
Configure IBM QRadar Data Synchronization app using NATed (Public IP) at Main site and the Destination Site

By Nitin Sarode posted Sat November 09, 2024 01:51 AM

  

IBM QRadar Data Synchronization app

The QRadar Data Synchronization app mirrors your data to another identical system. When you have two identical QRadar systems in separate geographic environments that mirror each other, configurations and data can be maintained. Data is collected at both sites, ensuring operations can continue to function as normally as possible in scenarios when your main site fails.

QRadar Data Synchronization forwards live data, such as flows and events from the main site's QRadar system to a parallel destination site. You can set up data synchronization with deployments in different geographical locations.

To use the QRadar Data Synchronization app, the main site and destination site deployments must be running QRadar 7.4.0 Fix Pack 3 or later. The destination site must be a fully duplicated deployment (1:1 host ratio) for hosts that contain or collect Ariel (event and flow) data. This includes Event Processors, Flow Processors, All-in-one Event Processors and Flow Processors, Event Collectors, Flow Collectors, consoles, and data nodes. However, QRadar Risk Manager, QRadar Vulnerability Manager, QRadar Incident Forensics, QRadar Network Insights, and QRadar App Host do not require 1:1 mapping.

A high-availability (HA) cluster is considered one host and the Data Synchronization app supports an HA cluster that is paired with a non-HA host.

See the support document for more about the supported environments for the QRadar Data Synchronization app.


Note: Currently the Data Synchronization app does not support NAT between the DC and DR deployments.
You can vote for the idea here
for this feature to be incorporated in a future DC DR application release.
If you need any assistance, please comment on this blog.


In this blog, we implement the Data Synchronization app in a setup where there is NAT between the DC and DR sites, so that managed hosts from the DC console communicate with managed hosts on the DR console over public IP.

Here is the supported Data Synchronization Application Architecture:

Here is the Unsupported Data Synchronization app Architecture where there is NAT between DC and DR.

 

Implementation Steps:

Configuration of Data Synchronization app with NATed (Public) IP:

  1. Install the Data Synchronization app on the Main and the Destination Site consoles, either by using the assistance app or by downloading it from the Data Synchronization App page on IBM X-Force Exchange and installing it with Extension Management.
  2. Create a security token using Authorized Services (Admin -> User Management -> Authorized Services -> Add) on the Main and the Destination Site respectively.
  3. Copy and save the key on your local system; it is displayed only once.

  4. Open the Data Sync app on the DC console and click Configure Main Site. Enter the NATed (public) IP of the Destination Site and enter the security tokens of the Main and Destination Site respectively to authorize.

  5. Enable Ariel Data Synchronization.

  6. Select the Ariel Data Sync start date, select the frequency, enable automatic configuration backup transfer, and enable automatic configuration backup restore.

  7. Enable automatic deployment after restoring.

  8. Select the day of the week to restore the configuration backup and set the time to restore it. (At that time, the copied configuration backup will be restored at the destination site.)

  9. Set the default bandwidth between the main site and the destination site, and test the connection by clicking Connection test.

  10. Click Finish. You will see the list of devices, with private IPs, at the Main site to pair with the Destination Site.

  11. Log in to the destination site, enter the public IP of the Main site and the respective authorized service tokens, test the connection by clicking Connection test, and click Finish.

  12. You will see the list of devices, with private IPs, at the Destination site to pair with the Main Site.

  13. Deploy the changes on both the Main site and the Destination site.

  14. After this point, we need to modify the Data Synchronization app database so that Ariel sync connects through the public IP. Connect to the application container using the command below. Run it on the console or on the App Host, depending on where the app is running.
Connect to the Data Synchronization app container from the App Host. Refer to the link on how to find the app ID here.

/opt/qradar/support/recon connect <App_ID>

  15. Connect to the SQLite database and list the hosts of the main site and the DR site.

sqlite3 /opt/app-root/store/mystore.db
select * from mainsite;
select * from drsite;

  16. Update the private IPs of the console and the managed hosts to their public IPs.

update mainsite set ip='<Public IP of MAIN SITE>' where id=<host_id>;
update drsite set ip='<Public IP of DR SITE>' where id=<host_id>;

17.  Repeat the same steps on the Destination site by logging into the destination app host.

  18. Perform device pairing from the Main site. This time you will see the NATed IP in the IP column when you open the Data Synchronization app. Select the Console check box -> click Pair -> select a paired device from the destination site -> click Pair.
You will be prompted to run commands on the specified hosts to copy SSH keys before synchronization between the paired hosts begins. Log in to the Main site and run the requested command with the Destination site NATed (public) IP.
Log in to the Destination site and run the requested command with the Main site NATed (public) IP, then click OK.

  19. You will see that the Main site devices are paired with the Destination Site devices using the NATed (public) IP.

  20. SSH to the main site and validate that the ariel_copy_profile table (destination_host_ip column) holds the public IP.
SSH to the DR site and validate that the ariel_copy_profile table (destination_host_ip column) holds the public IP.

psql -U qradar -c "select * from ariel_copy_profile;"
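
Steps 15 to 17 as a script, added here as an example that is not part of the original post or of IBM's tooling: it applies a private-to-public NAT mapping to the mainsite and drsite tables in one transaction and lists any rows that still hold an RFC 1918 address. Only the table names and the id and ip columns come from the steps above; the two-column schema, the function names and the sample addresses are assumptions.

```python
import ipaddress
import sqlite3

# Assumption: only the id and ip columns named in the post are modelled here;
# the real mystore.db tables may hold more columns, which are left untouched.
TABLES = ("mainsite", "drsite")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return any(addr in net for net in RFC1918)

def remap_site_ips(conn, nat_map):
    """Apply {private_ip: public_ip} to both tables in a single transaction."""
    for private, public in nat_map.items():  # validate before touching the DB
        if not is_rfc1918(private) or is_rfc1918(public):
            raise ValueError(f"bad NAT mapping {private} -> {public}")
    changes = []
    with conn:  # commits on success, rolls back if any statement fails
        for table in TABLES:  # fixed table names, never taken from input
            query = f"SELECT id, ip FROM {table} ORDER BY id"
            for host_id, ip in conn.execute(query).fetchall():
                if ip in nat_map:
                    conn.execute(f"UPDATE {table} SET ip = ? WHERE id = ?",
                                 (nat_map[ip], host_id))
                    changes.append((table, host_id, ip, nat_map[ip]))
    return changes

def remaining_private(conn):
    """Rows that still hold a private address after the update."""
    return [(table, host_id, ip)
            for table in TABLES
            for host_id, ip in conn.execute(
                f"SELECT id, ip FROM {table} ORDER BY id").fetchall()
            if is_rfc1918(ip)]

def build_sample_db():
    """Constructed stand-in for /opt/app-root/store/mystore.db."""
    conn = sqlite3.connect(":memory:")
    for table in TABLES:
        conn.execute(f"CREATE TABLE {table} (id INTEGER PRIMARY KEY, ip TEXT)")
    conn.executemany("INSERT INTO mainsite VALUES (?, ?)",
                     [(1, "10.10.1.5"), (2, "10.10.1.6")])
    conn.executemany("INSERT INTO drsite VALUES (?, ?)",
                     [(1, "10.20.1.5"), (2, "10.20.1.6")])
    conn.commit()
    return conn
```

To use it on the real store, copy /opt/app-root/store/mystore.db aside first and pass a sqlite3.connect() handle for that path in place of build_sample_db().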

For more information, see the FAQ:

https://www.ibm.com/support/pages/qradar-data-synchronization-app-faq

If you have any questions regarding any of the points mentioned above or want to discuss this further, feel free to get in touch with us:
Nitin N Sarode: nitin.sarode@ibm.com
Vishal Tangadkar : vishal.tangadkar1@ibm.com

Special thanks to Vishal Tangadkar (vishal.tangadkar1@ibm.com) for reviewing and approving this article.