IBM QRadar Network Insights Version Installation and Configuration Guide IBM

Transcription

1 IBM QRadar Network Insights Version Installation and Configuration Guide IBM

2 Note Before you use this information and the product that it supports, read the information in Notices on page 27. Product information This document applies to IBM QRadar Security Intelligence Platform V7.3.1 and subsequent releases unless superseded by an updated version of this document. Copyright IBM Corporation US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

3 Contents Introduction to installing QRadar Network Insights v 1 Real-time threat investigations with QRadar Network Insights What's new in QRadar Network Insights V QRadar Network Insights appliances QRadar Network Insights QRadar Network Insights QRadar Network Insights 1920-C Upgrading QRadar Network Insights Installing QRadar Network Insights QRadar Network Insights configuration Configuring QFlow Collector format Configuring DTLS communications protocol Installing the QRadar Network Insights content extension Flow inspection levels Performance impacts Configuring the flow inspection level Stacking QRadar Network Insights appliances Appliance cabling Creating a stack Adding an appliance to a stack Removing an appliance from a stack Notices Trademarks Terms and conditions for product documentation IBM Online Privacy Statement Copyright IBM Corp iii

4 iv QRadar Network Insights Installation and Configuration Guide

5 Introduction to installing QRadar Network Insights This guide contains information about analyzing network data in real-time by using IBM QRadar Network Insights. Intended audience Investigators extract information from the network traffic and focus on security incidents, and threat indicators. Technical documentation To find IBM Security QRadar product documentation on the web, including all translated documentation, access the IBM Knowledge Center ( For information about how to access more technical documentation in the QRadar products library, see Accessing IBM Security Documentation Technical Note ( &uid=swg ). Contacting customer support For information about contacting customer support, see the Support and Download Technical Note ( Statement of good security practices IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. Please Note: Use of this Program may implicate various laws or regulations, including those related to privacy, data protection, employment, and electronic communications and storage. IBM Security QRadar may be used only for lawful purposes and in a lawful manner. Customer agrees to use this Program pursuant to, and assumes all responsibility for complying with, applicable laws, regulations and policies. Licensee represents that it will obtain or has obtained any consents, permissions, or licenses required to enable its lawful use of IBM Security QRadar. Copyright IBM Corp v

6 vi QRadar Network Insights Installation and Configuration Guide

7 1 Real-time threat investigations with QRadar Network Insights IBM QRadar Network Insights is a network threat analytics solution that provides visibility into deep application-level content to better detect insider threats, data exfiltration, and malware activity, and provides real-time analysis of network data and an advanced level of threat detection and analysis. Integration with IBM Security QRadar Incident Forensics QRadar Network Insights provides QRadar with deep visibility into application activities, extracts artifacts, and identifies assets, applications, and users that participate in network communications. It is tightly integrated with IBM Security QRadar Incident Forensics for post incident investigations and threat hunting activities. QRadar Incident Forensics and IBM QRadar Network Packet Capture captures, reconstructs, and replays the entire conversation, but QRadar Network Insights provides the incident detection, and informs you whether suspect items or topics of interest were discussed at any time during the conversation. Suspect content can originate from a wide variety of sources, such as malware, non-standard ports, regex, or Yara rules. For more information about suspect content, see Advanced inspection level attributes in the QRadar Network Insights User Guide. What's new in QRadar Network Insights V7.3.1 IBM QRadar Network Insights V7.3.1 simplifies the configuration, deployment, and stacking of IBM QRadar Network Insights appliances. Stack appliances by using the user interface QRadar Network Insights V7.3.1 makes it easier to configure up to four appliances in a stack to distribute data across multiple CPUs and Napatech cards. Stacking appliances helps you increase your data throughput at higher inspection levels. For more information about stacking appliances, see the IBM QRadar Network Insights Installation Guide. Copyright IBM Corp

