Hello QRadar experts,

I want to implement HA in two different sites. One at my Production site, and the other at DR.

What are the steps required to set this up? 

- What latency should i consider?
- What bandwith can i use to achieve this? the distance between sites are 1.5km
- Where will the HA activation key be applied, Secondary or Primary?
- If set up, when the primary fails, how does the VIP moves to the secondary? 
- when the primary fails, how does the log sources send traffic to the secondary? should i set up network connectivity between log sources and secondary appliance?

Thanks Expert, i want to hear from you

------------------------------
benjamin Nworah
------------------------------

- Where will the HA activation key be applied, Secondary or Primary?

The license key for the SIEM license is sufficient. We no longer use activation keys as of v7.3.0, so assuming you've installed the deployment on a version on v7.3.0 or higher, you can simply add the HA host(s) through the User Interface and this will set the host with a perpetual expiration date.

- If set up, when the primary fails, how does the VIP moves to the secondary? 

When you setup HA , 3 IPs are in use , :
Pairing a primary host, secondary high-availability (HA) host, and a virtual IP address creates an HA cluster.
When the primary fails the secondary HA host assumes the responsibilities of the primary HA host and displays the Active status in the process assuming the Virtual IP Address.  So the IP address  you use to access the console remains the same which is the cluster IP



------------------------------
Innocent Mapanga
------------------------------

Original Message:
Sent: Sun December 13, 2020 01:46 AM
From: benjamin Nworah
Subject: HA Implementation between two sites

Hello QRadar experts,

I want to implement HA in two different sites. One at my Production site, and the other at DR.

What are the steps required to set this up? 

- What latency should i consider?
- What bandwith can i use to achieve this? the distance between sites are 1.5km
- Where will the HA activation key be applied, Secondary or Primary?
- If set up, when the primary fails, how does the VIP moves to the secondary? 
- when the primary fails, how does the log sources send traffic to the secondary? should i set up network connectivity between log sources and secondary appliance?

Thanks Expert, i want to hear from you

------------------------------
benjamin Nworah
------------------------------

Hello Benjamin,

Just a bit of a warning here.

HA support is between two appliances only. If physical appliances they need 100Mb LAN between them and RTT if not in the same rack is 2-5millisconds. Depending on the appliance, you will need OS bit-wise replication in place, which is usually a fibre connection (if you have physical appliances). For virtual appliances, the same SLAs apply.

HA of appliances between sites is not supported. If you try this, you are on your own without support.

Despite asking for this to be clearly documented by IBM over the last two years, HA is to support HA of the hardware only. It is not HA for the software - do ask your IBM rep to confirm this so you have an audit trail. 

Timings for HA ... if you do via the UI, HA takes between 2 and 5 minutes for active/standby to change state. For an HA appliance doing ingest, all traffic is dropped when fail-over happens. Uncontrolled fail-over (pulling the power on an active appliance) is a bit faster but still takes a few minutes.

In summary, HA-support it is not a great product and the problems with it are not public nor obvious.

If you need multi-site, look at the DR application and the data replication license would be needed. Although the DR app is a new product - caveat emptor.

There are some thoughts of using VMWare site-replication to provide more DR-like capability, but that is another topic and has different issues.

Kind regards,

------------------------------
Darren H.
------------------------------

Original Message:
Sent: Sun December 13, 2020 01:46 AM
From: benjamin Nworah
Subject: HA Implementation between two sites

Hello QRadar experts,

I want to implement HA in two different sites. One at my Production site, and the other at DR.

What are the steps required to set this up? 

- What latency should i consider?
- What bandwith can i use to achieve this? the distance between sites are 1.5km
- Where will the HA activation key be applied, Secondary or Primary?
- If set up, when the primary fails, how does the VIP moves to the secondary? 
- when the primary fails, how does the log sources send traffic to the secondary? should i set up network connectivity between log sources and secondary appliance?

Thanks Expert, i want to hear from you

------------------------------
benjamin Nworah
------------------------------

HI, I see some of the answers below and for what you are trying to achieve I believe the new Data Sync offering (just released this year) is perfect for you. If you want to PM me we can have a call to discuss the offering. Its a flavour of DR that is used to sync data between sites. The application is now on the app exchange.

------------------------------
SHANE LUNDY
------------------------------

Original Message:
Sent: Sun December 13, 2020 01:46 AM
From: benjamin Nworah
Subject: HA Implementation between two sites

Hello QRadar experts,

I want to implement HA in two different sites. One at my Production site, and the other at DR.

What are the steps required to set this up? 

