About VA Policies

VA policies are best practice business rules that are applied during assessments. FortiDB is pre-populated with hundreds of policies for security and compliance to address security standards.

Policy types

There are two types of policies you can use for database vulnerability assessments.

Pre-Defined Policies: Fortinet adaptation of a Best Practice policy in database security. In addition to numerous database vulnerability policies, Fortinet also provides policies that help you perform operating system (OS)-level assessments such as making sure that your OS version is appropriate for the version of your target database.
User-Defined Policies: Customer- or third-party-adaptation of an industry- or company-specific security policy. UDPs are constructed with conventional or procedural SQL.

You can use the policy groups that ship with FortiDB or create your own.

Policy updates

Fortinet updates its policies several times a year with an XML file containing new or enhanced policies. Fortinet recommends that you import this list in order to stay current. You can download the latest policies from FortiGuard Center. For details, please refer to Managing Pre-Defined Policies (PDPs).

Exporting and importing policies

If you want to move FortiDB policies to another computer, you can export the source FortiDB repository as XML files and then import them to the target FortiDB repository.

Note: Before importing policies, verify that the element content in your XML file are accurate. Database Type, Severity, and Classification are not validated when importing. To view a sample of what the content should be, export one or more policies.

Policy version

The policy version tracks:

Pre-defined policies you imported, and ran assessments.
The policy version number will be incremented when you import the PDP Updates.
User-defined policies you updated.
When you update your User-defined policy (UDP) in the Modify User Defined Policy page, the policy version number remains same. To update the policy version number, you must export your UDP, change the policy version number, then import the policy. When you import your UDP with an equal or lower policy number than the original policy number, the policy will not be imported.

Note: Data restored from an old archive (prior to v3.2.1) will have the latest version of policies at the time you restored.

Policy groups

Assessments use policy groups. A policy group must contain at least one policy.

These are the policy groups shipped with FortiDB.

DB2 Policy Group
MySQL Policy Group
Oracle Policy Group
Pen Test Policy Group
SQL Server Policy Group
Sybase Policy Group

Policy states

At a given moment, a FortiDB policy will be in one of the following states:

State(applicable icon)	Indication
Enabled ()	Subsequent assessments will use this policy.
Disabled ()	Subsequent assessments will not use this policy.
Modified and Enabled ( )	A previously existing policy has been modified by an import and subsequent assessments will use this policy.
Modified and Disabled ()	A previously existing policy has been modified by an import and subsequent assessments will not use this policy.
New and Enabled ()	A new policy has been added by an import and subsequent assessments will use this policy.
New and Disabled ()	A new policy has been added by an import and subsequent assessments will not use this policy.

Keywords and user keywords

Keywords are read-only pre-defined policy keywords.

User Keywords are input by you, and can be used as a criterion for grouping.