IBM Installation and Configuration Guide - IBM QRadar Network Insights Version 7.3.2

 
IBM Installation and Configuration Guide - IBM QRadar Network Insights Version 7.3.2
IBM QRadar Network Insights
Version 7.3.2

Installation and Configuration Guide

IBM
IBM Installation and Configuration Guide - IBM QRadar Network Insights Version 7.3.2
Note
     Before you use this information and the product that it supports, read the information in “Notices” on
     page 33.

Product information
This document applies to IBM® QRadar® Security Intelligence Platform V7.3.2 and subsequent releases unless
superseded by an updated version of this document.
© Copyright International Business Machines Corporation 2017, 2019.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM Corp.
IBM Installation and Configuration Guide - IBM QRadar Network Insights Version 7.3.2
Contents

  Introduction to installing QRadar Network Insights................................................ v

  Chapter 1. Real-time threat investigations with QRadar Network Insights...............1
     What's new in QRadar Network Insights V7.3.2......................................................................................... 1
     What's new in QRadar Network Insights V7.3.1......................................................................................... 2

  Chapter 2. QRadar Network Insights appliances.....................................................3
     QRadar Network Insights 1901...................................................................................................................3
     QRadar Network Insights 1901-C............................................................................................................... 5
     QRadar Network Insights 1910-C............................................................................................................... 6
     QRadar Network Insights 1920...................................................................................................................8
     QRadar Network Insights 1920-C.............................................................................................................10

  Chapter 3. Upgrading QRadar Network Insights....................................................13

  Chapter 4. Installing QRadar Network Insights .................................................... 15

  Chapter 5. Flow inspection...................................................................................17
     Flow inspection levels............................................................................................................................... 17
     Performance impacts.................................................................................................................................18
     Supported protocols and document types................................................................................................18

  Chapter 6. Appliance configuration...................................................................... 21
     Configuring the size of the raw payload data capture.............................................................................. 21
     Configuring the flow inspection level........................................................................................................ 22
     Configuring QFlow Collector format.......................................................................................................... 23
     Configuring DTLS communications protocol.............................................................................................24
     Installing the QRadar Network Insights content extension..................................................................... 25

  Chapter 7. Stacking QRadar Network Insights appliances.....................................27
     Appliance cabling.......................................................................................................................................27
     Creating a stack......................................................................................................................................... 29
     Modifying an existing stack........................................................................................................................30
     Removing stacked appliances................................................................................................................... 31

  Notices................................................................................................................33
     Trademarks................................................................................................................................................ 34
     Terms and conditions for product documentation................................................................................... 34
     IBM Online Privacy Statement.................................................................................................................. 35
     General Data Protection Regulation..........................................................................................................35

                                                                                                                                                               iii
IBM Installation and Configuration Guide - IBM QRadar Network Insights Version 7.3.2
iv
IBM Installation and Configuration Guide - IBM QRadar Network Insights Version 7.3.2
Introduction to installing QRadar Network Insights
      This guide contains information about analyzing network data in real-time by using IBM QRadar Network
      Insights.

      Intended audience
      Investigators extract information from the network traffic and focus on security incidents, and threat
      indicators.

      Technical documentation
      To find IBM QRadar product documentation on the web, including all translated documentation, access
      the IBM Knowledge Center (http://www.ibm.com/support/knowledgecenter/SS42VS/welcome).
      For information about how to access more technical documentation in the QRadar products library, see
      Accessing IBM Security Documentation Technical Note (www.ibm.com/support/docview.wss?
      rs=0&uid=swg21614644).

      Contacting customer support
      For information about contacting customer support, see the Support and Download Technical Note
      (http://www.ibm.com/support/docview.wss?uid=swg21616144).

      Statement of good security practices
      IT system security involves protecting systems and information through prevention, detection and
      response to improper access from within and outside your enterprise. Improper access can result in
      information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of
      your systems, including for use in attacks on others. No IT system or product should be considered
      completely secure and no single product, service or security measure can be completely effective in
      preventing improper use or access. IBM systems, products and services are designed to be part of a
      lawful comprehensive security approach, which will necessarily involve additional operational
      procedures, and may require other systems, products or services to be most effective. IBM DOES NOT
      WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR
      ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
      Please Note:
      Use of this Program may implicate various laws or regulations, including those related to privacy, data
      protection, employment, and electronic communications and storage. IBM QRadar may be used only for
      lawful purposes and in a lawful manner. Customer agrees to use this Program pursuant to, and assumes
      all responsibility for complying with, applicable laws, regulations and policies. Licensee represents that it
      will obtain or has obtained any consents, permissions, or licenses required to enable its lawful use of IBM
      QRadar.

© Copyright IBM Corp. 2017, 2019                                                                                  v
IBM Installation and Configuration Guide - IBM QRadar Network Insights Version 7.3.2
vi IBM QRadar Network Insights: Installation and Configuration Guide
IBM Installation and Configuration Guide - IBM QRadar Network Insights Version 7.3.2
Chapter 1. Real-time threat investigations with
QRadar Network Insights
      IBM QRadar Network Insights is a network threat analytics solution that provides visibility into deep
      application-level content to better detect insider threats, data exfiltration, and malware activity, and
      provides real-time analysis of network data and an advanced level of threat detection and analysis.

      Integration with IBM QRadar Incident Forensics
      QRadar Network Insights provides QRadar with deep visibility into application activities, extracts artifacts,
      and identifies assets, applications, and users that participate in network communications. It is tightly
      integrated with IBM QRadar Incident Forensics for post incident investigations and threat hunting
      activities.
      QRadar Incident Forensics and IBM QRadar Network Packet Capture captures, reconstructs, and replays
      the entire conversation, but QRadar Network Insights provides the incident detection, and informs you
      whether suspect items or topics of interest were discussed at any time during the conversation.
      Suspect content can originate from a wide variety of sources, such as malware, non-standard ports, regex,
      or Yara rules. For more information about suspect content, see Advanced inspection level attributes in the
      QRadar Network Insights User Guide.

What's new in QRadar Network Insights V7.3.2
      IBM QRadar Network Insights V7.3.2 includes the following new features and enhancements to help you
      administer your IBM QRadar Network Insights appliances.

      QRadar on Cloud support
      QRadar Network Insights is now supported in IBM QRadar on Cloud deployments.
      You can pair your QRadar Network Insights appliance with a QRadar on Cloud data gateway and send
      flows into your QRadar on Cloud deployment.

         To learn more about working with QRadar on Cloud data gateways, see the IBM QRadar on Cloud
      Getting Started Guide.

