Troubleshooting
Problem
I am logging in as the SYS user on Oracle via sqlplus. I notice that S-GATE policy actions do not trigger as expected on the session login.
Symptom
S-GATE actions do not trigger on the login of the SYS user in the case of:
- Logging in with sqlplus on Oracle.
- Firewall is in open mode (firewall_default_state=0).
S-GATE actions do trigger on the first SQL statement in the session.
Cause
SYS login via sqlplus does not produce any SQL associated with the login packets. The S-GATE firewall actions need an SQL statement to trigger in the normal way because the functionality is controlled by the logger part of the sniffer.
Diagnosing The Problem
You might see this problem with the following example configuration:
1. firewall_default_state=0 in the guard_tap.ini
2. Policy with S-GATE attach action for DB User=SYS
3. Policy with S-GATE terminate action for DB User=SYS and Command = Insert
After logging in via sqlplus as SYS, an insert statement can be run without the session being terminated. This is the case even if a long time passes between the login and the insert.
This is because the login packet does not trigger the attach rule. The insert triggers the attach rule, then another SQL statement is required to trigger the terminate rule.
Assuming good performance of the sniffer, the session terminate signal is sent when a second insert statement is run. Note that if the firewall is in open mode there is always a risk of further SQL statements being run before the session is terminated. Be aware of the trade-offs between firewall in open and closed mode as discussed here.
Resolving The Problem
This problem is resolved in v9.5 p609 and above. Follow these steps:
1. Install p609 or a more recent GPU on the affected appliances.
p600 is a prerequisite for p609.
Patches should be installed 'top down' in an enterprise environment, starting with the CM.
Always check the release notes from Fix Central before installing patches, or see "What changes have been made in the latest Guardium GPU patch?"
2. Create a GDM_ANALYZER rule via the CLI to attach affected sessions immediately on the login packet. Use the command as follows:
store gdm_analyzer new
Set the parameters:
Rule type: 3. Send Verdict
Rule Action: 1. Watch
Database Protocol: 34. Oracle
Server IP (optional): <server IP of affected traffic>
Server IP mask (optional): <appropriate mask for the ip>
Service Name (optional): <service name of affected traffic>
Pattern: DB_USER
Format: SYS
3. S-GATE actions should now trigger on the login packets of the SYS user. If the problem remains, sniffer performance may be the cause. If you need to contact IBM support for this issue, attach the output of the CLI command support must_gather sniffer_issues.
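The rule ordering described under Diagnosing The Problem, and the effect of attaching on the login packet, can be traced with a small model. This is an added example, not IBM or Guardium code: the Session class, the replay function and the sample statements are constructed for illustration, and the model assumes the two-rule policy from the example above with ideal sniffer performance.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed policy mirroring the example on this page (model only).
WATCHED_USER = "SYS"            # attach rule: DB User=SYS
TERMINATE_COMMAND = "INSERT"    # terminate rule: DB User=SYS, Command=Insert


@dataclass
class Session:
    db_user: str
    attached: bool = False
    terminated_at: Optional[int] = None   # 1-based statement index
    ran_unattached: List[str] = field(default_factory=list)


def replay(db_user: str, statements: List[str], attach_on_login: bool) -> Session:
    """Replay one session with the firewall in open mode.

    attach_on_login=False: the login packet carries no SQL, so no rule fires on it.
    attach_on_login=True: models the GDM_ANALYZER Send Verdict / Watch rule
    (Pattern DB_USER, Format SYS) attaching the session on the login packet.
    """
    s = Session(db_user)
    if attach_on_login and db_user == WATCHED_USER:
        s.attached = True
    for index, sql in enumerate(statements, start=1):
        command = sql.split()[0].upper()
        if not s.attached:
            # Not attached yet: the statement is not subject to the terminate rule.
            s.ran_unattached.append(sql)
            if db_user == WATCHED_USER:
                s.attached = True          # attach rule fires on this statement
            continue
        if db_user == WATCHED_USER and command == TERMINATE_COMMAND:
            s.terminated_at = index        # terminate signal sent here
            break
    return s


if __name__ == "__main__":
    inserts = ["INSERT INTO t VALUES (1)", "INSERT INTO t VALUES (2)"]  # constructed
    for fixed in (False, True):
        s = replay("SYS", inserts, attach_on_login=fixed)
        print(f"attach_on_login={fixed}: terminate at statement {s.terminated_at}, "
              f"ran unattached: {s.ran_unattached}")
```

In the model, a SYS session that issues any other statement before its first insert is already attached when that insert arrives, so the gap only appears when the insert is the first SQL in the session.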
Document Information
Modified date:
16 June 2018
UID
swg21973039