8 2 QRadar Network Insights Installation and Configuration Guide

9 2 QRadar Network Insights appliances The IBM QRadar Network Insights appliance is a managed host that you attach to the QRadar console. QRadar Network Insights appliances connect to network TAPs, SPAN, or Mirror ports to access full packet data for real-time analysis. All QRadar Network Insights appliances provide detailed analysis of network flows to extend the threat detection capabilities of QRadar. Table 1. QRadar Network Insights appliances QRadar Network Insights appliance QRadar Network Insights QRadar Network Insights 1920 and 1920-C 6200 Appliance ID Related concepts: Performance impacts on page 18 Flow inspection levels are cumulative, and each level collects more data than the level before it. To improve performance, you must configure the flow inspection level to suit the flow rate that you want to achieve. QRadar Network Insights 1901 The QRadar Network Insights 1901 appliance has four 1G capture ports on a Napatech card, for connectivity to a 1G network. Copyright IBM Corp

10 QRadar Network Insights 1901 appliance 4 Capture ports External time synchronization LED Management Interface Port (RJ-45 1GbE) Figure 1. Back panel of the QRadar Network Insights 1901 appliance The QRadar Network Insights 1901 appliance has the following hardware specifications: Note: Only the Napatech Network Adapter can be used for capturing network packet data. Table 2. QRadar Network Insights 1901 overview Description Interfaces Value One Napatech Network Adapter for fiber, providing four 1 Gbps SFP+ 2x SX (short range) and 2x TX (copper/rj-45) network interfaces Three 10/100/1000 Base-T network management interfaces One 10/100/1000 Base-T QRadar management interface Memory Storage Power supply Dimensions One 10/100 Base-T integrated remote system management interface 64 GB, 4 x16 GB truddr4 2133MHz Memory 2 x 200 GB SSD Dual redundant 750 W AC 28.9 inches deep x 17.1 inches wide x 1.7 inches high For battery removal steps, see Removing the coin-cell battery (also called CMOS battery) ( index.jsp?topic=/com.lenovo.sysx.8871.doc/t_removing_system_battery.html) 4 QRadar Network Insights Installation and Configuration Guide

11 QRadar Network Insights 1920 The QRadar Network Insights 1920 appliance has two Napatech cards, each with four ports. By default, the four ports on the first Napatech card are configured for inbound traffic from the network tap. If the appliance is included in a stack, the ports are reconfigured for 2 inbound and 2 outbound. For more information about cabling stacked appliances, see Appliance cabling on page 21. The second Napatech card is cabled internally for load balancing and cannot not be used. If you use these ports when you cable the appliance, you do not get any data. QRadar Network Insights 1920 appliance External time synchronization LED Activity LED for Port 3 Activity LED for Port 2 Activity LED for Port 1 Activity LED for Port 0 System LED 4 capture ports Do not use these ports Management Interface Port (RJ-45 1GbE) Figure 2. QRadar Network Insights 1920 appliance back panel. The QRadar Network Insights 1920 appliance has the following hardware specifications: Note: Only the Napatech Network Adapter can be used for capturing network packet data. 2 QRadar Network Insights appliances 5

12 Table 3. QRadar Network Insights 1920 overview Description Interfaces Memory Value Two Napatech Network Adapter for fiber, providing four 10 Gbps SFP+ LR (long range) and SR (short range) network interfaces Three 10/100/1000 Base-T network management interfaces One 10/100/1000 Base-T QRadar management interface One 10/100 Base-T integrated remote system management interface 128 GB, 8 x16 GB truddr4 2133MHz Memory Storage 2 x 200 GB SSD (RAID 1) Power supply Dimensions Dual redundant 900 W AC 31.5 inches deep x 17.5 inches wide (19 inches with EIA) x 3.4 inches high For battery removal steps, see Removing the coin-cell battery (also called CMOS battery) ( com.lenovo.sysx.8871.doc/t_removing_system_battery.html) For more information about the front panel, see Front view ( systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/c_front_view.html). For more information about the back panel, see Rear view ( systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/c_rear_view.html). For more information, you can also see System x3650 M5 ( QRadar Network Insights 1920-C The QRadar Network Insights 1920-C appliance has two Napatech cards, each with four ports. By default, the four ports on the first Napatech card are configured for inbound traffic from the network tap. If the appliance is included in a stack, the ports are reconfigured for 2 inbound and 2 outbound. For more information about cabling stacked appliances, see Appliance cabling on page 21. The second Napatech card is cabled internally for load balancing and cannot not be used. If you use these ports when you cable the appliance, you do not get any data. 6 QRadar Network Insights Installation and Configuration Guide

