11 Using Oracle Database Firewall with Oracle RAC

You can configure Oracle Database Firewall to work with Oracle Real Application Clusters (Oracle RAC) so that it can block and substitute statements or log SQL statements and raise alerts.

11.1 Configuring a Database Firewall with Oracle RAC for Monitoring and Blocking

Learn how to configure a database firewall with Oracle Real Application Clusters (Oracle RAC) for monitoring and blocking.

11.1.1 About Configuring Database Firewall with Oracle RAC for Monitoring and Blocking

Oracle Database Firewall has monitoring and blocking features that you can use with Oracle RAC.

To use blocking, you must use the Monitoring / Blocking (Proxy) mode.

When the Database Firewall is configured in Monitoring / Blocking (Proxy) mode, the following takes place:

  1. SQL client connects to Database Firewall.
  2. Database Firewall connects to SCAN Listener.
  3. SCAN Listener redirects the connection to a RAC node.
  4. Database Firewall handles the redirection and makes an outbound connection to the redirected RAC node.
  5. The response from Oracle RAC node is passed to the client.

All components must be in the same subnet. If the client and the SCAN Listener are in different subnets, then 2 Network Interface Cards are needed (one in the client subnet and the other in the SCAN Listener subnet). The internal Database Firewall routing must be adjusted if the client, Database Firewall, and database server reside in different subnets.
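
The subnet rule above can be checked against a planned layout before the monitoring point is created. The following Python code is an added example, not part of the Oracle documentation or product; the function name, the verdict strings, and the sample addresses (taken from documentation ranges) are assumptions made for illustration.

```python
import ipaddress

def check_proxy_layout(client_ip, scan_ips, rac_node_ips, firewall_nics):
    """Classify a planned proxy-mode layout against the subnet rule.

    firewall_nics: firewall interface addresses in CIDR form ("192.0.2.10/24").
    Returns (verdict, notes); verdict is "single-nic", "dual-nic" or
    "needs-review" (hypothetical labels, not Oracle terminology).
    """
    nets = [ipaddress.ip_interface(n).network for n in firewall_nics]
    client = ipaddress.ip_address(client_ip)
    scans = [ipaddress.ip_address(a) for a in scan_ips]
    nodes = [ipaddress.ip_address(a) for a in rac_node_ips]

    # NIC subnets that contain the client / every SCAN listener address.
    client_nets = [n for n in nets if client in n]
    scan_nets = [n for n in nets if all(s in n for s in scans)]
    notes = []
    if not client_nets:
        notes.append(f"no firewall NIC in the client subnet ({client})")
    if not scan_nets:
        notes.append("no firewall NIC shares a subnet with every SCAN address")
    # Step 4: the firewall itself opens the connection to the redirected node.
    for node in nodes:
        if not any(node in n for n in nets):
            notes.append(f"RAC node {node} is off-subnet: adjust firewall routing")

    if not client_nets or not scan_nets:
        return "needs-review", notes
    if set(client_nets) & set(scan_nets):
        return "single-nic", notes   # client and SCAN share one NIC subnet
    return "dual-nic", notes         # one NIC per subnet, as the text requires

if __name__ == "__main__":
    # Constructed sample layout: client and SCAN listener in different subnets.
    verdict, notes = check_proxy_layout(
        client_ip="198.51.100.50",
        scan_ips=["192.0.2.21", "192.0.2.22", "192.0.2.23"],
        rac_node_ips=["192.0.2.31", "192.0.2.32"],
        firewall_nics=["198.51.100.10/24", "192.0.2.10/24"],
    )
    print(verdict, notes)
```
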

11.1.2 Configure A Proxy Using the Audit Vault Server Console

You can use the Oracle Audit Vault Server Console to configure a proxy.

  1. Log in to the Audit Vault Server console as administrator.
  2. Complete the steps for Configuring Database Firewall As A Traffic Proxy.
  3. Complete the steps for Creating and Configuring a Database Firewall Monitoring Point. While executing this procedure, select the RAC Instance check box in the Connection Details section.
  4. Ensure that the Network Interface Card and Proxy Ports fields are selected. After you select them, the RAC Instance check box is enabled.
  5. After you select the RAC Instance check box and add the SCAN Listener Domain Name in the Host Name / IP Address field, the following message is displayed:
    Configure SCAN Listener Domain Name as target. For more details refer: Real Application Clusters Installation Guide.
  6. Ensure that the SCAN Listener Domain Name is entered in the Host Name / IP Address field.
  7. Enter the Port number of SCAN Listener.
  8. Enter the Service Name or SID (optional).
  9. Click Add.
  10. Click Save on the dialog.
  11. Click Save on the main page. The target is created and shows up under the Database Firewall Monitoring sub tab on the main page.
  12. Click the newly created RAC target to verify the details.

11.2 Configuring a Database Firewall with Oracle RAC for Monitoring

You can configure an Oracle Database Firewall with Oracle RAC to use Host Monitoring and Out-of-Band deployment modes.

Oracle recommends that you configure Oracle Database Firewall with Oracle RAC in one of the following deployment modes:

  • Monitoring (Out-of-Band) - In this deployment mode, Oracle Database Firewall can monitor and alert on SQL traffic, but cannot block or substitute SQL statements. Create a monitoring point using IP addresses of all the RAC nodes. Select this option only while creating the monitoring point.

  • Monitoring (Host Monitor) - In this deployment mode, Oracle Database Firewall can monitor and alert on SQL traffic, but cannot block or substitute SQL statements. For this deployment mode, install the Host Monitor Agent on each RAC node and create a monitoring point for each RAC node. Select this option only while creating the monitoring point.

Note:

Complete the steps for Creating and Configuring a Database Firewall Monitoring Point. While executing this procedure, select the deployment mode as described above.