      Configuration improvements for stacked and stand-alone appliances
      In IBM QRadar Network Insights, it is easier for you to manage the QRadar Network Insights stand-alone
      and stacked appliances in your deployment. Now, you can easily add or reallocate processing capabilities
      across your deployments by creating new stacks, and adding or removing devices from stacks.
      With the new QRadar Network Insights configuration management, you can easily make the following
      changes:
      • Edit a stack directly from the Deployment Actions menu.
      • Configure the flow inspection level for an individual QRadar Network Insights appliance.
      • Set the maximum amount of capture data that each appliance includes in the flow report.
      • Remove a stack and reconfigure each managed host as a stand-alone appliance.
      • In a stacked configuration, specify which QRadar Network Insights appliance is the primary host.

         Learn more about configuring appliances...

         Learn more about stacking appliances...

© Copyright IBM Corp. 2017, 2019                                                                                 1
More control over the appliance inspection level
      In V7.3.1, every QRadar Network Insights appliance in the deployment used the same global-set flow
      inspection level.
      Now, in V7.3.2, you can configure the flow inspection level for individual appliances or stacks. In a
      stacked configuration, each stack can have a different inspection level, but all appliances within a stack
      must have the same inspection level.

         Learn more about configuring the flow inspection level...

      Support for raw payload capture
      Now you can use IBM QRadar Network Insights to extract raw payload data.
      For example, you can extract data from the beginning of the packet payload, and then use regex
      expressions or custom properties to look for patterns. For QFlow users that are migrating to QRadar
      Network Insights, this capability enables the same raw payload analysis that you used in the past while
      also giving you QRadar Network Insights network analysis and data extraction capabilities.
      On initial installation, IBM QRadar Network Insights is configured to capture a maximum of 64 bytes of
      raw payload data. To stop capturing payload data, set the Maximum Raw Payload Size to 0. You can
      increase the size to extract more data from the payload, but larger sizes result in higher network traffic
      and can negatively impact the performance of your QRadar deployment.

         Learn more about configuring the raw payload capture size...

What's new in QRadar Network Insights V7.3.1
      IBM QRadar Network Insights V7.3.1 simplifies the configuration, deployment, and stacking of IBM
      QRadar Network Insights appliances.

      Stack appliances by using the user interface
      QRadar Network Insights V7.3.1 makes it easier to configure up to four appliances in a stack to distribute
      data across multiple CPUs and Napatech cards.
      Stacking appliances helps you increase your data throughput at higher inspection levels.

         Learn more about stacking appliances...

2 IBM QRadar Network Insights: Installation and Configuration Guide
Chapter 2. QRadar Network Insights appliances
      The IBM QRadar Network Insights appliance is a managed host that you attach to the QRadar console.
      QRadar Network Insights appliances connect to network TAPs, SPAN, or mirror ports to access full packet
      data for real-time analysis. All QRadar Network Insights appliances provide detailed analysis of network
      flows to extend the threat detection capabilities of QRadar.
      This Installation Guide includes hardware specifications for the latest QRadar Network Insights
      appliances. To view hardware specifications for older QRadar Network Insights appliances, see the IBM
      QRadar Hardware Guide.

      Table 1: QRadar Network Insights appliances
      QRadar Network Insights appliances                                Appliance ID
      QRadar Network Insights 1901                                      6300
      QRadar Network Insights 1910                                      6400
      QRadar Network Insights 1920                                      6200

      Appliance stacking
      You can stack the QRadar Network Insights 1920 appliances (type 6200) to distribute network packet
      data across multiple Napatech cards. By distributing the data processing and analysis across multiple
      appliances, stacking can help you handle higher data volumes and improve flow throughput performance
      at the highest inspection levels.
      For more information about stacking appliances, see Chapter 7, “Stacking QRadar Network Insights
      appliances,” on page 27.

QRadar Network Insights 1901
      The IBM QRadar Network Insights 1901 (MTM 4412-F4Y) appliance provides detailed analysis of network
      flows to extend the threat detection capabilities of IBM QRadar.
      With four 1G capture ports on a Napatech card, the QRadar Network Insights 1901 appliance provides the
      same capabilities as the QRadar Network Insights 1920 appliance but on a lower-price hardware platform
      that is designed for 1 Gbps network connectivity.
      The QRadar Network Insights 1901 appliance has the following hardware specifications:

      Table 2: QRadar Network Insights 1901 overview
      Hardware              Description
      Dimensions            28.9 inches deep x 17.1 inches wide x 1.7 inches high
      Power                 Dual redundant 750 Watt AC power supply
      Storage               2 x 240 GB SATA 2.5" SSD, 240 GB Total (RAID1)
                            The storage is labeled as [1] in the appliance diagram.

      Memory                64 GB (4 x 16 GB DDR4 2400MHz)

© Copyright IBM Corp. 2017, 2019                                                                              3
Table 2: QRadar Network Insights 1901 overview (continued)
       Hardware             Description
       Network capture      2 x 1 G TX RJ-45 Transceivers (Avago ABCU-5710RZ or ABCU-5740RZ)
       transceivers
                            2 x 1 G SX LC Transceivers (Avago AFBR-5715PZ)
                            Use these transceivers with the network packet capture card, labeled as [4] in the
                            appliance diagram.

       Network              2 x 10 G Short Range SFP
       management
                            The transceivers may have one of the following part numbers:
       transceivers
                            • Avago AFBR-709SMZ-IB8
                            • Finisar FTLX8571D3BCL-BN
                            • BNT BN-CKM-SP-SR
                            Use these transceivers with the management ports, labeled as [5] in the appliance
                            diagram.

      System performance of QRadar Network Insights appliances varies depending on the exact configuration
      and tuning of the system components. It is influenced not only by hardware, but also factors such as the
      search, extraction criteria, and the amount of network data. For more information, see Performance
      impacts in the IBM QRadar Network Insights Installation Guide.

      Figure 1: Back panel of the QRadar Network Insights 1901 appliance

4 IBM QRadar Network Insights: Installation and Configuration Guide
Table 3: Legend for use with the QRadar Network Insights 1901 image
    Label          Description
    1              QRadar Firmware Storage
    2              IMM Port (1GbE TX)
    3              Management ports (1 GbE TX)
    4              Network Packet Capture (SFP)
    5              Management ports (10 GbE SFP+)

    Note: Only the Network Packet Capture card [4] can be used for capturing network packet data.
    For battery removal steps, see Removing the coin-cell battery (also called CMOS battery) (http://
    www-01.ibm.com/support/knowledgecenter/api/redirect/systemx/documentation/index.jsp?topic=/
    com.lenovo.sysx.8871.doc/t_removing_system_battery.html)
    For more information about the QRadar Network Insights 1901, including front and back panel diagrams,
    see IBM System X3550 M5 (https://lenovopress.com/lp0067-lenovo-system-x3550-m5-machine-
    type-8869).

