Authenticated Proxy for X-Force in QRadar
Author(s): László Czap, Péter Tusnády | Created: 21 December 2024 | Last modified: 21 December 2024
Tested on: -
When you want to enable X-Force updates through a proxy that requires basic authentication, you need to follow the steps from this tech note: https://www-01.ibm.com/support/docview.wss?uid=swg21701213#proxy
If you are lucky, it works, and you don't even notice that some calls are actually made from the QRadar Console to the QRadar Console through the proxy. Weird. If your proxy is pickier, as it was in our case, it does not allow this connection, and the feed update does not work. To avoid this, you must change two more config files. Edit the files:
/opt/qradar/dca/dca/init/dca_update/dca_update_settings_user.txt
/opt/qradar/dca/dca/init/dca_license/dca_license_settings_user.txt
Both files contain URLs with "localhost" or the console's own IP address. Change these to point to the actual X-Force update and license servers respectively, which are:
update.xforce-security.com
and
license.xforce-security.com
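A quick way to confirm the edit, as an added example that is not part of the original note or of IBM's tooling: the shell function below lists every URL in the two files whose host is still localhost, a 127.x address or the console's own IP. The function name find_local_urls and the console IP argument are assumptions; the check relies only on the files containing http(s) URLs.

```shell
#!/bin/sh
# Added example: report URLs whose host is loopback or the console's own IP.
# Relies only on the files containing http(s) URLs; no key names are assumed.

# find_local_urls CONSOLE_IP FILE...   (hypothetical helper name)
# Prints "file:line:scheme://authority" per offending URL.
# Returns 0 if none found, 1 if any found, 2 if a file is unreadable.
find_local_urls() {
    console_ip=$1
    shift
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 2; }
    done
    # grep -o emits one "file:line:scheme://authority" record per URL.
    { grep -HnoE "https?://[^/[:space:]\"']+" "$@" || true; } |
    awk -v ip="$console_ip" '
        {
            host = $0
            sub(/^[^:]*:[0-9]+:https?:\/\//, "", host)  # drop file:line: and scheme
            sub(/^[^@]*@/, "", host)                    # drop user:password@
            sub(/:[0-9]+$/, "", host)                   # drop :port
            host = tolower(host)
            if (host == "localhost" || host ~ /^127\./ || host == ip) {
                print
                bad = 1
            }
        }
        END { exit (bad + 0) }'
}

# Usage on the console (the argument is your own console address):
#   sh check_dca_urls.sh <console-ip>
if [ "$#" -ge 1 ]; then
    find_local_urls "$1" \
        /opt/qradar/dca/dca/init/dca_update/dca_update_settings_user.txt \
        /opt/qradar/dca/dca/init/dca_license/dca_license_settings_user.txt \
        && echo "no loopback or console URLs left"
fi
```

An exit status of 1 means at least one URL would still be sent back to the console through the proxy.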
The log files you want to check to see if X-Force updates work fine are:
/var/log/dca/dca_info.log
/var/log/dca/sca_server.log