Creating a Stack

SUMMARY Create a stack to help you handle higher data volumes and improve flow throughput performance at the highest inspection levels. You can stack only the QRadar Network Insights 1920 (type 6200) and QRadar Network Insights 1940 (type 6600) appliances.

Ensure that all appliances that you want to include in the stack are racked and cabled.

Ensure that the appliance and the QRadar Console used to manage it are at the same QRadar version and fix pack level.

By default, the Flow Inspection Level for each appliance is inherited from the global settings that are defined in the System Settings. You can override the global setting by configuring the flow inspection level for each appliance. In a stacked configuration, each stack can have a different inspection level, but all appliances within a stack must have the same inspection level.

The Maximum Raw Payload Size is also inherited from the global system settings, but you can change it for individual appliances. The default size of the payload is 64 bytes, and the maximum size is 32 768 bytes. Large payloads can impact performance. Adjust the byte size in small increments, and monitor the disk capacity to ensure that it does not fill up quickly.

  1. If required, add the QRadar Network Insights appliance to your deployment as a managed host.
    1. On the navigation menu, click Admin.
    2. In the System Configuration section, click System and License Management.
    3. In the Display list, select Systems.
    4. On the Deployment Actions menu, click Add Host.
    5. Configure the settings for the managed host by providing the fixed IP address and the root password for the appliance.
    6. Click Add.
      The managed host is added and the new configuration is ready to deploy.
    7. On the Admin tab, click Advanced > Deploy Full Configuration.

      QRadar continues to collect events when you deploy the full configuration.

  2. To configure the managed host as part of a QRadar Network Insights stack, edit the host connection information.
    1. On the Admin tab, click System and License Management.
    2. In the Display list, select Systems.
    3. Select the QRadar Network Insights managed host, and on the Deployment Actions menu, click Edit Host Connection.
    4. On the Modify QRadar Network Insights Connection page, select the QRadar Flow Collector and the NetFlow source.

      By default, the flow collector is the IP address of the QRadar Console.

    5. Click Save.

      The console recognizes that the managed host is a stackable appliance.

    6. In the Host Action field, select Create new stack and type a descriptive name.
    7. Change the Flow Inspection Level and the Maximum Raw Payload Size.
    8. Select Next.

      The Configure QNI Ports window shows that the ports are now reconfigured to work in a stacked configuration.

    9. Click Save.

      The System and License Management window now shows the new QRadar Network Insights stack with one QRadar Network Insights appliance.

You must deploy the changes for the new configuration to take effect.