- What latency should i consider?
- What bandwith can i use to achieve this? the distance between sites are 1.5km
- Where will the HA activation key be applied, Secondary or Primary?
- If set up, when the primary fails, how does the VIP moves to the secondary? 
- when the primary fails, how does the log sources send traffic to the secondary? should i set up network connectivity between log sources and secondary appliance?

Thanks Expert, i want to hear from you

------------------------------
benjamin Nworah
------------------------------

Hello Shane,

Thank you for the feedback.

My concern are these:-

• Can HA be deployed on two data centres without any latency issues, if Yes, can they be done with virtual appliances?
• What are license implications involved?

 

------------------------------
benjamin Nworah
------------------------------

Original Message:
Sent: Mon December 14, 2020 05:02 AM
From: SHANE LUNDY
Subject: HA Implementation between two sites

HI, I see some of the answers below and for what you are trying to achieve I believe the new Data Sync offering (just released this year) is perfect for you. If you want to PM me we can have a call to discuss the offering. Its a flavour of DR that is used to sync data between sites. The application is now on the app exchange.

------------------------------
SHANE LUNDY

Original Message:
Sent: Sun December 13, 2020 01:46 AM
From: benjamin Nworah
Subject: HA Implementation between two sites

Hello QRadar experts,

I want to implement HA in two different sites. One at my Production site, and the other at DR.

What are the steps required to set this up? 

- What latency should i consider?
- What bandwith can i use to achieve this? the distance between sites are 1.5km
- Where will the HA activation key be applied, Secondary or Primary?
- If set up, when the primary fails, how does the VIP moves to the secondary? 
- when the primary fails, how does the log sources send traffic to the secondary? should i set up network connectivity between log sources and secondary appliance?

Thanks Expert, i want to hear from you

------------------------------
benjamin Nworah
------------------------------

Original Message:
Sent: 12/14/2020 7:17:00 AM
From: benjamin Nworah
Subject: RE: HA Implementation between two sites

Hello Shane,

Thank you for the feedback.

My concern are these:-

• Can HA be deployed on two data centres without any latency issues, if Yes, can they be done with virtual appliances?
• What are license implications involved?

 

------------------------------
benjamin Nworah
------------------------------

Original Message:
Sent: Mon December 14, 2020 05:02 AM
From: SHANE LUNDY
Subject: HA Implementation between two sites

HI, I see some of the answers below and for what you are trying to achieve I believe the new Data Sync offering (just released this year) is perfect for you. If you want to PM me we can have a call to discuss the offering. Its a flavour of DR that is used to sync data between sites. The application is now on the app exchange.

------------------------------
SHANE LUNDY

Original Message:
Sent: Sun December 13, 2020 01:46 AM
From: benjamin Nworah
Subject: HA Implementation between two sites

Hello QRadar experts,

I want to implement HA in two different sites. One at my Production site, and the other at DR.

What are the steps required to set this up? 

- What latency should i consider?
- What bandwith can i use to achieve this? the distance between sites are 1.5km
- Where will the HA activation key be applied, Secondary or Primary?
- If set up, when the primary fails, how does the VIP moves to the secondary? 
- when the primary fails, how does the log sources send traffic to the secondary? should i set up network connectivity between log sources and secondary appliance?

Thanks Expert, i want to hear from you

------------------------------
benjamin Nworah
------------------------------

Hello,

Yes two different DCs with different subnets.

------------------------------
benjamin Nworah
------------------------------

Original Message:
Sent: Mon December 14, 2020 07:47 AM
From: SHANE LUNDY
Subject: HA Implementation between two sites

Hi, is this two separate data centres with different subnets?

 

 

thanks,
Shane
 

Shane Lundy IBM QRadar: Offering Manager

E-mail: Shane.lundy1@ibm.com	IBM House, Level 2 Shelbourne Road Dublin 4, D04 NP20 Ireland

 

Original Message:
Sent: 12/14/2020 7:17:00 AM
From: benjamin Nworah
Subject: RE: HA Implementation between two sites

Hello Shane,

Thank you for the feedback.

My concern are these:-

• Can HA be deployed on two data centres without any latency issues, if Yes, can they be done with virtual appliances?
• What are license implications involved?

 

------------------------------
benjamin Nworah

Original Message:
Sent: Mon December 14, 2020 05:02 AM
From: SHANE LUNDY
Subject: HA Implementation between two sites

HI, I see some of the answers below and for what you are trying to achieve I believe the new Data Sync offering (just released this year) is perfect for you. If you want to PM me we can have a call to discuss the offering. Its a flavour of DR that is used to sync data between sites. The application is now on the app exchange.

