menu icon ), click Admin.
    3. On the navigation menu, click System Configuration.
    4. Click the System and License Management icon.
    5. In the Display drop-down menu, select Systems.
    6. Remove all managed hosts one by one in the deployment.
      1. Remove all HA hosts in the deployment (including the Console's HA host when exists). Follow the steps in the "Change network settings on a High Availability Secondary host" section in this technote.
        Note: This procedure reboots the primary node to revert the changes done by the HA Setup and takes some time to complete.
      2. Remove all stand-alone managed hosts in the deployment. Follow the steps in the "Change network settings on a stand-alone (primary) Managed host" section in this technote.
      3. On the navigation menu ( Navigation menu icon ), click Admin, and deploy changes.
      4. Repeat from step to step for each managed host in the deployment until the Console is the only host in the deployment.
    Result
    The Console is ready to run qchange_netsetup to change the required network settings. Follow the steps in the "Procedure to run qchange_netsetup" section in this technote.

  • Change network settings on the Console's HA (Secondary) host

    Follow the steps in the "Change network settings on a High Availability Secondary host" section in this technote.

Change network settings on a High Availability Secondary host

Note: This procedure reboots the primary node to revert the changes done by the HA Setup and takes some time to complete.
  1. Log in to QRadar Console WebUI as an administrator user.
  2. On the navigation menu ( Navigation menu icon ), click Admin.
  3. On the navigation menu, click System Configuration.
  4. Click the System and License Management icon.
  5. In the Display drop-down menu, select Systems.
  6. Select the HA Cluster with the host that requires the change.
  7. Ensure the primary host is Active and the secondary is on Standby.
    Note: If they are not, refer to Troubleshooting QRadar® HA deployments
  8. From the toolbar, select High Availability, then Remove HA Host.


     
  9. Wait until the previous primary node reports back as Active in the System and License Management menu.
Results
The HA host is ready to run qchange_netsetup to change the required network settings. Follow the steps in the "Procedure to run qchange_netsetup" section in this technote.

Change network settings on a stand-alone (primary) Managed host

  1. Log in to QRadar Console WebUI as an administrator user.
  2. On the navigation menu ( Navigation menu icon ), click Admin.
  3. On the navigation menu, click System Configuration.
  4. Click the System and License Management icon.
  5. In the Display drop-down menu, select Systems.
  6. Select the HA Cluster with the host that requires the change.
  7. Remove the HA Host from the HA Cluster. Follow the steps in the "Change network settings on a High Availability Secondary host" section in this technote.
  8. From the toolbar, select Deployment Actions, then click Remove Host.
  9. Click OK.
  10. On the navigation menu ( Navigation menu icon ), click Admin, and Deploy changes.


     
  11. Wait until the deploy changes process completes.
Result 
The appliance is removed from the environment and becomes an unmanaged host ready to run qchange_netsetup to change the required network settings. Follow the steps in the "Procedure to run qchange_netsetup" section in this technote.

Procedure to run qchange_netsetup

  1. Connect directly to the appliance as the root user and start a console connection.
    1. Out-of-band management approach. Log in to the IMM or XCC WebUI or equivalent (KVM, iDRAC, etc) and click Remote Control.
      Note: Integrated Management Module (IMM) is present only on QRadar® M3, M4, and M5 appliances. QRadar® M6 appliances use XClarity Controller (XCC) instead. 
    2. Local approach. Connect a local monitor keyboard and mouse to the appliance.
  2. Run qchange_netsetup from the command prompt.
  3. Follow the prompts on the screen to change all required network settings.
  4. Wait until the process finishes.
Result 
Required network settings are updated.

Add managed hosts back to the deployment

  1. Log in to QRadar Console WebUI as an administrator user.
  2. On the navigation menu ( Navigation menu icon ), click Admin.
  3. On the navigation menu, click System Configuration.
  4. Click the System and License Management icon.
  5. In the Display drop-down menu, select Systems.
  6. From the toolbar, select Deployment Actions, then click Add Host.
  7. Add the required information.
  8. Click OK.
  9. On the navigation menu ( Navigation menu icon ), click Admin, and Deploy changes.
Result 
After the action completes successfully, the add host is back to the deployment and contributes to the deployment with its capabilities.

Add HA host back to the deployment

Note: This procedure reboots the primary node to enable the changes done by the HA Setup and takes some time to complete.
  1. Log in to QRadar Console WebUI as an administrator user.
  2. On the navigation menu ( Navigation menu icon ), click Admin.
  3. On the navigation menu, click System Configuration.
  4. Click the System and License Management icon.
  5. In the Display drop-down menu, select Systems.
  6. From the toolbar, select High Availability, then Add HA Host.
  7. Add the required information.
  8. Click Finish.
Result 
After the action completes successfully, which will take some time, the host is added back to the deployment with HA and starts the synchronization process.

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtXAAQ","label":"High Availability"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]

Document Information

Modified date:
14 April 2022

UID

swg21989204

Page Feedback