QRadar Network Insights 1901-C
    The IBM QRadar Network Insights 1901-C (MTM 4654-F6Y) appliance provides detailed analysis of
    network flows to extend the threat detection capabilities of IBM QRadar.
    With four 1G capture ports on a Napatech card, the QRadar Network Insights 1901-C appliance provides
    the same capabilities as the QRadar Network Insights 1920 appliance but on a lower-price hardware
    platform that is designed for 1 Gbps network connectivity.

    Table 4: QRadar Network Insights 1901-C overview
    Description           Value
    Physical dimensions 31.1 inches deep x 17.1 inches wide x 1.7 inches high
    Unit weight           48.5 lbs
    CPU                   2 x Xeon Gold 5118 12C 2.3 GHz 16 MB Cache 3.20 GHz 105 W
    Memory                64 GB, 4 x 16 GB
    Storage / Hard disks 2 x 240 GB SATA 2.5" SSD, 240 GB Total (RAID1)
    Network interfaces    4 x 10 Gb SFP+ network capture interfaces, including 4 x SR (LC short range fiber)
                          and 4 x LR (LC Long range fiber) transceivers
                          4 x 10/100/1000 Base-T Ethernet management interfaces
                          1 x 10/100/1000 Base-T integrated management module interface
                          2 x 10 Gbps SFP+ management interfaces

    Network Capture       4 x 1 G TX RJ-45 Transceivers (Avago ABCU-5710RZ or ABCU-5740RZ)
    Transceivers
                          4 x 1 G SX LC Transceivers (Avago AFBR-5715PZ)

    Network               2 x 10 G SR LC Transceivers (Avago AFBR-709SMZ-IB8 or Finisar
    Management            FTLX8571D3BCL-BN or BNT BN-CKM-SP-SR)
    Transceivers

                                                                      QRadar Network Insights appliances 5
Table 4: QRadar Network Insights 1901-C overview (continued)
       Description                    Value
       Traffic rate                   1 Gbps
       Power supply                   Dual redundant 750 W AC

      Picture: © 2018 Dell Inc. or its subsidiaries. All Rights Reserved

      Figure 2: QRadar Network Insights 1901-C

       Table 5: Legend for use with the QRadar Network Insights 1901-C image
       Label              Description
       1                  QRadar firmware storage
       2                  IMM port (1 GbE TX)
       3                  Management ports (10 GbE SFP+)
       4                  Management ports (1 GbE TX)
       5                  Network packet capture (SFP)
                          Ports are numbered 0, 1, 2, 3, from left to right.

QRadar Network Insights 1910-C
      The IBM QRadar Network Insights 1910-C (MTM 4654-Q9C) appliance offers 1 Gbps and 10 Gbps
      connectivity in a smaller, lower-cost appliance for deployments that require 10 Gbps connectivity but
      don't require the same level of processing or performance that is found in the more powerful 1920
      appliance.

       Table 6: QRadar Network Insights 1910-C overview
       Description                    Value
       Physical dimensions 31.3 inches deep x 17.1 inches wide x 1.7 inches high
       Unit weight                    48.5 lbs
       CPU                            2 x Xeon Gold 5118 12C 2.3 GHz 16 MB Cache 3.20 GHz 105 W

6 IBM QRadar Network Insights: Installation and Configuration Guide
Table 6: QRadar Network Insights 1910-C overview (continued)
 Description                    Value
 Memory                         64 GB, 4 x 16 GB
 Storage / Hard disks 2 x 240 GB SATA 2.5" SSD, 240 GB Total (RAID1)
 Network interfaces             4 x 10 Gb SFP+ network capture interfaces, including 4 x SR (LC short range fiber)
                                and 4 x LR (LC Long range fiber) transceivers
                                4 x 10/100/1000 Base-T Ethernet management interfaces
                                1 x 10/100/1000 Base-T integrated management module interface
                                2 x 10 Gbps SFP+ management interfaces

 Network Capture                4 x 10 G SR LC Transceivers (Avago AFBR-703SDZ or AFBR-709SMZ)
 Transceivers
                                4 x 10 G LR LC Transceivers (Avago AFCT-739SMZ-IB2)

 Network                        2 x 10 G SR LC Transceivers (Avago AFBR-709SMZ-IB8 or Finisar
 Management                     FTLX8571D3BCL-BN or BNT BN-CKM-SP-SR)
 Transceivers
 Traffic rate                   10 Gbps
 Power supply                   Dual redundant 750 W AC

Picture: © 2018 Dell Inc. or its subsidiaries. All Rights Reserved

Figure 3: QRadar Network Insights 1910-C

 Table 7: Legend for use with the QRadar Network Insights 1910-C image
 Label              Description
 1                  QRadar firmware storage
 2                  IMM port (1 GbE TX)
 3                  Management ports (10 GbE SFP+)
 4                  Management ports (1 GbE TX)
 5                  Network Packet Capture (SFP/SFP+)
                    Ports are numbered 0, 1, 2, 3, from left to right.

                                                                            QRadar Network Insights appliances 7
QRadar Network Insights 1920
      The IBM QRadar Network Insights 1920 (MTM 4412-F3F) appliance provides detailed analysis of network
      flows to extend the threat detection capabilities of IBM QRadar.
      The appliance has two Napatech cards, each with four ports. By default, the four ports on the first
      network capture card are configured for inbound traffic from the network tap. If the appliance is included
      in a stack, the ports are reconfigured for 2 inbound and 2 outbound. For more information about cabling
      stacked appliances, see the IBM QRadar Network Insights Installation Guide.
      The second Napatech card is cabled internally for load balancing and cannot not be used. If you use these
      ports when you cable the appliance, you do not get any data.
      The following table shows the hardware information and requirements for the IBM QRadar Network
      Insights 1920 (MTM 4412-F3F) appliance:

       Table 8: QRadar Network Insights 1920 overview
       Description           Value
       Dimensions            29.7 inches deep x 17.5 inches wide (19 inches with EIA) x 3.4 inches high
       Power                 Dual redundant 900 Watt AC power supply
       Storage               2 x 240 GB SATA 2.5" SSD, 240 GB Total (RAID1)
                             The storage is labeled as [1] in the appliance diagram.

