QRadar: Network Address Translation (NAT) in QRadar deployments

Created by Erlington Jona… on Mon, 02/08/2021 - 13:14
Published URL:
https://www.ibm.com/support/pages/node/6403099

Question & Answer


Question

What is the functionality of NAT in QRadar® deployments?

Answer

In some deployments, the managed hosts are in isolated networks that can only be reached through a different IP address or network.

NAT enables the QRadar® Console to reach managed hosts, and managed hosts to reach the Console, through an IP address that the NAT device "translates" to the managed host's real IP address, which provides connectivity between the two.

The NAT implementation in QRadar® is known as NAT Groups and has these known limitations:

  1. Static 1:1 NAT (one-to-one NAT) is preferred because it is easier to administer and configure than PAT (Port Address Translation). The static 1:1 NAT must be configured with a single public IP, and that same IP must be used for connections in both directions (outbound and inbound).

    Example of Static 1:1 NAT
    Note: The following IPs are only meant to illustrate the example. All of them are considered "Private IP addresses" by RFC 1918.

    [Figure 1: Example of Static 1:1 NAT]
  2. NAT must be configured on a network device such as a firewall or router, not locally on the QRadar® host (for example, with iptables PREROUTING and POSTROUTING rules).
  3. Accessing managed hosts through a Double NAT configuration is not supported and must be avoided.

    Example of Double NAT
    Note: The following IPs are only meant to illustrate the example. All of them are considered "Private IP addresses" by RFC 1918.

    [Figure 2: Example of Double NAT]
  4. For easier administration of firewall rules, encryption is highly recommended when using QRadar® NAT Groups.
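The limitations above can be checked before a NAT Group is created. The following is an added example, not IBM code or part of this technote: a small validator that takes a planned NAT layout (one rule per direction per host) and reports any use of PAT, more than one public IP per host, a missing direction, or a translated address that is itself translated again (double NAT). The rule format and all addresses are constructed for illustration and fall in RFC 1918 ranges.

```python
from typing import List, NamedTuple, Optional


class NatRule(NamedTuple):
    # Constructed rule format (not a QRadar or firewall format): one rule per
    # direction for each host that sits behind the NAT device.
    inside: str                 # real IP of the managed host behind the NAT device
    outside: str                # translated IP the other side connects to
    direction: str              # "inbound" (Console -> host) or "outbound" (host -> Console)
    port: Optional[int] = None  # a port here means PAT, which NAT Groups do not support


def check_nat_rules(host: str, rules: List[NatRule]) -> List[str]:
    """Return findings for the rules translating `host`; an empty list means the layout is OK."""
    findings = []
    mine = [r for r in rules if r.inside == host]
    if not mine:
        return [f"{host}: no NAT rule found"]
    # Limitation 1: static 1:1 only, so a port in a rule means PAT
    for r in mine:
        if r.port is not None:
            findings.append(f"{host}: PAT on port {r.port} is not supported, use static 1:1 NAT")
    # Limitation 1: exactly one public IP, used for both directions
    publics = sorted({r.outside for r in mine})
    if len(publics) > 1:
        findings.append(f"{host}: translated to several IPs {publics}, use exactly one public IP")
    if {r.direction for r in mine} != {"inbound", "outbound"}:
        findings.append(f"{host}: NAT must be configured for both inbound and outbound")
    # Limitation 3: double NAT, i.e. the translated address is translated again by another rule
    for r in mine:
        if any(o.inside == r.outside for o in rules if o is not r):
            findings.append(f"{host}: double NAT via {r.outside} is not supported")
    return findings


# Constructed sample layout: one compliant host and one host that breaks three rules.
SAMPLE_RULES = [
    NatRule("10.10.10.5", "192.168.100.5", "inbound"),
    NatRule("10.10.10.5", "192.168.100.5", "outbound"),
    NatRule("10.10.20.7", "192.168.100.7", "inbound", port=2222),  # PAT
    NatRule("10.10.20.7", "192.168.100.8", "outbound"),            # second public IP
    NatRule("192.168.100.7", "172.16.0.7", "inbound"),             # second hop: double NAT
]

if __name__ == "__main__":
    for h in ("10.10.10.5", "10.10.20.7"):
        print(h, check_nat_rules(h, SAMPLE_RULES) or "OK")
```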
Using NAT to access the QRadar® WebUI

The QRadar® WebUI can be accessed through different IP addresses, because this translation is configured outside QRadar.

NAT in QRadar® on Cloud (QRoC)

QRoC deployments do not use NAT Groups, because the connections are established through VPN tunnels.

Event Forwarding through NAT

Sending events from log sources through NAT is discouraged, because the changed IP address and port can cause problems when the events are parsed.
Whether it works depends entirely on how the log source behaves. For example, WinCollect does not support event forwarding through NAT.
More details about log source configuration can be found in the QRadar® documentation.

Related technote (older NAT configuration page):
https://www.ibm.com/support/pages/qradar-nat-configuration-qradar-additional-information


Document Information

Modified date: 15 March 2021

UID: ibm16403099