13 QRadar Network Insights 1920-C appliance External time synchronization LED Activity LED for Port 3 Activity LED for Port 2 Activity LED for Port 1 Activity LED for Port 0 System LED 4 capture ports Do not use these ports Figure 3. Back panel of the QRadar Network Insights 1920-C appliance The QRadar Network Insights 1920-C appliance has the following hardware specifications: Note: Only the Napatech Network Adapter can be used for capturing network packet data. Table 4. QRadar Network Insights 1920-C Description Value Interfaces Two Napatech Network Adapters for fiber, providing four 10 GbE SFP+, 1GbE SFP SR SFP+ Transceivers SX SFP Transceivers TX SFP Transceivers Three 10/100/1000 Base-T network monitoring interfaces One 10/100/1000 Base-T QRadar management interface One 10/100 Base-T integrated remote system management interface Two 10 GbE SFP+ ports Memory 128 GB, 8 x16 GB 2133 MT/s DDR4 RDIMM Storage 2 x 200 GB SSD (RAID 1) Power supply Dual redundant 750 W AC Dimensions 2U, inches deep x inches wide x 3.44 inches high 2 QRadar Network Insights appliances 7

14 8 QRadar Network Insights Installation and Configuration Guide

15 3 Upgrading QRadar Network Insights You must upgrade all of your IBM Security QRadar products in your deployment to the same version. Restriction: Resizing logical volumes by using a logical volume manager (LVM) is not supported. Procedure 1. Download the <QRadar_patchupdate>.sfs file from IBM Fix Central ( fixcentral). 2. Use SSH to log in to your system as the root user. 3. Copy the patch file to the /tmp directory or to another location that has sufficient disk space. 4. To create the /media/updates directory, type the following command: mkdir -p /media/updates 5. Change to the directory where you copied the patch file. 6. To mount the patch file to the /media/updates directory, type the following command: mount -o loop -t squashfs <QRadar_patchupdate>.sfs /media/updates/ 7. To run the upgrade installer, type the following command: /media/updates/installer The first time that you run the patch installer script, there might be a delay before the first patch installer menu is displayed. 8. Provide answers to the pre-patch questions based on your deployment. 9. Use the upgrade installer to upgrade all hosts in your deployment. Note: If you do not select Patch All, you must upgrade systems in the following order: v QRadar Console v QRadar Incident Forensics If your SSH session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the installation resumes. 10. After the upgrade is complete, type the following command to unmount the software update: umount /media/updates Copyright IBM Corp

