How to Enable Ping response On IBM QRadar SIEM


In this tutorial, we are going to learn how to enable the ICMP ping response on QRadar SIEM.

So you have installed IBM QRadar SIEM and tried to verify its connectivity with the ping command, only to find that the ICMP echo requests are being dropped? This happens because, by default, QRadar SIEM drops all ICMP traffic received on its management interface and does not respond to echo requests. See the example ping below.

# ping 192.168.43.3
PING 192.168.43.3 (192.168.43.3) 56(84) bytes of data.
^C
--- 192.168.43.3 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7069ms

To allow ICMP ping responses on IBM QRadar, you have to adjust the firewall rules so that the appliance accepts and answers ICMP echo requests, as described in the procedure below.

1. Login to QRadar via SSH.

# ssh [email protected]

2. Make a backup of the existing firewall rules before making any changes.

# cp /opt/qradar/conf/iptables.pre /opt/qradar/conf/iptables.pre.bak

3. Edit the firewall rules configuration file and add the following lines to allow ICMP responses to all hosts.

# vim /opt/qradar/conf/iptables.pre
# Add these two lines
-A INPUT -i eth1 -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth1 -p icmp --icmp-type 0 -j ACCEPT

where eth1 is the QRadar management interface.

To allow ping responses only to specific hosts, restrict the source with the -s option, giving a host IP or a CIDR range, for instance:

-A INPUT -i {interface} -p icmp --icmp-type 8 -s host/cidr -j ACCEPT
-A INPUT -i {interface} -p icmp --icmp-type 0 -s host/cidr -j ACCEPT

4. Once the changes are made, reload the rules so that they take effect.

# /opt/qradar/bin/iptables_update.pl
PID=12069
>>> Shutting down existing firewall...

/tmp/iptables.12069/tmp/ip6tables.12069
>>> Beginning update...
Writing out rules for web access...

>>> IPTables update complete. Restarting firewall...

>>> Done!

>>> IP6Tables update complete. Restarting firewall...

Finished starting ipv6
>>> Done!

5. Ping your QRadar host to verify that it now responds to ICMP echo requests.

# ping 192.168.43.3 -c 3
PING 192.168.43.3 (192.168.43.3) 56(84) bytes of data.
64 bytes from 192.168.43.3: icmp_seq=1 ttl=64 time=0.370 ms
64 bytes from 192.168.43.3: icmp_seq=2 ttl=64 time=0.265 ms
64 bytes from 192.168.43.3: icmp_seq=3 ttl=64 time=0.599 ms

--- 192.168.43.3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2041ms
rtt min/avg/max/mdev = 0.265/0.411/0.599/0.140 ms
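The steps above (back up iptables.pre, append the two ICMP rules, optionally restricted to a source range) can be scripted so that they are repeatable and do not add duplicate rules on a second run. The following shell script is an added example and is not part of the original tutorial or of QRadar's own tooling; it assumes that /opt/qradar/conf/iptables.pre is a plain list of iptables rule lines in the form shown on this page, and the file path, interface name and source range are parameters. It only edits the file; reloading the rules with /opt/qradar/bin/iptables_update.pl is still a separate step, and restricting the source with a CIDR is the least-privilege option when only a few monitoring hosts need to reach the appliance.

```shell
#!/bin/sh
# Added example (not QRadar's own code): manage ICMP echo rules in a
# QRadar-style iptables.pre file. Assumes the file is a list of iptables
# rule lines like "-A INPUT -i eth1 -p icmp --icmp-type 8 -j ACCEPT".

# Default rule file; override with RULE_FILE=... in the environment.
RULE_FILE="${RULE_FILE:-/opt/qradar/conf/iptables.pre}"

# backup_rules <file>
# Copies <file> to <file>.bak.<epoch-seconds> and prints the backup path.
backup_rules() {
    bak="$1.bak.$(date +%s)"
    cp -- "$1" "$bak" || return 1
    printf '%s\n' "$bak"
}

# add_icmp_rules <file> <interface> [source_cidr]
# Appends ACCEPT rules for ICMP echo-request (type 8) and echo-reply
# (type 0) on <interface>, restricted to <source_cidr> when given.
# A rule that is already present (exact line match) is not appended
# again, so the function is safe to run repeatedly.
# Prints the number of rules actually added.
add_icmp_rules() {
    file=$1
    iface=$2
    src=${3:-}
    src_opt=""
    [ -n "$src" ] && src_opt=" -s $src"
    added=0
    for t in 8 0; do
        rule="-A INPUT -i $iface -p icmp --icmp-type $t$src_opt -j ACCEPT"
        # "--" stops grep from reading the leading "-A" as an option.
        if ! grep -Fxq -- "$rule" "$file"; then
            printf '%s\n' "$rule" >> "$file"
            added=$((added + 1))
        fi
    done
    printf '%s\n' "$added"
}

# count_icmp_rules <file> <interface>
# Prints how many ICMP ACCEPT rules exist for <interface>; useful as a
# quick check before reloading the firewall.
count_icmp_rules() {
    grep -c -- "-A INPUT -i $2 -p icmp .* -j ACCEPT" "$1" || true
}

# Typical use on the appliance (interface and source range are examples):
#   bak=$(backup_rules "$RULE_FILE")
#   add_icmp_rules "$RULE_FILE" eth1 192.168.43.0/24
#   count_icmp_rules "$RULE_FILE" eth1
#   /opt/qradar/bin/iptables_update.pl
```

Running add_icmp_rules a second time with the same arguments reports 0 rules added, which makes the script safe to include in a repeatable build or hardening checklist; the backup path printed by backup_rules is what you restore if the reload misbehaves.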

There you go: you can now ping QRadar and verify its connectivity from the hosts you allowed.
Stay connected for more tutorials on QRadar SIEM.
