IBM Support

QRadar: How to edit IPtables rules in QRadar

Question & Answer


Question

How can you use IPtables in QRadar® to stop an event source that is putting my appliance over its EPS limit?

Answer

How to add a firewall rule on a QRadar appliance to stop an event source

Before you begin
For security reasons, QRadar prevents direct connections to the Managed Hosts except from the Console. When required, it is acceptable to open ports such as SSH to the Managed Hosts in a limited way.

Procedure
  1. Using SSH, log in to the QRadar Console as the root user.
  2. Optional: if the data you want to block is received by a managed host rather than the Console appliance, open an SSH session from the Console to that managed host.
  3. Type the following command to edit the iptables file:
    vi /opt/qradar/conf/iptables.pre
    Note: You can use VI, VIM, or any editor you choose. The iptables configuration file is displayed:
    # BEGIN /opt/qradar/conf/iptables.pre FILE
    # Add any commands you wish to be inserted in the iptables rules
    # prior to other rules in this file. This file will be included
    # as-is directly in the /etc/sysconfig/iptables file at the
    # line indicated.

    -A INPUT -s <IP address> -p udp --dport <port> -j REJECT

    # END /opt/qradar/conf/iptables.pre FILE
  4. Enter your IPtables command:
     To reject an IP address:
    -A INPUT -s <IP address> -p udp --dport <port> -j REJECT
     To accept a connection from an IP address:
    -A INPUT -p tcp -m tcp --dport <port> -j ACCEPT -s <IP address>
  5. Save your IPtables configuration: press the Esc key, then type :wq to save the changes and exit the editor.
  6. To update IPtables in QRadar, type the following command:
    /opt/qradar/bin/iptables_update.pl
  7. To verify that the rules you wrote in /opt/qradar/conf/iptables.pre were applied, run the following command:
    iptables -L -n
    Verify that the host you want to block or accept is listed in the IPtables rules.
  8. Verify the IPtables service is running by using the command:
    systemctl status iptables
    Note: Be careful when adding IPtables rules. An incorrect rule could lock you out of the appliance you are adding the IPtables rule to.
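As an added example (not part of the IBM article), the edit from steps 3 to 7 expressed as shell functions, including the lock-out check the note above calls for. It assumes the BEGIN/END marker comments shown in step 3 and that sshd has set SSH_CLIENT for the session; the file path is a parameter so the change can be rehearsed on a copy before touching /opt/qradar/conf/iptables.pre.

```shell
# Added example, not from the IBM article: compose an INPUT REJECT rule for a
# noisy event source and insert it into iptables.pre ahead of the "# END" marker,
# refusing the rule when it would cut off the administrator's own SSH session.
# Assumed: the file keeps the BEGIN/END marker comments shown above, and the
# SSH client address is available in $SSH_CLIENT (set by sshd on login).

# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for n in "$@"; do
    case $n in ''|*[!0-9]*|????*) return 1 ;; esac   # empty, non-digit, or 4+ digits
    [ "$n" -le 255 ] || return 1
  done
}

# Print "-A INPUT -s <src> -p <proto> --dport <port> -j REJECT" after checks.
make_reject_rule() {
  src=$1; port=$2; proto=${3:-udp}
  valid_ipv4 "$src" || { echo "bad address: $src" >&2; return 1; }
  case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
  case $proto in udp|tcp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
  # Lock-out guard: never reject traffic from the host this SSH session came from.
  admin=${SSH_CLIENT%% *}
  if [ -n "$admin" ] && [ "$admin" = "$src" ]; then
    echo "refusing to block the administrator's own host $src" >&2; return 1
  fi
  printf '%s -s %s -p %s --dport %s -j REJECT\n' '-A INPUT' "$src" "$proto" "$port"
}

# Insert the rule before the "# END" marker of the given iptables.pre (path is
# a parameter so the change can be rehearsed on a copy). Duplicates are skipped
# and the file is replaced atomically so a failed write never truncates it.
add_rule_to_pre() {
  file=$1; rule=$2
  grep -qxF -- "$rule" "$file" && return 0
  awk -v r="$rule" '/^# END /{print r; done=1} {print} END{if(!done) print r}' \
    "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# On the appliance (as root, on the host that receives the events):
#   rule=$(make_reject_rule 203.0.113.10 514 udp) &&
#   add_rule_to_pre /opt/qradar/conf/iptables.pre "$rule" &&
#   /opt/qradar/bin/iptables_update.pl && iptables -L INPUT -n | grep 203.0.113.10
```

After iptables_update.pl has run, the last command in the usage comment is the same check as step 7, narrowed to the INPUT chain and the blocked address.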


Another use of IPtables in QRadar
  • IPtables can be used to redirect traffic from one port to another.
    For example, if you have an appliance that can send Syslog only to a customized port, such as 4444, you can use IPtables to redirect traffic arriving on port 4444 to the QRadar standard Syslog port, TCP or UDP 514. Some Cisco appliances do not allow Syslog traffic to be sent to ports below 2000.
  • Never use IPtables to block web access to the QRadar Console. There is a firewall interface in QRadar that specifies, by allowlist, which hosts can communicate with the QRadar Console; it is found in the System and License Management user interface. Never add a firewall rule without one or more redundant backup addresses. This prevents administrators from locking themselves out of their appliance.
  • By default, QRadar appliances do not respond to ping (ICMP) between appliances. This is configured in IPtables for security purposes. Administrators who want to enable ping can see the following article: QRadar: Enabling ping response on appliances.
  • Administrators can also update IPtables from the UI. For more information about managing IPtables from the UI, see:
    QRadar: Managing IPtables firewall ports using the User Interface


Results
If you updated IPtables to block an event source, click Log Activity and add a search filter to confirm whether any new events from that source are still displayed after the firewall rule change. If you edited IPtables to open SSH between hosts, confirm that SSH sessions can be established to the managed host.



Document Information

Modified date:
15 November 2022

UID

swg21986412