16 10 QRadar Network Insights Installation and Configuration Guide

17 4 Installing QRadar Network Insights IBM QRadar Network Insights is already installed when you purchase a QRadar Network Insights appliance. However, you might need to reinstall the software if, for example, you have a hardware failure. Before you begin Before you install QRadar Network Insights, ensure that the following requirements are met: v The appliance hardware is installed. v A keyboard and monitor are connected by using the VGA connection. v The activation key is available. About this task Install the QRadar Console on one appliance, and the QRadar Network Insights managed host on another appliance. Restriction: Software versions for all appliances in a deployment must be the same version and fix level. Deployments that use different versions of software are not supported. Resizing logical volumes by using a logical volume manager (LVM) is not supported. You install QRadar Network Insights using the QRadar ISO. QRadar Network Insights requires only a connection to the QRadar console. You can deploy QRadar Network Insights separately from the IBM Security QRadar Incident Forensics Processor deployment. Procedure 1. For installations on your own hardware or on virtual machines, copy the QRadar ISO to the root directory. a. Create the /media/dvd directory by typing the following command: mkdir /media/dvd b. Mount the QRadar ISO by using the following command: mount -o loop <QRadar.iso>/media/dvd 2. Use the setup script to start the installation. a. Change the working directory by typing the command: cd /media/dvd b. Start the setup script by typing the command: setup.sh 3. Follow the instructions in the installation wizard. On the Select the Appliance ID page, choose the IBM QRadar Network Insights component to install. 4. Apply your license key. a. Log in to QRadar: The default user name is admin. The password is the password of the root user account. b. Click the login. c. On the navigation menu ( ), click Admin to open the admin tab. d. In the navigation pane, click System Configuration. e. Click the System and License Management icon. f. From the Display list, select Licenses, and upload you license key. Copyright IBM Corp

18 g. Select the unallocated license and click Allocate System to License. h. From the list of licenses, select and license, and click Allocate License to System. For a QRadar Network Insights deployment, only the 6200 managed host requires a license. The QRadar console does not need a QRadar Network Insights license. What to do next Configure your QRadar Network Insights appliance. For more information, see 5, QRadar Network Insights configuration, on page QRadar Network Insights Installation and Configuration Guide

19 5 QRadar Network Insights configuration After your IBM QRadar Network Insights appliance is installed and attached to the QRadar Console as a managed host, you must configure the appliance before you can use it for investigating threats on your network. After the appliance is configured, it reads the raw packets from the network tap or span port and then generates IPFIX packets. The IPFIX packets are sent to flow processes in the deployment. Configuring QFlow Collector format You can choose the format that your QRadar QFlow Collectors use to export data to the QFlow processor: TLV (type-length-value) or Payload. The TLV format stores the content metadata properties in the flow record, and can be searched without extra configuration in QRadar. The payload format stores the content metadata properties in the payload field of the flow record. To run searches on the data, you must use custom properties to extract the data from the payload. Before you begin Before you configure the QRadar QFlow Collector format, ensure that you complete the following tasks: v v Install a QRadar Console with a QRadar Network Insights appliance attached as a managed host. Perform a full deployment after you attach the IBM QRadar Network Insights appliance as a managed host. Important: Content extension v1.3.0 introduced support for TLV fields, which supersedes earlier content extensions that were based on custom properties. If you are using content extension v1.3.0 or later, you must set the QFlow format setting to TLV; otherwise the rules in the content pack don't work. Procedure 1. Log in to QRadar: The default user name is admin. The password is the password of the root user account. 2. On the navigation menu ( ), click Admin to open the admin tab. 3. In the navigation pane, click System Settings. 4. Click the QFlow Settings menu, and choose the QFlow format. Table 5. QFlow format options QFlow format TLV Description Default QFlow format setting. Choose TLV (type-length-value) for new installations, or for upgrades that don't have a QRadar Network Insights appliance as part of their deployment. QRadar Network Insights V7.3.0 or later supports only TLV for content flows. Payload Choose Payload for upgrades that have a QRadar Network Insights appliance as part of their deployment. 5. Click Save. Copyright IBM Corp

