IBM Support

QRadar: Reverse Flow Direction (QFlow and NetFlow)

Troubleshooting


Problem

The Network Activity tab displays flow direction for certain flows in the wrong direction. Traffic originating from the server might be reversed to make it look like the flow originated from the client.

Symptom

From the Network Activity tab in QRadar, the flow directions of certain flows display in the wrong direction. For example, NetFlow data for inbound firewall deny traffic that should be R2L displays as outbound traffic (L2R).

Diagnosing The Problem

QRadar's default behavior is to review incoming traffic and change the direction when the system believes that flow direction is incorrectly reported.

For example, if QRadar sees traffic "originating" from the server to the client, the direction is reversed to make it look like client to server. QRadar decides whether to reverse the flow direction based on the following criteria:

  • If the destination port IS NOT a common destination port, reverse the flow direction if:
      1. the source port is a common destination port, OR
      2. the source port is less than 1024 AND the destination port is greater than 1024

  • Otherwise, if the destination port IS a common destination port, reverse the flow direction only if:
      1. the source port is a common destination port, AND
      2. the source port is less than 1024 AND the destination port is greater than 1024


About NetFlow
When using NetFlow as a flow source, reversed flow direction (NetFlow direction in QRadar showing L2R instead of R2L) is a very common problem. The reason is that the qflow component only sees one side of the communication: depending on the device, the router reports only the "ingress" or the "egress" side of the flow traffic.

When "Use Common Destination Port" is enabled, the qflow process reverses the direction of flow information based on commonly used ports. Many users adjust this setting when using NetFlow sources, which disables the heuristic. Keep in mind, though, that if qflow creates a bi-directional session from two NetFlow sources (one reporting ingress, one reporting egress) but sees the response packet first (i.e., a web server responding on port 443 to some remote, random ephemeral port), it will not adjust the direction to show the server responding to the remote client, and the flow may show up as outbound.
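As an added illustration (not code from IBM or the QRadar product), the following Python models the two reversal rules listed under "Diagnosing The Problem" and the NetFlow caveat above: a server reply seen first, and an inbound denied packet sent from a well-known source port. The common-port set, the local network and the flow records are constructed assumptions; the page does not list QRadar's actual common-port table.

```python
import ipaddress

# Assumed set of "common destination ports"; QRadar's real table is not on the page.
COMMON_DST_PORTS = {22, 25, 53, 80, 443}


def should_reverse(src_port, dst_port, common_ports=COMMON_DST_PORTS):
    """Apply the two reversal rules to one flow record."""
    src_common = src_port in common_ports
    low_to_high = src_port < 1024 and dst_port > 1024
    if dst_port not in common_ports:
        # Rule 1: destination is not a common port; either condition reverses.
        return src_common or low_to_high
    # Rule 2: destination is a common port; both conditions must hold.
    return src_common and low_to_high


def normalize(flow, use_common_destination_port=True):
    """Return the flow as QRadar would report it, swapping endpoints when the heuristic fires."""
    if use_common_destination_port and should_reverse(flow["sport"], flow["dport"]):
        return {"src": flow["dst"], "sport": flow["dport"],
                "dst": flow["src"], "dport": flow["sport"]}
    return dict(flow)


def direction(flow, local_net):
    """Label a flow L2R or R2L relative to a local network (L2L / R2R otherwise)."""
    net = ipaddress.ip_network(local_net)
    s = ipaddress.ip_address(flow["src"]) in net
    d = ipaddress.ip_address(flow["dst"]) in net
    return {(True, False): "L2R", (False, True): "R2L", (True, True): "L2L"}.get((s, d), "R2R")


# Constructed one-sided NetFlow records using RFC 5737 documentation addresses, not real telemetry.
LOCAL = "192.0.2.0/24"
# A web server's reply is the only side exported: the real client is the ephemeral-port side.
WEB_RESPONSE = {"src": "192.0.2.10", "sport": 443, "dst": "198.51.100.7", "dport": 51234}
# An inbound packet denied at the firewall, sent by the remote host from source port 53.
DENIED_INBOUND = {"src": "198.51.100.9", "sport": 53, "dst": "192.0.2.20", "dport": 8080}


def report(flow, use_common_destination_port=True, local_net=LOCAL):
    """Direction label QRadar would show for the flow under the given setting."""
    return direction(normalize(flow, use_common_destination_port), local_net)
```

With the heuristic on, the denied inbound packet is flipped to L2R (the symptom described above) because its source port is "common"; with the heuristic off, the one-sided server reply is shown as outbound instead.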


Resolving The Problem

The advanced configuration option for the QFlow component can be updated to disable the "Use Common Destination Port" option. When this option is turned off, QFlow no longer alters the reported flow direction, and the user interface shows the direction as received from the flow source.

Note: Changing this option should resolve the issue described here; however, administrators might notice other traffic-direction issues in their flow data that are caused by disabling the common destination port option in QFlow.


How to configure 'Use Common Destination Port' in QRadar 7.2.5 and later

Administrators on newer versions of QRadar can manage this component setting from the System and License Management interface.

  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab.
  3. Click the System and License Management icon.
  4. Select a QFlow system (1201 / 1202 appliances) from the list.
  5. From the Deployment Actions drop-down, select Edit Host.
  6. Click the Component Management icon.
  7. From the Flow Collector panel, locate the Use Common Destination Port drop-down and set the value to No.
  8. Click Save.
  9. Click Deploy Changes.
    The update is complete.
  10. Review the user interface to determine if the flow direction issue is resolved.


How to configure 'Use Common Destination Port' for QRadar 7.2.4 and prior versions

This procedure is specific to QRadar 7.2.4 and earlier versions. On these versions, the configuration change can only be made through the Deployment Editor in QRadar.

  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab.
  3. Launch the Deployment Editor.
  4. In the Deployment Editor, right-click on the qflow object and select Configure.
  5. Click Advanced to display advanced component settings.
  6. Locate the field Use Common Destination Port and set the value to No.
  7. Click Save.
  8. When prompted with a performance message, click Yes.
  9. Click File > Save and Close or Save to Staging if there are multiple qflow components that need to be updated.
  10. Repeat this process for each qflow component in your deployment. There will be one component for each QFlow appliance and VM in your network.
  11. Click Deploy Changes.
  12. Review the user interface to determine if the flow direction issue is resolved.

Document information

More support for: IBM QRadar SIEM

Component: Flows

Software version: 7.2

Operating system(s): Linux

Reference #: 1972754

Modified date: 10 May 2019