       Memory                128 GB (8 x16 GB DDR4 2400MHz)
       Network capture       2x 10Gb Short Range Fiber Transceivers (Avago AFBR-703SDZ or AFBR-709SMZ)
       transceivers
                             2x 1G TX RJ-45 Transceivers (Avago ABCU-5710RZ or ABCU-5740RZ)
                             2x 1G SX LC Transceivers (Avago AFBR-5715PZ)
                             Use these transceivers with the network packet capture card, labeled as [2] in the
                             appliance diagram.

       Network               2x 10G Short Range SFP
       management
                             The transceivers may have one of the following part numbers:
       transceivers
                             • Avago AFBR-709SMZ-IB8
                             • Finisar FTLX8571D3BCL-BN
                             • BNT BN-CKM-SP-SR
                             Use these transceivers with the management ports, labeled as [4] in the appliance
                             diagram.

      System performance of QRadar Network Insights appliances varies depending on the exact configuration
      and tuning of the system components. It is influenced not only by hardware, but also factors such as the
      search, extraction criteria, and the amount of network data. For more information, see Performance
      impacts in the IBM QRadar Network Insights Installation Guide.

8 IBM QRadar Network Insights: Installation and Configuration Guide
Figure 4: Back panel of the QRadar Network Insights 1920 appliance

Table 9: Legend for use with the QRadar Network Insights 1920 image
Label         Description
1             QRadar Firmware Storage
2             Network Packet Capture (SFP/SFP+)
3             IMM Port (1GbE TX)
4             Management ports (10 GbE SFP+)
5             Cabled internally. Do not use these ports.
6             Management ports (1 GbE TX)

For battery removal steps, see Removing the coin-cell battery (also called CMOS battery) (http://
publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/
t_removing_system_battery.html)
For more information about the front panel, see Front view (http://publib.boulder.ibm.com/infocenter/
systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/c_front_view.html).
For more information about the back panel, see Rear view (http://publib.boulder.ibm.com/infocenter/
systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/c_rear_view.html).

                                                                  QRadar Network Insights appliances 9
For more information, you can also see System x3650 M5 (https://lenovopress.com/lp0068-lenovo-
      system-x3650-m5-machine-type-8871.html).

QRadar Network Insights 1920-C
      The IBM QRadar Network Insights 1920-C (MTM 4654-F4F) appliance provides detailed analysis of
      network flows to extend the threat detection capabilities of IBM QRadar.
      The appliance has two Napatech cards, each with four ports. By default, the four ports on the first
      network capture card are configured for inbound traffic from the network tap. If the appliance is included
      in a stack, the ports are reconfigured for 2 inbound and 2 outbound. For more information about cabling
      stacked appliances, see the IBM QRadar Network Insights Installation Guide.
      The second Napatech card is cabled internally for load balancing and cannot not be used. If you use these
      ports when you cable the appliance, you do not get any data.
      The following table shows the hardware information and requirements for the IBM QRadar Network
      Insights 1920-C (MTM 4654-F4F) appliance.

       Table 10: QRadar Network Insights 1920-C
       Description           Value
       Physical dimensions 29.0 inches deep x 17.1 inches wide x 3.4 inches high
       Unit weight           73 lbs
       CPU                   2 x Xeon Gold 6132 14C 2.6 GHz 19 MB Cache 3.70 GHz 140 W
       Memory                128 GB, 8 x 16 GB
       Storage / Hard disks 2 x 240 GB SATA 2.5" SSD, 240 GB Total (RAID1)
       Network interfaces    4 x 10 Gb SFP+ network capture interfaces (Left-Side), including 2 x SR (LC short
                             range fiber), 2 x SX (LC short range fiber), and 2 x TX (RJ-45 copper) transceivers
                             4 x 10/100/1000 Base-T Ethernet management interfaces
                             1 x 10/100/1000 Base-T integrated management module interface
                             2 x 10 Gbps SFP+ management interfaces

       Network capture       2 x 10 Gb Short Range Fiber Transceivers (Avago AFBR-703SDZ or
       transceivers          AFBR-709SMZ)
                             2 x 1 G TX RJ-45 Transceivers (Avago ABCU-5710RZ or ABCU-5740RZ)
                             2 x 1 G SX LC Transceivers (Avago AFBR-5715PZ)
                             Use these transceivers with the network packet capture card, labeled as [2] in the
                             appliance diagram.

       Network               2 x 10 G Short Range SFP
       management
                             The transceivers may have one of the following part numbers:
       transceivers
                             • Avago AFBR-709SMZ-IB8
                             • Finisar FTLX8571D3BCL-BN
                             • BNT BN-CKM-SP-SR
                             Use these transceivers with the management ports, labeled as [4] in the appliance
                             diagram.

       Traffic rate          10 Gbps

10 IBM QRadar Network Insights: Installation and Configuration Guide
Table 10: QRadar Network Insights 1920-C (continued)
 Description                    Value
 Power supply                   Dual redundant 750 W AC

Picture: © 2018 Dell Inc. or its subsidiaries. All Rights Reserved

Figure 5: QRadar Network Insights 1920-C

 Table 11: Legend for use with the QRadar Network Insights 1920-C image
 Label              Description
 1                  QRadar firmware storage
 2                  IMM port (1 GbE TX)
 3                  Management ports (10 GbE SFP+)
 4                  Management ports (1 GbE TX)
 5                  Network Packet Capture (SFP/SFP+)
                    Ports are numbered 3, 2, 1, 0, from left to right.

 6                  Do not use these ports

                                                                         QRadar Network Insights appliances 11
12 IBM QRadar Network Insights: Installation and Configuration Guide
Chapter 3. Upgrading QRadar Network Insights
      You must upgrade all of your IBM QRadar products in your deployment to the same version.
      Restriction: Resizing logical volumes by using a logical volume manager (LVM) is not supported.

      Procedure
       1. Download the .sfs file from IBM Fix Central (www.ibm.com/support/
          fixcentral).
       2. Use SSH to log in to your system as the root user.
       3. Copy the patch file to the /tmp directory or to another location that has sufficient disk space.
       4. To create the /media/updates directory, type the following command:
          mkdir -p /media/updates
       5. Change to the directory where you copied the patch file.
       6. To mount the patch file to the /media/updates directory, type the following command:
          mount -o loop -t squashfs .sfs /media/updates/
       7. To run the upgrade installer, type the following command:
          /media/updates/installer
          The first time that you run the patch installer script, there might be a delay before the first patch
          installer menu is displayed.
       8. Provide answers to the pre-patch questions based on your deployment.
       9. Use the upgrade installer to upgrade all hosts in your deployment.
          Note: If you do not select Patch All, you must upgrade systems in the following order:
          • QRadar Console
          • QRadar Incident Forensics
          If your SSH session is disconnected while the upgrade is in progress, the upgrade continues. When
          you reopen your SSH session and rerun the installer, the installation resumes.
      10. After the upgrade is complete, type the following command to unmount the software update:
          umount /media/updates

© Copyright IBM Corp. 2017, 2019                                                                                  13
14 IBM QRadar Network Insights: Installation and Configuration Guide
Chapter 4. Installing QRadar Network Insights
      IBM QRadar Network Insights is already installed when you purchase a QRadar Network Insights
      appliance. However, you might need to reinstall the software if, for example, you have a hardware failure.

