IBM Support

IBM Security Guardium report missing analyzed client ip for Oracle ASO traffic

Troubleshooting


Problem

I am monitoring Oracle ASO traffic with IBM Security Guardium. Load balancing is used to split the S-TAP traffic between different collectors.
In my report 'analyzed client IP' should contain the real client IP of the session, but it is blank for almost every session. Client Host Name is populated for the same sessions.

Cause

For Oracle ASO encrypted sessions, ATAP is required to capture the unencrypted traffic. At the same time, KTAP is also capturing the encrypted traffic for the same sessions. The two parts of the traffic are correlated together on the collector side by the sniffer. Both parts of the traffic are required to correctly populate analyzed client IP.
Some load balancing configurations result in the traffic from one S-TAP being split across multiple collectors. In that case, the two parts (ATAP and KTAP) of the same session can be sent to different collectors, so analyzed client IP cannot be populated for those sessions.
Load balancing options that can result in the traffic being split:
participate_in_load_balancing=1
participate_in_load_balancing=3
participate_in_load_balancing=4 (if multiple collectors are set in the S-TAP configuration, or if ELB is in use and load_balancer_num_mus > 1)
For further details on load balancing, see S-TAP configuration general parameters.
The same applies if Enterprise Load Balancer (ELB) is used in the environment.

Diagnosing The Problem

Test one S-TAP by reverting its load balancing configuration to send data to only one collector. If analyzed client IP is populated when traffic is sent to one collector but not when the traffic is split, this problem is present.
1. Set the S-TAP configuration to send traffic to only one collector
Use:
participate_in_load_balancing=0
and one collector in the S-TAP configuration.
2. Confirm in the reports that analyzed client IP is now populated on that collector
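The check in the Cause and Diagnosing sections can be applied to an S-TAP configuration file before touching the collectors. The script below is an added example, not IBM's code; it assumes a guard_tap.ini layout with the load balancing keys in a [TAP] section and one [SQLGuard_N] section per collector (an assumption for this example), and it reads the page's rules as: with ELB, traffic splits when load_balancer_num_mus > 1; without ELB, modes 1 and 3 split, and mode 4 splits when more than one collector is configured.

```python
import configparser

# Constructed sample S-TAP configuration in guard_tap.ini style. The layout
# ([TAP] holding the load-balancing keys, one [SQLGuard_N] section per
# collector carrying sqlguard_ip) is an assumption made for this example.
SAMPLE_SPLIT_INI = """
[TAP]
participate_in_load_balancing=4
load_balancer_ip=
load_balancer_num_mus=1
[SQLGuard_0]
sqlguard_ip=10.0.0.11
[SQLGuard_1]
sqlguard_ip=10.0.0.12
"""


def parse_stap_ini(text):
    """Extract the load-balancing settings and the collector list."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    tap = cp["TAP"] if cp.has_section("TAP") else {}
    collectors = [cp[s].get("sqlguard_ip", "").strip()
                  for s in cp.sections() if s.upper().startswith("SQLGUARD_")]
    return {
        "mode": int(tap.get("participate_in_load_balancing", "0") or 0),
        "elb_ip": tap.get("load_balancer_ip", "").strip(),
        "num_mus": int(tap.get("load_balancer_num_mus", "1") or 1),
        "collectors": [c for c in collectors if c],
    }


def may_split_session(cfg):
    """Return (True, reason) when the ATAP and KTAP parts of one Oracle ASO
    session can be sent to different collectors, following the Cause section."""
    mode, n_coll = cfg["mode"], len(cfg["collectors"])
    if cfg["elb_ip"]:
        # ELB path: the load balancer allocates collectors; more than one
        # allocated collector means the two parts can be separated.
        if cfg["num_mus"] > 1:
            return True, "ELB in use with load_balancer_num_mus=%d" % cfg["num_mus"]
        return False, "ELB allocates a single collector (load_balancer_num_mus=1)"
    if mode in (1, 3):
        return True, "participate_in_load_balancing=%d splits traffic" % mode
    if mode == 4 and n_coll > 1:
        return True, "participate_in_load_balancing=4 with %d collectors" % n_coll
    return False, "no splitting condition from the Cause section applies"
```

Run it against a copy of guard_tap.ini from the S-TAP under test; a True result means analyzed client IP is expected to be blank for ASO sessions until the configuration is changed as described below.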

Resolving The Problem

Session Level Policy Option
In Guardium v11.2 and above, session level policy rules can be used to transform the client host name to the analyzed client IP.
For example, create a session level policy rule like:
In the rule condition, add details to identify the client sessions.
In the rule action of type TRANSFORM_ANALYZED_CLIENT_IP use CLIENT_HOST_NAME as the source, ? as the search prefix and (.*) as the output.
Enterprise Load Balancer Option
Before v11.2, enterprise load balancing can be used to set one collector for the S-TAP traffic and dynamically allocate a new one if that collector goes down.
Warning! - This option removes load balancing from the S-TAP. It may introduce other problems by increasing traffic on collectors. It is not recommended unless capturing analyzed_client_ip is the top priority in your environment.
For example, in the S-TAP configuration set:
load_balancer_ip=<central manager ip>
load_balancer_num_mus=1
participate_in_load_balancing=1
This option is only feasible if the traffic from any one S-TAP is not too large for a single collector to handle. The load balancer allocates a new collector if one goes down, but if both the load balancer and the collector are down, there is no failover option.

Document Location

Worldwide

Document Information

Modified date:
06 September 2022

UID

ibm16325239