20 6. From the menu bar on the Admin tab, click Deploy Full Configuration and confirm your changes. 7. Refresh your web browser to view the Forensics tab. Configuring DTLS communications protocol To prevent eavesdropping and tampering, you must set up Datagram Transport Layer Security (DTLS) on a QRadar Network Insights managed host. About this task You must configure the flow source before you run the DTLS setup script. If you change the QRadar Flow Collector or flow source of any QRadar Network Insights managed hosts in your deployment, you must run the DTLS setup script again. Procedure 1. Add QRadar Network Insights as a managed host: a. On the navigation menu ( ), click Admin to open the admin tab. b. In the System Configuration section, click System and License Management. c. Select the QRadar Network Insights managed host. The appliance type is d. On the Deployment Actions menu, click Add Host. e. Provide the information for the QRadar Network Insights managed host and click Add. 2. Complete the following steps to configure a flow source: a. Log in to QRadar as an administrator. b. On the navigation menu ( ), click Admin to open the admin tab. c. In the Flows section, click Flow Sources. d. Click the Add icon. e. In the Flow Source Name field, type a descriptive name. f. In the Target Flow Collector field, select a flow collector or accept the value provided. g. In the Flow Source Type list, select Netflow v.1/v.5/v.7/v.9/ipfix. h. In the Monitoring Port field, select a port or accept the value provided. i. In the Linking Protocol list, select DTLS. j. Click Save. k. From the menu bar on the Admin tab, click Deploy Full Configuration and confirm changes. l. Refresh your web browser. 3. Complete the following steps to configure DTLS communication: a. On the Admin tab, in the System Configuration section, click System and License Management. b. Select the managed host, and on the Deployment Actions menu, click Edit Host Connection. c. On the Modify Flow Collector Connection page, select the QRadar Flow Collector and flow source. d. Click the Save. e. Close the System and License Management page. f. On the Admin tab, click the Deploy Changes icon. g. Use SSH to log in as the root user on the QRadar Console. h. Run this command to set up the DTLS certificate: python /opt/qradar/bin/qflow_dtls_cert_setup.py i. Log in to QRadar as an administrator. j. On the Admin tab, select Advanced > Deploy Full Configuration. Related tasks: 14 QRadar Network Insights Installation and Configuration Guide

21 Configuring the flow inspection level on page 18 Each flow inspection level provides deeper visibility and extracts more content than the preceding levels. The flow inspection level is global and applies to all appliances in your deployment. Installing the QRadar Network Insights content extension QRadar Network Insights content extensions include extra content, such as rules, reports, searches, and custom properties, that can be used to provide in-depth analysis, alerts, and reports in QRadar Network Insights deployments. Before you begin Download the QRadar Network Insights v7.3.0 content extension to your local computer from the IBM Security App Exchange ( 5faf57a cbc4db41bd74f4). Procedure 1. Log in to the QRadar Console as an administrator. 2. On the navigation menu ( ), click Admin to open the admin tab. 3. Click Extension Management. 4. To upload an extension and install it immediately, follow these steps: a. Click Add and select the extension to upload. b. To install the extension immediately, select the Install immediately check box, and then click Add. 5. To preview the contents of an extension before you install it, follow these steps: a. Select the extension from the list, and click More Details. The content items are compared to content items that are already in the deployment. If the content items exist, you can choose to overwrite them or to keep the existing data. b. Select Replace existing items. This setting ensures that existing custom properties are updated when the extension is installed. c. Click Install. d. Review the installation summary, and click OK. Results After the extension is added, a yellow caution icon in the Status column indicates potential issues with the digital signature. Hover the mouse over the triangle for more information. Extensions that are unsigned or are signed by the developer, but not validated by your vendor, might cause compatibility issues in your deployment. 5 QRadar Network Insights configuration 15