      Before you begin
      Before you install QRadar Network Insights, ensure that the following requirements are met:
      • The appliance hardware is installed.
      • A keyboard and monitor are connected by using the VGA connection.
      • The activation key is available.

      About this task
      Install the QRadar Console on one appliance, and the QRadar Network Insights managed host on another
      appliance.
      Restriction: Software versions for all appliances in a deployment must be the same version and fix level.
      Deployments that use different versions of software are not supported.
      Resizing logical volumes by using a logical volume manager (LVM) is not supported.
      You install QRadar Network Insights using the QRadar ISO. QRadar Network Insights requires only a
      connection to the QRadar console. You can deploy QRadar Network Insights separately from the IBM
      QRadar Incident Forensics Processor deployment.

      Procedure
      1. For installations on your own hardware, copy the QRadar ISO to the root directory.
         a) Create the /media/dvd directory by typing the following command:
            mkdir /media/dvd
         b) Mount the QRadar ISO by using the following command:
           mount -o loop /media/dvd
      2. Use the setup script to start the installation.
         a) Change the working directory by typing the command:
            cd /media/dvd
         b) Start the setup script by typing the command:
            setup.sh
      3. Follow the instructions in the installation wizard.
         On the Select the Appliance ID page, choose the IBM QRadar Network Insights component to install.
      4. Apply your license key.
         a) Log in to QRadar:
            https://IP_Address_QRadar
            The default user name is admin. The password is the password of the root user account.
         b) Click the login.

          c) On the navigation menu (      ), click Admin.
         d) In the navigation pane, click System Configuration.
         e) Click the System and License Management icon.
          f) From the Display list, select Licenses, and upload you license key.

© Copyright IBM Corp. 2017, 2019                                                                              15
g) Select the unallocated license and click Allocate System to License.
         h) From the list of licenses, select and license, and click Allocate License to System.
         For a QRadar Network Insights deployment, only the 6200 managed host requires a license. The
         QRadar console does not need a QRadar Network Insights license.

      What to do next
      Configure your QRadar Network Insights appliance. For more information, see Chapter 6, “Appliance
      configuration,” on page 21.

16 IBM QRadar Network Insights: Installation and Configuration Guide
Chapter 5. Flow inspection
      Flows provide QRadar with visibility into network activity. QRadar Network Insights analyzes the network
      activity, and correlates flow data with event data to detect threats that cannot be identified by using logs
      alone, thereby revealing previously hidden threats and malicious behaviors.

Flow inspection levels
      The flow inspection level determines how much data is analyzed and extracted from the network flows.
      By default, the flow inspection level is a global setting that is configured in the System Settings on the
      Admin tab. It applies to all appliances in your deployment. You can override the global setting by
      configuring a custom flow inspection level for each appliance. In a stacked configuration, each stack can
      have a different inspection level, but all appliances within a stack must have the same inspection level.

      Basic inspection level
      Basic flows is the lowest level of inspection. Basic flows are detected by 5-tuple, and the number of bytes
      and packets that are flowing in each direction are counted. This kind of information is similar to what you
      get out of a router or network switch that does not perform deep packet inspection. This level supports
      the highest bandwidth, but generates the least amount of flow information.
      The attributes that QRadar Network Insights generates using the basic flows inspection level are: 5-tuple
      values, a flow ID, packet and octet counts in each direction, and flow start and end times.
      For more information about the content fields that are extracted with the Basic inspection level, see the
      QRadar Network Insights User Guide.

      Enriched inspection level
      With the enriched inspection level, each flow is identified and inspected by one of the protocol or domain
      inspectors, and many kinds of attributes can be generated from that inspection.
      The following list describes the attributes that QRadar Network Insights generates by using the Enriched
      flow inspection level are:
      • HTTP metadata values - including categorization of URLs
      • Application ID and action
      • File information (name, size, hash)
      • Originating and recipient user names
      • Limited suspect content values
      For more information about the content fields that are extracted with the Enriched inspection level, see
      the QRadar Network Insights User Guide.

      Advanced inspection level
      Advanced is the default setting and the highest level of inspection. It adds to the flow attributes extracted
      at the Enriched inspection level through comprehensive analysis of the application content. Additional
      suspect content can also be detected through this content analysis. This analysis can yield more suspect
      content values that result from the inspection of the file contents.
      The following list describes the attributes that QRadar Network Insights generates by using the Advanced
      flow inspection level:
      • Personal information
      • Confidential data

© Copyright IBM Corp. 2017, 2019                                                                                17
• Embedded scripts
      • Redirects
      • Configurable content-based suspect content
      For more information about the types of suspect content that are identified at the Advanced inspection
      level, see the QRadar Network Insights User Guide.

Performance impacts
      Flow inspection levels are cumulative, and each level collects more data than the level before it. You must
      configure the flow inspection level to suit the flow rate that you want to achieve. System performance
      varies based on the exact configuration and tuning of the system components. It is influenced not only by
      hardware, but also factors such as the search, extraction criteria, and the amount of network data.

       Table 12: Flow inspection level performance for QRadar Network Insights appliances
       Flow Inspection         1901 appliances             1910 appliance          1920 appliances
       Level
       Basic                   ~ 4 Gbps                    ~ 10 Gbps               ~ 10 Gbps
       Enriched                ~ 3 Gbps                    ~ 3 Gbps                ~ 6 Gbps
       Advanced                ~ 1.2 Gbps                  ~ 1.2 Gbps              ~ 2.5 Gbps
                               Does not support            Does not support        You can achieve up to 10
                               stacking.                   stacking.               Gbps by stacking multiple
                                                                                   appliances.

      Scaling performance with the 1920 appliances
      To achieve higher flow rates, you can stack the QRadar Network Insights 1920 appliances (type 6200) to
      distribute data processing across multiple Napatech cards and CPUs.
      In a stacked configuration, the performance scales linearly according to the number of appliances in the
      stack. For example, a stack with two appliances can achieve up to 2x the performance. You can have up to
      four appliances in a stack.
      For more information, see Chapter 7, “Stacking QRadar Network Insights appliances,” on page 27.

