Hello Igor,
there are several options to handle flow information with QRadar. I'll try to give you a simple answer to your questions:
If you want to monitor a vswitch in an ESX environment with your QRadar VM, which is connected to this vswitch with one interface, this vswitch needs to be set to promiscuous mode to handle the flows of this vswitch.
In the case of handling flows from Cisco devices, one way could be just to forward the flows from the Cisco device to QRadar. If you use an AiO (All-In-One) QRadar deployment, it's the IP of the AiO. If you use a managed host deployment, for example console, FP (Flow Processor), EP (Event Processor), etc., you should use the IP of the FP host in this case, for example...
Hope this helps.
Regards,
Ralph
------------------------------
Ralph Belfiore
SIEM Expert
pro4bizz GmbH
Karlsruhe
+49 721 90981727
------------------------------
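As an added illustration (not part of Ralph's or Igor's posts), here is a small parser for NetFlow v5 datagrams, the classic Cisco flow-export format. It shows the point behind the two options above: an exported flow arrives as a unicast UDP datagram addressed to the collector's own IP (the AiO or FP host), so no promiscuous mode is involved, whereas monitoring a vswitch means capturing raw packets and does need it. The sample datagram, its addresses and counters are constructed for the example.

```python
"""Parse a NetFlow v5 export datagram (the classic Cisco flow format).

Constructed sample: one datagram carrying two flow records, built with
struct.pack so the example runs offline. An exported flow like this is a
normal UDP datagram sent to the collector's IP; only raw capture off a
vSwitch would require promiscuous mode.
"""
import struct
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record


def parse_netflow_v5(datagram: bytes) -> list[dict]:
    """Return one dict per flow record; raise ValueError on malformed input."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError(f"header announces {count} records but datagram is truncated")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return flows


def build_sample() -> bytes:
    """Constructed datagram with two flows; not captured from a real device."""
    def rec(src, dst, pkts, octets, sport, dport, proto):
        return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                           IPv4Address("0.0.0.0").packed, 1, 2, pkts, octets,
                           1000, 2000, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    # version 5, 2 records, uptime, unix secs, nsecs, sequence, engine type/id, sampling
    header = HEADER.pack(5, 2, 123456, 1_619_170_000, 0, 7, 0, 0, 0)
    return (header
            + rec("10.0.0.5", "192.0.2.10", 12, 4800, 51000, 443, 6)
            + rec("10.0.0.7", "192.0.2.53", 1, 76, 40000, 53, 17))


if __name__ == "__main__":
    for flow in parse_netflow_v5(build_sample()):
        print(flow)
```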
Original Message:
Sent: Fri April 23, 2021 10:09 AM
From: Igor Volkov
Subject: QRadar network flows and interfaces
Hello.
We want to handle network flows from Cisco devices with QRadar. QRadar will be installed as a VMware ESXi virtual machine. We plan to separate the management interface that is used to manage QRadar via its GUI from the interface that network flows will be sent to. As far as I understand, the QRadar network interface that is responsible for handling network flows should be set to promiscuous mode. Am I right? Or is QRadar able to handle flows even when this interface isn't in promiscuous mode?
------------------------------
Igor Volkov
------------------------------