------------------------------
SHANE LUNDY

Original Message:
Sent: Sun December 13, 2020 01:46 AM
From: benjamin Nworah
Subject: HA Implementation between two sites

Hello QRadar experts,

I want to implement HA in two different sites. One at my Production site, and the other at DR.

What are the steps required to set this up? 

- What latency should i consider?
- What bandwith can i use to achieve this? the distance between sites are 1.5km
- Where will the HA activation key be applied, Secondary or Primary?
- If set up, when the primary fails, how does the VIP moves to the secondary? 
- when the primary fails, how does the log sources send traffic to the secondary? should i set up network connectivity between log sources and secondary appliance?

Thanks Expert, i want to hear from you

------------------------------
benjamin Nworah
------------------------------

Hi, Benjamin, 

with two subnets you can unfortunately not do HA. With HA, the VIP switches between the two appliances. This only works if both appliances are in the same subnet.

By the way, the Data Sync App is unfortunately not yet fully developed. We are currently testing the app as part of a bachelor thesis. A major limitation that I do not understand is, for example, that you need one DR appliance per appliance in the deployment. That means for my event collector, which is located in another site, I also need a second DR appliance (no matter where).

If you just just have a All-in-One appliance it works quite well, but here too, event forwarding still has to be solved manually. For example, by changing the DNS entry for QRadar from the main appliance to the DR appliance.

The fail back also works with the All-In-One.

Never the less the Data Sync app already works, in my opinion, much better than QRadar DR currently does.

------------------------------
Kind regards
Oliver
------------------------------

Original Message:
Sent: Mon December 14, 2020 08:07 AM
From: benjamin Nworah
Subject: HA Implementation between two sites

Hello,

Yes two different DCs with different subnets.

------------------------------
benjamin Nworah

Original Message:
Sent: Mon December 14, 2020 07:47 AM
From: SHANE LUNDY
Subject: HA Implementation between two sites

Hi, is this two separate data centres with different subnets?

 

 

thanks,
Shane
 

Shane Lundy IBM QRadar: Offering Manager

E-mail: Shane.lundy1@ibm.com	IBM House, Level 2 Shelbourne Road Dublin 4, D04 NP20 Ireland

 

Original Message:
Sent: 12/14/2020 7:17:00 AM
From: benjamin Nworah
Subject: RE: HA Implementation between two sites

Hello Shane,

Thank you for the feedback.

My concern are these:-

• Can HA be deployed on two data centres without any latency issues, if Yes, can they be done with virtual appliances?
• What are license implications involved?

 

------------------------------
benjamin Nworah

Original Message:
Sent: Mon December 14, 2020 05:02 AM
From: SHANE LUNDY
Subject: HA Implementation between two sites

HI, I see some of the answers below and for what you are trying to achieve I believe the new Data Sync offering (just released this year) is perfect for you. If you want to PM me we can have a call to discuss the offering. Its a flavour of DR that is used to sync data between sites. The application is now on the app exchange.

------------------------------
SHANE LUNDY

Original Message:
Sent: Sun December 13, 2020 01:46 AM
From: benjamin Nworah
Subject: HA Implementation between two sites

Hello QRadar experts,

I want to implement HA in two different sites. One at my Production site, and the other at DR.

What are the steps required to set this up? 

- What latency should i consider?
- What bandwith can i use to achieve this? the distance between sites are 1.5km
- Where will the HA activation key be applied, Secondary or Primary?
- If set up, when the primary fails, how does the VIP moves to the secondary? 
- when the primary fails, how does the log sources send traffic to the secondary? should i set up network connectivity between log sources and secondary appliance?

Thanks Expert, i want to hear from you

------------------------------
benjamin Nworah
------------------------------

Hello Oliver,

Thank you for the feedback. 

I was thinking setting up an IPSec tunnel or any WAN technologies to connect the two distinct subnets. The issue is that the distance between these two sites is 29.3km approximately.

I am thinking what will be the bandwidth and latency to allow an automatic fail-over between the Primary appliance and the secondary appliance.

Also, i want to setup a virtual appliance as the secondary node, what are the requirements to consider?. from the qradar_ha_guide i see that the storage has to be the same between appliances, the combined size of the /store and /transient partitions on the secondary host must be equal to or
larger than the /store partition on the primary host., the secondary host must use the same management interface as the primary HA host. If the primary HA host uses ens192, for example, as the management interface, the secondary HA host must also use ens192. and lastly the number of physical interfaces have to match between appliances.

