IBM Security QRadar

  • 1.  Replacing a QRadar Console with an appliance that uses a new IP address

    Posted Mon March 04, 2024 04:39 AM

    Architecture:

    QRadar Console and App Host (Our Datacenter)

    EP (Client Location)

    Using NATed IP for communication.

    We are doing hardware migration of the QRadar console with a New IP address in a different Datacenter.

    I deployed the new console with a new IP but the same hostname. I took the configuration backup from the old console and restored it to the new console. After that, I stopped all the services on the old console and then performed a full configuration deployment on the new console, but it was giving a deploy error and events were not coming from the EP. So we recovered the old console again.

    Question :

    1. Do I have to keep a new hostname or an old hostname?

    2. There are a few apps on the console. Should I restore them as well during the configuration restore?

    3. Should I turn off the old console while restoring the configuration backup?

    4. If deployment is successful after turning off the old console then for transferring event and flow data, I will have to turn on the old console so will it conflict with the new console?

    I am following the IBM document below.

    https://www.ibm.com/support/pages/qradar-replacing-console-appliance-deployment-using-new-ip-address-or-hostname



    ------------------------------
    Shailendra Kumar Yadav
    ------------------------------


  • 2.  RE: Replacing a QRadar Console with an appliance that uses a new IP address

    IBM Champion
    Posted Mon March 04, 2024 12:31 PM

    Shailendra

    regarding your questions

    1. Reduce your risks as much as possible for the whole procedure. Use a different hostname and IP address for the new console to be sure not to get mixed up in between.

    2. The best scenario is to migrate your apps to a new app host beforehand. If that is not possible, remove them from the old console and restore them after everything has been done.

    3. Restoring the config backup should work independently. Pls keep the old console running, as it is needed later on (step5 and step6).

    4. The old console isn't needed anymore. When everything works as designed, the new IP address should be picked up by all managed hosts. Pls see the comments in step7.

    The whole document doesn't talk about NATted environments. This makes things even more complicated. As NAT requires two different networks being involved, I have doubts this will work. At least there is additional firewalling in between, which may cause the error you see even if everything works right. Make sure iptables covers all your communication needs on all hosts. Pls store your error files and contact IBM support. Ask them if the documented procedure covers NAT environments as well.



    ------------------------------
    Karl Jaeger #ibmchampion
    QRadar Specialist
    cnag
    Siegen, Germany
    ------------------------------



  • 3.  RE: Replacing a QRadar Console with an appliance that uses a new IP address

    Posted Tue March 05, 2024 12:26 AM

    Thanks for your reply, Karl.

    As mentioned in your message, I can't see step5 and step6.

    1. I am changing the hostname of the new console as per your suggestion.
    2. I will migrate apps later. First priority is to restore the configuration backup, and the deploy should be successful.
    3. We will keep the old console running but stop the three processes (hostservices, hostcontext, tomcat).

    We did this migration in the production environment and were getting a deploy error on the new console. We raised a ticket with IBM support and they took 26 hours to fix this issue but didn't succeed, and at the end we recovered the old console again. But we have to migrate again, so we are doing this migration in our testing environment. Kindly suggest.



    ------------------------------
    Shailendra Kumar Yadav
    ------------------------------



  • 4.  RE: Replacing a QRadar Console with an appliance that uses a new IP address

    Posted Tue March 05, 2024 05:09 AM

    Hello,

    OK, looking at the technote you are following, you are doing a full config restore.
    During the restore process the new console will attempt to reach out to the Managed Hosts.
    You have stopped iptables on the Managed Hosts, so that they will not reject the new console's connection attempts.

    Note that if the old console is still running, it will also be trying to connect to the Managed Hosts.
    So for me, before you begin the restore on the new console, the old console should be turned off, to stop it speaking to the Managed Hosts.

    For the further steps, when you bring the old console online, you should ensure that the QRadar services are stopped on the old system.

    As for why the deploy failed on the new console, we would have to review the logs.

    Regards



    ------------------------------
    Comghall Morgan
    QRadar Support Architect
    IBM
    ------------------------------



  • 5.  RE: Replacing a QRadar Console with an appliance that uses a new IP address

    IBM Champion
    Posted Wed March 06, 2024 04:07 AM

    Hi Shailendra,

    In addition to the advice of @Comghall Morgan, here's a link to the mentioned procedure:

    https://www.ibm.com/docs/en/qsip/7.5?topic=qshms-replacing-qradar-console-appliance-that-uses-new-ip-address

    Hopefully this will help you make progress with your migration.

    Regards,

    Ralph



    ------------------------------
    Ralph Belfiore
    Managing Consultant | Senior SIEM Expert
    connecT SYSTEMHAUS AG
    Siegen
    +491726365525
    ------------------------------