22 16 QRadar Network Insights Installation and Configuration Guide

23 6 Flow inspection levels The flow inspection level determines how much data is analyzed and extracted from the network flows. The setting is global and applies to all appliances in your deployment. Basic inspection level Basic flows is the lowest level of inspection. Basic flows are detected by 5-tuple, and the number of bytes and packets that are flowing in each direction are counted. This kind of information is similar to what you get out of a router or network switch that does not perform deep packet inspection. This level supports the highest bandwidth, but generates the least amount of flow information. The attributes that QRadar Network Insights generates using the basic flows inspection level are: 5-tuple values, a flow ID, packet and octet counts in each direction, and flow start and end times. Enriched inspection level With the enriched inspection level, each flow is identified and inspected by one of the protocol or domain inspectors, and many kinds of attributes can be generated from that inspection. The following list describes the attributes that QRadar Network Insights generates by using the Enriched flow inspection level are: v HTTP metadata values - including categorization of URLs v Application ID and action v File information (name, size, hash) v Originating and recipient user names v Limited suspect content values Advanced inspection level Advanced is the default setting and the highest level of inspection. It contains all the attributes that the enriched flows level does and it also scans and inspects the content of the files that it finds. This results in a more accurate content-type determination, and can yield more suspect content values that result from the inspection of the file contents. The following list describes the attributes that QRadar Network Insights generates by using the Advanced flow inspection level: v Personal information v Confidential data v Embedded scripts v Redirects v Configurable content-based suspect content Copyright IBM Corp

24 Performance impacts Flow inspection levels are cumulative, and each level collects more data than the level before it. To improve performance, you must configure the flow inspection level to suit the flow rate that you want to achieve. Table 6. Performance impacts Flow Inspection Level Setting Basic Enriched Advanced Performance 10 Gbps Approximately 10 Gbps. Performance varies depending on the inspection level setting, search, extraction criteria, and network data. Approximately 3.5 Gbps. 10 Gbps performance is achievable with multiple appliances. To achieve higher flow rates at the Advanced inspection level, create an appliance stack to distribute the data processing across multiple Napatech cards and CPUs. For more information about stacked appliances, see 7, Stacking QRadar Network Insights appliances, on page 21. Related concepts: 2, QRadar Network Insights appliances, on page 3 The IBM QRadar Network Insights appliance is a managed host that you attach to the QRadar console. Configuring the flow inspection level Each flow inspection level provides deeper visibility and extracts more content than the preceding levels. The flow inspection level is global and applies to all appliances in your deployment. Procedure 1. Log in to QRadar as an administrator. 2. On the navigation menu ( ), click Admin to open the admin tab. 3. Click System Settings, and then click Network Insights Settings. 4. From the Flow Inspection Level, select the flow rate that is required. The following table explains the difference between each inspection level: Table 7. Flow inspection levels Flow Inspection Level Basic Enriched Advanced Description Lowest level of inspection. Flows are detected by 5-tuple, and the number of bytes and packets that are flowing in each direction are counted. Each flow is identified and inspected by one of the protocol or domain inspectors, and many kinds of attributes can be generated from that inspection. The default setting. The highest level of inspection. It does everything that the Enriched level does, but it also scans and inspects the content of the files that it finds. 5. Click Save. 6. From the menu bar on the Admin tab, click Advanced > Deploy Full Configuration. 7. Refresh your web browser. What to do next Deploy the QRadar Network Insights Processor. Related tasks: 18 QRadar Network Insights Installation and Configuration Guide

25 Configuring DTLS communications protocol on page 14 To prevent eavesdropping and tampering, you must set up Datagram Transport Layer Security (DTLS) on a QRadar Network Insights managed host. 6 Flow inspection levels 19

26 20 QRadar Network Insights Installation and Configuration Guide

27 7 Stacking QRadar Network Insights appliances QRadar Network Insights stacking allows you to load balance network packet data across multiple Napatech cards. By distributing the data processing and analysis across multiple appliances, stacking can help you handle higher data volumes and improve flow throughput performance at the highest inspection levels. Appliance cabling You can stack the QRadar Network Insights 1920 appliances (type 6200) only. Each stack can have a maximum of four appliances, but you can have more than one stack in a deployment. You cannot stack the QRadar Network Insights 1901 appliance. Each QRadar Network Insights 1920 appliance is configured with 2 Napatech cards. The port configuration on the first Napatech card changes, depending on whether the appliance is part of a standalone configuration or a stacked configuration. Standalone configuration In a standalone configuration, the four ports on the first Napatech card are configured to accept inbound traffic from the network tap. The second Napatech card is a load balancer that is configured internally. Do not use the ports on this card; if you use them, you do not get any data. Stacked configuration In a stacked configuration, the four ports on the first Napatech card are reconfigured, two ports for inbound traffic and two ports for outbound traffic. The ports are configured as linked pairs, so the data that comes in on port 0 goes out on port 2, and the data that comes in on port 1 goes out on port 3. Similar to a standalone configuration, the second Napatech card cannot be used in a stacked configuration. Single incoming TAP line When your deployment has incoming data on one network tap only, the stacked appliances must be cabled like this: Copyright IBM Corp

