M Multiple Network Interface Cards

The Audit Vault Server (AVS) supports network separation through addition and initialization of additional network interfaces.

M.1 About Multiple Network Interface Cards

Oracle Audit Vault and Database Firewall enables additional network interfaces to allow some services to be accessible on networks other than the default management interface.

Oracle Audit Vault and Database Firewall supports multiple network interface cards. The Audit Vault Server console can be used only to modify the secondary NICs of a Database Firewall. To modify the secondary NICs of the Audit Vault Server itself, the config-nic command must be used.

Note:

Oracle AVDF appliances support only 1 NIC (Network Interface Card) with an IP address per subnet. This can be a secondary NIC or a NIC used for monitoring traffic. If higher throughput or redundancy is an issue, then see Bonding of Network Interface Cards.

Perform the following steps in the Audit Vault Server console to view and manage the network interface cards for Database Firewall.

  1. Log in to the Audit Vault Server console as administrator.
  2. Click the Database Firewalls tab.
  3. Select a specific Database Firewall instance.
  4. In the main page, under the Configuration section, click Network Settings link.
  5. Starting in Oracle AVDF 20.12, if the Synchronize NICs button is disabled, proceed to the next step. If the Synchronize NICs button is active, click it: the AVS has detected NIC name changes on the Database Firewall that must be synchronized.
    1. Select a NIC name on the Database Firewall for all the devices. If a device is no longer available on the Database Firewall and is no longer required on the AVS, select not required.
    2. After mapping each device, select Save.
  6. In the Network Settings dialog, click on a specific network interface card.
  7. Select the specific network interface that needs to be modified. The Network Interface Settings dialog is displayed. It can be used to view and manage the secondary network interface cards.

Note:

The Database Firewall diagnostics package can be installed. After the installation, the commands executed for the Audit Vault Server can be executed on the Database Firewall.

The secondary network interfaces can be enabled and modified for the Audit Vault Server. Log in to the Audit Vault Server as support user and then switch user to root, to execute these commands.

Action: To display the current status of the configured NICs on the appliance.
Command: /opt/avdf/config-utils/bin/config-nic show

Action: To display the settings of a single network interface on the Audit Vault Server.
Command: /opt/avdf/config-utils/bin/config-nic show device=enp0s8

Action: To bring a secondary NIC online. The NIC must be configured with an IP address, network mask, and gateway (optional and not advisable).
Command: /opt/avdf/config-utils/bin/config-nic set device=enp0s8 ip_address=192.0.2.9 network_mask=255.255.255.0 enabled=true

Action: To disable a secondary network interface.
Command: /opt/avdf/config-utils/bin/config-nic set device=enp0s8 enabled=false

Action: To delete the settings of a secondary network interface.
Command: /opt/avdf/config-utils/bin/config-nic delete device=enp0s8

M.2 Enabling SSH on a Secondary Network Interface Card

Use this procedure to enable SSH on a secondary network interface card for Audit Vault Server and Database Firewall.

To enable and configure SSH on a secondary network interface card, follow these steps:

  1. Execute the command config-nic to bring the NIC online.
  2. The NIC must be configured with an IP, mask, and gateway (optional). Execute the following command:
  3. The dbfw.conf file contains the settings of the secondary network interface card. To enable SSH, modify the settings as follows:
    NET_SERVICE_MAP="{"enp0s8":{"ip4":{"address":"192.0.2.9/24","gateway":"","enabled":true},"ssh":{"port":"22","access_list":["192.0.2.1"]}}}"
  4. The access_list field can be used with the following attributes:
    • "all": The iptables rules allow any IP address to connect through SSH.
    • "disabled": The iptables rules reject all incoming connections for SSH on this NIC.
    • An array of IP addresses separated by a comma and a space. Only these IP addresses are permitted to access the SSH port on the NIC. For example: ["192.0.2.11","192.0.2.12"]
  5. Ensure a valid port number on the appliance is mentioned in the Port field.

M.3 Enabling Agent Connectivity on a Secondary NIC for Audit Vault Server 20.7 and Earlier

Use this procedure to enable Agent connectivity on a secondary network interface card for Audit Vault Server version 20.7 and earlier.

After a secondary NIC (network interface card) is online, you can enable it for communication between the Audit Vault Agent and the target database. This topic describes how to enable the Agent connectivity on secondary network interface cards in Oracle AVDF release 20.7 and earlier.

To enable agent connectivity on secondary network interface cards for Audit Vault Server release 20.7 and earlier:

  1. Run the command config-nic to bring a NIC online.
  2. The dbfw.conf file contains the settings of the secondary network interface card. To enable access to the Audit Vault Agent, modify the settings as follows:
    NET_SERVICE_MAP="{"enp0s8":{"ip4":{"address":"192.0.2.9/24","gateway":"","enabled":true},"agent":{"port":"1521","tls_port":"1522","access_list":["192.0.2.1"]}}}"
  3. The access_list field can be used with the following attributes:
    • "all": The iptables rules allow any IP address to connect to the Audit Vault Agent.
    • "disabled": The iptables rules reject all incoming connections for the Audit Vault Agent on this NIC.
    • An array of IP addresses separated by a comma and a space. Only these IP addresses are permitted to access the Agent port on the NIC. For example: ["192.0.2.11","192.0.2.12"]
  4. Ensure a valid port number on the appliance is mentioned in the Port field.
  5. Run the following command to apply the Agent settings and enable the changes to the network configuration:
    /usr/local/dbfw/bin/priv/configure-networking

    Note:

    If this command is not run, then the changes made are not applied and the Audit Vault Agent does not work on the secondary NIC.
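The NET_SERVICE_MAP entries in M.2 and M.3 are the place where a secondary NIC is opened to SSH or Agent traffic, so they are worth reviewing before configure-networking applies them. The following is an added example, not part of the Oracle documentation or the appliance's own tooling: it parses a dbfw.conf excerpt of the form shown above (assuming, as the page shows, that the JSON object is wrapped in one pair of unescaped double quotes), validates ports and access_list values, and flags any ssh or agent service whose access_list is "all". The sample configuration text is constructed; whether dbfw.conf expects the keywords as a bare string or a one-element array is not shown on the page, so both forms are accepted.

```python
import ipaddress
import json

# Constructed dbfw.conf excerpt, modelled on the NET_SERVICE_MAP entries in M.2 and M.3.
# The value wraps the JSON object in a single pair of double quotes, as the page shows it.
SAMPLE_CONF = """
DEFAULT_DEVICE=eth0
NET_SERVICE_MAP="{"enp0s8":{"ip4":{"address":"192.0.2.9/24","gateway":"","enabled":true},"ssh":{"port":"22","access_list":["192.0.2.1"]},"agent":{"port":"1521","tls_port":"1522","access_list":"all"}}}"
"""


def parse_net_service_map(conf_text):
    """Return the NET_SERVICE_MAP value from dbfw.conf text as a Python dict.

    Assumption: the inner quotes are not escaped, so only the outermost pair of
    double quotes is stripped before the remainder is parsed as JSON.
    """
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("NET_SERVICE_MAP="):
            value = line[len("NET_SERVICE_MAP="):]
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]
            return json.loads(value)
    raise ValueError("NET_SERVICE_MAP not found in dbfw.conf text")


def check_access_list(acl):
    """Return problems with an access_list: it must be "all", "disabled", or a list
    of IPv4 addresses. The keyword is accepted either as a bare string or as a
    one-element list (assumption: the page does not show which form is expected)."""
    if acl in ("all", "disabled", ["all"], ["disabled"]):
        return []
    if not isinstance(acl, list):
        return ["access_list must be 'all', 'disabled' or a list of IP addresses"]
    problems = []
    for entry in acl:
        try:
            ipaddress.IPv4Address(entry)
        except ValueError:
            problems.append(f"invalid IPv4 address in access_list: {entry!r}")
    return problems


def valid_port(value):
    """True when value is an integer (or integer-looking string) in 1..65535."""
    try:
        return 1 <= int(value) <= 65535
    except (TypeError, ValueError):
        return False


def is_open_to_all(acl):
    return acl in ("all", ["all"])


def audit_services(service_map):
    """Walk every device/service pair and return (device, service, message) findings.

    Besides structural errors, it flags any ssh or agent service whose access_list
    is "all", because that exposes the port to every host that can reach the NIC.
    """
    findings = []
    for device, cfg in service_map.items():
        ip4 = cfg.get("ip4", {})
        try:
            ipaddress.IPv4Interface(ip4.get("address", ""))
        except ValueError:
            findings.append((device, "ip4", f"address is not a valid IPv4 CIDR: {ip4.get('address')!r}"))
        if not isinstance(ip4.get("enabled"), bool):
            findings.append((device, "ip4", "enabled must be a JSON boolean"))
        for service in ("ssh", "agent"):
            if service not in cfg:
                continue
            svc = cfg[service]
            for key in ("port", "tls_port"):
                if key in svc and not valid_port(svc[key]):
                    findings.append((device, service, f"{key} is not a valid port: {svc[key]!r}"))
            for problem in check_access_list(svc.get("access_list")):
                findings.append((device, service, problem))
            if is_open_to_all(svc.get("access_list")):
                findings.append((device, service, "access_list is 'all': reachable from any source address"))
    return findings


if __name__ == "__main__":
    for finding in audit_services(parse_net_service_map(SAMPLE_CONF)):
        print(*finding, sep=" | ")
```

Run against the constructed excerpt, the only finding is the agent service on enp0s8, whose access_list of "all" makes ports 1521 and 1522 reachable from every host on that NIC's network; the SSH service, restricted to 192.0.2.1, passes.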

M.4 Enabling Agent Connectivity on a Secondary NIC for Audit Vault Server 20.8 and Later

Use this procedure to enable Agent connectivity on a secondary network interface card for Audit Vault Server version 20.8 and later.

After a secondary NIC (network interface card) is online, you can enable it for communication between the Audit Vault Agent and the target database. This topic describes how to enable the Agent connectivity on secondary network interface cards in Oracle AVDF release 20.8 and later.

To enable agent connectivity on secondary network interface cards for Audit Vault Server release 20.8 and later:

  1. Use the following command to activate the specific NIC required for the Audit Vault Agent:
    config-nic
  2. Run the following example command to enable device enp0s9 in the local network:
    /opt/avdf/config-utils/bin/config-nic set device=enp0s9 ip_address=192.0.2.24 network_mask=255.255.255.0 enabled=true

    Note:

    Do not add a gateway to a secondary NIC if it has already been assigned in the system configuration.
  3. Use the following command to add the Audit Vault Agent configuration:
    config-agent
  4. Run the following example command to enable Audit Vault Agent connectivity on the specific ports using the device enp0s9 from the Agent host machine:
    /opt/avdf/config-utils/bin/config-agent set device=enp0s9 port=12345 tls_port=12346 access_list=all

    Note:

    Enable the Audit Vault Agent for high availability as per the requirement. See Enabling the Agent for High Availability Connection on a Secondary NIC for Audit Vault Server for complete information.

M.5 Enabling the Agent for High Availability Connection on a Secondary NIC for Audit Vault Server

Use this procedure to enable the Audit Vault Agent for high availability connection on a secondary network interface card for Audit Vault Server.

Prerequisite: This procedure must be performed prior to pairing the appliances (Audit Vault Server or Database Firewall) for high availability.

If the Audit Vault Agent is being run on a high availability pair of appliances, the secondary NIC must be enabled on the standby appliance (Audit Vault Server or Database Firewall). High availability involves a pair of Audit Vault Server instances or a pair of Database Firewall instances. Additional entries must also be made to the dbfw.conf file of both appliances.

To enable Audit Vault Agent connectivity on secondary network interface cards for Audit Vault Server in a high availability environment:

  1. Enable the Audit Vault Agent for high availability connection. Open the dbfw.conf file and scroll to the bottom where you will see automatically generated entries similar to the following:
    
    SECONDARY_NIC_1_DEVICE         = enp0s8 
    SECONDARY_NIC_1_ADDRESS        = enp0s8:ip4:address:192.168.90.9 
    SECONDARY_NIC_1_AGENT_PORT     = enp0s8:agent:port:1521 
    SECONDARY_NIC_1_AGENT_PORT_TLS = enp0s8:agent:port:1522
    

    Note:

    If these entries are missing, see the previous topic for how to generate them.
  2. Depending on the number of secondary NICs configured for Agent connectivity, there may be more than one block of SECONDARY_NIC_[N]_ values. Select the block with the correct IP address and add the following field:
    SECONDARY_NIC_1_ADDRESS_HA="<IP address>"

    On the primary instance, this value will be the IP address of the NIC on the standby instance. And on the standby instance it is the IP address of the NIC on the primary instance.

  3. Apply the Audit Vault Agent high availability configuration. Run the following command to apply the configuration, on both appliances:
    /usr/local/dbfw/bin/priv/configure-networking
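Because the SECONDARY_NIC_[N]_ADDRESS_HA value on each appliance must name the peer's NIC address, a mismatch between the two dbfw.conf files silently breaks Agent failover. The following added example (not Oracle's code) reads the SECONDARY_NIC_[N]_ block from both appliances' dbfw.conf text and cross-checks them before the configure-networking step: each block must exist on both sides, agree on device and Agent ports, and carry an ADDRESS_HA equal to the peer's address. The two configuration excerpts are constructed; 192.168.90.9 is the primary address shown on the page and 192.168.90.10 is an assumed standby address.

```python
import re

# Constructed dbfw.conf excerpts for both appliances of a high availability pair,
# modelled on the SECONDARY_NIC_1_* block in M.5 (the _HA line added by hand).
PRIMARY_CONF = """
SECONDARY_NIC_1_DEVICE         = enp0s8
SECONDARY_NIC_1_ADDRESS        = enp0s8:ip4:address:192.168.90.9
SECONDARY_NIC_1_AGENT_PORT     = enp0s8:agent:port:1521
SECONDARY_NIC_1_AGENT_PORT_TLS = enp0s8:agent:port:1522
SECONDARY_NIC_1_ADDRESS_HA="192.168.90.10"
"""

STANDBY_CONF = """
SECONDARY_NIC_1_DEVICE         = enp0s8
SECONDARY_NIC_1_ADDRESS        = enp0s8:ip4:address:192.168.90.10
SECONDARY_NIC_1_AGENT_PORT     = enp0s8:agent:port:1521
SECONDARY_NIC_1_AGENT_PORT_TLS = enp0s8:agent:port:1522
SECONDARY_NIC_1_ADDRESS_HA="192.168.90.9"
"""

# Matches SECONDARY_NIC_<N>_<FIELD> = value, with or without surrounding double quotes.
LINE_RE = re.compile(r'^SECONDARY_NIC_(\d+)_([A-Z_]+)\s*=\s*"?([^"\s]*)"?\s*$')


def parse_secondary_nics(conf_text):
    """Group SECONDARY_NIC_[N]_ entries by N: {1: {"DEVICE": "enp0s8", ...}, ...}."""
    blocks = {}
    for raw in conf_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            n, field, value = m.groups()
            blocks.setdefault(int(n), {})[field] = value
    return blocks


def nic_ip(block):
    """ADDRESS values have the form device:ip4:address:<ip>; return the <ip> part."""
    return block["ADDRESS"].rsplit(":", 1)[-1]


def check_ha_pair(primary_text, standby_text):
    """Cross-check the SECONDARY_NIC blocks of the two appliances and return problems."""
    primary = parse_secondary_nics(primary_text)
    standby = parse_secondary_nics(standby_text)
    problems = []
    for n in sorted(set(primary) | set(standby)):
        if n not in primary or n not in standby:
            problems.append(f"NIC {n}: block present on only one appliance")
            continue
        pb, sb = primary[n], standby[n]
        # Device name and Agent ports must be identical on both sides of the pair.
        for field in ("DEVICE", "AGENT_PORT", "AGENT_PORT_TLS"):
            if pb.get(field) != sb.get(field):
                problems.append(f"NIC {n}: {field} differs between appliances")
        # Each side's ADDRESS_HA must be the other side's NIC address.
        for role, here, peer in (("primary", pb, sb), ("standby", sb, pb)):
            ha = here.get("ADDRESS_HA")
            if ha is None:
                problems.append(f"NIC {n}: {role} has no ADDRESS_HA entry")
            elif ha != nic_ip(peer):
                problems.append(f"NIC {n}: {role} ADDRESS_HA {ha} != peer address {nic_ip(peer)}")
    return problems


if __name__ == "__main__":
    print(check_ha_pair(PRIMARY_CONF, STANDBY_CONF) or "HA secondary NIC configuration is consistent")
```

Run the check with the text of both files before running configure-networking on either appliance; an empty result means the two ADDRESS_HA values point at each other and the Agent port settings match.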

M.6 Bonding of Network Interface Cards

This section contains information on bonding of Database Firewall Network Interface cards.

Oracle Audit Vault and Database Firewall 20 supports bonding of Network Interface cards for Database Firewall only. This bonding functionality is used by the Database Firewall monitoring points. Bonding increases bandwidth and supports redundancy of the network connections on the appliance.

Note:

The Database Firewall command-line interface (CLI) creates a bond interface with the default configuration for the operating system. To configure specific bonding controls, use the operating system. See the Create Network Bonds using Network Manager CLI documentation or Configuring Network Bonding in the Oracle Linux 8 documentation for details on creating network bonds in Oracle Linux.

Run the following command to check for bonding between network interface cards:

/opt/avdf/config-utils/bin/config-bond

The command output displays information about the composite device.

Run the following command to bond multiple network interface cards and give the composite device an IP address:

/opt/avdf/config-utils/bin/config-bond add device=bond0 components=enp0s18,enp0s19 ip4addr=192.0.2.10 ip4mask=255.255.255.0 ip4gateway=192.0.2.1 state=true

Run the following command to bond multiple network interface cards without an IP address (for use in out-of-band mode):

/opt/avdf/config-utils/bin/config-bond add device=bond0 components=enp0s18,enp0s19 state=true

Upon establishing the bonding, the following confirmation message is displayed:

config-bond add ...

Run the following command to delete a bonded device:

/opt/avdf/config-utils/bin/config-bond delete device=bond0

The following confirmation message is displayed:

config-bond delete ...

Run the following command to remove the existing bonding between network interfaces:

/opt/avdf/config-utils/bin/config-bond delete device=bond0

The following is the output:

Notice: Settings deleted.
:device: bond0
:components:
- enp0s9
- enp0s8
:description:
:ip_address: 192.0.2.20
:network_mask: 255.255.255.0
:gateway: ''
:enabled: true

Note:

  • Run the following command to display help for the bonding of network interfaces:

    /opt/avdf/config-utils/bin/config-bond help
  • Two network interface cards cannot be bonded while a monitoring point already exists on either of them. In this case, disable the existing monitoring point, create the bond between the network interface cards, and then use the newly created bond name to configure the monitoring point.

M.7 Configuring Routing on Secondary Network Interface Cards

Learn how to configure routing on secondary network interface cards in Oracle AVDF.

The following table contains the necessary information to view and set routing for the secondary network interface cards on Audit Vault Server and Database Firewall. Log in to the terminal as root user to run the commands listed in the table.

Task: To view the existing routing configuration on the network interface card.
Command: /opt/avdf/config-utils/bin/config-route
Output:
device: enp0s3
gateway: " "
routes: []

Task: To set the gateway.
Note: A gateway should be assigned to only one device. Although it is possible to assign a gateway to multiple devices, doing so introduces system instability. In most cases the gateway must be assigned only to the default management interface device that is configured during installation.
Command: /opt/avdf/config-utils/bin/config-route set device=enp0s3 gateway=<gateway address>
Output: Notice: Success. Settings saved.

Task: To set a custom static route.
Command: /opt/avdf/config-utils/bin/config-route set device=enp0s3 routes='<IP address of the network interface card followed by the gateway address, separated by a space>'
For example:
/opt/avdf/config-utils/bin/config-route set device=enp0s3 routes='192.0.2.1 192.0.2.4'
Output: Notice: Success. Settings saved.

Task: To set multiple routes at the same time.
Note: Although the routes are assigned to a single device, the routing table applies to all devices.
Command: /opt/avdf/config-utils/bin/config-route set device=enp0s3 routes='<pairs of IP address of the network interface card and gateway address, each pair separated by a space, pairs separated by a comma and a space>'
For example:
/opt/avdf/config-utils/bin/config-route set device=enp0s3 routes='192.0.2.1 192.0.2.4, 192.0.2.11 192.0.2.5, 192.0.2.21 192.0.2.6,'
Output:
- :device: enp0s3
:gateway: " "
:routes:
- 192.0.2.1 192.0.2.4
- 192.0.2.11 192.0.2.5
- 192.0.2.21 192.0.2.6

Task: To add a single static route.
Command: /opt/avdf/config-utils/bin/config-route add device=enp0s3 routes='<IP address of the network interface card followed by the gateway address, separated by a space>'
For example:
/opt/avdf/config-utils/bin/config-route add device=enp0s3 routes='192.0.2.1 192.0.2.4'
Output:
Notice: Success. Settings saved.
---
:device: enp0s3
:gateway: " "
:routes:
- 192.0.2.1 192.0.2.4
- 192.0.2.11 192.0.2.5
- 192.0.2.21 192.0.2.6
- 192.0.2.22 192.0.2.16

Task: To delete a single static route.
Command: /opt/avdf/config-utils/bin/config-route delete device=enp0s3 routes='<IP address of the network interface card followed by the gateway address, separated by a space>'
For example (the value must be quoted because it contains a space):
/opt/avdf/config-utils/bin/config-route delete device=enp0s3 routes='192.0.2.1 192.0.2.4'
Output:
Notice: Settings deleted.
---
:device: enp0s3
:gateway: ''
:routes:
- 192.0.2.1 192.0.2.4

Task: To delete all static routes.
Command: /opt/avdf/config-utils/bin/config-route set device=enp0s3 routes=""
Output: Notice: Success. Settings saved.
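The routes value has a small grammar of its own ("address gateway" pairs separated by a comma and a space, trailing comma tolerated), and the note on gateways says that only one device should carry one. The following added example, which is not Oracle's code or part of config-route, parses that routes format and checks a set of device routing settings the way an engineer would before applying them: every entry must be a well-formed pair, every route's gateway must lie on the subnet of the device it is assigned to, and no more than one device may have a gateway. It goes slightly beyond the page in accepting the destination as either a host address (as on the page) or a CIDR prefix. The device table is constructed; 198.51.100.0/24 and 203.0.113.0/24 are assumed documentation networks.

```python
import ipaddress

# Constructed routing state for two devices, modelled on the config-route examples in M.7.
# The routes string uses the page's format: "<address> <gateway>" pairs separated by a comma
# and a space, with a trailing comma allowed.
SAMPLE_DEVICES = {
    "enp0s3": {
        "address": "192.0.2.9/24",
        "gateway": "192.0.2.1",
        "routes": "192.0.2.1 192.0.2.4, 192.0.2.11 192.0.2.5, 192.0.2.21 192.0.2.6,",
    },
    "enp0s8": {
        "address": "198.51.100.9/24",
        "gateway": "198.51.100.1",              # a second gateway, which the note in M.7 warns against
        "routes": "203.0.113.0/24 192.0.2.4",   # this gateway is not on enp0s8's own subnet
    },
}


def parse_routes(routes_value):
    """Split a routes='...' value into (destination, gateway) string pairs."""
    pairs = []
    for item in routes_value.split(","):
        item = item.strip()
        if not item:          # tolerate the trailing comma seen in the page's example
            continue
        parts = item.split()
        if len(parts) != 2:
            raise ValueError(f"route entry must be '<destination> <gateway>': {item!r}")
        pairs.append((parts[0], parts[1]))
    return pairs


def check_routing(devices):
    """Return findings for a {device: {"address", "gateway", "routes"}} mapping."""
    findings = []
    with_gateway = [name for name, cfg in devices.items() if cfg.get("gateway", "").strip()]
    if len(with_gateway) > 1:
        findings.append("gateway assigned to more than one device: " + ", ".join(with_gateway))
    for name, cfg in devices.items():
        iface = ipaddress.IPv4Interface(cfg["address"])
        for dest, gw in parse_routes(cfg.get("routes", "")):
            try:
                ipaddress.ip_network(dest, strict=False)   # host address or CIDR prefix
                gw_ip = ipaddress.IPv4Address(gw)
            except ValueError:
                findings.append(f"{name}: malformed route entry '{dest} {gw}'")
                continue
            if gw_ip not in iface.network:
                findings.append(f"{name}: gateway {gw} is not on the device subnet {iface.network}")
    return findings


if __name__ == "__main__":
    for line in check_routing(SAMPLE_DEVICES) or ["routing settings look consistent"]:
        print(line)
```

On the constructed table the check reports the two problems planted in it: both devices carry a gateway, and the route on enp0s8 names a next hop that is unreachable from that device's subnet; the enp0s3 entries copied from the page pass.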

M.8 Changing a New or Secondary NIC to the Management NIC

You can change a new or secondary network interface card (NIC) to the management NIC.

The management NIC is usually the main NIC of the appliance (Audit Vault Server or Database Firewall). It is attached to the default gateway.

  1. Log in to the Audit Vault Server or Database Firewall as an administrator.
  2. Make sure that the new or secondary NIC is plugged in.
  3. Enable SSH on the new or secondary NIC.
  4. Change to the /usr/local/dbfw/etc folder and open the dbfw.conf file, which contains the NIC settings.
  5. Edit the value of DEFAULT_DEVICE in the dbfw.conf file.

    By default, DEFAULT_DEVICE is set to eth0. Change this value and specify the name of the new or secondary NIC.

  6. Run the following command to complete the configuration script:
    /usr/local/dbfw/bin/priv/configure-networking

Note:

Alternatively, you can change the NIC by turning off the appliance (Audit Vault Server or Database Firewall) and replacing the eth0 device with the new one in the same slot. The old device is replaced by the new one when the server is restarted.