Supported protocols and document types
      As network traffic data is processed and protocols are identified, the data is further inspected by the
      appropriate protocol and domain inspectors.

      Protocol inspectors
      Protocol inspectors can identify protocols such as HTTP, POP3, FTP, and telnet. You can also exclude
      protocol inspectors. When the inspectors are excluded, any network traffic data that is associated with
      the inspector is still ingested, but the traffic is identified and indexed only on a generic level.
      Any protocol that is not identifiable by a protocol inspector is categorized as Unknown.
      The following list describes the supported protocols that QRadar Network Insights can process:
      • AIM
      • DHCP
      • DNS

18 IBM QRadar Network Insights: Installation and Configuration Guide
• Exchange
• FTP
• HTTP
• iCAP
• IMAP
• IRC
• Jabber
• Myspace
• MySQL
• NFS
• NetBIOS
• Oracle
• POP3
• SIP
• SMB V2 / V3
• SMTP
• SPDY
• SSH
• Telnet
• TLS (SSL)
• Yahoo Messenger
With exception of SIP (Session Initiation Protocol) traffic, by default, all inspectors are turned on and you
can see traffic from all protocols. The SIP call setup protocol, which operates at the application layer, is
turned off by default.

Domain inspectors
When network traffic data is identified by the HTTP protocol inspector, additional analysis is done by the
domain inspector. For domain inspectors to be active, the HTTP protocol inspector must also be active.
The following list describes the supported domains (websites) as well as the supported languages for
each domain:
• AOL (Accessible, Basic, Standard) (EN)
• Charter (EN)
• Comcast (Zimbra) (EN)
• Facebook (Mobile, Desktop) (AR,CN,DE,EN,ES,FR,RU)
• Gmail (Classic, Standard) (AR,CN,DE,EN,ES,FR,RU)
• Hotmail (AR,CN,DE,EN,ES,FR,RU)
• LinkedIn (DE,EN,ES,FR,RU)
• MailCom (CN,EN,ES,FR,RU)
• MailRu (RU)
• Maktoob (AR,EN)
• Myspace (EN)
• QQMail (EN,CN)
• Twitter (EN)
• YAHOO Mail (Standard, Classic) (EN)

                                                                                          Flow inspection 19
• YAHOO Note (EN)
      • YouTube (AR,CN,DE,EN,ES,FR,RU)
      You can also exclude domain inspectors. When you exclude domain inspectors, any HTTP network traffic
      data that is associated with the inspector is still ingested, but the traffic is identified and indexed only at
      the HTTP level.

      Supported document formats
      The following list describes the supported document formats that QRadar Network Insights can process:
      • HyperText Markup Language
      • XML and derived formats
      • Microsoft Office document formats
      • OpenDocument Format
      • Portable Document Format
      • Electronic Publication Format
      • Rich Text Format
      • Compression and packaging formats
      • Text formats
      • Audio formats
      • Image formats
      • Video formats
      • Java™ class files and archives
      • mbox format

      Application detection
      Application detection is used when no other inspectors can detect an application, session, or protocol.
      Application detection inspects the first 64 bytes of a packet for a signature and attempts to identify the
      application from the signature and port.
      The following list shows examples of applications, sessions, or protocols that can be identified with the
      application detection processes:
      • BitTorrent
      • Blubster
      • CitrixICA
      • Google Talk
      • Gnucleuslan
      • Gnutella
      • GSS-SPNEGO
      • NTLMMSSP
      • OpenNap
      • PeerEnabler
      • Piolet
      • UpdateDaemon
      • VNC

20 IBM QRadar Network Insights: Installation and Configuration Guide
Chapter 6. Appliance configuration
      After your IBM QRadar Network Insights appliance is installed and attached to the QRadar Console as a
      managed host, you must configure the appliance before you can use it for investigating threats on your
      network.
      After the appliance is configured, it reads the raw packets from the network tap or span port and then
      generates IPFIX packets. The IPFIX packets are sent to flow processes in the deployment.
      For more information about installing IBM QRadar, see the IBM QRadar Installation Guide.
      For more information about adding a managed host to your deployment, see Managed hosts in the IBM
      QRadar Administration Guide.

Configuring the size of the raw payload data capture
      You can use IBM QRadar Network Insights to extract raw payload data. The Maximum Raw Payload Size
      for each appliance is inherited from the QRadar Network Insights global settings.

      About this task
      On initial installation, IBM QRadar Network Insights is configured to capture a maximum of 64 bytes of
      raw payload data. To stop capturing payload data, set the Maximum Raw Payload Size to 0.
      When you change the global setting, the new value is inherited by all QRadar Network Insights appliances
      that are configured to use the global setting. This includes new appliances that you add after the setting is
      changed.
      You can override the global settings by configuring custom Maximum Raw Payload Size settings for
      individual QRadar Network Insights appliances. After an appliance is configured to use a custom setting, it
      is not affected by changes to the global setting. To revert an appliance back to using the global setting,
      you must edit the host connection and set the Maximum Raw Payload Size to Global.
      Note: You can increase the raw payload size up to 32 768 bytes, but larger payloads can impact
      performance. Adjust the byte size in small increments, and monitor the disk capacity to ensure that it
      does not fill up quickly.

      Procedure
      1. Log in to QRadar as an administrator.
      2. To configure the global settings, follow these steps:
         a) On the Admin tab, click System Settings.
         b) Click QRadar Network Insights Settings.
         c) In the Maximum Raw Payload Size, select the maximum amount of data that you want to capture.
            To turn payload data capture off, set the Maximum Raw Payload Size to 0.
            Appliances that use a custom Maximum Raw Payload Size setting are not affected by changes to
            the global setting. You must configure the customized appliances individually.
         d) Click Save.
      3. To configure the settings for individual QRadar Network Insights appliances, follow these steps:
         a) On the Admin tab, click System and License Management.
         b) Select the appliance that you want to modify, and click Deployment actions > Edit Host
            Connection.
         c) Set the flow collector and the flow source connection and click Save.
         d) Specify the Maximum Raw Payload Size for the appliance.

© Copyright IBM Corp. 2017, 2019                                                                                21
Appliances that are configured to use a custom Maximum Raw Payload Size are not affected by
               future changes to the global setting.
         e) Click Next and then click Save.
      4. From the menu bar on the Admin tab, click Advanced > Deploy Full Configuration.

                Warning: When you deploy the full configuration, QRadar services restart. During this time,
                events and flows are not collected, and offenses are not generated.
      5. Refresh your web browser.

      What to do next
      Deploy the changes.

