QRadar: Managing IPtables firewall ports using the User Interface

Before you begin

• After you enable this feature, only the default ports are opened.
• Ports opened during log source configuration are opened
• Only preferred management hosts have access to the QRadar.
• All other hosts and ports are locked out of the system or deployment.
• When using this feature, it is important to do planning so as not to lock yourself out of the system.
• If you configure this wrong, you also can lose events from nondefault ports.

When to use IPtables rules to block traffic

When is it best to use IPtables to block traffic?

• Restrict access to the Console by Subnets, CIDR range.
• Limiting Console assess to specific management hosts.
• Opening ports that are not within the default port range.

How to prevent lockouts

To prevent yourself from being locked out of QRadar, you need access to an IMM or iDRAC to update firewall rules.
QRadar: Modifying iptables rules in QRadar

Procedure

The procedure below allows access to specific Managed Hosts with specific ports and protocols from the UI in QRadar Version 7.3.3 and beyond.

1. After logging into the UI, click the Admin tab > System and License Management icon.
2. Highlight a system to add a firewall rule to.
   
   
3. From the top Menu Bar click Actions > View and Manage System.
   
   
4. Click the Firewall tab.
   
   
5. Add the rule for any IP or CIDR range. Protocol ANY, TCP or UDP, and any Port or Range of Ports then click  .
6. Click Save.
7. To remove a rule, click Remove or Remove All to remove all rules.
   
   
8. Click Save.