Lastly does the secondary node require any license.? from the qradar_ha_guide_v7.3.2, i see the below lines. For my case i purchased  DIRSOLL (IBM QRadar High Availability Software Install License + SW Subscription & Support 12 Months), what does this license stands for, and where will it be applied (primary or secondary)?
:

------------------------------
benjamin Nworah
------------------------------

Original Message:
Sent: Tue December 15, 2020 03:36 AM
From: Oliver Braun
Subject: HA Implementation between two sites

Hi, Benjamin, 

with two subnets you can unfortunately not do HA. With HA, the VIP switches between the two appliances. This only works if both appliances are in the same subnet.

By the way, the Data Sync App is unfortunately not yet fully developed. We are currently testing the app as part of a bachelor thesis. A major limitation that I do not understand is, for example, that you need one DR appliance per appliance in the deployment. That means for my event collector, which is located in another site, I also need a second DR appliance (no matter where).

If you just just have a All-in-One appliance it works quite well, but here too, event forwarding still has to be solved manually. For example, by changing the DNS entry for QRadar from the main appliance to the DR appliance.

The fail back also works with the All-In-One.

Never the less the Data Sync app already works, in my opinion, much better than QRadar DR currently does.

------------------------------
Kind regards
Oliver

Original Message:
Sent: Mon December 14, 2020 08:07 AM
From: benjamin Nworah
Subject: HA Implementation between two sites

Hello,

Yes two different DCs with different subnets.

------------------------------
benjamin Nworah

Original Message:
Sent: Mon December 14, 2020 07:47 AM
From: SHANE LUNDY
Subject: HA Implementation between two sites

Hi, is this two separate data centres with different subnets?

 

 

thanks,
Shane
 

Shane Lundy IBM QRadar: Offering Manager

E-mail: Shane.lundy1@ibm.com	IBM House, Level 2 Shelbourne Road Dublin 4, D04 NP20 Ireland

 

Original Message:
Sent: 12/14/2020 7:17:00 AM
From: benjamin Nworah
Subject: RE: HA Implementation between two sites

Hello Shane,

Thank you for the feedback.

My concern are these:-

• Can HA be deployed on two data centres without any latency issues, if Yes, can they be done with virtual appliances?
• What are license implications involved?

 

------------------------------
benjamin Nworah

Original Message:
Sent: Mon December 14, 2020 05:02 AM
From: SHANE LUNDY
Subject: HA Implementation between two sites

HI, I see some of the answers below and for what you are trying to achieve I believe the new Data Sync offering (just released this year) is perfect for you. If you want to PM me we can have a call to discuss the offering. Its a flavour of DR that is used to sync data between sites. The application is now on the app exchange.

------------------------------
SHANE LUNDY

Original Message:
Sent: Sun December 13, 2020 01:46 AM
From: benjamin Nworah
Subject: HA Implementation between two sites

Hello QRadar experts,

I want to implement HA in two different sites. One at my Production site, and the other at DR.

What are the steps required to set this up? 

- What latency should i consider?
- What bandwith can i use to achieve this? the distance between sites are 1.5km
- Where will the HA activation key be applied, Secondary or Primary?
- If set up, when the primary fails, how does the VIP moves to the secondary? 
- when the primary fails, how does the log sources send traffic to the secondary? should i set up network connectivity between log sources and secondary appliance?

Thanks Expert, i want to hear from you

------------------------------
benjamin Nworah
------------------------------

Hi Benjamin,

I'd recommend splitting the HA part of what you are trying to do from DR (BCDR).

As per previous posts, HA in IBM's terms, is only to protect in the event of appliance [hardware] failure. HA is not supported outside a particular site due to the minimal latency requirement, which will be difficult to achieve over 29.3Km due to laws of physics. The model is also not supported by IBM, if you need support from IBM.

DR app, which is what Shane and Oliver refer to, is an application that requires both sites to be identical, data to be synchronised between them, is not automatic (you have to press a button to confirm) and also has fail-over time. It is as Oliver says, much better than anything before (DR is not possible in previous versions without IBM PS), but it is not automatic nor magically seamless.

QRadar is an enterprise application and was never designed for for DR (all those years ago), which is why the DR app and data sync now exists.

To avoid difficulty, I'd recommend reviewing the DR app and reviewing the time to recover budget for this approach.

What is your SLA for doing these activities by the way? - this will affect the time-to-recover target and what approach is worth taking (cost versus time versus complexity versus supportability).


------------------------------
Darren H.
------------------------------

Original Message:
Sent: Tue December 15, 2020 03:53 AM
From: benjamin Nworah
Subject: HA Implementation between two sites

Hello Oliver,

Thank you for the feedback. 

I was thinking setting up an IPSec tunnel or any WAN technologies to connect the two distinct subnets. The issue is that the distance between these two sites is 29.3km approximately.

