Hello all, we have a QRadar setup with one pair of EPs in an HA cluster and a console installed on a VM. I want to know whether it is feasible to deploy the secondary EP (in HA) in a different data center as a DR box. Can someone please suggest? Thanks
Answer by zoldax (2014) | Dec 21, 2017 at 03:31 AM
Hi @biswabhusan,
If you want to deploy your HA on a different data center you will probably use a wide area network (WAN) to geographically distribute the hosts in your cluster. Don't forget that latency increases with distance, so system performance is affected.
You want to run an EP where data collected from EC or other devices will be stored, so your HA cluster will use disk synchronization (DRBD). Don't forget the following conditions:
minimum bandwidth of 1 gigabit per second (Gbps)
The latency between the primary and secondary HA host is less than 2 milliseconds (ms)
I think, from a DR point of view, you had better get an EP and a console or just an AIO on the disaster recovery site, and use routing rules/forwarding destinations. (If you configure domains, don't forget to tag.) You can also use the Content Management or Backup Restore to get the same configuration (NH, Asset, custom DSM...) on your site. Consider licensing too.
Hope this gives some ideas.
Answer by dwight s (IBM) (1330) | Dec 21, 2017 at 10:34 AM
hi @biswabhusan ..
Normally, we recommend against running HA peers in 2 different data centers, due to latency and network connectivity issues, as @zoldax mentions above. The requirements for at least 1Gbps (per HA pair) & <2ms latency time are normal requirements as well. Also, the HA peers need to be on the same subnet - if your data centers cannot provide the same subnet in both locations, then you cannot run HA across the two locations.
Latency is impacted by distance between the locations, and disk replication performance is -highly- affected by latency. If latency becomes too high, you can see increased load on the system and decreased disk IO performance, to the point of actually dropping data.
We did a review with a university customer who ran their HA peers "across campus", in 2 data center locations on campus that were around 1.5 kilometers apart. I believe they had 10Gbps between the systems and latency in their case was <1ms. I believe they went ahead with their HA implementation in that environment. Other than the increased risk of network outage between the hosts - there IS 1.5KM distance between them - they met the criteria we had set out for the environment, and I'm not aware of any issues that have come up.
dwight s.
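An added example, not part of either answer and not QRadar's own tooling: a Python pre-check of the three conditions named in the answers above (same subnet, latency under 2 ms, at least 1 Gbps per HA pair). The function names, addresses and ping output are constructed for illustration, and judging latency on the worst sample rather than the average is an assumption.

```python
import ipaddress
import re

MAX_LATENCY_MS = 2.0       # "less than 2 milliseconds" from the answers above
MIN_BANDWIDTH_GBPS = 1.0   # "minimum bandwidth of 1 Gbps" from the answers above
RTT_RE = re.compile(r"time[=<]([\d.]+)\s*ms")

# Constructed sample ping replies (not captured from a real deployment).
SAMPLE_CAMPUS = """64 bytes from 10.10.20.12: icmp_seq=1 ttl=64 time=0.41 ms
64 bytes from 10.10.20.12: icmp_seq=2 ttl=64 time=0.62 ms
64 bytes from 10.10.20.12: icmp_seq=3 ttl=64 time=0.55 ms"""
SAMPLE_WAN = """64 bytes from 10.30.5.12: icmp_seq=1 ttl=58 time=8.91 ms
64 bytes from 10.30.5.12: icmp_seq=2 ttl=58 time=9.34 ms"""

def parse_rtts(ping_output):
    """Return the per-reply round-trip times (ms) found in ping output."""
    return [float(m.group(1)) for m in RTT_RE.finditer(ping_output)]

def check_ha_prereqs(primary_cidr, secondary_cidr, ping_output, link_gbps):
    """Return a list of failed prerequisites; an empty list means all passed."""
    failures = []
    pri = ipaddress.ip_interface(primary_cidr)
    sec = ipaddress.ip_interface(secondary_cidr)
    # Same subnet: both HA peers must sit in the identical network.
    if pri.network != sec.network:
        failures.append(f"different subnets: {pri.network} vs {sec.network}")
    rtts = parse_rtts(ping_output)
    if not rtts:
        failures.append("no ping replies: latency unknown")
    elif max(rtts) >= MAX_LATENCY_MS:
        # Assumption: use the worst sample as the conservative figure.
        failures.append(f"latency {max(rtts):.2f} ms is not below {MAX_LATENCY_MS} ms")
    if link_gbps < MIN_BANDWIDTH_GBPS:
        failures.append(f"bandwidth {link_gbps} Gbps is below {MIN_BANDWIDTH_GBPS} Gbps")
    return failures

if __name__ == "__main__":
    print(check_ha_prereqs("10.10.20.11/24", "10.10.20.12/24", SAMPLE_CAMPUS, 10.0))
    print(check_ha_prereqs("10.10.20.11/24", "10.30.5.12/24", SAMPLE_WAN, 0.5))
```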