Just got Database Firewall 220.127.116.11.0-6_130819.1600 and Audit Vault set up for evaluation.
I am trying to configure monitor only (DAM mode). I have the network tapped and have verified there is traffic on the link (we do this sort of thing a lot). The problem is the dbfirewall is not seeing the traffic.
If I go into "Live Capture" I can see packets on the management interface, but not "Network 0". I tried installing another network card, but I think something is more broken. When I dump traffic on the management interface I see (from syslog messages) that eth0 goes into promiscuous mode.
Oct 31 00:37:39 dbfw001b215e2a07/18.104.22.168 kernel: device eth0 entered promiscuous mode
Oct 31 00:37:44 dbfw001b215e2a07/22.214.171.124 kernel: device eth0 left promiscuous mode
However, when I try to dump traffic on "Network 0" no log message is created. In fact it doesn't even look like the GUI is attempting to dump the traffic. For example, if I say dump for a duration of 30 seconds, the GUI returns in 1 second - suggesting something is more broken under the hood than just not seeing the traffic.
I was hoping to ssh in as root and see if I could see traffic on the card at the kernel level, but I guess you can't ssh root@ on the device?
Anyway, stuck and need help.
"You can't ssh as root. You need to ssh as the Support user and then su - to be root."
Indeed, thanks. Got in as "support" and su to root, and confirm I see the traffic on br1.
"To get traffic from Network 0, you need to set up the network as inline (DBFW as a bridge) or in Proxy mode (DBFW as a proxy)."
I thought DAM mode allowed me to just passively monitor the traffic? I would prefer not to have the dbfirewall inline either physically (proxy) or logically (bridge). Sounds like maybe that is not possible? The actual traffic really needs to flow through the dbfirewall?
Thanks for the reply.
Please note we are already making a copy of the traffic with a tap. A tap is an alternative (a better alternative, some would argue) to a SPAN port. Getting a copy of the traffic to the dbfirewall network interface is not the problem. I can ssh in and confirm traffic is arriving on br1. However, the application does not see the traffic.
To close this thread, I got help from Oracle support. It seems there is just a bug in the "Live Capture" tool. If you can see traffic on the interface, either with tcpdump or with ifconfig RX packet counts increasing, it's working. That's what Oracle had me do; they didn't quite say "Live Capture" had a bug, but they did say they have seen this before.
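As an added example (not from this thread and not Oracle's own tooling), here is the check Oracle support had the poster do, scripted so it can be run from the support shell after su - to root: read the kernel's RX packet counter for the monitoring interface twice and report whether it moved, and confirm the interface is in promiscuous mode, which a passive monitor needs in order to see frames not addressed to its own MAC. The interface name br1, the SYSFS_ROOT override and the function names are assumptions; the figure ifconfig reports as "RX packets" and /sys/class/net/<iface>/statistics/rx_packets are the same kernel counter.

```shell
#!/bin/sh
# Added example: verify that tapped/mirrored traffic is actually reaching a
# DBFW monitoring interface, independent of the appliance's "Live Capture" GUI.
# Assumptions: interface name (br1 by default) and SYSFS_ROOT, which is
# overridable so the functions can be exercised against a constructed directory.

SYSFS_ROOT="${SYSFS_ROOT:-/sys/class/net}"
IFF_PROMISC=0x100   # Linux if.h flag bit for promiscuous mode

# rx_packets IFACE: print the kernel's cumulative RX packet counter for IFACE.
# This is the same counter ifconfig shows as "RX packets".
rx_packets() {
    cat "$SYSFS_ROOT/$1/statistics/rx_packets"
}

# is_promisc IFACE: succeed if IFACE currently has IFF_PROMISC set.
# Only counts traffic destined for the interface's own MAC if this is off.
is_promisc() {
    flags=$(cat "$SYSFS_ROOT/$1/flags")
    [ $(( $flags & $IFF_PROMISC )) -ne 0 ]
}

# rx_delta IFACE SECONDS: print how many packets arrived in SECONDS seconds.
rx_delta() {
    before=$(rx_packets "$1")
    sleep "$2"
    after=$(rx_packets "$1")
    echo $(( $after - $before ))
}

# check_iface IFACE SECONDS: report whether the tap feed is alive on IFACE.
# Exit 0 when packets arrived in the window, 1 when the counter did not move.
check_iface() {
    iface=$1
    window=$2
    if is_promisc "$iface"; then
        echo "$iface: promiscuous mode ON"
    else
        echo "$iface: promiscuous mode OFF (passive monitoring will miss most frames)"
    fi
    delta=$(rx_delta "$iface" "$window")
    if [ "$delta" -gt 0 ]; then
        echo "$iface: $delta packets received in ${window}s - tap traffic is reaching the interface"
        return 0
    fi
    echo "$iface: no packets in ${window}s - check the tap/SPAN and cabling before suspecting the application"
    return 1
}

# capture_sample IFACE [COUNT]: the tcpdump variant of the same check
# (needs root and tcpdump installed; -n avoids DNS lookups, -i selects the
# interface, -c stops after COUNT packets so it cannot hang on a dead link).
capture_sample() {
    tcpdump -n -i "$1" -c "${2:-20}"
}

# Usage on the appliance: check_iface br1 30 ; capture_sample br1
```

Run `check_iface br1 30` while the tapped database is under load: a non-zero delta plus promiscuous mode ON means the copy of the traffic is arriving and any remaining gap is in the application layer, as it turned out to be here; a zero delta points back at the tap, SPAN or cabling.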
If it is just a bug in the "Live Capture" tool in DBFW, then why, after I configure the enforcement point with the "Log All" policy enabled and run a report, is there nothing in it? I have a question: did you continue to use DBFW in DAM mode? If you succeeded, please let me know which version of DBFW you use. Thanks for replying.