4 Configuring the Database Firewall

This chapter explains how to configure the Database Firewall on the network and how to configure traffic sources, bridges, and proxies.

4.1 About Configuring the Database Firewall

Configuring the system and firewall settings for each Database Firewall depends on your overall plan for deploying Oracle Audit Vault and Database Firewall.

When you configure each firewall, you identify the Audit Vault Server that will manage that firewall. Depending on your plan for the overall Oracle Audit Vault and Database Firewall system configuration, you also configure the firewall's traffic sources, and determine whether it will be inline or out of band with network traffic, and whether you will use it as a proxy.

Note:

  • The Audit Vault Server and the Database Firewall server are software appliances. You must not make any changes to the Linux operating system through the command line on these servers unless following official Oracle documentation or under guidance from Oracle Support.

  • Database Firewall adds minimal latency: less than 100 microseconds per SQL statement at 4000 transactions per second, based on internal performance tests.

Basic firewall configuration consists of these four steps:

  1. Managing the Database Firewall's Network and Services Configuration

  2. Setting the Date and Time in the Database Firewall

  3. Specifying the Audit Vault Server Certificate and IP Address

  4. Configuring Database Firewall and its Traffic Sources on Your Network

After configuring the Database Firewalls, perform the following tasks:

  • Configure enforcement points for each database secured target that the firewall is protecting.

  • You can optionally set up resilient pairs of Database Firewalls for a high availability environment.

4.2 Changing the UI (Console) Certificate for the Database Firewall

When you first access the Database Firewall administration console, you see a certificate warning or message. To avoid this type of message in the future, you can upload a new UI certificate signed by a relevant certificate authority.

Prerequisite

Log in to the Database Firewall administration console as an administrator. See Logging in to the Database Firewall Console UI for more information.

To change the UI certificate for the Database Firewall:

  1. Under System, click Change UI Certificate.
  2. In the Change UI Certificate page, click Generate a Certificate Request and download the certificate.csr file.

    The Generate Certificate Signing Request form is displayed, with the common name for the certificate. The certificate warnings are based on the common name used to identify the Audit Vault Server host.

  3. If you do not want to see the certificate warning when you access the Audit Vault Server console using its IP address instead of the host (common) name, check the Suppress warnings for IP based URL access checkbox.
  4. Fill out the form, and then click Generate.

    A confirmation message appears confirming that the request has been generated.

  5. Click Download, select Save File, and then save the .csr file in a selected location.
  6. Submit the saved .csr file to a certificate authority.
  7. Once the certificate authority issues a new certificate, to upload it, return to the UI Certificate page and click Upload the issued certificate to this Database Firewall.
  8. Browse for the new certificate .csr file, and then click Upload Certificate.

Note:

You may need to install the public certificate of the Certificate Authority in your browser, particularly if you are using your own public key infrastructure.

4.3 Managing the Database Firewall's Network and Services Configuration

4.3.1 Configuring Network Settings For A Database Firewall

The installer configures initial network settings for the Database Firewall during installation. You can change the network settings after installation.

Prerequisite

Log in to the Database Firewall administration console. See Logging in to the Database Firewall Console UI for more information.

To change the Database Firewall network settings:

  1. In the System menu, select Network.
  2. In the Network Configuration page, click the Change button.
  3. In the Management Interface section, complete the following fields as necessary.
    • IP Address: The IP address of the currently accessed Database Firewall. An IP address was set during installation. If you want to use a different address, then you can change it here. The IP address is static and must be obtained from the network administrator.

    • Network Mask: The subnet mask of the Database Firewall.

    • Gateway: The IP address of the default gateway (for example, for internet access). The default gateway must be on the same subnet as the host.

    • Name: Enter a descriptive name for this Database Firewall. The name must be alphanumeric with no spaces.

  4. In the Link Properties section, only change these settings if you are advised to do so by your network administrator.

    Auto-negotiation is the most common configuration and is the default.

  5. Click Save.

4.3.2 Configuring Network Services For A Database Firewall

The network services configuration determines how administrators can access the Database Firewall. See the guidelines to protect data and ensure that you take the appropriate security measures when configuring network services.

Prerequisite

Log in to the Database Firewall administration console. See Logging in to the Database Firewall Console UI for more information.

To configure network services for a Database Firewall:

  1. In the System menu, select Services.
  2. Click the Change button.
  3. In the Configure Network Services page, edit the following as necessary:
    • DNS Server 1, DNS Server 2, and DNS Server 3: If you require host names to be translated, then you must enter the IP address of at least one DNS server on the network. You can enter IP addresses for up to three DNS servers. Keep the fields blank if there is no DNS server, otherwise system performance may be impaired.

      If you want to use DNS, then ensure the servers are reliable. If the DNS servers are unavailable, then many services on the Database Firewall will not work. For example, the Database Firewall may pass traffic that it would otherwise block.

    • Web Access: If you want to enable selected computers to have Web access to the Database Firewall administration console, enter their IP addresses separated by spaces. Entering all allows access from any computer in your site.

    • SSH Access: If you want to allow selected computers to have secure shell access to the Database Firewall, enter their IP addresses separated by spaces. Enter disabled to block all SSH access. Enter all to allow unrestricted access.

    • SNMP Access: If you want to allow access to the network configuration of the Database Firewall through SNMP, enter a list of IP addresses that are allowed to do so, separated by spaces. Enter disabled to restrict all SNMP access. Enter all to allow unrestricted access.

    • SNMP Community String: Enter an SNMP community string (password) that is unique for this Oracle AVDF installation. It must not be the same password as any other password used for authentication. Confirm this string in the Confirm SNMP Community String field.

  4. Click Save.

4.4 Setting the Date and Time in the Database Firewall

Use this procedure to set the Database Firewall date and time:

Prerequisite

Log in to the Database Firewall administration console. See Logging in to the Database Firewall Console UI for more information.

To set the Date and Time in the Database Firewall:

  1. In the System menu, select Date and Time.
  2. In the Date and Time page, select Change.
  3. After System Time, enter the correct date and time in Coordinated Universal Time (UTC).
  4. (Optional) Under NTP Synchronization, select the Enable NTP Synchronization check box and then add 1 to 3 NTP server addresses in the fields provided.

    Selecting Enable NTP Synchronization keeps the time synchronized with the average of the time recovered from the time servers specified in the Server 1, Server 2, and Server 3 fields, which can contain an IP address or a name. If you specify a name, then the DNS server specified in the System Settings page is used for name resolution.

    To enable time synchronization, you also must specify the IP address of the default gateway and a DNS server.

    Selecting Synchronize Time After Save causes the time to be synchronized with the time servers when you click Save.

    WARNING:

    In DPE (blocking) mode, changing the time causes all enforcement points to restart, dropping existing connections to protected databases. This causes a temporary disruption to traffic, and will happen when you choose Synchronize Time After Save or enter the time directly.

  5. Click Save.

    See Also:

    Managing the Database Firewall's Network and Services Configuration to specify the IP address of the default gateway and DNS server.

4.5 Specifying the Audit Vault Server Certificate and IP Address

You must associate each Database Firewall with an Audit Vault Server by specifying the server's certificate and IP address, so that the Audit Vault Server can manage the firewall. If you are using a resilient pair of Audit Vault Servers for high availability, you must associate the firewall to both servers.

Note: You must specify the Audit Vault Server certificate and IP address to the Database Firewall (by following the procedure below) before you register the firewall in the Audit Vault Server.

To specify the Audit Vault Server certificate and IP address:

  1. Ensure that the system clocks for each server that you want to use for a Database Firewall and for the Audit Vault Server are synchronized.
  2. Log in to the Audit Vault Server administration console.
  3. Select Settings.
  4. In the Security menu, click Server Certificate.

    The server's certificate is displayed.

  5. Copy the server's certificate.
  6. Log in to the Database Firewall administration console.
  7. In the System menu, click Audit Vault Server.
  8. In the Audit Vault Server 1 IP Address field, enter the IP address of the Audit Vault Server.
  9. Paste the Audit Vault Server's certificate in the Audit Vault Server 1 Certificate field.
  10. If you are using a resilient pair of Audit Vault Servers, in the Audit Vault Server 2 area, add the IP address and certificate of this secondary Audit Vault server.

    Tip:

    The secondary Audit Vault Server does not have a console UI. However, you can get the secondary server's certificate from the primary server: In the Audit Vault Server console, click the Settings tab, then from the System menu, select High Availability. The secondary server's certificate is in the Secondary server certificate field.

  11. Click Apply.
  12. Register each firewall in the Audit Vault Server console, to complete the association of the Database Firewall to the Audit Vault Server.

4.6 Changing IP Address For A Single Instance Of Database Firewall Server

Use this procedure to change the IP address of the Database Firewall Server.

Before you begin

Change the IP address of the Database Firewall Server during a maintenance window, so that the collection of logs is not interrupted.

To change the IP address of the Database Firewall Server:

  1. Log in to the Database Firewall Web User Interface console as the FWADMIN user.
  2. Click SYSTEM, and then click Network in the left navigation bar.
  3. The IP address of the Database Firewall Server is displayed on the Management Interface tab.
  4. Scroll to the bottom of the Network Configuration page and click Change to change the IP address of the Database Firewall Server.
  5. Remove the existing IP address and enter the new one provided by your network administrator.
  6. Click Save.
    Result:

    A Settings saved message is displayed on the screen. The new IP address appears on the Management Interface tab, confirming the change.

    The change takes effect immediately on the Database Firewall, although it may take a few seconds for the network update to complete and for the system to settle.

  7. As the root user, change the IP address in the /etc/hosts file to the new one.
  8. After the IP address of the Database Firewall Server has been changed using the UI console, update this information in the Audit Vault Server: click Database Firewalls under the Database Firewalls menu.
  9. Check the IP address listed in the UI console.
  10. The Database Firewall instance whose IP address was changed is shown as Offline. Click the link under the Name field. This is the name of the Database Firewall and is similar to the one assigned to the Database Firewall system appliance.
  11. The Modify Database Firewall screen appears. Enter the new IP address and click Save.
  12. After the changes are saved, certificate validation may fail. Click the name of the Database Firewall and then click Update Certificate.
  13. After the certificate is updated, the Database Firewalls tab is displayed and the Database Firewall Server is online.

Note:

Once the Database Firewall Server is back online, it begins to download any Enforcement Point log data that was not downloaded while it was offline.

4.7 Configuring Database Firewall and its Traffic Sources on Your Network

4.7.1 About Configuring The Database Firewall And Traffic Sources On Your Network

During your planning of the network configuration, you must decide whether to place Database Firewall inline with traffic to your secured target databases, or out of band (for example, using a spanning or mirror port). You may also decide to use a firewall as a traffic proxy. The network configuration is impacted by whether the Database Firewall will operate in DAM (monitoring only) or DPE (blocking) mode.

Using the Database Firewall administration console, you configure traffic sources for each firewall, specifying whether the sources are inline with network traffic, and whether the firewall can act as a proxy.

You will use traffic and proxy sources of a firewall to configure enforcement points for each secured target database you are monitoring with that firewall.

4.7.2 Configuring Traffic Sources

Traffic sources specify the IP address and network interface details for the traffic going through a Database Firewall. Traffic sources are automatically configured during the installation process, and you can change their configuration details later.

Prerequisite

Log in to the Database Firewall administration console. See Logging in to the Database Firewall Console UI for more information.

To change the configuration of traffic sources:

  1. In the System menu, click Network.

    In the Network Configuration page, the current network settings are displayed. These include a range of detailed information, such as the Database Firewall network settings, proxy ports, traffic sources, network interfaces, and any enabled bridges.

  2. Click the Change button.
  3. Scroll to the Traffic Sources section and change the following settings as necessary:
    • To remove a traffic source, click the Remove button next to the traffic source name.

    • Edit the IP address or Network Mask fields as necessary.

    • To enable or disable a bridge, check or uncheck the Bridge Enabled check box. You can only enable a bridge if the traffic source has two network interfaces in the Devices area.

    • To remove a network interface (that is, a network card) from the traffic source, in the Device area, click the Remove button for the device that you want to remove.

    • To add a network interface to a traffic source, scroll to the Unallocated Network Devices section, and from the Traffic Source drop-down list, select the name of the traffic source to which you want to add this device.

  4. Click Save.

    See Also:

    Configuring a Bridge in the Database Firewall to enable or disable a bridge.

4.7.3 Configuring a Bridge in the Database Firewall

Before you configure a bridge in the Database Firewall, ensure that the following is in place:

  • Ensure that the Database Firewall is inline with network traffic (or configured as a proxy) if it is to be used in blocking mode (DPE) to block potential SQL attacks.

  • If the Database Firewall is not in proxy mode, then allocate an additional IP address that is unique to the database network, to enable a bridge.

  • Oracle Audit Vault and Database Firewall uses the bridge IP address to redirect traffic within the Database Firewall. When the Database Firewall is used as a proxy, you do not need to allocate this additional IP address.

  • To enable a traffic source as a bridge, ensure that this traffic source has two network interfaces. These network interface ports must connect the Database Firewall in-line between the database and its clients (whether Database Policy Enforcement or Database Activity Monitoring mode is used).

Note:

  • The IP address of the bridge must be on the same subnet as all secured target databases when the Database Firewall is in DPE mode using that bridge. This restriction does not apply when the Database Firewall is deployed in DAM mode.

  • If the Database Firewall's management interface (specified in the console's Network page) and the bridge are connected to physically separate networks that are on the same subnet, the Database Firewall may route responses out of the wrong interface. If physically separate networks are required, use different subnets.

  • In-line bridge mode is deprecated in 12.2.0.8.0, and will be desupported in 19.1.0.0.0. It is advisable to use proxy mode as an alternative.

To configure the Database Firewall bridge IP address:

  1. Log in to the Database Firewall administration console.

  2. In the System menu, click Network.

  3. In the Management Interface page, click the Change button.

  4. In the Traffic Sources section, find the traffic source that you want to configure as a bridge.

    This traffic source must have two network interfaces, which are listed in the Devices table. You can add an interface if necessary from the Unallocated Network Interfaces section of the page.

  5. Select Bridge Enabled for this traffic source.

  6. If necessary, edit the IP Address or Network Mask settings.

    The bridge IP address is used to redirect traffic within the Database Firewall.

  7. Click Save.

4.7.4 Configuring Oracle Database Firewall As A Traffic Proxy

Learn about configuring a firewall as a traffic proxy.

Depending on your network configuration, you may prefer to configure a traffic proxy in the Database Firewall instead of a bridge inline with network traffic. You can then associate the proxy with an enforcement point. You can also specify multiple ports for a proxy in order to use them for different enforcement points.

Once you set up the Database Firewall as a traffic proxy, your database clients connect to the database using the Database Firewall proxy IP and port.

To configure a traffic proxy:

  1. Log in to the administration console of the Database Firewall that is acting as a proxy.
  2. In the System menu, click Network.
  3. In the Network Configuration page, click the Change button.
  4. In the Unallocated Network Interfaces section of the page, find an available network interface, and select Traffic Proxy in Traffic Source drop-down list.

    To free up additional network interfaces, you can remove them from an existing traffic source or traffic proxy by clicking the Remove button for the network interface(s) you want to free up.

  5. Click Add.

    The new traffic proxy appears under the Traffic Proxies area of the page.

  6. Under the new proxy, select Enabled.
  7. In the Proxy Ports section for the new proxy, enter a port number, and then click Add.

    You can specify more than one proxy port by entering another port number and clicking Add.

  8. Check Enabled next to the port number(s).
  9. Click Save. The traffic proxy is now available to use in an Enforcement Point.

4.8 Configuring an Interface Masters Niagara Server Adapter Card

Learn how to configure an Interface Masters Niagara Server adapter card.

Caution:

Oracle Audit Vault and Database Firewall release 12.2.0.11.0 does not support Niagara cards. Do not upgrade to this release if you use Niagara cards.

Use this procedure to configure an Interface Masters Niagara Server Adapter Card. The drivers are available when you install Oracle Audit Vault and Database Firewall.

  1. Log in to the Database Firewall command shell as the root user.

  2. Edit the /etc/init.d/dbfw.niagara file as follows:

    1. Find the line INSTALLED_NIAGARA_CARDS=0.

    2. Change the 0 to match the number of installed Niagara cards for this Database Firewall.

  3. Restart the Database Firewall.

4.9 Viewing the Status and Diagnostics Report for a Database Firewall

To view the status and/or diagnostic report for a Database Firewall:

  1. Log in to the Database Firewall administration console.
  2. In the System menu, click Status.

    The Status page is displayed by default. The Status page displays the uptime, software version, component versions, grammar pack versions, free space, and diagnostic status for this Database Firewall.

    The text next to Diagnostic Status indicates OK or Errors.

  3. Next to the Diagnostic Status field, select one of the following:
    • Show Report to see an overview of diagnostic status.

    • Download Diagnostics to download all diagnostics files.

4.10 Configure and Download the Diagnostics Report File

Learn about configuring and downloading the diagnostics report file.

This section describes how to enable, configure, and modify the way diagnostic reports are generated using the command line.

Note:

You need root user privileges to perform these tasks.

Starting with release 12.2.0.6.0, the diagnostic report is not enabled by default. You must enable the feature to capture the diagnostic report. Once enabled, you must configure the information that is to be captured in the diagnostic report. You can customize and package the diagnostics report with flexibility.

The following file contains instructions about how to install, enable, and run the diagnostic utility:

diagnostics-not-enabled.readme

See Also:

This file is generated only if you follow the instructions for downloading the diagnostics report. See Viewing the Status and Diagnostics Report for a Database Firewall for more information.

Use the following commands to accomplish certain tasks related to diagnostics.

  Command: /usr/local/dbfw/bin/priv/dbfw-diagnostics-package.rb
  Action: Captures the enabled diagnostic information for the appliance. The location of the saved zip file is displayed at the end of the command execution.

    Note: This command must be run from /usr/local/dbfw/tmp when collecting diagnostics information.

  Command: /usr/local/dbfw/bin/priv/dbfw-diagnostics-package.rb --install
  Action: Enables the system to capture the diagnostics report.

  Command: /usr/local/dbfw/bin/priv/dbfw-diagnostics-package.rb --enable ALL
  Action: Enables capturing the complete diagnostics report.

  Command: /usr/local/dbfw/bin/priv/dbfw-diagnostics-package.rb --enable <Element>
  Action: Enables individual elements in the diagnostics report.

The following elements can be included while customizing the diagnostics report:

SYSTEM
LOG
DATABASE
AVS_ARCHIVE
DBFW_ARCHIVE
PLATFORM_COMMANDS
AVS_HA_COMMANDS
AVS_COMMANDS
DBFW_COMMANDS

The content of the diagnostics report is controlled by the file /usr/local/dbfw/etc/dbfw-diagnostics-package.yml. The user can modify this file to include and exclude a combination of files in multiple categories. Each section of this file has an option to enable and disable the specific category by setting the value to true or false.

For example, to add an item to one of the log file collections simply add the file path or glob to the list under the :files: element.

  :log_files:
    :comment: Log files generated by the system runtime, install and upgrade.
    :enabled: false
    :platform:
    - AVS
    - DBFW
    :files:
    - /root/apply.out
    - /root/install.log
    - /root/install.log.syslog
    - /root/install_database_api.log
    - /root/migration-stats-*.yml
    - /root/once.log
    - /root/pre_firstboot_logs/partition-include
    - /root/pre_firstboot_logs/partitions_error
    - /root/pre_firstboot_logs/syslog
    - /var/lib/avdf/system_history.yaml
    - /var/log
    - /path/to/new/file
    - /path/to/new/*glob

To add a new command output to the log, add the command to the correct group. The command is given as a list (the program name as a symbol, followed by its arguments), and the output is written to the file named by :logfile:

    :all_commands:
      :comment: Command output to include in the diagnostics package.
      :enabled: false
      :platform:
      - AVS
      - DBFW
      :commands:
        :cpuinfo:
          :enabled: true
          :command:
          - :cat
          - /proc/cpuinfo
          :logfile: /proc-cpuinfo.log
        :diskuse:
          :enabled: true
          :command:
          - :df
          - -kP
          :logfile: /disk-usage.log
        :new_command:
          :enabled: true
          :command:
          - :new_command
          - -arg1
          - -arg2
          :logfile: /new-command.log
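Because the commands listed in this file are run with root privileges by the diagnostics tool, it is worth checking an edited file before enabling it. The following Ruby script is an added example, not code from Oracle's documentation or from dbfw-diagnostics-package.rb: it parses a constructed fragment in the same layout, reports which files would be collected and which commands would run for a given platform, and flags structurally broken entries. The :avs_only_logs category and the sample values are assumptions made for the example.

```ruby
require 'yaml'

# Constructed sample in the layout of dbfw-diagnostics-package.yml; the
# :avs_only_logs category is hypothetical and not part of the shipped file.
SAMPLE_YML = <<~YAML
  :log_files:
    :enabled: true
    :platform:
    - AVS
    - DBFW
    :files:
    - /root/install.log
    - /var/log
  :avs_only_logs:
    :enabled: true
    :platform: [AVS]
    :files: [/var/lib/avdf/system_history.yaml]
  :all_commands:
    :enabled: true
    :platform:
    - AVS
    - DBFW
    :commands:
      :cpuinfo:
        :enabled: true
        :command:
        - :cat
        - /proc/cpuinfo
        :logfile: /proc-cpuinfo.log
      :diskuse:
        :enabled: false
        :command:
        - :df
        - -kP
        :logfile: /disk-usage.log
YAML

# Only Symbol is permitted (the keys are YAML symbols), so a tampered file cannot instantiate other objects.
def load_diag_config(text)
  YAML.safe_load(text, permitted_classes: [Symbol])
end

# Categories that are enabled and list +platform+ ("AVS" or "DBFW").
def active_sections(config, platform)
  config.select do |_name, section|
    section.is_a?(Hash) && section[:enabled] == true &&
      Array(section[:platform]).include?(platform)
  end
end

# File paths and globs that would be collected on +platform+.
def files_to_collect(config, platform)
  active_sections(config, platform).flat_map { |_n, s| Array(s[:files]) }
end

# Enabled commands as argv arrays (symbols such as :cat become strings) plus their log file;
# an argv array can be handed to Process.spawn without a shell, so arguments are not shell-interpreted.
def commands_to_run(config, platform)
  active_sections(config, platform).flat_map do |_n, s|
    (s[:commands] || {}).values.select { |c| c.is_a?(Hash) && c[:enabled] == true }
                        .map { |c| { argv: Array(c[:command]).map(&:to_s), logfile: c[:logfile] } }
  end
end

# Structural problems an edit could introduce: a non-boolean :enabled, or a command entry without a list and log file.
def validation_errors(config)
  config.flat_map do |name, sec|
    next ["#{name}: not a mapping"] unless sec.is_a?(Hash)
    errs = [true, false].include?(sec[:enabled]) ? [] : ["#{name}: :enabled must be true or false"]
    (sec[:commands] || {}).each do |cname, c|
      ok = c.is_a?(Hash) && c[:command].is_a?(Array) && c[:logfile]
      errs << "#{name}/#{cname}: needs a :command list and a :logfile" unless ok
    end
    errs
  end
end
```

Run it against a copy of the real file (as root, since the file is under /usr/local/dbfw/etc) to preview the collection plan before running dbfw-diagnostics-package.rb.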

Note:

To remove the diagnostic package when it is not in use, run the following command:

/usr/local/dbfw/bin/priv/dbfw-diagnostics-package.rb --remove