IBM Support

QRadar on Cloud: How to configure extra collection interfaces on Data Gateways

How To


Summary

Similar to on-premises QRadar appliances, Data Gateways (DG) support various roles on their network interfaces. This supports architectures such as a DMZ, or cases where certain events cannot leave a particular subnet and a multi-homing setup is required.

This technote provides the steps to achieve these configurations on a QRadar on Cloud deployment (QRoC).

Environment

Data Gateways that require a multi-homing configuration with a management interface and one or more extra interfaces for events or flows.

Administrators are advised to read the QRadar on Cloud Support FAQ and the QRadar on Cloud documentation in advance to familiarize themselves with these deployments before running the steps in this technote.

These steps are not meant to interact with the management interface. To change any network setting in the management interface, refer to "QRadar: Changing the Network Configuration of a QRoC deployment Data Gateway".

Steps

  1. Edit the virtual machine to add the extra interface.
    1. Select the virtual machine of the Data Gateway. 
    2. Click Actions, then Edit Settings.
    3. Click "ADD NEW DEVICE", then Network adapter.

    4. Select the appropriate network.
      Note: Without this setting, the network interface doesn't have access to the network. This setting needs to be provided by the Hypervisor Administrator.
    5. Check the Connected box.

    6. Click OK.
       
  2. Verify the interface is listed in the operating system.
    1. Log in to the Data Gateway as the root user.
    2. Run the following command to obtain the summary list of the interfaces:
       
      ip -br a
    3. Verify that a new interface appears.
      Note: The interface name might vary depending on the hardware. See Red Hat's consistent network device naming for more details.

      Output Example. The recently added interface is ens224.
      [root@qradar-datageway01 ~]# ip -br a
      lo               UNKNOWN        127.0.0.1/8 ::1/128
      ens192           UP            <Management Interface IP>/30 fe80::250:56ff:fe9e:660c/64
      ens224           UP                    
      
  3. Create a QRadar on Cloud support ticket and provide the following information:
    1. The role or purpose of the network interface. The administrator must choose between:
      1. Regular: When the network interface is used for Data (events) collection. This role requires an IP address.
      2. Monitor: When the network interface is used for Packet (flows) collection. This role does not require an IP address.
    2. The network information for the interface when the Regular role is required. The information must have:
      1. An IP address not in the range 192.168.x.x/16, nor in the same range as the management interface.
      2. Subnet Mask.
      3. A default gateway is not required.
         
  4. Wait until QRoC DevOps confirms the configuration is done.
     
  5. Verify the network interface now contains the network settings by running the command in Step 2.

    Output Example. The recently added interface is ens224.
    [root@qradar-datageway01 ~]# ip -br a
    lo               UNKNOWN        127.0.0.1/8 ::1/128
    ens192           UP            <Management Interface IP>/30 fe80::250:56ff:fe9e:660c/64
    ens224           UP            <Collection Interface IP>/30 fe80::250:56ff:fe9e:660c/64     
    
Results
The multi-homing configuration is done and the Data Gateway can use the recently configured interface for event or flow ingestion.
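
The address constraints in Step 3 can be checked before the support ticket is opened. The following Python sketch is an added example, not IBM code: it reads `ip -br a` output and rejects a proposed Regular-role address that falls in 192.168.0.0/16 or overlaps the management subnet. Treating "same range" as subnet overlap, using ens192 as the management interface, and all sample addresses are assumptions made for the example.

```python
import ipaddress

# Step 3 excludes this range for a Regular interface.
EXCLUDED = ipaddress.ip_network("192.168.0.0/16")

# Constructed sample of `ip -br a` output; all addresses are made up.
SAMPLE = """\
lo               UNKNOWN        127.0.0.1/8 ::1/128
ens192           UP             10.10.1.2/30 fe80::250:56ff:fe9e:660c/64
ens224           UP
"""

def parse_ip_br(output):
    """Map each interface name to its IPv4 addresses (as IPv4Interface)."""
    table = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        v4 = []
        for token in fields[2:]:
            try:
                addr = ipaddress.ip_interface(token)
            except ValueError:
                continue  # placeholder or other non-address text
            if addr.version == 4:
                v4.append(addr)
        table[fields[0].split("@")[0]] = v4  # drop "@parent" suffix on VLANs
    return table

def check_collection_address(candidate, mgmt_name, ip_br_output):
    """Return the reasons to reject `candidate` (CIDR); empty list means OK."""
    cand = ipaddress.ip_interface(candidate)
    problems = []
    if cand.network.overlaps(EXCLUDED):
        problems.append(f"{cand} overlaps {EXCLUDED}")
    mgmt = parse_ip_br(ip_br_output).get(mgmt_name, [])
    if not mgmt:
        problems.append(f"no IPv4 address found on {mgmt_name}")
    for m in mgmt:
        if cand.network.overlaps(m.network):
            problems.append(f"{cand} overlaps management subnet {m.network}")
    return problems

if __name__ == "__main__":
    for proposal in ("192.168.5.10/24", "10.10.1.1/30", "172.16.20.5/24"):
        issues = check_collection_address(proposal, "ens192", SAMPLE)
        print(proposal, "->", issues or "acceptable")
```

The same `parse_ip_br` result can be used after Step 5 to confirm that the new interface now lists the address that was requested in the ticket.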


VMware, the VMware logo, VMware Cloud Foundation, VMware Cloud Foundation Service, VMware vCenter Server, and VMware vSphere are registered trademarks or trademarks of VMware, Inc. or its subsidiaries in the United States and/or other jurisdictions.
 

Document Location

Worldwide


Document Information

Modified date:
28 March 2022

UID

ibm16561671