The Database Firewall monitors SQL traffic from clients (users and applications) to databases and determines whether to allow, log, alert, substitute, or block the SQL. It sends the network events that it captures to the Audit Vault Server based on the policy configuration.

You can choose the following Database Firewall deployment modes:

• Monitoring/Blocking (Proxy) mode enables the Database Firewall to both monitor and block SQL traffic, as well as optionally substitute SQL statements. You configure clients to connect to the Database Firewall instead of the database so that the firewall can intercept all SQL traffic and take the necessary actions, based on policies that you define.

• To use Monitoring (Host Monitor) mode, you install the Audit Vault Agent and Host Monitor Agent on the host machine that's running the target database. The Host Monitor Agent captures traffic from the network interface card (NIC) on the host machine and securely forwards it to the Database Firewall.
• In Monitoring (Out-of-Band)mode, the Database Firewall monitors and alerts on SQL traffic, but it can't block or substitute SQL statements. To copy database traffic to the Database Firewall, you can use a switch with a SPAN port (as shown in the diagram), a network tap, a packet replicator, or other similar technology.

One Database Firewall can monitor traffic from multiple targets deployed in different modes. For example, one Database Firewall can be deployed in Monitoring/Blocking (Proxy) mode for some targets and in Monitoring (Host Monitor) mode and Monitoring (Out-of-Band) mode for other targets.