I am thinking what will be the bandwidth and latency to allow an automatic fail-over between the Primary appliance and the secondary appliance.

Also, i want to setup a virtual appliance as the secondary node, what are the requirements to consider?. from the qradar_ha_guide i see that the storage has to be the same between appliances, the combined size of the /store and /transient partitions on the secondary host must be equal to or
larger than the /store partition on the primary host., the secondary host must use the same management interface as the primary HA host. If the primary HA host uses ens192, for example, as the management interface, the secondary HA host must also use ens192. and lastly the number of physical interfaces have to match between appliances.

Lastly does the secondary node require any license.? from the qradar_ha_guide_v7.3.2, i see the below lines. For my case i purchased  DIRSOLL (IBM QRadar High Availability Software Install License + SW Subscription & Support 12 Months), what does this license stands for, and where will it be applied (primary or secondary)?
:

Configuring the cluster

              Use the HA wizard to configure the primary host, secondary host, and cluster virtual IP address.
              The following items are validated when you configure by using the HA wizard:
                      The secondary HA host has a valid HA activation key. (is this the DIRSOLL mentioned above?)

------------------------------
benjamin Nworah

Original Message:
Sent: Tue December 15, 2020 03:36 AM
From: Oliver Braun
Subject: HA Implementation between two sites

Hi, Benjamin, 

with two subnets you can unfortunately not do HA. With HA, the VIP switches between the two appliances. This only works if both appliances are in the same subnet.

By the way, the Data Sync App is unfortunately not yet fully developed. We are currently testing the app as part of a bachelor thesis. A major limitation that I do not understand is, for example, that you need one DR appliance per appliance in the deployment. That means for my event collector, which is located in another site, I also need a second DR appliance (no matter where).

If you just just have a All-in-One appliance it works quite well, but here too, event forwarding still has to be solved manually. For example, by changing the DNS entry for QRadar from the main appliance to the DR appliance.

The fail back also works with the All-In-One.

Never the less the Data Sync app already works, in my opinion, much better than QRadar DR currently does.

------------------------------
Kind regards
Oliver

Original Message:
Sent: Mon December 14, 2020 08:07 AM
From: benjamin Nworah
Subject: HA Implementation between two sites

Hello,

Yes two different DCs with different subnets.

------------------------------
benjamin Nworah

Original Message:
Sent: Mon December 14, 2020 07:47 AM
From: SHANE LUNDY
Subject: HA Implementation between two sites

Hi, is this two separate data centres with different subnets?

 

 

thanks,
Shane
 

Shane Lundy IBM QRadar: Offering Manager

E-mail: Shane.lundy1@ibm.com	IBM House, Level 2 Shelbourne Road Dublin 4, D04 NP20 Ireland

 

Original Message:
Sent: 12/14/2020 7:17:00 AM
From: benjamin Nworah
Subject: RE: HA Implementation between two sites

Hello Shane,

Thank you for the feedback.

My concern are these:-

• Can HA be deployed on two data centres without any latency issues, if Yes, can they be done with virtual appliances?
• What are license implications involved?

 

------------------------------
benjamin Nworah

Original Message:
Sent: Mon December 14, 2020 05:02 AM
From: SHANE LUNDY
Subject: HA Implementation between two sites

HI, I see some of the answers below and for what you are trying to achieve I believe the new Data Sync offering (just released this year) is perfect for you. If you want to PM me we can have a call to discuss the offering. Its a flavour of DR that is used to sync data between sites. The application is now on the app exchange.

------------------------------
SHANE LUNDY

Original Message:
Sent: Sun December 13, 2020 01:46 AM
From: benjamin Nworah
Subject: HA Implementation between two sites

Hello QRadar experts,

I want to implement HA in two different sites. One at my Production site, and the other at DR.

What are the steps required to set this up? 

- What latency should i consider?
- What bandwith can i use to achieve this? the distance between sites are 1.5km
- Where will the HA activation key be applied, Secondary or Primary?
- If set up, when the primary fails, how does the VIP moves to the secondary? 
- when the primary fails, how does the log sources send traffic to the secondary? should i set up network connectivity between log sources and secondary appliance?

Thanks Expert, i want to hear from you

------------------------------
benjamin Nworah
------------------------------

Hi Darren, I'd like to just clear up what you mentioned above a little
"data to be synchronised between them" is automatic (events, flows and config)
and as you mentioned above moving from the main site to the DR site is a manual process within the application itself. 

