Troubleshooting
Problem
Source and Destination IP addresses are sometimes viewed as reversed on the Network Activity tab. This article helps you understand the cause, and helps you correct the source and destination IP addresses. This article is related to all flow types.
Symptom
From the Network Activity tab in QRadar, the flow directions of certain flows display in the wrong direction.
Cause
Flow direction is decided by the Common Destination Port mechanism. For details of how the direction mechanism works, see the technote: QRadar: Reverse Flow Direction (QFlow and NetFlow).
Diagnosing The Problem
Check your setting in Admin > System and License Management > select your managed host > Deployment Actions > Edit Host > Component Management icon > Use Common Destination Port.
When the "Use Common Destination Port" is set to Yes, the QFlow process reverses the direction of flow information, based on commonly used ports.
When the source and destination ports meet the following conditions, the flow direction is displayed reversed:
- If the destination port IS NOT a common destination port, reverse the flow direction if:
  - The source port is a common destination port, OR
  - The source port is less than 1024 AND the destination port is greater than 1024
- If the destination port IS a common destination port, reverse the flow direction if:
  - The source port is a common destination port AND
  - The source port is less than 1024 AND the destination port is greater than 1024
Example:
Source IP: 111.206.250.197 Source Port: 33939 Destination IP: 84.38.197.83 Destination Port: 113
Because source port 33939 is listed in the common destination ports and destination port 113 is not, the flow matches the first condition and its direction is reversed.
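The two reversal rules above, coded as an added example (this is not IBM's code and not how QFlow is implemented internally), so that the decision for any source/destination port pair can be checked offline. The common-port list is constructed: the 32000-33999 range is the one shown in the appid_map.conf excerpt later in this technote; ports 22, 80 and 443 are assumed for illustration and are not claimed to be QRadar's actual defaults.

```python
# Added example: the Common Destination Port reversal rules from the
# "Diagnosing The Problem" section, applied to a constructed port list.

# Constructed common-destination-port list as (low, high) inclusive ranges.
# 32000-33999 comes from the technote's appid_map.conf excerpt; 22/80/443
# are assumptions for illustration only.
COMMON_DESTINATION_PORTS = [(22, 22), (80, 80), (443, 443), (32000, 33999)]


def is_common_destination_port(port: int) -> bool:
    """True when the port falls inside any configured common-destination range."""
    return any(low <= port <= high for low, high in COMMON_DESTINATION_PORTS)


def should_reverse(src_port: int, dst_port: int) -> bool:
    """Apply the two rules exactly as the technote states them."""
    src_common = is_common_destination_port(src_port)
    dst_common = is_common_destination_port(dst_port)
    low_to_high = src_port < 1024 and dst_port > 1024

    if not dst_common:
        # Rule 1: destination is NOT common -> reverse if the source port is
        # common OR (source < 1024 AND destination > 1024).
        return src_common or low_to_high
    # Rule 2: destination IS common -> reverse only if the source is ALSO
    # common AND source < 1024 AND destination > 1024.
    return src_common and low_to_high


def orient(src_ip: str, src_port: int, dst_ip: str, dst_port: int):
    """Return ((source ip, port), (destination ip, port)) as QRadar would display them."""
    if should_reverse(src_port, dst_port):
        return (dst_ip, dst_port), (src_ip, src_port)
    return (src_ip, src_port), (dst_ip, dst_port)


if __name__ == "__main__":
    # The technote's flow: 33939 -> 113. 33939 lies inside 32000-33999 and
    # 113 is not in the list, so rule 1 reverses the displayed direction.
    print(orient("111.206.250.197", 33939, "84.38.197.83", 113))
```

Note that rule 2 is stricter than rule 1: when the destination port is already a common destination port, a common source port alone does not flip the flow, which is why two well-known ports talking to each other (for example 80 to 443 here) keep their original orientation.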
Resolving The Problem
QRadar 7.4.3 introduces a new API endpoint for specifying which ports are considered common destination ports. This list can be viewed from the endpoint:
/api/config/flow/common_destination_ports/active_configurations
For QRadar versions 7.4.3 and newer, the appid_map.conf file no longer exists.
- To query for information and port numbers, use GET - /config/flow/common_destination_ports/active_configurations.
Example curl query:
curl -S -X GET -u admin -H 'Range: items=0-49' -H 'Version: 18.0' -H 'Accept: application/json' 'https://<Console IP>/api/config/flow/common_destination_ports/active_configurations'
- If you need to add a port, you can add it from the POST - /config/flow/common_destination_ports/active_configurations tab with an example body (note there is no trailing comma after the last field; a trailing comma makes the body invalid JSON):
{ "app_detection_enabled": true, "application_id": 51333, "content_capture_size": 42, "flow_direction_enabled": true, "port": 55555 }
Where:
application_id = Use an existing application or create a new one.
port = Common destination port to be added.
Example curl query:
curl -S -X POST -u admin -H 'Content-Type: application/json' -H 'Version: 18.0' -H 'Accept: application/json' --data-binary '{ "app_detection_enabled": true, "application_id": 51333, "content_capture_size": 42, "flow_direction_enabled": true, "port": 55555 }' 'https://<Console IP>/api/config/flow/common_destination_ports/active_configurations'
- To delete a previously added port, use the endpoint DELETE - /config/flow/common_destination_ports/active_configurations/{id}. You need the ID value of the port for the query. To get the ID, first run a GET query that identifies the port number.
Example curl query for port 33939:
curl -S -X GET -u admin -H 'Range: items=0-49' -H 'Version: 18.0' -H 'Accept: application/json' 'https://<Console IP>/api/config/flow/common_destination_ports/active_configurations?filter=port%3D33939'
Response body:
[ { "app_detection_enabled": true, "port": 33939, "content_capture_size": 0, "id": 108, "application_id": 1011, "uuid": "13410cd5-1e6c-4175-a71b-b5dd51684eae", "application_name": "My Application", "last_update_time": 1641319451542, "flow_direction_enabled": true } ]
From this output, you can see that the ID value is 108. Therefore, you would use that value for the DELETE query.
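The GET, POST and DELETE steps above as one added Python example (this is not IBM's code; the endpoint path, the Version/Range/Accept headers and the request bodies are the ones quoted in this technote). The console address, credentials and the RecordingTransport stand-in are constructed so the id lookup and delete sequence can be exercised offline; with transport left as None, urllib performs the real HTTPS calls. Building the POST body with json.dumps also guarantees the body is valid JSON, which hand-written bodies with a trailing comma are not.

```python
# Added example: GET -> id -> DELETE against the common_destination_ports
# endpoint, plus a POST helper. Transport is injectable for offline use.
import base64
import json
import ssl
import urllib.parse
import urllib.request

API_BASE = "/api/config/flow/common_destination_ports/active_configurations"
API_VERSION = "18.0"  # header value used by the technote's curl commands


def _call(console, user, password, method, path, body=None, transport=None):
    """Build the request like the technote's curl commands and send it.

    transport: optional callable(request) -> bytes, used here to run offline.
    When None, urllib performs the HTTPS call with default certificate checks.
    """
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Version": API_VERSION, "Accept": "application/json",
               "Authorization": f"Basic {creds}"}
    data = None
    if method == "GET":
        headers["Range"] = "items=0-49"
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode()  # serialiser output: never a trailing comma
    req = urllib.request.Request(f"https://{console}{path}", data=data,
                                 headers=headers, method=method)
    if transport is None:
        with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
            raw = resp.read()
    else:
        raw = transport(req)
    return json.loads(raw) if raw else None


def find_port_id(console, user, password, port, transport=None):
    """GET ...?filter=port%3D<n> and return the entry id, or None if absent."""
    query = urllib.parse.quote(f"port={port}", safe="")  # -> port%3D33939
    entries = _call(console, user, password, "GET", f"{API_BASE}?filter={query}",
                    transport=transport) or []
    for entry in entries:
        if entry.get("port") == port:
            return entry["id"]
    return None


def add_port(console, user, password, port, application_id, transport=None):
    """POST a new common destination port (same fields as the technote's body)."""
    body = {"app_detection_enabled": True, "application_id": application_id,
            "content_capture_size": 42, "flow_direction_enabled": True, "port": port}
    return _call(console, user, password, "POST", API_BASE, body=body, transport=transport)


def delete_port(console, user, password, port, transport=None):
    """Resolve the id with a GET, then DELETE .../{id}; returns the id removed."""
    entry_id = find_port_id(console, user, password, port, transport)
    if entry_id is None:
        return None
    _call(console, user, password, "DELETE", f"{API_BASE}/{entry_id}", transport=transport)
    return entry_id


class RecordingTransport:
    """Constructed stand-in for the console: records requests, replays a canned GET body."""

    def __init__(self, get_body: bytes):
        self.get_body = get_body
        self.calls = []

    def __call__(self, req):
        self.calls.append((req.get_method(), req.full_url))
        return self.get_body if req.get_method() == "GET" else b""


# Response body quoted in the technote for port 33939 (id 108), re-encoded.
SAMPLE_GET_BODY = json.dumps([{
    "app_detection_enabled": True, "port": 33939, "content_capture_size": 0,
    "id": 108, "application_id": 1011, "uuid": "13410cd5-1e6c-4175-a71b-b5dd51684eae",
    "application_name": "My Application", "last_update_time": 1641319451542,
    "flow_direction_enabled": True}]).encode()

if __name__ == "__main__":
    fake = RecordingTransport(SAMPLE_GET_BODY)  # constructed; replace with transport=None for a real console
    print(delete_port("console.example", "admin", "secret", 33939, transport=fake))
    print(fake.calls)
```

The filter is matched against the returned entries' port field as well, so a console that ignores the filter parameter cannot cause the wrong id to be deleted.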
For QRadar versions 7.4.2 and older
In order to resolve the issue, you can choose to perform either option 1 or 2.
- If the port is listed in the /opt/qradar/conf/appid_map.conf file:
cat /opt/qradar/conf/appid_map.conf | grep 32000
32000,51333,1,1,QRadar Flow Collector
32000-33999,1023,1,1,InnerSystem
- Add the destination port to the Common Destination port list. Important: the change does not persist across a QRadar upgrade, so this fix must be applied again after every upgrade.
- Open a CLI session on the QRadar Console as the root user.
- Check whether the appid_map.conf file is present under /store/configservices/staging/globalconfig/; if it is not, copy it there from /opt/qradar/conf/:
ls -ls /store/configservices/staging/globalconfig/appid_map.conf
cp -vp /opt/qradar/conf/appid_map.conf /store/configservices/staging/globalconfig/
- Open /store/configservices/staging/globalconfig/appid_map.conf in an editor and add the entries for the common destination port. A new entry must use the format:
<Port #>,<App ID>,1,1,<Description>
- Use the app ID of an existing application (check the file /opt/qradar/conf/apps.conf) or create a new one by following the instructions in IBM QRadar Security Intelligence Platform > 7.4 > Defining new applications. The new application ID must be inserted in alphabetical order, maintaining both the first field (Authentication) and the second field (EAP), for example:
Authentication#EAP####536870958
- Perform a deploy.
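An added example (not IBM's code) that performs the checks behind the pre-7.4.3 procedure above before anything is written: it parses appid_map.conf entries in the <Port #>,<App ID>,1,1,<Description> format (including ranges such as 32000-33999 from the grep output), reports which entries already cover a port, verifies that the app ID exists in apps.conf, and produces the line to append. The two sample files are constructed from the lines quoted in this technote; the assumption that the numeric ID is the last #-separated field of an apps.conf line is taken from the single example line shown above.

```python
# Added example: validation helpers for editing appid_map.conf by hand.
# Works on file contents as strings so it can be run against copies first.

# Constructed sample files, built from the lines quoted in the technote.
SAMPLE_APPID_MAP = """32000,51333,1,1,QRadar Flow Collector
32000-33999,1023,1,1,InnerSystem
"""
SAMPLE_APPS_CONF = """Authentication#EAP####536870958
"""


def parse_appid_map(text: str):
    """Return (low, high, app_id, description) per entry; '32000-33999' is a range."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Description is the 5th field and may itself contain spaces.
        port_spec, app_id, _flag1, _flag2, description = line.split(",", 4)
        low, _, high = port_spec.partition("-")
        entries.append((int(low), int(high or low), int(app_id), description))
    return entries


def covering_entries(map_text: str, port: int):
    """Entries whose port or range already covers the given port."""
    return [e for e in parse_appid_map(map_text) if e[0] <= port <= e[1]]


def known_app_ids(apps_text: str):
    """Assumption: apps.conf lines look like Name#SubName####<id>, id last."""
    ids = set()
    for raw in apps_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            ids.add(int(line.rsplit("#", 1)[1]))
    return ids


def make_entry(port: int, app_id: int, description: str, apps_text: str) -> str:
    """Build a '<Port #>,<App ID>,1,1,<Description>' line after validating it."""
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if app_id not in known_app_ids(apps_text):
        raise ValueError(f"app id {app_id} is not defined in apps.conf")
    if "," in description:
        raise ValueError("description must not contain a comma (field separator)")
    return f"{port},{app_id},1,1,{description}"


def add_entry(map_text: str, port: int, app_id: int, description: str, apps_text: str) -> str:
    """Return the new appid_map.conf contents, refusing ports that are already covered."""
    covered = covering_entries(map_text, port)
    if covered:
        raise ValueError(f"port {port} already covered by {covered}")
    return map_text.rstrip("\n") + "\n" + make_entry(port, app_id, description, apps_text) + "\n"


if __name__ == "__main__":
    # 33939 is already covered by the InnerSystem range, so it needs no new entry.
    print(covering_entries(SAMPLE_APPID_MAP, 33939))
    # 113 is not covered; this is the line the procedure would have you add.
    print(add_entry(SAMPLE_APPID_MAP, 113, 536870958, "Ident", SAMPLE_APPS_CONF))
```

Run it against copies of the staging files before editing them; the "already covered" check is what explains cases like the technote's 33939 example, where a port is a common destination port without appearing as a single-port line.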
Document Location
Worldwide
Document Information
Modified date:
29 June 2022
UID
ibm16574823