IBM Support

QRadar: How to add a managed host to an existing NAT Group for private IP communication

How To


Summary

This article helps administrators configure QRadar® NAT Groups when the Console is in a different NAT Group and a managed host is reachable only through a Private IP.

Environment

To configure this integration, the administrator must have:
 
  1. A QRadar® Console configured on its own NAT Group
  2. Managed hosts configured on a different NAT Group than the Console.
  3. A managed host to be added that is reachable without the need for a Public IP.

IMPORTANT: This technical note assumes that all the managed hosts in the deployment have encryption enabled. If any of the managed hosts don't have encryption enabled, the firewall devices must allow connections to all ports from the Console's Public IP.

Steps

Note: The following IPs are only meant to illustrate the configuration. All of them are considered "Private IPs" by RFC 1918. Administrators must change the IPs to match their own deployment.
 
Deployment Overview and considerations
Note: This technote assumes the existing deployment is working without connectivity issues and encryption is enabled. In this technote example, the managed host without a Public IP is the Event Collector (EC).
 
Console Private IP = 10.11.12.254
Console Public IP = 172.16.12.100
Console NAT Group (Location) = Main Office

Event Processor (EP) Private IP = 192.168.12.101
Event Processor (EP) Public IP = 172.16.12.101
Event Processor (EP) NAT Group (Location) = Branch1

Event Collector (EC) Private IP = 172.16.12.102
Event Collector (EC) Public IP = <None>
Event Collector (EC) NAT Group (Location) = Branch1

The following scenarios can help administrators determine which NAT Group must be selected for the EC:
  1. The EC will be connected to the Console.
    The NAT Group to be selected is the same as the Console so that the EC and the Console can connect using their private IPs. If the EC needs to be connected to the EP in the future, the EC will expect the connection to come from the EP's Public IP.
     
  2. The EC will be connected to the EP.
    The NAT Group to be selected is the same as the EP so that the EC and the EP can connect using their private IPs. The EC expects the connections from the Console's Public IP.
This technote provides the steps to configure scenario #2.

QRadar® Configuration
  1. Navigate to the "Add Managed Host" menu.
    1. Log in to the QRadar® Console as the admin user.
    2. On the QRadar® WebUI, click the Admin Tab.
    3. In the System Configuration section, click System and License Management.
    4. In the Display list, select Systems.
    5. Click the Deployment Actions menu, and then click Add Host.
       
  2. Configure the Managed Host
    1. Type the Host IP and Host Password.
      Note: The Host IP is the Private IP.
    2. Select the Encrypt Host Connections check box.
    3. Select the Network Address Translation check box.
    4. In the NAT Group list, select the NAT Group. In this technote example, "Branch1".
    5. In the Public IP field, type the private IP address, and then click Add.
      Note: When configuring NAT Groups, the Public IP field cannot be empty. Therefore the same private IP is used.

       
  3. Deploy the changes.
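
The following Python sketch is an added example, not IBM code and not part of the original technote. It models the rule behind the two scenarios (private IP inside a NAT Group, Public IP field across groups) together with the note that the Public IP field repeats the private IP, and lists which cross-group peers must therefore be able to route to a private address. The class and function names are hypothetical, the model is a simplification based only on the statements above, and the IPs are the technote's example values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    private_ip: str
    public_ip: str   # value typed in the "Public IP" field of Add Host
    nat_group: str

def address_seen_by(peer, viewer):
    """Address under which `viewer` knows `peer`: the private IP inside the
    same NAT Group, the Public IP field across groups (simplified model)."""
    return peer.private_ip if peer.nat_group == viewer.nat_group else peer.public_ip

def peer_addresses(host, deployment):
    """Addresses `host` dials, and expects connections from, per peer."""
    return {p.name: address_seen_by(p, host) for p in deployment if p != host}

def needs_private_route(deployment):
    """(viewer, peer) pairs in different NAT Groups where the peer's Public IP
    field repeats its private IP, so the viewer must route to that private IP."""
    return [(v.name, p.name) for v in deployment for p in deployment
            if v != p and v.nat_group != p.nat_group
            and p.public_ip == p.private_ip]

# Example values from the technote's deployment overview.
CONSOLE = Host("Console", "10.11.12.254", "172.16.12.100", "Main Office")
EP = Host("EP", "192.168.12.101", "172.16.12.101", "Branch1")
# The EC has no Public IP, so the field repeats its private IP (step 2.5).
EC_SCENARIO_1 = Host("EC", "172.16.12.102", "172.16.12.102", "Main Office")
EC_SCENARIO_2 = Host("EC", "172.16.12.102", "172.16.12.102", "Branch1")

if __name__ == "__main__":
    for label, ec in (("scenario 1", EC_SCENARIO_1), ("scenario 2", EC_SCENARIO_2)):
        deployment = [CONSOLE, EP, ec]
        print(label)
        for host in deployment:
            print(f"  {host.name} knows its peers as {peer_addresses(host, deployment)}")
        for viewer, peer in needs_private_route(deployment):
            print(f"  check routing/firewall: {viewer} -> {peer} private IP")
```

In scenario #2 the only cross-group path to a private address is Console to EC, so that is the route and firewall rule to verify before deploying the changes.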

Document Location

Worldwide


Document Information

Modified date:
07 May 2021

UID

ibm16419487