28 Single network tap appliance stacking Primary appliance Network tap on Port 0 Second appliance Third appliance Fourth appliance Figure 4. Cabling for stacked 1920 appliances with single network TAP Dual incoming TAP lines When your deployment has incoming data on two network taps, the stacked appliances must be cabled like this: 22 QRadar Network Insights Installation and Configuration Guide

29 Dual network tap appliance stacking Primary appliance Network tap on Port 0 Network tap on Port 1 Second appliance Third appliance Fourth appliance Figure 5. Cabling for stacked 1920 appliances with dual network TAP Creating a stack Create a stack to improve performance at higher inspection levels by load balancing network packet data across multiple QRadar Network Insights appliances. Before you begin Ensure that all appliances that you want to include in the stack are racked and cabled. For more information about how to cable appliances for use in a stacked configuration, see Appliance cabling on page 21. Ensure that the appliance and the QRadar Console used to manage it are at the same QRadar version and fix pack level. Procedure 1. Add the QRadar Network Insights appliance to your deployment as a managed host. a. On the navigation menu ( ), click Admin to open the admin tab. b. In the System Configuration section, click System and License Management. c. In the Display list, select Systems. d. On the Deployment Actions menu, click Add Host. 7 Stacking QRadar Network Insights appliances 23

30 e. Configure the settings for the managed host by providing the fixed IP address and the root password for the appliance. f. Click Add. The managed host is added and the new configuration is ready to deploy. g. On the Admin tab, click Advanced > Deploy Full Configuration. QRadar V7.3.1 continues to collect events when you deploy the full configuration. In earlier versions of QRadar, event collection stops while the new configuration is deployed. 2. Edit the host connection information for the managed host to configure it as part of a QRadar Network Insights stack. a. On the Admin tab, click System and License Management. b. In the Display list, select Systems. c. Select the QRadar Network Insights managed host, and on the Deployment Actions menu, click Edit Host Connection. d. On the Modify QRadar Network Insights Connection page, select the QRadar Flow Collector and the NetFlow source. By default, the flow collector is the IP address of the QRadar Console. e. Click Save. The console recognizes that the managed host is a 6200 appliance that can be configured as part of a stack. f. Select Stacked, and then select Create new stack and type a descriptive name. g. Select Next. The Configure QNI Ports window shows that the ports are now reconfigured from four inbound ports to two ports for inbound traffic and two ports for outbound traffic. h. Click Save. The System and License Management window now shows the new QRadar Network Insights stack with one QRadar Network Insights appliance. What to do next You must deploy the changes for the new configuration to take effect. Adding an appliance to a stack You can have up to four appliances in a QRadar Network Insights stack. Before you begin Ensure that the appliance that you want to add to the stack is deployed into your QRadar environment. For more information about cabling appliances for use in a stacked configuration, see Appliance cabling on page 21. All appliances in the stack must be at the same QRadar version and fix pack level as the QRadar Console that manages them. Procedure 1. On the Admin tab, click System and License Management. 2. In the Display list, select Systems. 3. Select the QRadar Network Insights managed host, and on the Deployment Actions menu, click Edit Host Connection. 4. In the Modify QRadar Network Insights Connection window, click Save. Do not change the flow connection information. 5. Select Stacked, and then select Add to Existing Stack. 24 QRadar Network Insights Installation and Configuration Guide

