Hello Martin,
The issue is similar to yours - we need to get data from remote devices (netflow) which are interconnected with some kind of site-to-site VPN, sharing addresses from one special segment. There are no more free physical interfaces on the appliance, so we cannot add an interface with an address from the required segment. On the QRadar physical appliance the ports are bonded and we don't have free ports anymore. Maybe the easiest way will be to buy an extra license for a node and to deploy a dedicated virtual collector. I don't see any other options, as obviously using more than one IP address on an interface is not documented and probably not supported.
For the routing - we have been in a situation where we were asked to use a dedicated address for management, another one for Internet access, a 3rd for collecting logs and a 4th for netflow. It was working with routing, but suddenly after an upgrade (about a year ago) we experienced issues with the routing and had to remove one of the dedicated ports/addresses. So especially for environments with a lot of network segments and sites, it will be really useful if there are more options for the routing used with physical appliances indeed.
regards,
Konstantin
------------------------------
Konstantin Tomanov
------------------------------
Original Message:
Sent: Thu June 17, 2021 12:09 PM
From: Martin Schmitt
Subject: Secondary (alias) address on QRadar interface
Hello,
This is an interesting question. I was also thinking about using 2 IPs. What is your use case? For me, I have 2 Cisco log sources (ISE and DNA Center) that allow only one Logging Destination per installation. The customer uses Collectors in each country, so my idea was to use an IP that is the same in every country to collect the events there with the event collectors installed in each country, and use a second interface with a unique IP to connect the collectors to the AIO in the headquarters. For both interfaces routing would be necessary. In my case I have virtual ECs, so interfaces are not really an issue, but routing would be necessary. I already have another installation where management and log source are separated due to security requirements and both are routed. I got it working, but before and after updates it is necessary to check if it is still working and maybe add the routes again. I am wondering if maybe we can use the option "Public IP" in the Network information setup as well. Anyway, I think we need more routing options and interface possibilities on the systems anyway (VLAN trunks). I raised an RFE for that a few years ago, but it was closed. Maybe we should raise it again.
Martin
------------------------------
Martin Schmitt
Original Message:
Sent: Wed June 02, 2021 02:25 AM
From: Konstantin Tomanov
Subject: Secondary (alias) address on QRadar interface
Hello Mario,
The issue is that there are no free interfaces and that's why they are looking for setting up an interface with two IP addresses.
------------------------------
Konstantin Tomanov
Original Message:
Sent: Wed June 02, 2021 01:10 AM
From: Mario Sebastiani
Subject: Secondary (alias) address on QRadar interface
Hello Konstantin,
You can use the free network interfaces to collect data, as explained in the Network interface management chapter in the documentation.
Please note that "TCP-based data sources must be in the same subnet as the data collection interface", no additional routing is allowed.
Best regards,
Mario
------------------------------
Mario Sebastiani
Original Message:
Sent: Tue June 01, 2021 09:00 AM
From: Konstantin Tomanov
Subject: Secondary (alias) address on QRadar interface
Hello all,
Recently I was asked if it is possible to set a secondary (alias) address on one of the QRadar appliance interfaces.
They would like to use it to forward syslog. The reason is that there are no unused interfaces on the appliance and there is no routing option for the particular isolated segment...
regards,
Konstantin
------------------------------
Konstantin Tomanov
------------------------------