------------------------------
SHANE LUNDY
------------------------------

Original Message:
Sent: Tue December 15, 2020 04:20 AM
From: Darren H.
Subject: HA Implementation between two sites

Hi Benjamin,

I'd recommend splitting the HA part of what you are trying to do from DR (BCDR).

As per previous posts, HA in IBM's terms, is only to protect in the event of appliance [hardware] failure. HA is not supported outside a particular site due to the minimal latency requirement, which will be difficult to achieve over 29.3Km due to laws of physics. The model is also not supported by IBM, if you need support from IBM.

DR app, which is what Shane and Oliver refer to, is an application that requires both sites to be identical, data to be synchronised between them, is not automatic (you have to press a button to confirm) and also has fail-over time. It is as Oliver says, much better than anything before (DR is not possible in previous versions without IBM PS), but it is not automatic nor magically seamless.

QRadar is an enterprise application and was never designed for for DR (all those years ago), which is why the DR app and data sync now exists.

To avoid difficulty, I'd recommend reviewing the DR app and reviewing the time to recover budget for this approach.

What is your SLA for doing these activities by the way? - this will affect the time-to-recover target and what approach is worth taking (cost versus time versus complexity versus supportability).


------------------------------
Darren H.

Original Message:
Sent: Tue December 15, 2020 03:53 AM
From: benjamin Nworah
Subject: HA Implementation between two sites

Hello Oliver,

Thank you for the feedback. 

I was thinking setting up an IPSec tunnel or any WAN technologies to connect the two distinct subnets. The issue is that the distance between these two sites is 29.3km approximately.

I am thinking what will be the bandwidth and latency to allow an automatic fail-over between the Primary appliance and the secondary appliance.

Also, i want to setup a virtual appliance as the secondary node, what are the requirements to consider?. from the qradar_ha_guide i see that the storage has to be the same between appliances, the combined size of the /store and /transient partitions on the secondary host must be equal to or
larger than the /store partition on the primary host., the secondary host must use the same management interface as the primary HA host. If the primary HA host uses ens192, for example, as the management interface, the secondary HA host must also use ens192. and lastly the number of physical interfaces have to match between appliances.

Lastly does the secondary node require any license.? from the qradar_ha_guide_v7.3.2, i see the below lines. For my case i purchased  DIRSOLL (IBM QRadar High Availability Software Install License + SW Subscription & Support 12 Months), what does this license stands for, and where will it be applied (primary or secondary)?
:

Configuring the cluster

              Use the HA wizard to configure the primary host, secondary host, and cluster virtual IP address.
              The following items are validated when you configure by using the HA wizard:
                      The secondary HA host has a valid HA activation key. (is this the DIRSOLL mentioned above?)

------------------------------
benjamin Nworah

Original Message:
Sent: Tue December 15, 2020 03:36 AM
From: Oliver Braun
Subject: HA Implementation between two sites

Hi, Benjamin, 

with two subnets you can unfortunately not do HA. With HA, the VIP switches between the two appliances. This only works if both appliances are in the same subnet.

By the way, the Data Sync App is unfortunately not yet fully developed. We are currently testing the app as part of a bachelor thesis. A major limitation that I do not understand is, for example, that you need one DR appliance per appliance in the deployment. That means for my event collector, which is located in another site, I also need a second DR appliance (no matter where).

If you just just have a All-in-One appliance it works quite well, but here too, event forwarding still has to be solved manually. For example, by changing the DNS entry for QRadar from the main appliance to the DR appliance.

The fail back also works with the All-In-One.

Never the less the Data Sync app already works, in my opinion, much better than QRadar DR currently does.

------------------------------
Kind regards
Oliver

Original Message:
Sent: Mon December 14, 2020 08:07 AM
From: benjamin Nworah
Subject: HA Implementation between two sites

Hello,

Yes two different DCs with different subnets.

------------------------------
benjamin Nworah

Original Message:
Sent: Mon December 14, 2020 07:47 AM
From: SHANE LUNDY
Subject: HA Implementation between two sites

Hi, is this two separate data centres with different subnets?

 

 

thanks,
Shane
 

Shane Lundy IBM QRadar: Offering Manager

E-mail: Shane.lundy1@ibm.com	IBM House, Level 2 Shelbourne Road Dublin 4, D04 NP20 Ireland

 

Original Message:
Sent: 12/14/2020 7:17:00 AM
From: benjamin Nworah
Subject: RE: HA Implementation between two sites

Hello Shane,

Thank you for the feedback.

My concern are these:-

• Can HA be deployed on two data centres without any latency issues, if Yes, can they be done with virtual appliances?
• What are license implications involved?

