M Multiple Network Interface Cards
The Audit Vault Server (AVS) supports network separation through addition and initialization of additional network interfaces.
M.1 About Multiple Network Interface Cards
Oracle Audit Vault and Database Firewall enables additional network interfaces to allow some services to be accessible on networks other than the default management interface.
Oracle Audit Vault and Database Firewall supports multiple network interface cards. The Audit Vault Server console can only be used to modify secondary NICs of the Database Firewall. The config-nic command must be used to modify the secondary NICs for the Audit Vault Server only.
Note:
Oracle AVDF appliances support only 1 NIC (Network Interface Card) with an IP address per subnet. This can be a secondary NIC or a NIC used for monitoring traffic. If higher throughput or redundancy is an issue, then see Bonding of Network Interface Cards.
Perform the following steps in the Audit Vault Server console to view and manage the network interface cards for Database Firewall.
- Log in to the Audit Vault Server console as administrator.
- Click the Database Firewalls tab.
- Select a specific Database Firewall instance.
- In the main page, under the Configuration section, click the Network Settings link.
- Starting in Oracle AVDF 20.12, if the Synchronize NICs button is disabled, proceed to the next step. If the Synchronize NICs button is active, click it, because the AVS has detected NIC name changes in the Database Firewall that must be synchronized.
- Select a NIC name on the Database Firewall for all the devices. If a device is no longer available on the Database Firewall and is no longer required on the AVS, select not required.
- After mapping each device, select Save.
- In the Network Settings dialog, click on a specific network interface card.
- Select the specific network interface that needs to be modified. The Network Interface Settings dialog is displayed. It can be used to view and manage the secondary network interface cards.
Note:
The Database Firewall diagnostics package can be installed. After the installation, the commands executed for the Audit Vault Server can be executed on the Database Firewall.
The secondary network interfaces can be enabled and modified for the Audit Vault Server. Log in to the Audit Vault Server as support user and then switch user to root, to execute these commands.
Action | Command |
---|---|
To display the current status of the configured NICs on the appliance. | |
To display the settings of a single network interface on the Audit Vault Server. | |
To bring a secondary NIC online. The NIC must be configured with an IP, mask, and gateway (optional and not advisable). | |
To disable a secondary network interface. | |
To delete the setting of a secondary network interface. | |
M.2 Enabling SSH on a Secondary Network Interface Card
Use this procedure to enable SSH on a secondary network interface card for Audit Vault Server and Database Firewall.
To enable and configure SSH on a secondary network interface card, follow these steps:
M.3 Enabling Agent Connectivity on a Secondary NIC for Audit Vault Server 20.7 and Earlier
Use this procedure to enable Agent connectivity on a secondary network interface card for Audit Vault Server version 20.7 and earlier.
After a secondary NIC (network interface card) is online, you can enable it for communication between the Audit Vault Agent and the target database. This topic describes how to enable the Agent connectivity on secondary network interface cards in Oracle AVDF release 20.7 and earlier.
To enable agent connectivity on secondary network interface cards for Audit Vault Server release 20.7 and earlier:
M.4 Enabling Agent Connectivity on a Secondary NIC for Audit Vault Server 20.8 and Later
Use this procedure to enable Agent connectivity on a secondary network interface card for Audit Vault Server version 20.8 and later.
After a secondary NIC (network interface card) is online, you can enable it for communication between the Audit Vault Agent and the target database. This topic describes how to enable the Agent connectivity on secondary network interface cards in Oracle AVDF release 20.8 and later.
To enable agent connectivity on secondary network interface cards for Audit Vault Server release 20.8 and later:
M.5 Enabling the Agent for High Availability Connection on a Secondary NIC for Audit Vault Server
Use this procedure to enable the Audit Vault Agent for high availability connection on a secondary network interface card for Audit Vault Server.
If the Audit Vault Agent is being run on a high availability pair of appliances, the secondary NIC must be enabled on the standby appliance (Audit Vault Server or Database Firewall). High availability involves a pair of Audit Vault Server instances or a pair of Database Firewall instances. Additional entries must also be made to the dbfw.conf file of both appliances.
To enable Audit Vault Agent connectivity on secondary network interface cards for Audit Vault Server in a high availability environment:
M.6 Bonding of Network Interface Cards
This section contains information on bonding of Database Firewall Network Interface cards.
Oracle Audit Vault and Database Firewall 20 supports bonding of Network Interface cards for Database Firewall only. This bonding functionality is used by the Database Firewall monitoring points. Bonding increases bandwidth and supports redundancy of the network connections on the appliance.
Note:
The Database Firewall command-line interface (CLI) creates a bond interface with the default configuration for the operating system. To configure specific bonding controls, use the operating system. See the Create Network Bonds using Network Manager CLI documentation or Configuring Network Bonding in the Oracle Linux 8 documentation for details on creating network bonds in Oracle Linux.
Run the following command to check for bonding between network interface cards:
/opt/avdf/config-utils/bin/config-bond
The command output displays information about the composite device.
Run the following command to bond multiple network interface cards and give the composite device an IP address:
/opt/avdf/config-utils/bin/config-bond add device=bond0 components=enp0s18,enp0s19 ip4addr=192.0.2.10 ip4mask=255.255.255.0 ip4gateway=192.0.2.1 state=true
/opt/avdf/config-utils/bin/config-bond add device=bond0 components=enp0s18,enp0s19 state=true
Upon establishing the bonding, the following confirmation message is displayed:
config-bond add ...
Run the following command to delete a bonded device:
/opt/avdf/config-utils/bin/config-bond delete device=bond0
The following confirmation message is displayed:
config-bond delete ...
Run the following command to remove the existing bonding between network interfaces:
/opt/avdf/config-utils/bin/config-bond delete device=bond0
The following is the output:
Notice: Settings deleted.
:device: bond0
:components:
- enp0s9
- enp0s8
:description:
:ip_address: 192.0.2.20
:network_mask: 255.255.255.0
:gateway: ''
:enabled: true
Note:
- Run the following command to get help for the bonding of network interfaces:
  /opt/avdf/config-utils/bin/config-bond help
- It is not possible to create bonding of two network interface cards using the interfaces on which the monitoring point already exists. In this case, disable the existing monitoring point, create bonding between the network interface cards, and then use the newly created bond name to configure the monitoring point.
M.7 Configuring Routing on Secondary Network Interface Cards
The following table contains the necessary information to view and set routing for the secondary network interface cards on Audit Vault Server and Database Firewall. Log in to the terminal as root user to run the commands listed in the table.
Task | Command | Output |
---|---|---|
To view the existing routing configuration on the network interface card. | | |
To set the gateway. Note: A gateway must be assigned to only one device. Although it is possible to assign a gateway to multiple devices, doing so introduces system instability. In most cases the gateway must be assigned to only the default management interface device that is configured during installation. | | |
To set a custom static route. | For example: | |
To set multiple routes at the same time. Note: Although the routes are assigned to a single device, the routing table applies to all devices. | For example: | |
To add a single static route. | For example: | |
To delete a single static route. | For example: | |
To delete all static routes. | | |
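The note in M.1 (only 1 NIC with an IP address per subnet) and the gateway note in the table above can both be checked against a planned layout before any change is applied. The following Python sketch is an added example, not Oracle code: it assumes the per-device settings are available as text in the ":key: value" layout of the config-bond output shown in M.6, and the sample data and the function names parse_records and check_layout are constructed for illustration.

```python
import ipaddress

# Constructed sample (made-up devices and addresses) in the ":key: value" layout.
SAMPLE = """\
:device: enp0s3
:ip_address: 192.0.2.10
:network_mask: 255.255.255.0
:gateway: 192.0.2.1
:device: bond0
:components:
- enp0s9
- enp0s8
:ip_address: 192.0.2.20
:network_mask: 255.255.255.0
:gateway: ''
:device: enp0s10
:ip_address: 198.51.100.5
:network_mask: 255.255.255.0
:gateway: 198.51.100.1
"""

def parse_records(text):
    """Return one dict per ':device:' entry; '- x' lines become components."""
    records = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("- ") and records:
            records[-1].setdefault("components", []).append(line[2:].strip())
        elif line.startswith(":"):
            key, _, value = line[1:].partition(":")
            if key == "device":
                records.append({})
            if records and key != "components":
                records[-1][key] = value.strip().strip("'")
    return records

def check_layout(records):
    """Flag several addressed NICs in one subnet and a gateway on several devices."""
    subnets = {}
    for r in (r for r in records if r.get("ip_address")):
        net = ipaddress.ip_network(f"{r['ip_address']}/{r['network_mask']}", strict=False)
        subnets.setdefault(net, []).append(r["device"])
    gateways = [r["device"] for r in records if r.get("gateway")]
    findings = [f"more than one addressed NIC in {n}: {', '.join(d)}"
                for n, d in subnets.items() if len(d) > 1]
    if len(gateways) > 1:
        findings.append("gateway assigned to more than one device: " + ", ".join(gateways))
    return findings

if __name__ == "__main__":
    print("\n".join(check_layout(parse_records(SAMPLE))))
```

With the constructed sample, both rules are violated: enp0s3 and bond0 share 192.0.2.0/24, and two devices carry a gateway.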
M.8 Changing a New or Secondary NIC to the Management NIC
You can change a new or secondary network interface card (NIC) to the management NIC.
The management NIC is usually the main NIC of the appliance (Audit Vault Server or Database Firewall). It is attached to the default gateway.
Note:
Alternately, you can change the NIC by turning off the appliance (Audit Vault Server or Database Firewall). Then replace the eth0 device with the new one in the same slot. The eth0 device is replaced with the new one when the server is restarted.