Configuring the flow inspection level
      The flow inspection level determines how much data is analyzed and extracted from the network flows.
      Each Flow Inspection Level setting provides deeper visibility and extracts more content than the
      preceding levels.

      About this task
      The following table explains the difference between each inspection level:

       Table 13: Flow inspection levels
       Flow Inspection Level           Description
       Basic                           Lowest level of inspection. Flows are detected by 5-tuple, and the
                                       number of bytes and packets that are flowing in each direction are
                                       counted.
       Enriched                        Each flow is identified and inspected by one of the protocol or domain
                                       inspectors, and many kinds of attributes can be generated from that
                                       inspection.
       Advanced                        The default setting. The highest level of inspection.
                                       Flows are subjected to more rigorous content extraction processes,
                                       including scanning and inspecting the content of the files that it finds.

      By default, the Flow Inspection Level for each appliance is inherited from the global setting that is
      defined in the System Settings on the Admin page. When you change the global setting, the new value is
      inherited by all QRadar Network Insights appliances that are configured to use the global setting. This
      includes new appliances that you add after the setting is changed.
      You can override the global setting by configuring custom settings for individual QRadar Network Insights
      appliances.
      In a stacked configuration, each stack can have a different flow inspection level, but all appliances within
      a stack must have the same inspection level.

      Procedure
      1. Log in to QRadar as an administrator.
      2. To configure the global setting, follow these steps:
          a) On the Admin tab, click System Settings.
         b) Click QRadar Network Insights Settings.
          c) From the Flow Inspection Level, select the flow rate.

22 IBM QRadar Network Insights: Installation and Configuration Guide
d) Click Save.
    3. To configure the settings for individual QRadar Network Insights appliances, follow these steps:
       a) On the Admin tab, click System and License Management.
       b) Select the appliance that you want to modify, and click Deployment actions > Edit Host
          Connection.
       c) Set the flow collector and the flow source connection and click Save.
       d) Specify the Flow Inspection Level for the appliance.
       e) Click Next and then click Save.
    4. From the menu bar on the Admin tab, click Advanced > Deploy Full Configuration.

              Warning: When you deploy the full configuration, QRadar services restart. During this time,
              events and flows are not collected, and offenses are not generated.
    5. Refresh your web browser.

    What to do next
    Deploy the QRadar Network Insights Processor.

Configuring QFlow Collector format
    You can choose the format that your QRadar QFlow Collectors use to export data to the QFlow processor:
    TLV (type-length-value) or Payload.
    The TLV format stores the content metadata properties in the flow record, and can be searched without
    extra configuration in QRadar.
    The payload format stores the content metadata properties in the payload field of the flow record. To run
    searches on the data, you must use custom properties to extract the data from the payload.

    Before you begin
    Before you configure the QRadar QFlow Collector format, ensure that you complete the following tasks:
    __ • Install a QRadar Console with a QRadar Network Insights appliance attached as a managed host.
    __ • Perform a full deployment after you attach the IBM QRadar Network Insights appliance as a managed
         host.
    Important: Content extension v1.3.0 introduced support for TLV fields, which supersedes earlier content
    extensions that were based on custom properties. If you are using content extension v1.3.0 or later, you
    must set the QFlow format setting to TLV; otherwise the rules in the content pack don't work.

    Procedure
    1. Log in to QRadar: https://QRadar_IP_Address
       The default user name is admin. The password is the password of the root user account.
    2. On the navigation menu (      ), click Admin.
    3. In the navigation pane, click System Settings.
    4. Click the QFlow Settings menu, and choose the QFlow format.

                                                                                  Appliance configuration 23
Table 14: QFlow format options
          QFlow format                   Description
          TLV                            Default QFlow format setting.
                                         Choose TLV (type-length-value) for new installations, or for upgrades
                                         that don't have a QRadar Network Insights appliance as part of their
                                         deployment.
                                         QRadar Network Insights V7.3.0 or later supports only TLV for content
                                         flows.

          Payload                        Choose Payload if you don't have QRadar Network Insights in your
                                         environment.
      5. Click Save.
      6. From the menu bar on the Admin tab, click Deploy Full Configuration and confirm your changes.

                Warning: When you deploy the full configuration, QRadar services are restarted. During this
                time, events and flows are not collected, and offenses are not generated.
      7. Refresh your web browser.

Configuring DTLS communications protocol
      To prevent eavesdropping and tampering, you can set up Datagram Transport Layer Security (DTLS) on a
      QRadar Network Insights managed host.
      Configuring DTLS is optional, and is not required for QRadar Network Insights to work.

      Before you begin
      Ensure that your deployment has a QRadar Network Insights (appliance type 6200) managed host that is
      attached. For more information about how to add a managed host, see the IBM QRadar Administration
      Guide.

      About this task
      You can have more than one QRadar Network Insights appliance that points to a single DTLS port, but
      configuring multiple DTLS ports is not supported.
      If, after you configure the DTLS communications protocol, you change the QRadar Flow Collector or flow
      source of any QRadar Network Insights managed hosts in your deployment, you must deploy the changes.

      Procedure
      1. To configure a flow source, complete these steps:
          a) Log in to the QRadar Console as an administrator.
         b) Click the Admin tab.
          c) In the Flows section, click Flow Sources.
         d) Click the Add icon.
         e) In the Flow Source Name field, type a descriptive name.
          f) In the Target Flow Collector field, select a flow collector or accept the value provided.
         g) In the Flow Source Type list, select Netflow v.1/v.5/v.7/v.9/IPFIX.
         h) In the Monitoring Port field, select a port or accept the value provided.
          i) In the Linking Protocol list, select DTLS.
          j) Click Save.

24 IBM QRadar Network Insights: Installation and Configuration Guide
2. To configure DTLS communication, complete these steps:
       a) On the Admin tab, in the System Configuration section, click System and License Management.
       b) Select the managed host, and on the Deployment Actions menu, click Edit Host Connection.
       c) On the Modify QRadar Network Insights Connection page, select the QRadar Flow Collector and
          flow source.
       d) Click Save.
       e) Specify whether to configure the QRadar Network Insights appliance as a stand-alone or stacked
          appliance.
        f) Click Next, and then click Save.
       g) Close the System and License Management page.
       h) On the Admin tab menu bar, click the Deploy Changes icon.

Installing the QRadar Network Insights content extension
    QRadar Network Insights content extensions include extra content, such as rules, reports, searches, and
    custom properties, that can be used to provide in-depth analysis, alerts, and reports in QRadar Network
    Insights deployments.

    Before you begin
    Download the QRadar Network Insights v7.3.0 content extension to your local computer from the IBM
    Security App Exchange (https://exchange.xforce.ibmcloud.com/hub/extension/
    5faf57a09236654323cbc4db41bd74f4).

