Database activity monitoring (DAM) : Blocking invalid access while monitoring
Because the real-time blocking feature uses the TCP/IP Sniffer, the Real Time Blocking tab is only available when Collection Method is TCP/IP Sniffer.
You can configure FortiDB to use a TCP/IP Reset (RST) mechanism to prevent invalid access to the server by database clients. FortiDB allows you to select which alert policies FortiDB uses to validate the connection data.
Whenever it blocks access, FortiDB generates a critical security alert.
Because real-time blocking interrupts the TCP connection, it can destabilize your database client application or application server. Ensure that you understand this feature and its implications before you enable it.
You can configure FortiDB to block a client for a specified period of time after it violates access policies. During this period, instead of scanning the connection for policy violations, which uses system resources, FortiDB automatically resets connections from the client. After the blocking period expires, FortiDB resumes the scanning process. Specifying a blocking period can improve performance if FortiDB is under attack by malicious clients. The default blocking period is 5 minutes.
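The blocking period described above, as an added illustrative model that is not FortiDB's own code: it shows how a monitor can reset a violating client's connection, then skip policy scanning for that client until a configurable period expires, and resume scanning afterwards. The alert policies, client addresses, statements and timestamps below are constructed for the example; only the 5-minute default comes from the page.

```python
"""Model of a monitor-with-blocking loop (added example, not FortiDB code).

Behaviour modelled from the page: scan each client request against the
selected alert policies, send a TCP reset on a violation, and for the
blocking period reset the client's connections without scanning them.
"""
from dataclasses import dataclass, field

DEFAULT_BLOCK_MINUTES = 5  # the page's default blocking period


@dataclass
class Event:
    client_ip: str
    user: str
    statement: str
    time_s: float  # constructed timestamp, seconds since monitoring started


# Hypothetical alert policies: (name, predicate) pairs. Real policies are
# whatever was assigned on the Real Time Blocking tab.
POLICIES = [
    ("unapproved_user", lambda e: e.user not in {"app_svc", "report_ro"}),
    ("ddl_statement", lambda e: e.statement.upper().startswith(("DROP", "ALTER"))),
]


@dataclass
class BlockingMonitor:
    block_minutes: int = DEFAULT_BLOCK_MINUTES
    blocked_until: dict = field(default_factory=dict)  # client_ip -> expiry time (s)
    resets_sent: list = field(default_factory=list)     # (time, client_ip, reason)
    scans: int = 0                                       # events evaluated against policies

    def _send_rst(self, e: Event, reason: str) -> None:
        # Stand-in for the TCP RST sent to the client's connection.
        self.resets_sent.append((e.time_s, e.client_ip, reason))

    def handle(self, e: Event) -> str:
        expiry = self.blocked_until.get(e.client_ip)
        if expiry is not None and e.time_s < expiry:
            # Blocking period still active: reset without spending scan work.
            self._send_rst(e, "blocked")
            return "reset_blocked"
        if expiry is not None:
            del self.blocked_until[e.client_ip]  # period expired: resume scanning
        self.scans += 1
        for name, matches in POLICIES:
            if matches(e):
                # Violation: reset now and block the client for the configured period.
                self._send_rst(e, name)
                self.blocked_until[e.client_ip] = e.time_s + self.block_minutes * 60
                return f"reset_policy:{name}"
        return "allowed"


def run_demo():
    """Replay constructed traffic and return the monitor plus per-event outcomes."""
    mon = BlockingMonitor()
    events = [
        Event("10.0.0.5", "app_svc", "SELECT * FROM orders", 0),   # clean request
        Event("10.0.0.9", "sa", "SELECT * FROM users", 1),          # unapproved user: reset + block
        Event("10.0.0.9", "app_svc", "SELECT 1", 2),                # still blocked: reset, no scan
        Event("10.0.0.5", "app_svc", "DROP TABLE audit", 10),       # DDL: reset + block
        Event("10.0.0.9", "app_svc", "SELECT 1", 5 * 60 + 2),       # period expired: scanned, allowed
    ]
    outcomes = [mon.handle(e) for e in events]
    return mon, outcomes


if __name__ == "__main__":
    monitor, results = run_demo()
    for r in results:
        print(r)
    print("scans:", monitor.scans, "resets:", len(monitor.resets_sent))
```

Five events produce only four policy scans: the request from the blocked client at t=2 is reset without being evaluated, which is the resource saving the page attributes to the blocking period. The model sends a reset per event; in the real deployment that reset still has to reach the client's connection through the port chosen for TCP RST blocking.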
To enable real-time blocking
1. Go to DB Activity Monitoring > Monitoring Management, and then click the name of the target.
2. If FortiDB is currently monitoring the target, click Stop Monitoring.
3. On the Real Time Blocking tab, select Enable Real Time Blocking.
4. To configure FortiDB to continue to deny access to clients that it blocks for a specified period of time, select Block Client for [x] minutes, and then enter a value in minutes.
The default value is 5 minutes.
5. For TCP RST Blocking Port, select the network port FortiDB uses to send the TCP RST packet to the client's connection.
Ensure that FortiDB can reach the connection between the database client and server through the port you specify. If the client is behind a firewall or router with NAT, the TCP reset appears to the client to come from the firewall or router.
6. To assign alert policies for real-time blocking, select one or more policies from the Available Policies list, and then click >> (right arrows) to move them to the Selected Policies list.
The items in the Available Policies list are from groups selected on the Alert Policy Groups tab.
To remove items, select them and then click << (left arrows).
7. Click Save.
8. On the General tab, to restart monitoring with the real-time blocking feature enabled, click Start Monitoring.
See also
Database Activity Monitoring (DAM) policies