DAM QuickStart (TCP/IP Sniffer with Alert Data Policy)

This guide leads you through monitoring your target database with the TCP/IP sniffer, generating alerts, and exporting those alerts to a report.

Note: DAM via the TCP/IP sniffer feature is only available with FortiDB appliance.
Note: All GUI fields marked with an asterisk (*) must be filled in or specified.
The example used in this guide assumes you will monitor an Oracle target database with the TCP/IP sniffer. You will apply an Alert Data-Table policy and generate alerts for the Security Violation rule and the Suspicious Database Users rule. Before starting a target connection, you must make sure that your target database is configured properly to be monitored by FortiDB. For details about configuring Oracle target databases, see Configuring the Oracle Target Database.
Note: To use the TCP/IP sniffer for DAM, the following network environment and interconnections are required:
  • Your target database server and clients use TCP/IP as the protocol, and all database activity passes over the LAN.
  • The network switch to which your target database server is connected must support the port mirroring feature.
  • One ethernet port of the FortiDB appliance is connected to the mirror port (also known as the SPAN port) of the switch that the database server connects to.
  1. Log in to FortiDB as the FortiDB admin user using fortidb1!$ for the password (default administrator user and password).
  2. Create a target database connection.
    1. Go to Target Database Server > Targets.
    2. Select the Add button. The Target page will display. The General tab is selected.
    3. Enter the information in the text boxes marked with an asterisk (*) with settings appropriate to your target database. Assume an Oracle target with these parameters:
      • Name: Enter your target_name
      • Type: Select your database type (Oracle)
      • DB Host Name/IP: Enter the IP address or computer name of the system that contains the Oracle target database (ex. test_machine or 172.30.12.112)
      • Port: Enter the port number or leave the default (1521)
      • DB Name: Enter the name of your target database. (ex. orcl).
      • User Name: Enter the user name for your target database.
      • Password: Enter the password of your target database.
      • DB Activity Monitoring: Verify that the 'Allow' check box is selected.
    4. Select the Test Connection button to verify that your target database is reachable and that your connection parameters are correct. You should see a 'Success' message.
    5. Select the Save button. target_name and related information should appear on the Targets page.
  3. Configure Monitoring and Data-Table policy.
    1. Go to DB Activity Monitoring > Monitoring Management. You will see your target database listed in the Target Monitoring Management page.
    2. Click on the name of the target.
    3. In the General tab, set up the collection method and parameters for Audit Configuration.
      • In the Collection Method field, select 'TCP/IP Sniffer' (for this example).
      • Select the Version for your target database (9i, 10g, or 11g for Oracle).
      • In the Sniffer on Port field, select the FortiDB appliance port that is connected to the switch's mirror port.
      • Check the Enable Activity Auditing and Log All check boxes to audit all database activity.
      • Check the Enable Activity Profiling.
      • Click the Save button to save your Audit Configuration.
    4. Go to the Alert Policies tab.
    5. Select Table from the Data Policies dropdown list at the bottom of the screen.
    6. Click the Add button. The Target Monitor:<target name> page will display.
    7. Configure a Table policy.
      • Enter a policy name or use the default name.
      • Enter a description if necessary.
      • Select the Enable check box (checked by default). If checked, the policy will be enabled.
      • Select the Create new policy group for policy check box (checked by default). If checked, a policy group will be created.
      • Select a severity from the Severity dropdown or use the default.
    8. Click the triangle icon of the Audit Settings section to expand it.
    9. In the Select Objects to Audit section, configure the following fields:
      • Select the Browse Object by Target check box. (checked by default). If this is checked, you can select the item from the dropdown list.
      • Select a schema from the Schema dropdown list (ex. SCOTT)
      • Select a table or multiple tables you want to monitor from the Tables box (ex. EMP or DEPT)
      • Select the Read check box, the Write check box, or both in the Audit Actions field.
      • Click the right arrow to move your selection to the Selected Objects table.
    10. Click the triangle icon of the Alert Rule section to expand it.
    11. Configure the following fields:
      • Confirm that "Issue alert if ANY of the enabled rules are triggered"(default) is selected.
      • Select the Security Violation check box (checked by default).
      • Check the check box of Suspicious Database Users.
      • Click the triangle icon of Suspicious Database Users to expand the field.
      • Select user name(s) and click the right arrow to move the selection to the Selected users box.
      • Check the Alert any successful access if the database user is in the list check box.
    12. Select the Save button. Verify that the policy you created is listed with the green up-arrow (policy is enabled) in the Status column.
  4. Confirm the table policy group has been automatically created and associated to the target database.
    1. Select the Alert Policy Groups tab.
    2. Confirm that the table policy group named "<your policy name> Group" is created and listed in the right box.
  5. Start monitoring your target.
    1. Go to the General tab.
    2. Click the Start Monitoring button. Monitor status will show "Starting" and then "Running".
  6. Execute SQL statements with your database client side application to generate alerts.
    Note: To generate alerts for the Data-Table policy that you configured, execute several SQL statements.
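A sample set of statements to run at this step, added here as an example and not part of the original guide: it exercises the Read and Write audit actions on the SCOTT.EMP and SCOTT.DEPT tables chosen in step 3, and assumes the standard SCOTT demo schema (including EMP row 7369 and the unselected BONUS table) and a client such as SQL*Plus.

```sql
-- Constructed example. Run it from a database client on the LAN, not on the
-- database server's own console: only traffic that crosses the mirrored switch
-- port is visible to the sniffer, so local/loopback sessions produce no alerts.
-- To also trigger the Suspicious Database Users rule, connect as one of the
-- users you added to the Selected users box in step 3.11.

-- Read actions on the audited tables (Security Violation rule, Read).
SELECT empno, ename, sal FROM scott.emp WHERE deptno = 10;
SELECT deptno, dname, loc FROM scott.dept;

-- Write actions on the audited tables (Security Violation rule, Write).
-- The sniffer sees the statements on the wire whether or not they are
-- committed, so a ROLLBACK lets you generate alerts without changing data.
UPDATE scott.emp SET sal = sal WHERE empno = 7369;
INSERT INTO scott.dept (deptno, dname, loc) VALUES (99, 'TEST', 'TEST');
ROLLBACK;

-- Control case: BONUS was not added to Selected Objects, so this statement
-- should appear in Activity Auditing (Log All) but raise no Security Alert.
SELECT * FROM scott.bonus;
```

Compare the result against step 7: the first four statements should each produce an alert, and the control statement should not.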
  7. Check alerts.
    1. Go to DB Activity Monitoring > Security Alerts. You should see a single or multiple alerts in the Alerts table.
    2. To display the alert details, click on each alert. To close the alert details, click the triangle icon of Alert Details.
  8. Create a user-defined DAM report.
    1. Go to Report Management > User-Defined DAM Reports.
    2. Select the Add button.
    3. Enter a name in the Name field, and a description in the Description field (optional).
    4. Go to the Columns tab to specify the columns to include in the report.
      • Select columns you want to include in the report, and click the right arrow to move the selections to the Columns in Report box.
        Note: PDF report is limited to 5 columns if you select the Portrait radio button, 8 columns if you select the Landscape radio button.
      • Click the Save button.
    5. Select the formats from the Export as dropdown list.
      Note: The following file formats are supported:
      • PDF
      • Excel
      • Tab-delimited
      • Comma-separated values
    6. Select the Export button. The File Download dialog displays. You can open or save the report to a file.
  9. Check activity auditing.
    1. Go to DB Activity Monitoring > Activity Auditing. You should see the audit logs for database activity.
    2. To display the audit details, click on an audit log entry; the detail information is displayed below the audit log table.
  10. Check the activity profiling.
    1. Go to DB Activity Monitoring > Activity Profiling. The Profiling page will list the profiling status and summary information for target(s) currently monitored.
    2. Click the name of the target to open the profiling detail page and view the detailed profiling information.



FortiDB 5.0.0 Handbook
1st Edition , July 11 2013
© Copyright 2013 Fortinet Inc. All rights reserved.
Latest documentation: http://docs.fortinet.com/fdb.html