 

------------------------------
benjamin Nworah

Original Message:
Sent: Mon December 14, 2020 05:02 AM
From: SHANE LUNDY
Subject: HA Implementation between two sites

HI, I see some of the answers below and for what you are trying to achieve I believe the new Data Sync offering (just released this year) is perfect for you. If you want to PM me we can have a call to discuss the offering. Its a flavour of DR that is used to sync data between sites. The application is now on the app exchange.

------------------------------
SHANE LUNDY

Original Message:
Sent: Sun December 13, 2020 01:46 AM
From: benjamin Nworah
Subject: HA Implementation between two sites

Hello QRadar experts,

I want to implement HA in two different sites. One at my Production site, and the other at DR.

What are the steps required to set this up? 

- What latency should i consider?
- What bandwith can i use to achieve this? the distance between sites are 1.5km
- Where will the HA activation key be applied, Secondary or Primary?
- If set up, when the primary fails, how does the VIP moves to the secondary? 
- when the primary fails, how does the log sources send traffic to the secondary? should i set up network connectivity between log sources and secondary appliance?

Thanks Expert, i want to hear from you

------------------------------
benjamin Nworah
------------------------------

Hi Benjamin,

you just need to have the DR license and to show it, when you have a license audit by IBM. The license is not applied on any appliance. And there are no more activation keys. I guess your documentation is from 7.2.7 or before.

------------------------------
Kind regards
Oliver
------------------------------

Original Message:
Sent: Tue December 15, 2020 03:53 AM
From: benjamin Nworah
Subject: HA Implementation between two sites

Hello Oliver,

Thank you for the feedback. 

I was thinking setting up an IPSec tunnel or any WAN technologies to connect the two distinct subnets. The issue is that the distance between these two sites is 29.3km approximately.

I am thinking what will be the bandwidth and latency to allow an automatic fail-over between the Primary appliance and the secondary appliance.

Also, i want to setup a virtual appliance as the secondary node, what are the requirements to consider?. from the qradar_ha_guide i see that the storage has to be the same between appliances, the combined size of the /store and /transient partitions on the secondary host must be equal to or
larger than the /store partition on the primary host., the secondary host must use the same management interface as the primary HA host. If the primary HA host uses ens192, for example, as the management interface, the secondary HA host must also use ens192. and lastly the number of physical interfaces have to match between appliances.

Lastly does the secondary node require any license.? from the qradar_ha_guide_v7.3.2, i see the below lines. For my case i purchased  DIRSOLL (IBM QRadar High Availability Software Install License + SW Subscription & Support 12 Months), what does this license stands for, and where will it be applied (primary or secondary)?
:

Configuring the cluster

              Use the HA wizard to configure the primary host, secondary host, and cluster virtual IP address.
              The following items are validated when you configure by using the HA wizard:
                      The secondary HA host has a valid HA activation key. (is this the DIRSOLL mentioned above?)

------------------------------
benjamin Nworah

Original Message:
Sent: Tue December 15, 2020 03:36 AM
From: Oliver Braun
Subject: HA Implementation between two sites

Hi, Benjamin, 

with two subnets you can unfortunately not do HA. With HA, the VIP switches between the two appliances. This only works if both appliances are in the same subnet.

By the way, the Data Sync App is unfortunately not yet fully developed. We are currently testing the app as part of a bachelor thesis. A major limitation that I do not understand is, for example, that you need one DR appliance per appliance in the deployment. That means for my event collector, which is located in another site, I also need a second DR appliance (no matter where).

If you just just have a All-in-One appliance it works quite well, but here too, event forwarding still has to be solved manually. For example, by changing the DNS entry for QRadar from the main appliance to the DR appliance.

The fail back also works with the All-In-One.

Never the less the Data Sync app already works, in my opinion, much better than QRadar DR currently does.

------------------------------
Kind regards
Oliver

Original Message:
Sent: Mon December 14, 2020 08:07 AM
From: benjamin Nworah
Subject: HA Implementation between two sites

Hello,

Yes two different DCs with different subnets.

------------------------------
benjamin Nworah

Original Message:
Sent: Mon December 14, 2020 07:47 AM
From: SHANE LUNDY
Subject: HA Implementation between two sites

Hi, is this two separate data centres with different subnets?

 

 

thanks,
Shane
 

Shane Lundy IBM QRadar: Offering Manager

E-mail: Shane.lundy1@ibm.com	IBM House, Level 2 Shelbourne Road Dublin 4, D04 NP20 Ireland

 

Original Message:
Sent: 12/14/2020 7:17:00 AM
From: benjamin Nworah
Subject: RE: HA Implementation between two sites

Hello Shane,

Thank you for the feedback.

