This guide leads you through the process of monitoring your target database with the TCP/IP sniffer, generating alerts, and exporting the alerts to a report.
Note: DAM via the TCP/IP sniffer feature is only available with the FortiDB appliance.
Note: All GUI fields marked with an asterisk (*) must be filled in or specified.
The example used in this guide assumes you will monitor an Oracle target database with the TCP/IP sniffer. You will apply an Alert Data-Table policy and generate alerts for the Security Violation rule and the Suspicious Database Users rule. Before starting a target connection, you must make sure that your target database is configured properly to be monitored by FortiDB. For details about configuring Oracle target databases, see Configuring the Oracle Target Database.
Note: To use the TCP/IP sniffer for DAM, the following network environment and interconnections are required:
- Your target database server and clients use TCP/IP as the protocol, and all database activity goes through the LAN.
- The network switch to which your target database server is connected must support the port mirroring feature.
- One ethernet port of the FortiDB appliance is connected to the mirror port (also known as the SPAN port) of the switch to which the database server connects.
- Log in to FortiDB as the FortiDB admin user, using fortidb1!$ as the password (default administrator user and password).
- Create a target database connection.
  - Go to Target Database Server > Targets.
  - Select the Add button. The Target page displays with the General tab selected.
  - Enter the information in the text boxes marked with an asterisk (*), using settings appropriate to your target database. Assume an Oracle target with these parameters:
    - Name: Enter your target_name.
    - Type: Select your database type (Oracle).
    - DB Host Name/IP: Enter the IP address or computer name of the system that contains the Oracle target database (ex. test_machine or 172.30.12.112).
    - Port: Enter the port number or leave the default (1521).
    - DB Name: Enter the name of your target database (ex. orcl).
    - User Name: Enter the user name for your target database.
    - Password: Enter the password for your target database.
    - DB Activity Monitoring: Verify that the 'Allow' check box is selected.
  - Select the Test Connection button to verify that your target database is reachable and that your connection parameters are correct. You should see a 'Success' message.
  - Select Save. target_name and its related information should appear on the Targets page.
- Configure monitoring and the Data-Table policy.
  - Go to DB Activity Monitoring > Monitoring Management. Your target database is listed on the Target Monitoring Management page.
  - Click the name of the target.
  - In the General tab, set up the collection method and parameters for Audit Configuration:
    - In the Collection Method field, select 'TCP/IP Sniffer' (for this example).
    - Select the Version of your target database (9i, 10g, or 11g for Oracle).
    - In Sniffer on Port, select which FortiDB appliance port is connected to the switch's mirror port.
    - Check Enable Activity Auditing and Log All to audit all database activity.
    - Check Enable Activity Profiling.
    - Click the Save button to save your Audit Configuration.
  - Go to the Alert Policies tab.
  - Select Table from the Data Policies dropdown list at the bottom of the screen.
  - Click Add. The Target Monitor:<target name> page displays.
- Configure a Table policy.
  - Enter a policy name or use the default name.
  - Enter a description if necessary.
  - Select the Enable check box (checked by default). If checked, the policy is enabled.
  - Select the Create new policy group for policy check box (checked by default). If checked, a policy group is created.
  - Select a severity from the Severity dropdown or use the default.
  - Click the triangle icon of the Audit Settings section to expand it.
  - In the Select Objects to Audit section, configure the following fields:
    - Select the Browse Object by Target check box (checked by default). If checked, you can select items from the dropdown lists.
    - Select a schema from the Schema dropdown list (ex. SCOTT).
    - Select one or more tables to monitor from the Tables box (ex. EMP or DEPT).
    - Select the Read and/or Write check boxes in the Audit Actions field.
    - Click the right arrow to move your selection to the Selected Objects table.
  - Click the triangle icon of the Alert Rule section to expand it.
  - Configure the following fields:
    - Confirm that "Issue alert if ANY of the enabled rules are triggered" (the default) is selected.
    - Select the Security Violation check box (checked by default).
    - Check the Suspicious Database Users check box.
    - Click the triangle icon of Suspicious Database Users to expand the field.
    - Select user name(s) and click the right arrow to move the selection to the Selected users box.
    - Check the Alert any successful access if the database user is in the list check box.
  - Select Save. Verify that the policy you created is listed with the green up-arrow (policy is enabled) in the Status column.
- Confirm that the table policy group has been automatically created and associated with the target database.
  - Select the Alert Policy Groups tab.
  - Confirm that the table policy group named "<your policy name> Group" has been created and is listed in the right box.
- Start monitoring your target.
  - Go to the General tab.
  - Click Start Monitoring. The monitor status shows "Starting" and then "Running".
- Execute SQL statements with your database client application to generate alerts.
Note: To generate alerts for the Data-Table policy that you configured, execute several SQL statements.
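The statements below are an added example of client activity that exercises the policy configured in this guide; they are not part of the FortiDB documentation. They assume the sample values used above (schema SCOTT, tables EMP and DEPT audited for both Read and Write) and that the session's database user has been added to the Suspicious Database Users list.

```sql
-- Constructed test activity for the Data-Table policy configured above.
-- Assumes: schema SCOTT, tables EMP and DEPT audited for Read and Write,
-- and the connected user is listed under Suspicious Database Users.
-- Run from a normal client session (sqlplus, SQL Developer) so the traffic
-- crosses the mirrored switch port that the FortiDB appliance sniffs.

-- 1. Read on an audited table: a successful access by a listed user,
--    which the "Alert any successful access" option turns into an alert.
SELECT empno, ename, deptno
  FROM scott.emp
 WHERE deptno = 10;

-- 2. Read on the second audited table.
SELECT deptno, dname, loc
  FROM scott.dept;

-- 3. Write on an audited table. The statement reaches the server and is
--    therefore seen on the wire by the sniffer; the ROLLBACK leaves the
--    data unchanged, so the check does not modify the target.
UPDATE scott.emp
   SET comm = NVL(comm, 0)
 WHERE deptno = 10;
ROLLBACK;

-- 4. Write via an INSERT/DELETE pair on the second table, also rolled back.
--    Department 99 is a constructed value that does not exist in the
--    standard SCOTT schema.
INSERT INTO scott.dept (deptno, dname, loc)
VALUES (99, 'AUDIT_TEST', 'NOWHERE');
DELETE FROM scott.dept WHERE deptno = 99;
ROLLBACK;

-- With Log All enabled, every statement above should appear under
-- DB Activity Monitoring > Activity Auditing, and the Read/Write accesses
-- by the listed user under DB Activity Monitoring > Security Alerts.
```

If a statement is visible in Activity Auditing but produces no alert, re-check the Audit Actions and Selected users settings of the policy rather than the network setup; if it is missing from Activity Auditing as well, the mirror port or Sniffer on Port selection is the first thing to verify.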
- Check alerts.
  - Go to DB Activity Monitoring > Security Alerts. You should see one or more alerts in the Alerts table.
  - To display the alert details, click an alert. To close the alert details, click the triangle icon of Alert Details.
- Create a user-defined DAM report.
  - Go to Report Management > User-Defined DAM Reports.
  - Select Add.
  - Enter a name in the Name field, and a description in the Description field (optional).
  - Go to the Columns tab to specify the columns to include in the report.
  - Select the format from the Export as dropdown list.
    Note: The following file formats are supported:
    - PDF
    - Excel
    - Tab-delimited
    - Comma-separated values
  - Select Export. The File Download dialog displays. You can open or save the report to a file.
- Check activity auditing.
  - Go to DB Activity Monitoring > Activity Auditing. You should see the audit logs for database activity.
  - To display the audit details, click an audit log; the detail information is displayed below the audit log table.
- Check activity profiling.
  - Go to DB Activity Monitoring > Activity Profiling. The Profiling page lists the profiling status and summary information for the target(s) currently monitored.
  - Click the name of a target to open the profiling detail page and view the profiling detail information.