How to Enable Ping response On IBM QRadar SIEM


In this tutorial, we are going to learn how to enable ping response on IBM QRadar SIEM. So you have installed IBM QRadar SIEM and are trying to verify that it is up using the ping command, but you notice that the ICMP echo requests are being dropped? This happens because, by default, QRadar SIEM drops all ICMP traffic received on its management interfaces.

Enabling Ping response On IBM QRadar SIEM

As already mentioned, QRadar SIEM drops all ICMP traffic received on the management interfaces and will not respond to these requests. See the example ping below.

ping 192.168.43.3
PING 192.168.43.3 (192.168.43.3) 56(84) bytes of data.
^C
--- 192.168.43.3 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7069ms

Thus, to allow ICMP ping response on IBM QRadar SIEM, you have to adjust the firewall rules so that ICMP echo requests are accepted and answered, as described in the procedure below.

1. Log in to the QRadar VM

Log in to the QRadar VM via SSH:

ssh [email protected]

2. Backup Firewall iptables Configurations

Make a backup of the existing firewall rules before making any changes:

cp /opt/qradar/conf/iptables.pre{,.bak}

3. Enable Ping response On IBM QRadar SIEM

Identify your management interface using the ip command:

ip a

Open the firewall rules configuration file:

vim /opt/qradar/conf/iptables.pre

Add the following lines to allow ICMP echo requests and replies from all hosts. Replace enp0s17 with your management interface.

# Allow ICMP replies
-A INPUT -i enp0s17 -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -i enp0s17 -p icmp --icmp-type 0 -j ACCEPT

where enp0s17 is the QRadar management interface.

To allow ping only from specific hosts, restrict the source with the -s option, for instance:

-A INPUT -i {interface} -p icmp --icmp-type 8 -s host/cidr -j ACCEPT
-A INPUT -i {interface} -p icmp --icmp-type 0 -s host/cidr -j ACCEPT

Save and exit the file when done making changes.

4. Reload iptables to Apply the Changes

Once the changes are made, reload the rules so that they take effect:

/opt/qradar/bin/iptables_update.pl

PID=5611
>>> Shutting down existing firewall...
/tmp/iptables.5611
/tmp/ip6tables.5611
>>> Beginning update...
 Writing out rules for web access...
>>> IPTables update complete. Restarting firewall...
>>> Done!
>>> IP6Tables update complete. Restarting firewall...
Finished starting ipv6

>>> Done!
Done iptables update.

5. Confirm IBM QRadar Ping Response

Ping your QRadar host to verify that it now responds to ICMP echo requests:

ping 192.168.43.3 -c 3

PING 192.168.43.3 (192.168.43.3) 56(84) bytes of data.
64 bytes from 192.168.43.3: icmp_seq=1 ttl=64 time=0.370 ms
64 bytes from 192.168.43.3: icmp_seq=2 ttl=64 time=0.265 ms
64 bytes from 192.168.43.3: icmp_seq=3 ttl=64 time=0.599 ms

--- 192.168.43.3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2041ms
rtt min/avg/max/mdev = 0.265/0.411/0.599/0.140 ms
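Steps 2 to 4 above can be scripted so they are safe to re-run. The script below is an added example and not part of the original tutorial: it backs up iptables.pre once, appends only the rules that are not already present, and calls the reload script only when something changed. The file and script paths are those used in the tutorial; the interface name enp0s17 and the CIDR 192.168.43.0/24 in the usage line are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently add the ICMP
# echo rules to QRadar's iptables.pre and reload the firewall if needed.
# Paths follow the tutorial; enp0s17 and 192.168.43.0/24 are sample values.

# Print the two ICMP rules for an interface, optionally limited to a source.
icmp_rules() {
    iface="$1"; src="${2:-}"; srcopt=""
    [ -n "$src" ] && srcopt=" -s $src"
    printf '%s\n' "-A INPUT -i $iface -p icmp --icmp-type 8$srcopt -j ACCEPT"
    printf '%s\n' "-A INPUT -i $iface -p icmp --icmp-type 0$srcopt -j ACCEPT"
}

# Append the rules to $1 for interface $2 (source $3 optional), skipping any
# rule that is already present. Takes one backup ($1.bak) before the first
# change. Returns 0 if the file was modified, 1 if it was already up to date.
add_icmp_rules() {
    file="$1"; changed=1
    while IFS= read -r rule; do
        if ! grep -qxF -e "$rule" "$file"; then
            [ "$changed" -eq 1 ] && cp "$file" "$file.bak"   # step 2, once
            printf '%s\n' "$rule" >> "$file"                  # step 3
            changed=0
        fi
    done <<EOF
$(icmp_rules "$2" "${3:-}")
EOF
    return "$changed"
}

# Usage: sh enable_ping.sh enp0s17 192.168.43.0/24
main() {
    if add_icmp_rules /opt/qradar/conf/iptables.pre "$1" "${2:-}"; then
        /opt/qradar/bin/iptables_update.pl                    # step 4
    else
        echo "ICMP rules already present; nothing to reload"
    fi
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Running it a second time with the same arguments reports that the rules are already present and does not touch the firewall.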

Conclusion

You can now ping the QRadar VM and verify its reachability from the hosts or networks defined in iptables. Stay connected for more tutorials on QRadar SIEM.

That concludes our guide on how to enable ping response on IBM QRadar SIEM.


koromicha