This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

QRadar CE on Google Cloud Platform (GCP) network issue

Posted on 04-28-2022 01:46 PM
matteocapuano
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hello to everyone,

I've installed QRadar Community Edition on a Google Cloud VM but I can't figure out how to make the internal networking works.

Here's my issue: I got some VM's on the same subnet as QRadar, one of them is a firewall connected via VPN to another infrastructure, every machine is able to ping the others but QRadar's one. GCP gives you IPs with a /32 mask and, obviously, the gateway is outside that subnet. Before installing QRadar the VM is able to ping and being pinged but after the installation it is unable to ping anything but it's pingable from the other VMs.
I've tried to change network settings before the installation, changing the mask to /24. The results is that after the installation the machine is able to ping only the gateway, internet, but it's unable to ping the other VMs on the subnet and it isn't pingable from the other VMs.
I've also tried to use the command qchange_netsetup but it doesn't work on GCP serial console because the screen goes to black and I can't see anything.

Someone could help me?

Anyone as already installed the QRadar CE on GCP?


Thank you

Matteo

0 2 663
Topic Labels
0 Likes
2 REPLIES 2

Posted on --/--/---- --:-- AM
alexmoore
Staff
Reply posted on --/--/---- --:-- AM

My assumption would be that QRadar is applying policy to prevent the traffic - assuming your VPC firewall rules allow the traffic.

Don't worry about the subnet mask - you should set it back to a /32, the VPC will take care of routing.

However please look at this article regarding allowing ICMP for QRadar hosts: https://www.ibm.com/support/pages/qradar-enabling-ping-response-appliances

0 Likes

Posted on --/--/---- --:-- AM
matteocapuano
Bronze 1
Bronze 1
In response to alexmoore
Reply posted on --/--/---- --:-- AM

Hi Alex,

thank you for your answer. Your assumption was right and I was narrow-minded and forgot about iptables.

But now I've moved my issue further: if I use a /24 network on QRadar, the instance is pingable from the other VMs and QRadar is able to ping internet and the firewall acting as gateway but it can't ping other VMs on the same subnet.
If I put QRadar on /32 subnet, as the right setting used by GCP, if I try to ping anything the instance gives me back: "Network is unreachable".
It seems that after the installation of QRadar, CentOS 7.5 became unable to interpret the /32 network used by GCP.

Do you have any other ideas?

Do you think this is a question I should ask to GCP support? I'm willing to subscribe to Standard Support if this would be useful to find a solution.

Thanks

Matteo

0 Likes
Top Labels in this Space
Top Solution Authors
View all