
Click Set time

In document QRadar-70-AdminGuide (Page 43-50)

Step 9 Set the system time:

a Choose one of the following options:

- In the System Time box, specify the current date and time you want to assign to the managed host.

- Click Set system time to hardware time.

b Click Apply.

The Hardware Time window appears.

Step 10 Set the hardware time:

a Choose one of the following options:

- In the Hardware Time box, specify the current date and time you want to assign to the managed host.

- Click Set hardware time to system time.

b Click Save.

Step 11 Configure the time zone:

a Click Change time zone.

The Time Zone window appears.

b Using the Change Timezone To drop-down list box, select the time zone in which this managed host is located.

c Click Save.

QRadar Administration Guide

4 Managing High Availability

The High Availability (HA) feature ensures QRadar data remains available in the event of a hardware or network failure. To achieve HA, QRadar pairs a primary appliance with a secondary HA appliance to create an HA cluster. The HA cluster uses several monitoring functions, such as a heartbeat ping between the primary and secondary appliances, and network connectivity monitoring to other appliances in the QRadar deployment. The secondary host maintains the same data as the primary host by one of two methods: data synchronization between the primary and secondary appliances or shared external storage. If the secondary host detects a failure, the secondary host automatically assumes all responsibilities of the primary host.

Scenarios that cause failover include:

• Network failure, as detected by network connectivity testing

• Management interface failure on the primary host

• Complete Redundant Array of Independent Disks (RAID) failure on the primary host

• Power supply failure

• Operating system malfunction that delays or stops the heartbeat ping

Note: Heartbeat messages do not monitor specific QRadar processes.

Note: You can manually force a failover from a primary host to a secondary host. This is useful for planned maintenance on the primary host. For more information about manually forcing a failover, see Setting an HA Host Offline.

This chapter provides information for configuring and managing HA, including:

Before You Begin

HA Deployment Overview

Adding an HA Cluster

Editing an HA Cluster

Setting an HA Host Offline

Setting an HA Host Online

Restoring a Failed Host

Before You Begin

Before adding an HA cluster, confirm the following:

Note: For more information about HA concepts, such as HA clustering and data storage strategies, see HA Deployment Overview.

• If you plan to enable disk replication (see Disk Synchronization), we require that the connection between the primary host and secondary host have a minimum bandwidth of 1 gigabit per second (Gbps).

• Virtual LAN (VLAN) routing, which divides a physical network into multiple subnets, is not recommended.

• The secondary host is located on the same subnet as the primary host.

• The new primary host IP address is set up on the same subnet.

• The management interface only supports one Cluster Virtual IP address. Multihoming is not supported.

• The secondary host you want to add must have a valid HA activation key.

• The secondary host must use the same management interface specified as the primary host. For example, if the primary host uses ETH0 as the management interface, the secondary host must also use ETH0.

• The secondary host you want to add must not already be a component in another HA cluster.

• The primary and secondary host must have the same QRadar software version and patch level installed.

• If you plan to share storage (see Shared Storage), the secondary host must be configured with the same external iSCSI devices (if any) as the primary host. For more information about configuring iSCSI, see the Configuring iSCSI technical note.

• If you are configuring HA on your own hardware installed with QRadar software, the /store partition on the secondary host must be equal to or larger than the /store partition on the primary host. For example, do not pair a primary host with a 3 TB disk with a secondary host with a 2 TB disk. The appliances must be the same model and type, and have the same disk configuration.

• We recommend that you back up your configuration information and data on all hosts you intend to configure for HA. For more information about backing up your configuration information and data, see Chapter 7 Managing Backup and Recovery.

Note: Disk replication is not enabled by default on QFlow Collectors and is not required for successful failover.
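The checklist above can be verified against a host inventory before the HA wizard is opened. The following Python sketch is an added example, not part of the guide and not IBM code: the Host record, its field names, the /24 mask and the version label are assumptions, and the addresses follow the guide's 10.100.1.x clustering example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Host:
    # Hypothetical inventory record; field names are assumptions, not a QRadar schema.
    ip: str
    mgmt_iface: str
    version: str                    # software version and patch level
    store_tb: float                 # size of the /store partition in TB
    iscsi: frozenset = frozenset()  # external iSCSI devices, if any
    has_ha_key: bool = False
    in_ha_cluster: bool = False

def preflight(primary, secondary, new_primary_ip, subnet,
              disk_replication=True, link_gbps=1.0, shared_storage=False):
    """Return the unmet 'Before You Begin' requirements; an empty list means ready."""
    net = ip_network(subnet)
    problems = []
    for label, addr in (("primary host", primary.ip),
                        ("secondary host", secondary.ip),
                        ("new primary host IP", new_primary_ip)):
        if ip_address(addr) not in net:
            problems.append(f"{label} {addr} is outside subnet {net}")
    if not secondary.has_ha_key:
        problems.append("secondary host has no valid HA activation key")
    if secondary.in_ha_cluster:
        problems.append("secondary host already belongs to another HA cluster")
    if secondary.mgmt_iface.lower() != primary.mgmt_iface.lower():
        problems.append("management interfaces differ")
    if secondary.version != primary.version:
        problems.append("software version or patch level differs")
    if secondary.store_tb < primary.store_tb:
        problems.append("secondary /store partition is smaller than the primary's")
    if disk_replication and link_gbps < 1.0:
        problems.append("disk replication needs a link of at least 1 Gbps")
    if shared_storage and secondary.iscsi != primary.iscsi:
        problems.append("external iSCSI devices differ between the hosts")
    return problems

# Constructed sample inventory; addresses follow the guide's 10.100.1.x example,
# the /24 mask and the version label are assumptions.
PRIMARY = Host("10.100.1.1", "eth0", "7.0-example", 3.0)
GOOD = Host("10.100.1.2", "eth0", "7.0-example", 3.0, has_ha_key=True)
BAD = Host("10.100.2.2", "eth1", "7.0-example", 2.0, has_ha_key=True)

if __name__ == "__main__":
    for name, host in (("good", GOOD), ("bad", BAD)):
        print(name, preflight(PRIMARY, host, "10.100.1.3", "10.100.1.0/24"))
```
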

HA Deployment Overview

This overview includes information on the key HA deployment concepts, including:

HA Clustering

Data Storage Strategies

Failovers

HA Clustering

An HA cluster consists of the following:

Primary host - The primary host is the host for which you want to configure HA. You can configure HA for any system (Console or non-Console) in your deployment. When you configure HA, the IP address of the primary host automatically becomes the Cluster Virtual IP address; therefore, you must configure a new IP address for the primary host.

Secondary host - The secondary host is the standby for the primary host. If the primary host fails, the secondary host automatically assumes all responsibilities of the primary host.

Cluster Virtual IP address - When you configure HA, the current IP address of the primary host automatically becomes the Cluster Virtual IP address and you must assign a new IP address to the primary host. In the event that the primary host fails, the Cluster Virtual IP address is assumed by the secondary host.

QRadar uses the primary host’s IP address as the Cluster Virtual IP address to allow other hosts in your deployment to continue communicating with the HA cluster without requiring you to reconfigure the hosts to send data to a new IP address.

In the following figure, for example, the current IP address of the primary host is 10.100.1.1 and the IP address of the secondary host is 10.100.1.2.

When configured as an HA cluster, the current primary host IP address (10.100.1.1) automatically becomes the Cluster Virtual IP address. A new IP address must be assigned to the primary host. In this example, the assigned IP address for the primary host is 10.100.1.3.

Note: You can view the IP addresses for the HA cluster by pointing your mouse over the Host Name field in the System and License Management window.

Data Storage Strategies

QRadar provides the following data storage strategies in an HA deployment:

Disk Synchronization

Shared Storage

Disk Synchronization

The hosts in an HA cluster must have access to the same data on the /store partition. When you install your secondary host and apply an HA license key, a /store partition is automatically installed and configured on the host. Once an HA cluster is configured with the Disable Disk Replication option cleared (default) and the /store partition is not mounted externally, data in the active host’s /store partition is automatically replicated to the standby host’s /store partition using a disk synchronization system.

When you initially add an HA cluster, the first disk synchronization can take an extended period of time to complete, depending on the size of your /store partition and your disk synchronization speed. For example, the initial disk synchronization can take an extended period of time, up to 24 hours or more, depending on your deployment. We require that the connection between the primary host and secondary host have a minimum bandwidth of 1 gigabit per second (Gbps). The secondary host only assumes the Standby status after the initial disk synchronization is complete.

When the primary host fails over and the secondary host becomes the Active host, the secondary host continues to read and write data on the /store partition. When

the Offline state and you must manually set the primary host to the Online state.

The period of time to perform the post-failover disk synchronization is considerably less than the initial disk synchronization, unless the disk on the primary host was replaced or reformatted when the host was manually repaired.

Shared Storage

If the primary host has the /store partition mounted on an external storage device, the secondary host must also have the /store partition mounted on the same external storage device.

Caution: You must configure the external storage on the secondary host before configuring the HA cluster. For more information on configuring external storage, see the Configuring iSCSI technical note.

If the primary and secondary host access the shared storage at the same time, data corruption can occur. Before a failover occurs, the secondary host determines if the primary host is still accessing the shared storage. If the secondary host detects the primary host is still reading and writing to the shared storage, failover cannot occur. The secondary host is automatically set to the Offline state.

Caution: If your primary host and secondary hosts are geographically isolated, failover may still occur while the primary host is reading or writing to the shared storage.

Failovers

When the primary host fails over, the secondary host performs the following actions in sequence:

• Mounts any external shared storage devices, if required.

• Creates a network alias for the management interface. For example, the network alias for eth0 is eth0:0.

• Assigns the Cluster Virtual IP address to the network alias.

• Starts all QRadar services.

• Connects to the Console and downloads configuration files.

This section includes information on general failover scenarios, including:

Primary Network Failure

Primary Disk Failure

Secondary Network or Disk Failure

Primary Network Failure

The primary host automatically pings all other managed hosts to test its network connection. If the primary host loses network connectivity to a managed host and the connection to the secondary host is still intact, the primary host requests the secondary host to verify that it has full connectivity to other managed hosts in the deployment. The secondary host performs a network connectivity test, testing all hosts specified in the Advanced Settings of the HA wizard (Table 5-2). If the test succeeds, the primary host performs a controlled shutdown and fails over to the secondary host. This prevents the primary host from failing over to a secondary host that is also experiencing network connectivity problems.

Primary Disk Failure

An HA cluster configured with disk replication monitors disks on which the /store partition is mounted. If RAID completely fails and all disks are unavailable, the primary host shuts down and fails over to the secondary host.

Secondary Network or Disk Failure

If the primary host detects that the secondary host has failed, the primary host generates an event to notify you that the secondary host is no longer providing HA protection.

Adding an HA Cluster

The System and License Management window allows you to manage your HA clusters.

To add an HA cluster:

Step 1 Click the Admin tab.

Step 2 In the navigation menu, click System Configuration.

The System Configuration panel appears.

Step 3 Click the System and License Management icon.

The System and License Management window appears.

Step 4 Select the host for which you want to configure HA.