    Procedure
    1. Log in to the QRadar Console as an administrator.
    2. On the navigation menu (    ), click Admin.
    3. Click Extension Management.
    4. To upload an extension and install it immediately, follow these steps:
       a) Click Add and select the extension to upload.
       b) To install the extension immediately, select the Install immediately check box, and then click Add.
    5. To preview the contents of an extension before you install it, follow these steps:
       a) Select the extension from the list, and click More Details.
          The content items are compared to content items that are already in the deployment. If the content
          items exist, you can choose to overwrite them or to keep the existing data.
       b) Select Replace existing items. This setting ensures that existing custom properties are updated
          when the extension is installed.
       c) Click Install.
       d) Review the installation summary, and click OK.

    Results
    After the extension is added, a yellow caution icon in the Status column indicates potential issues with
    the digital signature. Hover the mouse over the triangle for more information. Extensions that are
    unsigned or are signed by the developer, but not validated by your vendor, might cause compatibility
    issues in your deployment.

                                                                                   Appliance configuration 25
26 IBM QRadar Network Insights: Installation and Configuration Guide
Chapter 7. Stacking QRadar Network Insights
appliances
      With QRadar Network Insights stacking, you can distribute network packet data across multiple Napatech
      cards. By distributing the data processing and analysis across multiple appliances, stacking can help you
      handle higher data volumes and improve flow throughput performance at the highest inspection levels.
      If any of the appliances in the stack experience a failure and becomes unavailable, the entire stack is
      impacted. For example, if the first appliance in a stack has a hardware failure, the data is not received by
      the rest of the stacked appliances.

Appliance cabling
      You can stack the QRadar Network Insights 1920 appliances (type 6200) only. Each stack can have a
      maximum of four appliances, but you can have more than one stack in a deployment. You cannot stack
      the QRadar Network Insights 1901 appliance.
      Each QRadar Network Insights 1920 appliance is configured with 2 Napatech cards. The port
      configuration on the first Napatech card changes, depending on whether the appliance is part of a
      standalone configuration or a stacked configuration.
      Standalone configuration
         In a standalone configuration, the four ports on the first Napatech card are configured to accept
         inbound traffic from the network tap.
         The second Napatech card is a load balancer that is configured internally. Do not use the ports on this
         card; if you use them, you do not get any data.
      Stacked configuration
         In a stacked configuration, the four ports on the first Napatech card are reconfigured, two ports for
         inbound traffic and two ports for outbound traffic. The ports are configured as linked pairs, so the data
         that comes in on port 0 goes out on port 2, and the data that comes in on port 1 goes out on port 3.
         Similar to a standalone configuration, the second Napatech card cannot be used in a stacked
         configuration.

      Single incoming TAP line
      When your deployment has incoming data on one network tap only, the stacked appliances must be
      cabled like this:

© Copyright IBM Corp. 2017, 2019                                                                                 27
Figure 6: Cabling for stacked 1920 appliances with single network TAP

      Dual incoming TAP lines
      When your deployment has incoming data on two network taps, the stacked appliances must be cabled
      like this:

28 IBM QRadar Network Insights: Installation and Configuration Guide
Figure 7: Cabling for stacked 1920 appliances with dual network TAP

Creating a stack
    You can stack QRadar Network Insights 1920 appliances (type 6200) to scale performance at higher
    inspection levels by load balancing the network packet data across multiple appliances.

    Before you begin
    Ensure that all appliances that you want to include in the stack are racked and cabled. For more
    information about how to cable the appliances for use in a stacked configuration, see “Appliance cabling”
    on page 27.
    Ensure that the appliance and the QRadar Console used to manage it are at the same QRadar version and
    fix pack level.

    About this task
    By default, the Flow Inspection Level for each appliance is inherited from the global settings that are
    defined in the System Settings on the Admin page. You can override the global setting by configuring the
    flow inspection level for each appliance. In a stacked configuration, each stack can have a different
    inspection level, but all appliances within a stack must have the same inspection level.
    The Maximum Raw Payload Size is also inherited from the global system settings, but you can change it
    for individual appliances. The default size of the payload is 64 bytes, and the maximum size is 32 768
    bytes. Large payloads can impact performance. You should adjust the byte size in small increments, and
    monitor the disk capacity to ensure that it does not fill up quickly.

                                                            Stacking QRadar Network Insights appliances 29
Procedure
      1. If required, add the QRadar Network Insights appliance to your deployment as a managed host.

          a) On the navigation menu (     ), click Admin.
         b) In the System Configuration section, click System and License Management.
          c) In the Display list, select Systems.
         d) On the Deployment Actions menu, click Add Host.
         e) Configure the settings for the managed host by providing the fixed IP address and the root
            password for the appliance.
          f) Click Add.
             The managed host is added and the new configuration is ready to deploy.
         g) On the Admin tab, click Advanced > Deploy Full Configuration.
            QRadar V7.3.1 and later continues to collect events when you deploy the full configuration. In
             earlier versions of QRadar, event collection stops while the new configuration is deployed.
      2. To configure the managed host as part of a QRadar Network Insights stack, edit the host connection
         information.
          a) On the Admin tab, click System and License Management.
         b) In the Display list, select Systems.
          c) Select the QRadar Network Insights managed host, and on the Deployment Actions menu, click
             Edit Host Connection.
         d) On the Modify QRadar Network Insights Connection page, select the QRadar Flow Collector and
            the NetFlow source.
            By default, the flow collector is the IP address of the QRadar Console.
         e) Click Save.
            The console recognizes that the managed host is a 6200 appliance that can be configured as part of
            a stack.
          f) In the Host Action field, select Create new stack and type a descriptive name.
         g) Change the Flow Inspection Level and the Maximum Raw Payload Size.
         h) Select Next.
            The Configure QNI Ports window shows that the ports are now reconfigured from four inbound
            ports to two ports for inbound traffic and two ports for outbound traffic.
          i) Click Save.
            The System and License Management window now shows the new QRadar Network Insights stack
            with one QRadar Network Insights appliance.

      What to do next
      You must deploy the changes for the new configuration to take effect.

Modifying an existing stack
      You can edit an existing stack to add or remove QRadar Network Insights appliances, set the primary host
      in the stack, and set the flow inspection level and the raw payload size for all appliances in the stack.

      Before you begin
      Before you add an appliance to a stack, ensure that the appliance is deployed into your QRadar
      environment. For more information about cabling appliances for use in a stacked configuration, see
      “Appliance cabling” on page 27.

30 IBM QRadar Network Insights: Installation and Configuration Guide
You can also read