IBM Support

What is inspection core and what is inspection engine in InfoSphere Guardium?

Question & Answer


Question

What's the difference between the following CLI commands?

start inspection-core
start inspection-engine

What is inspection-core and what is inspection-engine? How can we control these two things from the GUI?

Answer

1. inspection-core

The inspection-core is the sniffer itself. You can stop it with the "stop inspection-core" CLI command and start it with the "start inspection-core" CLI command.

2. inspection-engine

The inspection-engine, which is started with the "start inspection-engine" CLI command, captures network traffic through a SPAN port or Network TAP. Guardium recommends using S-TAP instead, and you do not need this CLI command if you capture DB traffic by S-TAP only. Use it only when you have a clear requirement to use a SPAN port or Network TAP; one possible reason is that you are not allowed to install any software on your DB servers.

Note that S-TAP has its own inspection engine settings, which are in the guard_tap.ini file on the S-TAP side.

3. Operating inspection-engines from Guardium GUI

You can see a list of inspection-engines in the Guardium GUI at Administration Console > Configuration > Inspection Engines. In the example for this page, one inspection engine is defined, named "test_engine1". You can start it either by pressing the Start button or by issuing the "start inspection-engine 1" CLI command, where 1 is the inspection-engine id, which you can check with the "show inspection-engines" CLI command.

You can add and delete inspection-engines from this GUI. Define a new inspection-engine in the Add Inspection Engine... section and press the Add button to create it. To delete an inspection-engine, press the Delete button.

Note that the Inspection Engine Configuration section applies to the inspection-core (i.e. the sniffer). All of its parameters are applied to the inspection-core, which means they affect both the network inspection-engines and S-TAP. If you press the "Restart Inspection Engines" button, all the network inspection-engines as well as the inspection-core (i.e. the sniffer) are restarted.



S-TAP inspection-engines are shown on a different page of the Guardium GUI, at Administration Console > Local Taps > S-TAP Control.




You can edit (add/delete) S-TAP inspection-engines by pressing the button in the GUI while the S-TAP is running, or by directly editing the guard_tap.ini file on the S-TAP side.

Product: IBM Security Guardium. Platforms: AIX, HP-UX, Linux, Solaris, Windows. Versions: 8.2, 9.0, 9.1.

Document Information

Modified date:
16 June 2018

UID

swg21691590