11 Using Oracle Database Firewall with Oracle RAC

You can configure Oracle Database Firewall to work with Oracle Real Application Clusters (Oracle RAC) so that it can block and substitute statements or log SQL statements and raise alerts.

11.1 Configuring a Database Firewall with Oracle RAC for Monitoring and Blocking

Learn how to configure a database firewall with Oracle Real Application Clusters (Oracle RAC) for monitoring and blocking.

11.1.1 About Configuring Database Firewall with Oracle RAC for Monitoring and Blocking

Oracle Database Firewall has monitoring and blocking features that you can use with Oracle RAC.

To use blocking, you must use the Monitoring / Blocking (Proxy) mode.

The Database Firewall when configured in Monitoring / Blocking (Proxy) mode, the following takes place:

  1. SQL client connects to Database Firewall.
  2. Database Firewall connects to SCAN Listener.
  3. SCAN Listener redirects the connection to a RAC node.
  4. Database Firewall handles the redirection, makes a outbound connection to the re-directed RAC node.
  5. The response from Oracle RAC node is passed to the client.

11.1.2 Configure a Proxy Using the Audit Vault Server Console

You can use the Oracle Audit Vault Server Console to configura a proxy.

  1. Log in to the Audit Vault Server console as administrator.
  2. Complete the steps for Configuring the Database Firewall As a Traffic Proxy.
  3. Complete the steps for Creating and Configuring a Database Firewall Monitoring Point.
    Be sure to select the RAC Instance/Autonomous DB check box (RAC Instance check box in Oracle AVDF 20.7 and earlier) in the Connection Details section.
  4. Ensure Network Interface Card and Proxy Ports fields are selected. After selecting them, the RAC Instance/Autonomous DB check box (RAC Instance check box in Oracle AVDF 20.7 and earlier) is enabled.
  5. After selecting the RAC Instance/Autonomous DB check box (RAC Instance check box in Oracle AVDF 20.7 and earlier) and adding the SCAN fully qualified domain name (FQDN) in the Host Name / IP Address field, the following message is displayed:
    Configure SCAN Listener Domain Name as target. For more details refer: Real Application Clusters Installation Guide.
  6. Ensure that the SCAN FQDN is entered in the Host Name / IP Address.
  7. Enter the Port number of SCAN Listener.
  8. Enter the Service Name or SID (optional).
  9. Click Add.
  10. Click Save on the dialog.
  11. Click Save on the main page. The target is created and shows up under the Database Firewall Monitoring sub tab on the main page.
  12. Click the newly created RAC target to verify the details.

11.2 Configuring a Database Firewall with Oracle RAC for Monitoring

You can configure an Oracle Database Firewall with Oracle RAC to use Host Monitoring and Out-of-Band deployment modes.

Oracle recommends that you configure Oracle Database Firewall with Oracle RAC in one of the following deployment modes:

  • Monitoring (Out-of-Band) - In this deployment mode, Oracle Database Firewall can monitor and alert on SQL traffic, but cannot block or substitute SQL statements. Create a monitoring point using IP addresses of all the RAC nodes. Select this option only while creating the monitoring point.

  • Monitoring (Host Monitor) - In this deployment mode, Oracle Database Firewall can monitor and alert on SQL traffic, but cannot block or substitute SQL statements. For this deployment mode, install the Host Monitor Agent on each RAC node and create a monitoring point for each RAC node. Select this option only while creating the monitoring point.

Note:

Complete the steps for Creating and Configuring a Database Firewall Monitoring Point. While executing this procedure, ensure to select the deployment mode as mentioned above.