My concern are these:-

• Can HA be deployed on two data centres without any latency issues, if Yes, can they be done with virtual appliances?
• What are license implications involved?

 

------------------------------
benjamin Nworah

Original Message:
Sent: Mon December 14, 2020 05:02 AM
From: SHANE LUNDY
Subject: HA Implementation between two sites

HI, I see some of the answers below and for what you are trying to achieve I believe the new Data Sync offering (just released this year) is perfect for you. If you want to PM me we can have a call to discuss the offering. Its a flavour of DR that is used to sync data between sites. The application is now on the app exchange.

------------------------------
SHANE LUNDY

Original Message:
Sent: Sun December 13, 2020 01:46 AM
From: benjamin Nworah
Subject: HA Implementation between two sites

Hello QRadar experts,

I want to implement HA in two different sites. One at my Production site, and the other at DR.

What are the steps required to set this up? 

- What latency should i consider?
- What bandwith can i use to achieve this? the distance between sites are 1.5km
- Where will the HA activation key be applied, Secondary or Primary?
- If set up, when the primary fails, how does the VIP moves to the secondary? 
- when the primary fails, how does the log sources send traffic to the secondary? should i set up network connectivity between log sources and secondary appliance?

Thanks Expert, i want to hear from you

------------------------------
benjamin Nworah
------------------------------

Hi Oliver, just to let you know that the 1:1 mapping required for Event Collectors will not be the case in version 2.1 of the app which will be delivered in Q1 2021. Thanks

------------------------------
SHANE LUNDY
------------------------------

Original Message:
Sent: Tue December 15, 2020 03:36 AM
From: Oliver Braun
Subject: HA Implementation between two sites

Hi, Benjamin, 

with two subnets you can unfortunately not do HA. With HA, the VIP switches between the two appliances. This only works if both appliances are in the same subnet.

By the way, the Data Sync App is unfortunately not yet fully developed. We are currently testing the app as part of a bachelor thesis. A major limitation that I do not understand is, for example, that you need one DR appliance per appliance in the deployment. That means for my event collector, which is located in another site, I also need a second DR appliance (no matter where).

If you just just have a All-in-One appliance it works quite well, but here too, event forwarding still has to be solved manually. For example, by changing the DNS entry for QRadar from the main appliance to the DR appliance.

The fail back also works with the All-In-One.

Never the less the Data Sync app already works, in my opinion, much better than QRadar DR currently does.

------------------------------
Kind regards
Oliver

Original Message:
Sent: Mon December 14, 2020 08:07 AM
From: benjamin Nworah
Subject: HA Implementation between two sites

Hello,

Yes two different DCs with different subnets.

------------------------------
benjamin Nworah

Original Message:
Sent: Mon December 14, 2020 07:47 AM
From: SHANE LUNDY
Subject: HA Implementation between two sites

Hi, is this two separate data centres with different subnets?

 

 

thanks,
Shane
 

Shane Lundy IBM QRadar: Offering Manager

E-mail: Shane.lundy1@ibm.com	IBM House, Level 2 Shelbourne Road Dublin 4, D04 NP20 Ireland

 

Original Message:
Sent: 12/14/2020 7:17:00 AM
From: benjamin Nworah
Subject: RE: HA Implementation between two sites

Hello Shane,

Thank you for the feedback.

My concern are these:-

• Can HA be deployed on two data centres without any latency issues, if Yes, can they be done with virtual appliances?
• What are license implications involved?

 

------------------------------
benjamin Nworah

Original Message:
Sent: Mon December 14, 2020 05:02 AM
From: SHANE LUNDY
Subject: HA Implementation between two sites

HI, I see some of the answers below and for what you are trying to achieve I believe the new Data Sync offering (just released this year) is perfect for you. If you want to PM me we can have a call to discuss the offering. Its a flavour of DR that is used to sync data between sites. The application is now on the app exchange.

------------------------------
SHANE LUNDY

Original Message:
Sent: Sun December 13, 2020 01:46 AM
From: benjamin Nworah
Subject: HA Implementation between two sites

Hello QRadar experts,

I want to implement HA in two different sites. One at my Production site, and the other at DR.

What are the steps required to set this up? 

- What latency should i consider?
- What bandwith can i use to achieve this? the distance between sites are 1.5km
- Where will the HA activation key be applied, Secondary or Primary?
- If set up, when the primary fails, how does the VIP moves to the secondary? 
- when the primary fails, how does the log sources send traffic to the secondary? should i set up network connectivity between log sources and secondary appliance?

Thanks Expert, i want to hear from you

------------------------------
benjamin Nworah
------------------------------