31 6. Select the stack that you want to add the appliance to. The list shows the names of the existing stacks and the number of appliances that are allocated to the stack. For example, StackName 1/4 Hosts indicates that you can add three more appliances to the stack. 7. Click Next. The Configure QNI Ports window shows that the ports are now reconfigured from four inbound ports to two ports for inbound traffic and two ports for outbound traffic. 8. Click Save. The System and License Management window now shows the newly added appliance in the stack. What to do next You must deploy the changes for the new configuration to take effect. Removing an appliance from a stack To remove an appliance from a QRadar Network Insights stack, edit the host connection to revert it back to a stand-alone appliance. Procedure 1. On the Admin tab, click System and License Management. 2. In the Display list, select Systems. 3. Select the QRadar Network Insights managed host, and on the Deployment Actions menu, click Edit Host Connection. 4. In the Modify QRadar Network Insights Connection window, click Save. Do not change the flow connection information. 5. Select Standalone to remove it from the stack, and then click Next. The port configuration is reverted back to four inbound ports. 6. Click Save. The System and License Management window now shows the managed host as a stand-alone appliance. What to do next You must deploy the changes for the new configuration to take effect. You must change the physical cabling for the appliance to remove it from the stack. 7 Stacking QRadar Network Insights appliances 25

32 26 QRadar Network Insights Installation and Configuration Guide

33 Notices This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-ibm product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY U.S.A. For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: Intellectual Property Licensing Legal and Intellectual Property Law IBM Japan Ltd , Nihonbashi-Hakozakicho, Chuo-ku Tokyo , Japan INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-ibm websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk. IBM may use or distribute any of the information you provide in any way it believes appropriate without incurring any obligation to you. Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: Copyright IBM Corp

34 IBM Director of Licensing IBM Corporation North Castle Drive, MD-NC119 Armonk, NY US Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us. The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions.. Information concerning non-ibm products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-ibm products. Questions on the capabilities of non-ibm products should be addressed to the suppliers of those products. Statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to actual people or business enterprises is entirely coincidental. Trademarks IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at Terms and conditions for product documentation Permissions for the use of these publications are granted subject to the following terms and conditions. Applicability These terms and conditions are in addition to any terms of use for the IBM website. Personal use You may reproduce these publications for your personal, noncommercial use provided that all proprietary notices are preserved. You may not distribute, display or make derivative work of these publications, or any portion thereof, without the express consent of IBM. 28 QRadar Network Insights Installation and Configuration Guide

35 Commercial use You may reproduce, distribute and display these publications solely within your enterprise provided that all proprietary notices are preserved. You may not make derivative works of these publications, or reproduce, distribute or display these publications or any portion thereof outside your enterprise, without the express consent of IBM. Rights Except as expressly granted in this permission, no other permissions, licenses or rights are granted, either express or implied, to the publications or any information, data, software or other intellectual property contained therein. IBM reserves the right to withdraw the permissions granted herein whenever, in its discretion, the use of the publications is detrimental to its interest or, as determined by IBM, the above instructions are not being properly followed. You may not download, export or re-export this information except in full compliance with all applicable laws and regulations, including all United States export laws and regulations. IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE. IBM Online Privacy Statement IBM Software products, including software as a service solutions, ( Software Offerings ) may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering s use of cookies is set forth below. Depending upon the configurations deployed, this Software Offering may use session cookies that collect each user s session id for purposes of session management and authentication. These cookies can be disabled, but disabling them will also eliminate the functionality they enable. If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent. For more information about the use of various technologies, including cookies, for these purposes, See IBM s Privacy Policy at and IBM s Online Privacy Statement at the section entitled Cookies, Web Beacons and Other Technologies and the IBM Software Products and Software-as-a-Service Privacy Statement at Notices 29

36 30 QRadar Network Insights Installation and Configuration Guide

37

38 IBM Printed in USA