Changing firewall rules


In the default QRadar configuration, every appliance comes with pre-configured firewall rules in the OS. For testing purposes we can simply deactivate the firewall with the command “service iptables stop” and turn it back on with “service iptables start”. But sometimes we need to update the firewall configuration with permanent changes.

To change the firewall rules on your appliance, follow the steps below:

  • Connect through SSH to the appliance that you want to modify;
  • Log in using the ‘root’ account;
  • Edit one of the following files:
    • /opt/qradar/conf/iptables.pre
    • /opt/qradar/conf/iptables.post
    • /opt/qradar/conf/iptables-nat.post
  • Add your firewall rules to the file, for example:
    • -A INPUT -i eth0 -s x.x.x.x -j ACCEPT
  • Save the file with ‘:wq’;
  • Run /opt/qradar/bin/iptables_update.pl so your changes take effect.

With those steps your firewall configuration is changed, and the change will persist across reboots.
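
The procedure above can be wrapped in a small script that checks a rule before it reaches the file. This is an added example, not part of the original post or of QRadar: the helper names `valid_rule` and `add_rule` are hypothetical, and the choice of `iptables.pre` as the target file is an assumption.

```shell
#!/bin/sh
# Added example; valid_rule and add_rule are hypothetical helper names.

# valid_rule RULE: single-line "-A INPUT ... -s <IPv4[/prefix]> ... -j ACCEPT".
# Rejects the x.x.x.x placeholder, a missing -s, and any-source (0.0.0.0 or /0).
valid_rule() {
    [ "$(printf '%s\n' "$1" | wc -l)" -eq 1 ] || return 1
    case "$1" in "-A INPUT "*" -j ACCEPT") ;; *) return 1 ;; esac
    vr_src=$(printf '%s\n' "$1" | sed -n 's/.* -s \([^ ]*\) .*/\1/p')
    printf '%s\n' "$vr_src" | grep -Eq \
        '^((0|[1-9][0-9]{0,2})\.){3}(0|[1-9][0-9]{0,2})(/[1-9][0-9]?)?$' || return 1
    case "$vr_src" in 0.0.0.0*) return 1 ;; esac
    # Range checks: each octet <= 255, prefix length <= 32.
    vr_ip=${vr_src%/*}
    vr_ifs=$IFS; IFS=.; set -- $vr_ip; IFS=$vr_ifs
    for vr_o in "$@"; do [ "$vr_o" -le 255 ] || return 1; done
    case "$vr_src" in */*) [ "${vr_src#*/}" -le 32 ] || return 1 ;; esac
    return 0
}

# add_rule FILE RULE: back up FILE, then append RULE unless already present.
add_rule() {
    valid_rule "$2" || { echo "rejected: $2" >&2; return 2; }
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 3; }
    # Exact, fixed-string line match; "--" because the rule begins with "-".
    if grep -Fxq -- "$2" "$1"; then return 0; fi
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)" || return 4
    # Start on a fresh line if the file lacks a trailing newline.
    [ -z "$(tail -c 1 "$1")" ] || echo >> "$1"
    printf '%s\n' "$2" >> "$1"
}

# On the appliance, as root: sh this_script.sh --apply "<rule>"
# (iptables.pre is an assumed target; pick the file that fits your rule.)
if [ "${1:-}" = "--apply" ]; then
    add_rule /opt/qradar/conf/iptables.pre "${2:-}" &&
        /opt/qradar/bin/iptables_update.pl
fi
```

The timestamped backup gives you a copy to restore and re-apply with iptables_update.pl if a new rule locks you out of SSH.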
