Fortinet FortiDB Handbook
This handbook is for use with FortiDB software, a database security and compliance platform. It describes how to set up, configure, and manage FortiDB and covers the software's features and capabilities, including vulnerability assessment (VA), database activity monitoring (DAM), and compliance reporting, so that you can implement internal IT control frameworks for database activity monitoring, IT audit, and regulatory compliance.
DATABASE SECURITY AND COMPLIANCE
FortiDB Handbook
VERSION 5.1.11
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com
FORTINET VIDEO GUIDE
http://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
http://cookbook.fortinet.com/how-to-work-with-fortinet-support/
FORTIGATE COOKBOOK
http://cookbook.fortinet.com
FORTINET TRAINING SERVICES
http://www.fortinet.com/training
FORTIGUARD CENTER
http://www.fortiguard.com
FORTICAST
http://forticast.fortinet.com
CLI REFERENCE
http://cli.fortinet.com
END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: [email protected]
Friday, March 17, 2017
FortiDB 5.1.11 Handbook
1st Edition
TABLE OF CONTENTS
Introduction
What’s new
FortiDB tutorials
Tutorial: Generating a vulnerability assessment (VA) report
Tutorial: Monitoring a database table using the TCP/IP sniffer
Tutorial: Monitoring a database table using the native auditing feature
Tutorial: Monitoring changes to metadata
Tutorial: Generating PCI, SOX, and HIPAA compliance reports
Installation (software-only)
Configuring the FortiDB repository database
Configuring a PostgreSQL repository
Configuring an Oracle repository
Configuring a Microsoft SQL Server repository
Useful directories, files, and folders
How to set up your FortiDB
Planning the network topology for database activity monitoring (DAM)
Connecting to the web UI and CLI
Changing the “admin” account password
Configuring the network settings
Configuring network settings using the web UI
Configuring network settings using the CLI
Backups
Administrators
Privileges by license type (software-only FortiDB)
Viewing and exporting an administrator report
Advanced/optional system settings
System information and settings
Changing the FortiDB host name
User Profile/Security properties
Connecting to target databases
Pre-configuration for monitoring target databases
Network requirements for monitoring using the TCP/IP sniffer
Oracle target database pre-configuration
Required privileges for monitoring or auditing Oracle databases
Configuring an Oracle database for PCI, SOX, and HIPAA policies
Enabling FortiDB to delete audit records
Oracle XML file agent installation and configuration (UNIX, Windows, AIX)
Monitoring encrypted Oracle traffic
Using the SYSLOG utility to collect audit data
MySQL target database pre-configuration
Required privileges for monitoring via SQL Trace
Sybase target database pre-configuration
Configuring the Sybase audit system and FortiDB database user
Configuring the Sybase Monitoring and Diagnostic (MDA) tables
DB2 target database pre-configuration
Users and privileges required by the DB2 agent
Configuring the DB2 database and installing the agent
Microsoft SQL Server target database pre-configuration
Database user account requirement
Privileges required by the FortiDB database user
Privileges for VA assessments, privilege summaries, and penetration tests
Privileges for monitoring data
Privileges for monitoring privileges
Privileges for monitoring metadata
Searching or filtering the target list
Adding (or modifying) a target connection
Configuring SSH connections to Oracle and DB2 databases
SSH environment requirements (software-only version)
Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX
Adding or modifying a target group
How to discover Microsoft SQL Server
Adding targets from auto-discovery
Vulnerability assessment (VA) policies
Exporting and importing VA policies
Keywords and user keywords for VA policies
Managing VA pre-defined policies
Importing pre-defined policies (appliance)
Importing pre-defined policies (software-only FortiDB)
Setting an access control list (ACL) for minimally-privileged users
Deleting user-defined policies
Exporting user-defined policies
Importing user-defined policies
Connection options for penetration tests
Files used for penetration tests
Configuring and running penetration test assessments
Data discovery policies and policy groups
Managing data discovery policies
Database Activity Monitoring (DAM) policies
Configuring policy information for a policy
Automatically generating alert policies
Configuring audit settings for a table policy
Configuring alert rules for a table policy
Table policy alert rules for different databases
Configuring a table and column policy
Configuring audit settings for a session policy
Configuring alert rules for a session policy
Configuring audit settings for a user policy
Configuring alert rules for a user policy
User policy alert rules for various databases
Configuring a database query policy
Microsoft SQL Server privilege policies
Microsoft SQL Server metadata policies
PCI, SOX, and HIPAA alert policies
Configuring PCI, SOX and HIPAA policies
Selecting which tables FortiDB tracks for PCI, SOX and HIPAA reports (Object Audit Options)
Select users to audit for PCI and SOX reports (User Audit Options)
Creating or modifying an alert or audit policy group
Adding policy groups to target database monitoring
Vulnerability assessment
Adding or modifying assessments
Running an assessment immediately
Running an assessment at a specified date and time
Configuring assessment notifications
Notification OIDs for target-level assessments
Notification OIDs for Rule-Level Assessments
Selecting the type of report an assessment generates
Reviewing, deleting, and aborting assessment results
View VA global summary information
Import or export assessment history
Viewing and exporting a privilege summary
Column and column value differences
Manage sensitive data discovery
Running sensitive data discovery
Viewing sensitive data discovery reports
Viewing VA and sensitive data discovery event logs
Database activity monitoring (DAM)
Target monitoring configuration tabs and options
Configuring target database monitoring
Configuring monitoring using the TCP/IP sniffer (all database types)
Configuring Microsoft SQL Server monitoring
Adding alert and audit policies to monitoring
Adding policy groups to target monitoring
FortiDB event to ArcSight data field mapping
Blocking invalid access while monitoring
Excluding policies from the Alert Policy settings (whitelist)
Displaying the history of issued audit commands
Microsoft SQL Server audit management
DB2 audit settings with syscat.auditpolicies
DB2 audit settings with syscat.audituse
Changing the status of and annotating alerts
Exporting the alert list as a report
Filtering and searching alerts
Add, edit, or delete an alert group
Data filter for an alert group
Viewing audit records (activity auditing results)
Filtering and searching the audit record list
Add, edit, or delete an audit group
Data filter for an audit group
Viewing status and summary information for activity profiling
Viewing and exporting activity profiling results
Logs
Viewing and managing the audit trail records
Examples of audit trail records
Reports
Vulnerability assessment (VA) reports
Report files that FortiDB saves to disk
Sensitive data discovery reports
Adding analysis charts and statistics tables to reports
Email notification for scheduled reports
General steps for generating PCI, SOX, and HIPAA reports
Report: Abnormal Termination of Database Activity
Report: Abnormal or Unauthorized Changes to Data
Report: Abnormal Use of Service Accounts
Report: End of Period Adjustments
Report: History of Privilege Changes
Report: Verification of Audit Settings
Archiving audit data
Using the command line interface (CLI)
Specifying file names and locations in commands
Entering spaces in a command strings
Entering quotation marks in strings
Entering a question mark (?) in a string
Special characters that are not permitted in commands
Specifying IP address formats in commands
Completing commands automatically
config
config system admin setting
config system backup all-setting
Example config system debug-filter
Example config system interface
Implementing RAID 5 on FortiDB 2000B
Implementing RAID on FortiDB 3000B
execute
execute backup all-settings
Example execute backup configurations
Example execute backup fd-tcpdump
Example execute backup-remove fd-archive
execute backup-remove fd-report
Example execute backup-remove fd-tcpdump
Syntax execute restore all-settings
Example execute restore configurations
show
show system admin setting
Syntax show system backup all-settings
Syntax diagnose counter packet
Syntax diagnose counter session
Syntax diagnose debug application control basic
diagnose debug application housekeep basic
Syntax diagnose debug application parser basic
Syntax diagnose debug application parser packet
diagnose debug application sniffer abnormal
Syntax diagnose debug application sniffer basic
Syntax diagnose debug application sniffer block-ip
diagnose debug application sniffer block-session
Syntax diagnose debug application sniffer ip-reassemble
Syntax diagnose debug application sniffer malformed-packet
diagnose debug application sniffer packet
Syntax diagnose debug application sniffer tcp-reassemble
Syntax diagnose log show|tail|remove
Example diagnose mapping debug
Syntax diagnose system coredump check
Example diagnose system coredump export
Example diagnose system export fd_log
Example diagnose system raid list
Syntax diagnose tcpdump start|stop
Example diagnose tcpdump status
Example diagnose network interface list
Syntax diagnose network interface detail
Introduction
Welcome, and thank you for selecting Fortinet products for your network.
FortiDB software is a comprehensive database security and compliance platform that helps large enterprises and cloud-based service providers protect their databases and applications from internal and external threats. Its flexible policy framework allows you to quickly and easily implement internal IT control frameworks for database activity monitoring, IT audit and regulatory compliance.
15 FortiDB 5.1.11 Upgrade Guide
Fortinet Technologies Inc.
What’s new
The following features are new or have changed since FortiDB 5.1. For upgrade information, see the release notes available with the firmware and Updating the firmware on page 49.
FortiDB 5.1.11
- Patch release only.
FortiDB 5.1.10
- Disk partitioning requirement — If upgrading from a version older than 5.1.8, you MUST repartition the hard disk to ensure FortiDB works properly.
- Support "Flashback" for Oracle XML agent — Two metadata DAM alert policies have been added in Oracle XML agent mode to cover the flashback table and the flashback database.
- Update SybaseIQ for VA — Twelve (12) VA policies have been added for SybaseIQ.
- MongoDB VA SSL connection support — Support for SSL connections has been added to MongoDB VA.
- MongoDB VA YAML-type configuration file support — Support for YAML-type configuration files has been added to MongoDB VA.
FortiDB 5.1.9
- Fix for glibc vulnerability — This release fixes a bug in the glibc open source library, a stack-based buffer overflow in the getaddrinfo() resolver function (CVE-2015-7547), that exposed the product to denial of service and other types of attacks.
- Software support for FortiDB 1000B — FortiDB 5.1.9 and higher software is not supported on model 1000B.
- Software version support — This release is supported on hardware versions of the product only. (The glibc vulnerability CVE-2015-7547 does not affect the software versions of the product.)
FortiDB 5.1.8
- Vulnerability assessment (VA) for MongoDB and Oracle 12c — FortiDB now supports VA for MongoDB version 2.6 and Oracle 12c.
- DAM using the TCP/IP sniffer supports Microsoft SQL RPC variables and commands — FortiDB can now match DAM policies by parsing values generated by remote procedure call (RPC) operations, such as those generated by right-clicking in client-side database tools (for example, SQL Studio), and by translating SQL commands beginning with 'rpc executesql' to standard SQL commands.
- Reconnect when target is offline and send email notification — When a target is offline, FortiDB now makes up to 5 attempts to reconnect. FortiDB sends an email notification to an administrator if a connection fails.
- Disk usage detection and reserve — FortiDB now reserves 1% of free disk space to help prevent system crashes.
FortiDB 5.1.7
- Oracle 12c support for DAM — For Oracle 12c, FortiDB now supports Database Activity Monitoring (DAM) using both the TCP/IP packet sniffer and native, audit-based data collection methods.
- Support for Oracle syslog data collection — Oracle syslog data collection is now available when you use sniffer-based data collection. For more information, see Using the SYSLOG utility to collect audit data on page 84.
- Fdbagent supports AIX and Linux 6 — For DAM, you can now use the Oracle XML file agent or the DB2 agent to monitor databases installed on AIX 6 and Linux 6.
- Monitor synonyms — You can now monitor synonyms (an alternative name for a database element such as a table, view, sequence, or procedure) on Oracle databases.
- PostgreSQL support for DAM — DAM can now monitor PostgreSQL databases when you use sniffer-based data collection.
- Configuration backup via CLI — You can now back up your FortiDB configuration using CLI commands, without backing up audit and other data. For more information, see execute backup configurations on page 279.
- Security enhancements — A number of security enhancements have been added to address current threats and SSL-related issues.
- Support for Microsoft SQL RPC (remote procedure call) in native audit mode — FortiDB now supports RPC when it monitors a Microsoft SQL Server database using the native auditing feature.
- DB2 version 10.x support for both VA and DAM — DAM and VA now support newer versions of IBM DB2.
- Troubleshooting enhancements — FortiDB now provides more CLI commands that retrieve diagnostic data. For more information, see diagnose system coredump check on page 304 and diagnose system coredump export on page 304.
FortiDB 5.1.6
- HIPAA compliance reports — In addition to SOX and PCI reports, FortiDB now has pre-defined HIPAA (Health Insurance Portability and Accountability Act) reports to help customers meet regulatory requirements. See PCI, SOX, and HIPAA reports on page 242.
- SQL string detection in Alert policies — You can now specify a SQL string to detect in a Table and Column DAM alert policy. This is useful for detecting attacks that use SQL injection. See Configuring a table and column policy on page 154.
- Support for encrypted Oracle traffic for database activity monitoring (DAM) — FortiDB can now monitor encrypted Oracle traffic in sniffer mode. See Monitoring encrypted Oracle traffic on page 83.
- Exclude policies from vulnerability assessment (VA) scans — You can now exclude policies from VA scans of specific targets. This feature allows you to scan databases with different policy sets without creating new scans for each case. See Adding or modifying assessments on page 181.
- Sybase IQ support for VA — FortiDB now supports SybaseIQ for VA. (Penetration test and DAM are not supported.) See Adding (or modifying) a target connection on page 107.
- Performance enhancement — FortiDB now has an internal alert policy pre-filter that speeds up alert data processing.
FortiDB 5.1.5
- Tomcat upgrade — Tomcat (one of FortiDB’s internal components) has been upgraded to eliminate vulnerabilities found in the older version.
- Mitigate vulnerability related to Bash (CVE-2014-6271, "Shellshock") — FortiDB used Bash to allow access to the shell in its debug builds. It has been replaced to eliminate the CVE-2014-6271 vulnerability.
FortiDB 5.1.4
- Support for SQL Server 2014 VA — You can now scan the latest MS SQL Server platform for vulnerabilities.
- TCP/IP sniffer optimized for better performance and stability — Throughput and performance for the sniffer-based data collection method have been improved.
- Enhanced diagnose mode — FortiDB has a new command set that allows you to troubleshoot more efficiently. See Using the command line interface (CLI) on page 257.
- Security enhancements — Enhanced protection against cross-frame scripting (XFS), and cache control to prevent data from being saved by the browser.
FortiDB 5.1.3
- Internal message queuing mechanism enhancement — The internal message queuing mechanism was upgraded. This improves the stability of data collection in high transaction volume environments.
- Support for online context in help — FortiDB now supports online context in Help. This allows more comprehensive searches and more up-to-date information for end users.
- Support for partitions larger than 2TB in FortiDB 3000D — The large partition size enables more efficient audit data storage in the 3000D appliances. For information on adjusting the RAID level for the FortiDB 3000D and other models, see config system raid on page 275.
- Email notification enhancement — This enhancement alleviates the problems associated with configuring reports in the notification section of the Monitor setup.
FortiDB 5.1.2
- No design changes. Bug fixes only.
FortiDB 5.1.1
- Support for FortiDB-1000D appliance — FortiDB-1000D is a stronger, faster platform supporting up to 30 databases that replaces the FortiDB-1000C.
- tcpdump — FortiDB now includes tcpdump, a packet analyzer that you access using the command-line interface (CLI). tcpdump provides a reliable way for FortiDB deployments that use the TCP/IP sniffer to collect traffic data for troubleshooting purposes.
FortiDB tutorials
Use the FortiDB tutorials to quickly create a basic, working assessment and monitoring configuration for your environment and familiarize yourself with the web UI.
For initial installation instructions (for the software-only version) and initial product configuration, see Installation (software-only) and How to set up your FortiDB on page 48.
See also
- Tutorial: Generating a vulnerability assessment (VA) report
- Tutorial: Monitoring a database table using the TCP/IP sniffer
- Tutorial: Monitoring a database table using the native auditing feature
- Tutorial: Monitoring changes to metadata
- Tutorial: Generating PCI, SOX, and HIPAA compliance reports
Tutorial: Generating a vulnerability assessment (VA) report
The following example FortiDB configuration provides step-by-step instructions for creating a vulnerability assessment (VA) report for an Oracle target database.
To complete this example, the database user that FortiDB uses to connect to the Oracle target requires the following privileges:
- CREATE SESSION
- SELECT_CATALOG_ROLE
- SELECT ON:
  - SYS.AUDIT$
  - SYS.REGISTRY$HISTORY
  - SYS.USER$
  - SYS.LINK$
  - SYSTEM.SQLPLUS_PRODUCT_PROFILE
For requirements for other types of target databases, see Privileges for VA assessments, privilege summaries, and penetration tests on page 95.
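The following Oracle SQL script is an added example and is not part of the Fortinet handbook. It creates a dedicated database account carrying exactly the privileges listed above, and then queries the data dictionary so you can confirm that nothing beyond those grants is present before you enter the account in the target definition. The account name FORTIDB_VA and the placeholder password are assumptions; run it as a DBA (for example SYS AS SYSDBA), and on an Oracle 12c multitenant database run it inside the pluggable database that holds the target schema.

```sql
-- Added example (not from the Fortinet handbook): create the Oracle account that
-- FortiDB uses for vulnerability assessment, with the privileges listed above
-- and nothing more. Run as a DBA, e.g. SYS AS SYSDBA.
-- Assumptions: the account name FORTIDB_VA and the placeholder password.
-- On Oracle 12c multitenant, run this inside the PDB that holds the target
-- schema so that a local user is created (a CDB-wide common user would need
-- the C## prefix).

CREATE USER fortidb_va IDENTIFIED BY "Replace-Me-Before-Use-1";

-- Only the right to connect: no CREATE TABLE, no UNLIMITED TABLESPACE, no DBA.
GRANT CREATE SESSION TO fortidb_va;

-- Read access to the data dictionary views (DBA_*, V$*) that VA policies query.
GRANT SELECT_CATALOG_ROLE TO fortidb_va;

-- SYS- and SYSTEM-owned base tables named in the handbook. They are not reached
-- through SELECT_CATALOG_ROLE, so each needs a direct object grant.
GRANT SELECT ON SYS.AUDIT$ TO fortidb_va;
GRANT SELECT ON SYS.REGISTRY$HISTORY TO fortidb_va;
GRANT SELECT ON SYS.USER$ TO fortidb_va;
GRANT SELECT ON SYS.LINK$ TO fortidb_va;
GRANT SELECT ON SYSTEM.SQLPLUS_PRODUCT_PROFILE TO fortidb_va;

-- Verification: the result set should contain only the seven grants above
-- (one system privilege, one role, five object privileges). Anything else,
-- such as a DBA role or privileges on application schemas, means the account
-- was created or modified outside this script.
SELECT 'SYSTEM PRIVILEGE' AS kind, privilege AS granted
  FROM dba_sys_privs  WHERE grantee = 'FORTIDB_VA'
UNION ALL
SELECT 'ROLE', granted_role
  FROM dba_role_privs WHERE grantee = 'FORTIDB_VA'
UNION ALL
SELECT 'OBJECT', owner || '.' || table_name || ' (' || privilege || ')'
  FROM dba_tab_privs  WHERE grantee = 'FORTIDB_VA'
ORDER BY kind, granted;
```

Keeping the account this narrow means that if the FortiDB repository or its stored target credentials are ever compromised, the attacker gains read access to the dictionary and a handful of SYS tables, not the ability to change data or grant themselves more.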
Use the following steps to complete this tutorial:
- Create a FortiDB administrator
- Create a target
- Create a target group
- Run a vulnerability assessment of the target group
- View the assessment results as a report
Create a FortiDB administrator
The FortiDB admin account is required for administrative tasks related to vulnerability assessment (VA) (for example, making backups and creating new accounts). However, for general VA tasks, Fortinet recommends that you create additional administrators with appropriate roles to allow you to separate duties.
1. Log in to FortiDB using the following credentials:
   User Name: admin
   Password: fortidb1!$
   These are the factory defaults. Change the admin password before you put FortiDB into service (see Changing the “admin” account password).
2. In the navigation menu (on the left side of the web UI), click Administration to expand it, and then click Administrators.
3. On the Administrators page, click Add.
4. On the General tab, enter information in the fields marked with an asterisk (*).
For this example, for User Name, enter vauser. For Password, enter fdb!23.
5. On the Roles tab, in the Available Roles list, select the following roles, and then click > (right arrow) to add them to the Assigned Roles list:
   - Target Manager
   - Operations Manager
   - Report Manager
6. Click Save.
7. To log out the admin user, click the Logout icon at the top-right of the screen.
Create a target
A target specifies a database for FortiDB to assess.
1. Log in to FortiDB as the vauser user and the password fdb!23.
Because vauser cannot view or create other users, Administration is not displayed in the navigation menu.
2. In the navigation menu, go to Target Database Server > Targets.
3. On the Targets page, click Add.
4. On the General tab, enter the following information. For this example, the target is an Oracle database:
   Name: vatarget
   Type: Oracle
   DB Host Name/IP: The IP address or name of the machine where the database is located (for example, test_machine or 172.30.12.112)
   Port: The number of the port the database uses; the default port is 1521
   DB Name: The name of the database (for example, orcl)
   User Name: The database user name (the account that holds the VA privileges listed at the start of this tutorial)
   Password: The password for the database user
5. To verify that the connection parameters are correct, click Test Connection.
The message “Success” is displayed at the top of the page.
6. Click Save.
The vatarget item is displayed in the list of targets.
Create a target group
You configure FortiDB to assess target groups, not individual targets. A target group can consist of one or more targets.
1. In the navigation menu, click Target Database Server > Target Groups.
2. On the Target Groups page, select Add.
3. On the Targets page, for Group Name, enter a name for your group. For this example, enter mygroup.
4. To filter the list of targets, select the following values:
   Column: Name
   Operator: Contains
   Value: All or part of the name of the target (for example, vatarget or targ)
5. Click Search.
6. Ensure that only the target you created (vatarget) is displayed in the list, and then, to the right of the Group Name field, click Save Group.
7. To verify that the target group you created is in the list of target groups, click Target Database Server > Target Groups.
Run a vulnerability assessment of the target group
1. In the left-side menu, go to Vulnerability Assessment > Assessments.
2. On the Assessments page, click Add.
3. For Assessment Name, enter a name for your new assessment. For this example, enter myscan.
4. To add a target group to your assessment, on the Assessment page, click the Targets tab.
5. In the Available Target Groups list, select mygroup (the target group that you just created), and then click > (right arrow) to move mygroup to the Assigned Target Groups list.
6. To add FortiDB policies to your assessment, click the Policies tab.
7. In the Available Policy Groups list, select Oracle Policy Group, and then click > (right arrow) to move Oracle Policy Group to the Assigned Policy Groups list.
   When you select a policy group in the Available Policy Groups or Assigned Policy Groups list, the group’s policies are displayed in the Active Policies list. Although you can select items in the Active Policies list, you cannot use this list to select policies to execute.
8. Click Save.
   On the Assessments page, the myscan assessment is displayed.
9. To run your newly created assessment, select the check box for the myscan item, and then click Run.
In this example, you run the assessment manually and view the results in the web UI. However, FortiDB also allows you to schedule assessments and configure email and SNMP-trap notifications of assessment results.
(See Running an assessment at a specified date and time on page 182 and Sending alert notifications on page 207.)
After approximately a minute, a stop date and time is displayed in the Last Run Time column of the myscan item.
View the assessment results as a report
FortiDB provides several pre-defined reports that can help you analyze your assessments. This example uses the Target Summary Failed Report to view the assessment results. This report summarizes failed policies by number and type.
1. In the navigation menu, go to Report > Pre-Defined VA Reports.
2. On the Pre-Defined Reports page, click Target Summary Failed Report.
3. On the Vulnerability Assessment Target Summary Failed Report page, select the following values:
   Assessment Name: myscan
   Assessment Time: A date and time when FortiDB ran myscan
   Target: The target associated with myscan (for this example, vatarget)
   On the Target Information tab, the parameters of the selected assessment are displayed.
4. Click the Preview Report tab.
   After FortiDB compiles it, the report is displayed.
5. To view your report in another format, at the bottom of the page, for Export as, select one of the following formats, and then click Export:
   - PDF (.pdf)
   - Excel (.xls)
   - Tab (.txt) (tab-delimited)
   - CSV (.csv) (comma-separated values)
See also
- Connecting to target databases
- Adding or modifying a target group
- Vulnerability assessment (VA) policies
- Adding or modifying assessments
- Tutorial: Monitoring a database table using the TCP/IP sniffer
Tutorial: Monitoring a database table using the TCP/IP sniffer
You can configure FortiDB to use a TCP/IP packet sniffer to monitor specific tables in a database and generate alerts based on policies you specify. For example, you can configure FortiDB to generate alerts when it detects security violations or suspicious database users. You can then use the alert information to generate a report.
Database activity monitoring (DAM) using the TCP/IP sniffer is only available with the FortiDB appliance. DAM does not work for the software version of FortiDB.
This example configures FortiDB to monitor an Oracle database. Before you start the tutorial, ensure that the database has the required configuration. For details, see Oracle target database pre-configuration on page 80.
The TCP/IP sniffer for DAM requires the following network environment and connections:
- The database server and clients use the TCP/IP protocol and all database activity takes place on the LAN.
- The network switch that FortiDB and the database server are connected to supports the port mirroring feature.
- One of the FortiDB ethernet ports is connected to the switch’s mirror port (also known as a SPAN port). This port allows FortiDB to receive copies of all network traffic that is associated with the database.
Because FortiDB only sees the traffic that the switch copies to the mirror port, sessions that never leave the database host (local connections that bypass TCP/IP) are invisible to the sniffer, and a mirror session that copies only one direction of traffic will leave gaps in what FortiDB can reconstruct.
Create a target
A target specifies a database for FortiDB to monitor.
1. Log in to FortiDB using the following credentials (the default values):
   User Name: admin
   Password: fortidb1!$
All DAM tasks require the user to log in as admin.
2. In the navigation menu, go to Target Database Server > Targets.
3. On the Targets page, click Add.
4. On the General tab, enter the following information. For this example, the target is an Oracle database:
   Name: damtarget
   Type: Oracle
   DB Host Name/IP: The IP address or name of the machine where the database is located (for example, test_machine or 172.30.12.112)
   Port: The number of the port the database uses; the default port is 1521
   DB Name: The name of the database (for example, orcl)
   User Name: The database user name
   Password: The password for the database user
   DB Activity Monitoring: Select Allow.
5. To verify that the connection parameters are correct, click Test Connection.
The message “Success” is displayed at the top of the page.
6. Click Save.
The damtarget item is displayed in the list of targets.
Configure an alert policy for a database table
1. In the navigation menu, click DB Activity Monitoring > Monitoring Management.
Your target database is listed on the Target Monitoring Management page.
2. Click damtarget (the name of the target you created).
3. On the General tab, use the following values to complete the Audit Configuration settings:
   Collection Method: TCP/IP Sniffer
   Version: The database version (9, 10g, 11g, 12c)
   Sniffer on Port: The FortiDB appliance port that is connected to the switch's mirror port
   Enable Activity Auditing: Selected
   Log All: Selected
   Enable Activity Profiling: Selected
   When you create a target monitoring configuration, selecting Enable Activity Auditing, Log All, or Enable Activity Profiling is optional.
4. Click Save.
5. Click the Alert Policies tab.
6. At the bottom-left of the page, for Data Policies, select Table, and then click Add.
7. On the Target Monitor:<target name> page, configure a table policy using the following values:
   Policy Name: Enter a policy name or use the default name
   Description: Enter an optional description
   Enable: Selected
   Create new policy group for policy check box: Selected
   Severity: Informational (the default) or other value
   When you create a table policy, selecting Enable or the Create new policy group for policy check box is optional.
8. Beside Audit Settings, click the triangle icon to view the settings, and then select Browse Object by Target.
9. For Schema, select a schema to use (for example, SCOTT).
10. In the Tables list, select a table to monitor (for example, EMP).
To select multiple tables, click a table, and then Shift-click another table in the list. All tables between the two tables are selected.
11. Under Audit Actions, select Read, Write, or both.
12. Click > (right arrow) to move the selected tables and their Audit Action settings to the Selected Objects table.
13. Move any other tables you want to monitor to the Selected Objects table.
14. Beside Alert Rule, click the triangle icon to view the settings.
15. Select Issue alert if ANY of the enabled rules are triggered.
16. Select Security Violation (selected by default).
17. Select Suspicious Database Users, and then click the triangle icon beside it to view additional settings.
18. Select one or more user names, and then click > (right arrow) to move them to the Selected users list.
19. Select Alert any successful access if the database matches a selected entry.
20. Select Save.
On the Alert Policies tab, the new policy is listed. The green up-arrow in the Status column indicates that the policy is enabled.
Confirm the policy group was created and start monitoring
1. Click the Alert Policy Groups tab.
2. In Selected Policy Groups, confirm that FortiDB created a policy group based on the alert policy that you created.
3. In Selected Policy Groups, select the new policy group, and then confirm that the alert policy that you created is displayed in the Selected Policy Group contents list.
4. To start monitoring the database, click the General tab, and then click Start Monitoring.
Monitor Status displays Starting and then Running.
View alerts generated by the policy and export them as a report
1. Using a database client-side application, execute one or more SQL statements that generate alerts.
2. To view alerts, click DB Activity Monitoring > Security Alerts.
3. In the Security Alerts list, click an item to display its details under Alert Details (below the list).
To hide the alert details, beside Alert Details, click the triangle icon.
4. To create a customized report, click Report > User-Defined DAM Reports, and then select Add.
5. On the General tab, for Name, enter a name for the report. Optionally, for Description, enter a short description for the report.
6. Click the Table View tab.
7. In the Available Columns list, select columns to include in the report, and then click >> (right arrows) to add the selected columns to the Columns in Report list.
8. Click Save.
9. On the User-Defined Alert Reports page, in the list of reports, select the report you just created, and then click Run.
10. After FortiDB has run the report, beside the report name, click [+] (plus sign).
A list of items with names created from the report name and run times is displayed.
11. Click a run report item to view the report.
12. To export the report, click one of the following file format icons:
- TXT (tab-delimited)
- XLS (Excel)
- CSV (comma-separated values)
Your browser prompts you to download a file of the specified format.
View activity auditing and profiling
1. To view activity auditing, go to DB Activity Monitoring > Activity Auditing.
Database activity events for the specified dates are displayed.
2. Click an event to display its details under Activity Event Details (below the list).
3. To check activity profiling, click DB Activity Monitoring > Activity Profiling.
The Target DB Activity Profiling page lists the profiling status and summary information for the targets that FortiDB is monitoring.
4. To view details, click the name of the target.
See also
- Connecting to target databases
- Configuring monitoring using the TCP/IP sniffer (all database types)
- Viewing audit records (activity auditing results)
Tutorial: Monitoring a database table using the native auditing feature
You can configure FortiDB to use your database’s auditing features to monitor specific database tables and generate alerts based on policies you specify. For example, you can configure FortiDB to generate alerts when it detects security violations or suspicious database users. You can then use the alert information to generate a report
This example configures FortiDB to monitor an Oracle database. Before you start the tutorial, ensure that the database has the required configuration. For details, see
Oracle target database pre-configuration on page 80 .
FortiDB can use several different methods to collect information from the monitoring process. The value of your database’s audit_trail parameter determines which collection method you use. For this example, because the value of audit_trail is db, extended, the collection method is DB, EXTENDED.
For a description of other collection methods, see Configuring Oracle monitoring on page 204.
Create a target
A target specifies a database for FortiDB to monitor.
1. Log in to FortiDB using the following credentials (the default values):
User Name: admin
Password: fortidb1!$
All DAM tasks require the user to log in as admin.
2. In the navigation menu, go to Target Database Server > Targets.
3. On the Targets page, click Add.
4. On the General tab, enter the following information. For this example, the target is an Oracle database:
Name: dam2target
Type: Oracle
DB Host Name/IP: The IP address or name of the machine where the database is located (for example, test_machine or 172.30.12.112)
Port: The number of the port the database uses; the default port is 1521
DB Name: The name of the database (for example, orcl)
User Name: The database user name
Password: The password for the database user
DB Activity Monitoring: Select Allow.
5. To verify that the connection parameters are correct, click Test Connection.
The message “Success” is displayed at the top of the page.
6. Click Save.
The dam2target item is displayed in the list of targets.
Configure an alert policy for a database table
1. In the navigation menu, click DB Activity Monitoring > Monitoring Management.
Your target database is listed on the Target Monitoring Management page.
2. Click dam2target (the name of the target you created).
3. On the General tab, confirm that the following default Audit Configuration values are selected:
Collection Method: DB, EXTENDED
Polling Frequency: 60 (default value)
4. To test the collection method, click Test.
The message "Success" is displayed at the top of the page.
5. Click the Alert Policies tab.
6. At the bottom-left of the page, for Data Policies, select Table, and then click Add.
7. On the Target Monitor:<target name> page, configure a table policy using the following values:
Policy Name: Enter a policy name or use the default name
Description: Enter an optional description
Enable: Selected
Create new policy group for policy check box: Selected
Severity: Informational (the default) or other value
When you create a table policy, selecting Enable or Create new policy group for policy check box is optional.
8. Beside Audit Settings, click the triangle icon to view the settings, and then select Browse Object by Target (the default value).
9. For Schema, select a schema to use (for example, SCOTT).
10. In the Tables list, select a table to monitor (for example, EMP).
To select multiple tables, click a table, and then Shift-click another table in the list. All tables between the two tables are selected.
11. Under Audit Actions, select Read, Write, or both.
12. Click > (right arrow) to move the selected tables and their Audit Action settings to the Selected Objects table.
13. Move any other tables you want to monitor to the Selected Objects table.
14. Select Issue alert if ANY of the enabled rules are triggered.
15. Select Security Violation (selected by default).
16. Select Suspicious Database Users, and then click the triangle icon beside it to view additional settings.
17. Select one or more user names, and then click > (right arrow) to move them to the Selected users list.
18. Select Alert any successful access if the database matches a selected entry.
19. Select Save.
On the Alert Policies tab, the new policy is listed. The green up-arrow in the Status column indicates that the policy is enabled.
Confirm the policy group was created and start monitoring
1. Click the Alert Policy Groups tab.
2. In Selected Policy Groups, confirm that FortiDB created a policy group based on the alert policy that you created.
3. In Selected Policy Groups, select the new policy group, and then confirm that the alert policy that you created is displayed in the Selected Policy Group contents list.
4. To start monitoring the database, click the General tab, and then click Start Monitoring.
Monitor Status displays Starting and then Running.
View alerts generated by the policy and export them as a report
1. Using a database client-side application, execute several SQL statements that generate alerts.
2. To view alerts, click DB Activity Monitoring > Security Alerts.
3. In the Security Alerts list, click an item to display its details under Alert Details (below the list).
To hide the alert details, beside Alert Details, click the triangle icon.
4. To create a customized report, click Report > User-Defined DAM Reports, and then select Add.
5. On the General tab, for Name, enter a name for the report. Optionally, for Description, enter a short description for the report.
6. Click the Table View tab.
7. In the Available Columns list, select columns to include in the report, and then click >> (right arrows) to add the selected columns to the Columns in Report list.
8. Click Save.
9. On the User-Defined Alert Reports page, in the list of reports, select the report you just created, and then click Run.
10. After FortiDB has run the report, beside the report name, click [+] (plus sign).
A list of items with names created from the report name and run times is displayed.
11. Click a run report item to view the report.
12. To export the report, click one of the following file format icons:
- TXT (tab-delimited)
- XLS (Excel)
- CSV (comma-separated values)
Your browser prompts you to download a file of the specified format.
See also
- Connecting to target databases
Tutorial: Monitoring changes to metadata
You can configure FortiDB to use your database’s auditing features to monitor for metadata changes and generate alerts based on the policies you specify. For example, you can configure FortiDB to generate alerts when database tables or columns are created, deleted, or modified. You can then use the alert information to generate a report.
This example configures FortiDB to monitor an Oracle database. Before you start the tutorial, ensure that the database has the required configuration. For details, see
Oracle target database pre-configuration on page 80 .
FortiDB can use several different methods to collect information from the monitoring process. The value of your database’s audit_trail parameter determines which collection method you use. For this example, because the value of audit_trail is db, extended, the collection method is DB, EXTENDED.
For a description of other collection methods, see Configuring Oracle monitoring on page 204.
Create a target
A target specifies a database for FortiDB to monitor.
1. Log in to FortiDB using the following credentials (the default values):
User Name: admin
Password: fortidb1!$
All DAM tasks require the user to log in as admin.
2. In the navigation menu, go to Target Database Server > Targets.
3. On the Targets page, click Add.
4. On the General tab, enter the following information. For this example, the target is an Oracle database:
Name: dam3target
Type: Oracle
DB Host Name/IP: The IP address or name of the machine where the database is located (for example, test_machine or 172.30.12.112)
Port: The number of the port the database uses; the default port is 1521
DB Name: The name of the database (for example, orcl)
User Name: The database user name
Password: The password for the database user
DB Activity Monitoring: Select Allow.
5. To verify that the connection parameters are correct, click Test Connection.
The message “Success” is displayed at the top of the page.
6. Click Save.
The dam3target item is displayed in the list of targets.
Configure an alert policy for metadata
1. In the navigation menu, click DB Activity Monitoring > Monitoring Management.
Your target database is listed on the Target Monitoring Management page.
2. Click dam3target (the name of the target you created).
3. On the General tab, confirm that the following default Audit Configuration values are selected:
Collection Method: DB, EXTENDED
Polling Frequency: 60
4. To test the collection method, click Test.
The message "Success" is displayed at the top of the page.
5. Click the Alert Policies tab.
6. Locate the policy item Tables, whose Type column shows the metadata policy icon, and then select its check box.
7. Click Enable.
Under Status, a green icon with an arrow is displayed.
Start monitoring
1. To start monitoring the database, click the General tab, and then click Start Monitoring.
Monitor Status displays Starting and then Running.
2. If the message "NEED_RECONFIGURE" is displayed, click the Alert Policies tab, and then click the Reconfigure* button.
View alerts generated by the policy and export them as a report
1. Using a database client-side application, execute several SQL statements that generate alerts.
For example, execute the following SQL statements:
create table table1 (column1 int, column2 char);
drop table table1;
2. To view alerts, click DB Activity Monitoring > Security Alerts.
3. In the Security Alerts list, click an item to display its details under Alert Details (below the list).
To hide the alert details, beside Alert Details, click the triangle icon.
4. To change the alert status from "Unacknowledged" to "Acknowledged", do the following:
a. Select the check box(es) of the alerts to change, and then select "Acknowledged" in the Status dropdown list.
b. Click Apply.
The color of the status icon changes.
5. To create a customized report, click Report > User-Defined DAM Reports, and then select Add.
6. On the General tab, for Name, enter a name for the report. Optionally, for Description, enter a short description for the report.
7. Click the Table View tab.
8. In the Available Columns list, select columns to include in the report, and then click >> (right arrows) to add the selected columns to the Columns in Report list.
9. Click Save.
10. On the User-Defined Alert Reports page, in the list of reports, select the report you just created, and then click Run.
11. After FortiDB has run the report, beside the report name, click [+] (plus sign).
A list of items with names created from the report name and run times is displayed.
12. Click a run report item to view the report.
13. To export the report, click one of the following file format icons:
- TXT (tab-delimited)
- XLS (Excel)
- CSV (comma-separated values)
Your browser prompts you to download a file of the specified format.
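Both native-auditing tutorials above (the table policy on SCOTT.EMP and the metadata policy) depend on what the Oracle audit trail actually records: with the DB, EXTENDED collection method FortiDB reads the database audit trail at each polling interval, so if a statement never produced an audit row no policy will ever alert on it. The following SQL is an added example, not part of the FortiDB handbook and not FortiDB's own code. It assumes the SCOTT.EMP sample table the tutorials use, a test user BOB standing in for the "suspicious database user", and a DBA session on the target database; run it to confirm the precondition, produce the events the tutorials ask for, and check that they reached DBA_AUDIT_TRAIL before looking for them under Security Alerts.

```sql
-- Added example (not from the FortiDB handbook). Run as SYS or SYSTEM on the
-- monitored Oracle database. SCOTT.EMP and the user BOB are assumed sample
-- objects; replace them with your own.

-- 1. The tutorials assume audit_trail = DB, EXTENDED. EXTENDED is what fills
--    SQL_TEXT in the audit rows, so the alert details can show the statement.
SELECT name, value FROM v$parameter WHERE name = 'audit_trail';

-- If the value is not DB, EXTENDED, change it in the SPFILE. audit_trail is a
-- static parameter: the change takes effect only after an instance restart.
-- ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;

-- 2. Table tutorial: record reads and writes on the monitored table. BY ACCESS
--    writes one audit row per statement, which is what a per-event alert needs.
AUDIT SELECT, INSERT, UPDATE, DELETE ON scott.emp BY ACCESS;

-- 3. Metadata tutorial: record table DDL (CREATE, DROP and TRUNCATE TABLE).
AUDIT TABLE BY ACCESS;

-- 4. Generate the events, connected as BOB (who needs SELECT and UPDATE on
--    scott.emp plus CREATE TABLE for the DDL pair):
--    SELECT ename, sal FROM scott.emp WHERE deptno = 10;
--    UPDATE scott.emp SET sal = sal * 1.1 WHERE empno = 7369;
--    CREATE TABLE table1 (column1 INT, column2 CHAR);
--    DROP TABLE table1;

-- 5. Confirm the rows exist before blaming the policy. returncode 0 means the
--    statement succeeded, which is what "Alert any successful access" keys on.
--    Rows here but nothing in Security Alerts: look at the policy, the policy
--    group or the poller. No rows here: the database is not auditing them.
SELECT timestamp, username, action_name, owner, obj_name, returncode, sql_text
  FROM dba_audit_trail
 WHERE timestamp > SYSDATE - 1/24
   AND ( (owner = 'SCOTT' AND obj_name = 'EMP')
         OR action_name IN ('CREATE TABLE', 'DROP TABLE') )
 ORDER BY timestamp;
```

Keep the AUDIT statements narrow: auditing only the objects and DDL the policies cover keeps the audit trail small enough that the 60-second poll stays cheap, and it avoids recording unrelated application traffic in a table that is itself a sensitive record.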
See also
- Connecting to target databases
Tutorial: Generating PCI, SOX, and HIPAA compliance reports
You can configure FortiDB to monitor a database and generate alerts based on the following regulatory compliance standards:
- Sarbanes-Oxley Act (SOX)
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability & Accountability Act (HIPAA)
This example configures a Microsoft SQL Server database. Before you start the tutorial, ensure that the database has the required configuration. For more information, see Microsoft SQL Server target database preconfiguration on page 94.
Create a target
A target specifies a database for FortiDB to monitor.
1. Log in to FortiDB using the following credentials (the default values):
User Name: admin
Password: fortidb1!$
2. In the navigation menu, go to Target Database Server > Targets.
3. On the Targets page, click Add.
4. On the General tab, enter the following information. For this example, the target is a Microsoft SQL Server database:
Name: dam_pci_sox
Type: Microsoft SQL Server
DB Host Name/IP: The IP address or name of the machine where the database is located (for example, test_machine or 172.30.12.112)
Port: The number of the port the database uses; the default port is 1433
Connect At: Server Level (default)
DB Name: The name of the database. Because this target connects at the server level, the database name is master and you cannot change it.
User Name: The database user name
Password: The password for the database user
DB Activity Monitoring: Select Allow.
5. To verify that the connection parameters are correct, click Test Connection.
The message “Success” is displayed at the top of the page.
6. Click Save.
The dam_pci_sox item is displayed in the list of targets.
Add the PCI, SOX, and HIPAA policy groups to the target
1. In the navigation menu, click DB Activity Monitoring > Monitoring Management.
2. Click dam_pci_sox (the name of the target you created).
3. On the General tab, confirm that the following default Audit Configuration values are selected:
Collection Method: SQL Trace
Trace Folder: Enter the full path of the existing trace folder (for example, C:\SQLTrace)
Polling Frequency: 60 (default)
4. To test the collection method, click Test.
The message "Success" is displayed at the top of the page.
5. Click the Alert Policy Groups tab.
6. Select PCI Policies and click >> (right arrows) to move the item to the Selected Policy Groups list.
7. Select Sox Policies and click >> (right arrows) to move the item to the Selected Policy Groups list.
8. Select HIPAA Policies and click >> (right arrows) to move the item to the Selected Policy Groups list.
9. Click Save.
Start monitoring
To start monitoring the database, click the General tab, and then click Start Monitoring.
Monitor Status displays Starting and then Running.
Configure and export PCI and SOX reports
1. Using a database client-side application, execute several SQL statements that generate data.
For example, to generate data that is captured in a History of Privilege Changes report, execute SQL statements that change privileges.
2. To create a PCI compliance report, click Report > PCI Reports.
3. For this example, select PCI - Successful/Unsuccessful Database Logins.
4. On the Generate Audit PCI Report page, configure the report using the following values:
Export as: PDF (default)
W/P Reference: Enter the work paper reference value, if required. This value is a tracking mechanism customers can use to identify and place controls around reports.
Date Range: Enter start and end dates for the report (click the calendar icons to select dates using the date picking tool)
5. Confirm that the target database is displayed in the Targets list.
If there is no data, the database name does not appear in the box.
6. In the bottom-right corner of the page, select Export.
Your browser downloads the report file.
7. Repeat the compliance report steps to generate the following report types:
- SOX Report: History of Privilege Changes
- HIPAA Report: Privilege Changes
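The procedure above depends on the SQL Trace collection method writing into the trace folder (C:\SQLTrace in the tutorial); when a compliance report comes back empty (step 5 notes that a target with no data does not appear in the Targets list), the first thing to establish is whether the events ever reached a trace file. The following T-SQL is an added example, not from the handbook and not FortiDB's own code. It produces the privilege changes behind the SOX and HIPAA reports and reads the trace back; the login name pci_test, its password and the trace file name fortidb_trace.trc are assumptions, so take the real file name from the first query.

```sql
-- Added example (not from the FortiDB handbook). Run in SSMS or sqlcmd as a
-- sysadmin on the monitored instance. C:\SQLTrace is the tutorial's folder;
-- pci_test, its password and fortidb_trace.trc are assumed names.

-- 1. Is a trace writing into the folder FortiDB was given? status 1 = running.
--    If only the default trace (id 1, under the instance LOG directory) is
--    listed, Test / Start Monitoring has not created FortiDB's trace yet.
SELECT id, path, status, max_size, start_time
  FROM sys.traces;

-- 2. Privilege changes: the events behind "History of Privilege Changes" (SOX)
--    and "Privilege Changes" (HIPAA). Server-scope permissions can only be
--    granted from master, hence the USE.
USE master;
CREATE LOGIN pci_test WITH PASSWORD = 'Ch4nge-Me!2017', CHECK_POLICY = ON;
GRANT VIEW SERVER STATE TO pci_test;                    -- server-scope grant
EXEC sp_addsrvrolemember 'pci_test', 'securityadmin';   -- server role change
REVOKE VIEW SERVER STATE FROM pci_test;
EXEC sp_dropsrvrolemember 'pci_test', 'securityadmin';
DROP LOGIN pci_test;

-- 3. A failed login for "Successful/Unsuccessful Database Logins" cannot be
--    produced from inside an existing session; from a client run, for example:
--      sqlcmd -S <host> -U pci_test -P wrong_password
--    (before the DROP LOGIN above, if you want both a success and a failure).

-- 4. Read the trace file and check that the audit events are in it.
--    sys.trace_events maps the numeric EventClass to names such as
--    'Audit Login Failed' and 'Audit Add Login to Server Role Event'.
SELECT t.StartTime, e.name AS event_name, t.LoginName, t.DatabaseName, t.TextData
  FROM sys.fn_trace_gettable('C:\SQLTrace\fortidb_trace.trc', DEFAULT) AS t
  JOIN sys.trace_events AS e ON e.trace_event_id = t.EventClass
 WHERE e.name LIKE 'Audit%'
 ORDER BY t.StartTime;
```

If step 4 shows the events but the FortiDB report does not, the gap is between the trace file and FortiDB (polling frequency, folder permissions for the account FortiDB connects with, or the date range on the report); if step 4 shows nothing, the trace definition itself is not capturing the event classes the report needs.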
See also
- Connecting to target databases
- PCI, SOX, and HIPAA alert policies
Installation (software-only)
The software-only version of FortiDB allows you to install FortiDB on hardware that you provide.
FortiDB software runs as a web application and uses Tomcat as the application server. You can install it on either Windows or UNIX (Solaris, AIX, Linux) platforms.
FortiDB uses one of the following repositories for its internal data:
- Apache Derby
- PostgreSQL
- Oracle
- Microsoft SQL Server
The Apache Derby database is included with the FortiDB software. No manual setup is required.
Because the software-only version of FortiDB cannot monitor databases using the TCP/IP sniffer, the software-only version does not support the activity auditing and profiling features.
System requirements
To ensure both security and performance, install FortiDB on a dedicated computer that does not run any other memory or processor-intensive applications. Start with a clean installation of the operating system that has a minimum number of services running.
For a list of currently supported hardware and software, see the Supported Hardware section of the Release Notes for your version of FortiDB.
Disk space: 300 MB of free disk space (minimum). Additional space is required for the repository database, log files, reports and archives.
Memory: A minimum of 2048 MB of system memory, 1024 MB of which are dedicated to the FortiDB application
Processor: Windows and Linux: Intel-based platforms configured with one or more P4 (or higher) processors. Solaris: SPARC-based platform configured with one or more processors
These are minimum disk space and memory requirements. For optimal performance, consult with a FortiDB representative for recommendations that are best suited to your individual situation.
Preparing to install
Before you install FortiDB, ensure you have the following information:
User account for FortiDB installation: Windows: an Administrator-level account. Linux or Solaris: a non-root user account.
Location for FortiDB: You can install FortiDB in any directory. Do not choose a path with a name that contains one or more spaces. For example, because there is a space between Program and Files, do not use C:\Program Files\FortiDB. If you choose a location where a previous version of FortiDB exists, the installation process upgrades the current installation.
DB type for your repository database: Derby, Microsoft SQL Server, Oracle, or PostgreSQL. The FortiDB installation process installs the compatible Derby database with the required configuration. For Microsoft SQL Server, Oracle, and PostgreSQL, configure your repository database before you install FortiDB. See FortiDB repository database.
Name of host machine for repository database: The hostname or IP address for the machine where the repository database resides
Port number for repository database: An available port number above 1024
Database name/SID for repository database: The name (or SID) of the repository database
Username for repository database user: The account name of the repository database user
Password for repository database user account: The password for the repository database user
Application Server HTTP Port Number: An available port number above 1024
Application Server HTTPS Port Number: An available port number above 1024
Application Server Shutdown Port Number: An available port number above 1024
Configuring the FortiDB repository database
When you use Derby for the FortiDB repository database, no configuration is required. For all other database types, follow the configuration instructions in this section.
For all repository types except Derby, verify that your character-encoding setting is UTF-8.
Do not use the FortiDB application to monitor or audit its own repository database.
To ensure best performance, do not install FortiDB and its repository database on the same computer. The exception is the Derby repository included with the FortiDB software, which the installer always places on the same computer as FortiDB; it cannot be installed separately.
See also
- Configuring a PostgreSQL repository
- Configuring an Oracle repository
- Configuring a Microsoft SQL Server repository
Configuring a PostgreSQL repository
When you use a PostgreSQL 8.x repository, FortiDB requires a language pack for its archive feature.
1. Create a database to use for the FortiDB repository (for example, “fortidb”) with UTF-8 encoding. Make a note of the following information, which is required for FortiDB installation:
- Database name
- User name
- Password
2. To create the language pack “plpgsql”, execute the following command:
createlang -h 127.0.0.1 -d <database_name> -U <database_user> plpgsql
where:
- <database_name> is the name of the database
- <database_user> is the name of the database user
createlang exists only up to PostgreSQL 9.6 (it was removed in PostgreSQL 10); on 9.0 and later, plpgsql is already installed by default and this step can be skipped.
3. To verify that the language pack is installed properly, execute the following command (the -d option ensures you check the repository database rather than the user's default database):
psql -h 127.0.0.1 -d <database_name> -U <database_user> -c "select * from pg_language"
where:
- <database_name> is the name of the database
- <database_user> is the name of the database user
A row with lanname plpgsql is displayed in the pg_language output.
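The same setup as a psql session, added here as an example that is not part of the handbook or of FortiDB; the role name fortidb and its password are assumptions. It also covers the two things that go wrong in practice: a database that silently inherits a non-UTF-8 encoding from template1 (FortiDB requires UTF-8 for every non-Derby repository), and servers where createlang is gone.

```sql
-- Added example (not from the FortiDB handbook). Run with psql as a superuser
-- (for example the postgres role). The role name and password are assumptions.
CREATE ROLE fortidb LOGIN PASSWORD 'Ch4nge-Me!2017';

-- TEMPLATE template0 lets ENCODING be set explicitly instead of inheriting
-- whatever encoding template1 happens to have.
CREATE DATABASE fortidb OWNER fortidb ENCODING 'UTF8' TEMPLATE template0;

\connect fortidb

-- PostgreSQL 8.x: add plpgsql (this is what the createlang command does).
-- 9.0 and later already have it; on 9.1+ use the idempotent form instead:
--   CREATE EXTENSION IF NOT EXISTS plpgsql;
CREATE LANGUAGE plpgsql;

-- Verification: each query must return exactly one row, otherwise stop and fix
-- the repository before installing FortiDB against it.
SELECT datname, pg_encoding_to_char(encoding) AS encoding
  FROM pg_database
 WHERE datname = 'fortidb'
   AND pg_encoding_to_char(encoding) = 'UTF8';

SELECT lanname FROM pg_language WHERE lanname = 'plpgsql';
```

The repository role is the owner of its own database and nothing else; it does not need SUPERUSER or CREATEDB, and giving it either would let a compromised FortiDB installation reach every other database on the server.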
Configuring an Oracle repository
1. Create a tablespace for FortiDB with the following values:
Block Size (B): Minimum 16K
Total SGA size: Minimum 500MB
Total PGA size: Minimum 100MB
Segment Space Management: AUTO (Automatic)
Extent Management: LOCAL
2. Create a user for FortiDB that has the following privileges:
- CREATE SESSION
- CREATE TABLE
- CREATE SEQUENCE
- UNLIMITED QUOTA for the FortiDB tablespace
3. Make any changes to your configuration that can reduce the risk of competition for input/output resources (I/O contention).
For example, put your database and log files on separate disks.
4. Create a datafile for the FortiDB tablespace. For example:
File Name: FORTIDB.DBF
File Directory: C:\oracle\product\10.2.0\oradata\orcl\
Tablespace: FORTIDB
File Size: 500M
AUTOEXTEND: ON (automatically extends the datafile when it is full)
Here is an example of the parameters in init.ora (for Oracle 10g):
*.db_name='fortidb'
*.db_block_size=8192
*.sga_target=584M
*.pga_aggregate_target=194M
*.db_create_file_dest='/home/oracle/product/10.2.0/db_1/oradata/fdb'
*.db_recovery_file_dest='/home/oracle/product/10.2.0/db_1/flash_recovery_area'
*.db_recovery_file_dest_size=2G
*.undo_management='AUTO'
*.undo_tablespace='UNDOTBS1'
*.audit_file_dest='/home/oracle/product/10.2.0/db_1/admin/fdb/adump'
*.user_dump_dest='/home/oracle/product/10.2.0/db_1/admin/fdb/udump'
*.core_dump_dest='/home/oracle/product/10.2.0/db_1/admin/fdb/cdump'
*.background_dump_dest='/home/oracle/product/10.2.0/db_1/admin/fdb/bdump'
*.compatible='10.2.0.3.0'
*.control_files='/home/oracle/product/10.2.0/db_1/oradata/fdb/control01.ctl'
*.db_file_multiblock_read_count=16
*.job_queue_processes=10
*.open_cursors=300
*.processes=150
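The tablespace, datafile and user steps above as one SQL*Plus script, added here as an example that is not part of the handbook or of FortiDB. Run it as SYSDBA; the datafile path, the user name fortidb and the password are assumptions, the sizes are the page's. The SGA and PGA minimums in the table are instance parameters (sga_target and pga_aggregate_target in the init.ora above), not tablespace attributes, so they do not appear in the script.

```sql
-- Added example (not from the FortiDB handbook). Run as SYSDBA. The datafile
-- path, user name and password are assumed values.

-- Tablespace with the page's settings: a 500M datafile that autoextends, local
-- extent management and automatic segment space management. BLOCKSIZE 16K can
-- be added only when a 16K buffer cache (DB_16K_CACHE_SIZE) is configured; the
-- sample init.ora above keeps the 8K default block size, so it is omitted here.
CREATE TABLESPACE fortidb
  DATAFILE 'C:\oracle\product\10.2.0\oradata\orcl\FORTIDB.DBF'
  SIZE 500M AUTOEXTEND ON NEXT 100M MAXSIZE UNLIMITED
  EXTENT MANAGEMENT LOCAL
  SEGMENT SPACE MANAGEMENT AUTO;

-- Repository user with exactly the privileges the page lists and nothing more:
-- no DBA or RESOURCE role, so a compromised repository account cannot read
-- other schemas or reach the monitored databases through this instance.
CREATE USER fortidb IDENTIFIED BY "Ch4nge-Me!2017"
  DEFAULT TABLESPACE fortidb
  QUOTA UNLIMITED ON fortidb;
GRANT CREATE SESSION, CREATE TABLE, CREATE SEQUENCE TO fortidb;

-- Verification: expect the three system privileges, and one quota row with
-- max_bytes = -1 (Oracle's representation of UNLIMITED).
SELECT privilege FROM dba_sys_privs WHERE grantee = 'FORTIDB' ORDER BY privilege;
SELECT tablespace_name, max_bytes FROM dba_ts_quotas WHERE username = 'FORTIDB';
```

The quota is granted on the one tablespace rather than through the UNLIMITED TABLESPACE system privilege, so the repository user cannot fill SYSTEM or any other tablespace if FortiDB's archives grow unexpectedly.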
Configuring a Microsoft SQL Server repository
This procedure illustrates how to configure a repository using Microsoft SQL Server 2008 Management Studio.
The user ID and schema name must have the same name as the FortiDB repository.
Create a SQL database
1. Log in as sa.
2. Right-click Databases.
3. Click New Database.
4. For the database name, enter fortidb.
5. Configure the database using the following values:
Initial data-file size: 300 MB (minimum)
Initial log-file size: 20 MB (minimum)
Collation value: A value that supports case-sensitivity. The characters “CS” in a collation value indicate that it is case-sensitive. For example, the collation value SQL_Latin1_General_CP1_CS_AS is for U.S. English systems and is case-sensitive.
6. Click OK.
Create a SQL login
1. Go to Security.
2. Right-click Logins.
3. Click New Login.
4. For Login name, enter fortidb.
5. Select SQL Server authentication, and then enter and confirm a password.
6. Clear Enforce password expiration.
7. For Default database, select fortidb.
8. On the User Mapping page, for Users mapped to this login, select fortidb.
In the User column for the fortidb list item, fortidb is displayed.
9. Select the fortidb item in the list of users, and then, for Database role membership for: fortidb, select db_owner.
10. Click OK.
Create the fortidb schema
Ensure that the schema uses the same name as the login name that you created in the previous step.
1. Log in using the user (fortidb) and password.
2. Go to Databases > fortidb > Security.
3. Right-click Schemas, and then select New Schema.
4. For both Schema name and Schema owner, enter fortidb.
5. Click OK.
6. Go to Databases > fortidb > Security > Users.
7. Right-click the fortidb user, and then click Properties.
8. For Default schema field, enter fortidb.
9. Click OK.
Verify that the login is mapped to the correct schema and user
1. Log in as sa.
2. Go to Security > Logins.
3. Right-click fortidb, and then select Properties.
4. On the User Mapping page, verify that “fortidb” is both the user and default schema value for the fortidb item.
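The Management Studio steps above as one T-SQL script, added here as an example that is not part of the handbook or of FortiDB. Run it as sa or another sysadmin; the data and log file paths and the password are assumptions, while the names, sizes and collation are the page's values. The last query is the scripted form of the "Verify that the login is mapped" step.

```sql
-- Added example (not from the FortiDB handbook). Run as sa. File paths and the
-- password are assumed values; names, sizes and collation come from the page.
CREATE DATABASE fortidb
  ON PRIMARY (NAME = fortidb_data, FILENAME = 'C:\SQLData\fortidb.mdf',     SIZE = 300MB)
  LOG ON     (NAME = fortidb_log,  FILENAME = 'C:\SQLData\fortidb_log.ldf', SIZE = 20MB)
  COLLATE SQL_Latin1_General_CP1_CS_AS;   -- CS = case-sensitive, as FortiDB requires
GO

-- SQL Server authentication with password expiry off (the page's "Clear Enforce
-- password expiration"). CHECK_POLICY stays ON so complexity rules still apply.
CREATE LOGIN fortidb WITH PASSWORD = 'Ch4nge-Me!2017',
  DEFAULT_DATABASE = fortidb, CHECK_EXPIRATION = OFF, CHECK_POLICY = ON;
GO

USE fortidb;
GO
-- User, schema and default schema all named fortidb: the user ID and schema
-- must carry the same name as the repository database.
CREATE USER fortidb FOR LOGIN fortidb;
GO
CREATE SCHEMA fortidb AUTHORIZATION fortidb;   -- must be first in its batch
GO
ALTER USER fortidb WITH DEFAULT_SCHEMA = fortidb;
EXEC sp_addrolemember 'db_owner', 'fortidb';
GO

-- Verification. Expect one row:
--   fortidb | fortidb | fortidb | SQL_Latin1_General_CP1_CS_AS
SELECT dp.name AS db_user, sp.name AS login, dp.default_schema_name,
       DATABASEPROPERTYEX('fortidb', 'Collation') AS collation
  FROM sys.database_principals AS dp
  JOIN sys.server_principals  AS sp ON sp.sid = dp.sid
 WHERE dp.name = 'fortidb';
```

The login gets db_owner in fortidb only, exactly as in the GUI steps; do not add it to sysadmin or any other server role, since FortiDB never needs instance-wide rights on its own repository.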
UNIX/Linux installation
You install FortiDB software on Unix and Linux using a console user interface, or command-line interface (CLI).
You can use a non-root user account to install FortiDB on the following operating systems:
- Solaris
- AIX
- Linux installations that use an Oracle repository database
To install FortiDB on UNIX/Linux, the following hardware and operating system are required:
- Solaris with SPARC-based platform
- 64-bit Linux system with Intel-based platform, and 2.6 kernel
For detailed platform requirements, see the release notes for your version of FortiDB.
Obtain one of the following FortiDB installer files:
Solaris: fdb-install-{version}-solaris-sparc.bin
Linux (without RPM Package Manager): fdb-install-{version}-linux-x64.bin
Unix: fdb-install-{version}-unix.bin
Execute the installer file using the following command:
sh <installer file>
For Linux installations that use RPM Package Manager, do the following:
- Obtain the FortiDB installer file fdb-install-{version}-linux-x64.rpm
- Execute the installer file using the following command:
rpm -ivh <installer file>
To install FortiDB on other UNIX systems like AIX, install the Java Runtime Environment version 1.6 or higher first, and then update the FortiDB startup script. For details, please refer to the release notes for your version of FortiDB or contact Fortinet.
Windows installation
For detailed information on Windows installation requirements, see the release notes for your version of FortiDB.
To install FortiDB on Windows, you use the graphical user interface (GUI) and an Administrator account.
Obtain one of the following FortiDB installer files:
Windows 64-bit: fdb-install-{version}-windows-x64.exe
Windows 32-bit: fdb-install-{version}-windows-x86.exe
Log in as a user with administrator privileges, run the installer, and then follow the instructions provided by the installer.
Use the Add/Remove Programs control panel to uninstall FortiDB.
Confirming the installation
To test whether your installation was successful, enter the following URL in your browser:
http://<fortidb_ip>:<port_int>/fortidb
where:
- fortidb_ip is the FortiDB host name or IP address
- port_int is the port number on which the application server listens
If your installation is successful, the login page is displayed.
The default administrator user name is admin and the default password is fortidb1!$.
After you log in successfully, go to Administration > Administrators to change the password for the admin account. For more information on changing passwords, see Changing the “admin” account password on page 53.
Starting or stopping FortiDB
In some situations, it is necessary to start or stop FortiDB manually. For example, when you update or replace your FortiDB license file, or reboot UNIX.
When FortiDB stops, it saves state information in the internal database. When you log in again, it retrieves this information and reopens the databases that were open at the time of the shutdown. Since state information is periodically saved during your session, FortiDB can restore most of the state, even if it goes down due to a power failure or similar problem.
To manually start FortiDB on Windows
Do one of the following:
- Execute the <FortiDB install directory>\bin\start.bat batch file.
- Click Start > Programs > FortiDB > Start FortiDB.
To manually start FortiDB on UNIX
Use the <FortiDB install directory>/bin/start script.
To manually stop FortiDB on Windows
Do one of the following:
- Execute the <FortiDB install directory>\bin\stop.bat batch file.
- Click Start > Programs > FortiDB > Stop FortiDB.
To manually stop FortiDB on UNIX
Use the <FortiDB install directory>/bin/stop script.
Installing a new license
FortiDB requires a license key in order to operate and ships with a temporary one. In some cases, a notice warning you that your license is about to expire is displayed about two weeks before your license expires. If this happens, contact your Fortinet sales representative to extend the license.
To install a new license
For information on starting and stopping FortiDB, see Starting or stopping FortiDB on page 43.
1. Stop FortiDB.
2. In <FortiDB install directory>/conf, replace license.properties with the new license file.
3. Restart FortiDB.
Managing disk space
FortiDB log, archive, and report files all consume disk space. To help conserve disk space, you can back up, delete, and restore these files, as required.
Useful directories, files, and folders
Useful directories, files, and folders
The FortiDB installation directory contains the following folders:
FortiDB directories
<FortiDB install directory>/bin: Utility files, including the files that allow you to manually start and stop FortiDB
<FortiDB install directory>/conf: Your license file, encryption-key files, installation-properties file, and report logo files
<FortiDB install directory>/data/archives/VA: Vulnerability assessment archive files
<FortiDB install directory>/data/reports: Report files
<FortiDB install directory>/doc: Administration, Quick Start, and Installation Guides
<FortiDB install directory>/etc/conf/pentest: Files related to penetration tests
<FortiDB install directory>/etc/snmp: SNMP-trap dictionary file for FortiDB
<FortiDB install directory>/logs: Error and other log files
<FortiDB install directory>/tomcat/logs: Log files for the Tomcat application server
<FortiDB install directory>/uninstall: Uninstall executable file
The FortiDB installation directory contains the following files and folders:
FortiDB files and folders
<FortiDB install directory>/conf/license.properties: Specifies the length of, and number of target databases allowed during, the FortiDB license period
<FortiDB install directory>/conf/.keyFile: Needed for the encryption of passwords and assessment archives
<FortiDB install directory>/conf/.keystore: Needed for target-database connections involving SSH
<FortiDB install directory>/conf/reportlogos: Contains images for report logos
<FortiDB install directory>/etc: Contains the pentest dictionary and db-type-specific files; XML files with samples of information that can be imported from a target database; the FortiDB-specific MIB file for SNMP notifications
<FortiDB install directory>/etc/templates: server.xml (for internal FortiDB use only)
Log files for troubleshooting
FortiDB produces the following log files that are useful for troubleshooting and can help Fortinet Technical Support to assist you:
General logs: <FortiDB install directory>/logs/*.log
Tomcat logs: <FortiDB install directory>/tomcat/logs/*.log
You can troubleshoot installation problems by reviewing information in Tomcat log files that are located in the following directories:
<FortiDB install directory>/logs
<FortiDB install directory>/tomcat/logs
<FortiDB install directory>/tomcat/webapps/fortidb/WEB-INF/logs
See also: Useful directories, files, and folders
Upgrading FortiDB
For supported upgrade versions, see the release notes for your version of FortiDB.
To upgrade from an earlier version of FortiDB
1. Back up your repository database. This step is optional, but recommended.
2. Shut down your existing FortiDB process or service.
For detailed steps, see Starting or stopping FortiDB on page 43.
3. Execute the FortiDB installer file.
For detailed information, see UNIX/Linux installation on page 42 or Windows installation on page 43.
4. Specify the directory that contains your existing FortiDB installation as the destination directory.
5. Follow the remaining installer instructions to complete the upgrade; they are the same steps as for an initial installation.
How to set up your FortiDB
The basic setup instructions include information on planning network connections for FortiDB, connecting to the web UI or command line interface, and ensuring you have the latest version of the firmware (for appliance versions).
After the initial setup is complete, for example configurations for assessing and monitoring databases, see .
See also:
- Planning the network topology for database activity monitoring (DAM)
- Connecting to the web UI and CLI
- Changing the “admin” account password
- Configuring the network settings
Registering your FortiDB
Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site: https://support.fortinet.com
Many Fortinet customer services such as firmware updates, technical support, and FortiGuard services require product registration.
For more information, see the Fortinet Knowledge Base article Registration Frequently Asked Questions.
Planning the network topology for database activity monitoring (DAM)
Database activity monitoring (DAM) using the TCP/IP sniffer (also known as packet capture or network analyzer) is available for the appliance version of FortiDB only. It provides functions like policy-based activity auditing, activity profiling, and security alerts.
To use DAM with the TCP/IP sniffer, connect one or more of your FortiDB appliance's ports to the SPAN port of the switch that is connected to your database server. This configuration allows the appliance to monitor all traffic passing to and from the server.
See also: Tutorial: Monitoring a database table using the TCP/IP sniffer
Connecting to the web UI and CLI
The default IP address and subnet of port1 is 192.168.1.99/255.255.255.0. To connect to the appliance's web UI on port1, for example, go to https://192.168.1.99/.
To connect to the appliance's CLI, connect your computer’s serial communications (COM) port to the FortiDB appliance’s console port. Use terminal emulation software to connect with the appliance using the following configuration:
Serial line to connect to: COM1 (or, if your computer has multiple serial ports, the name of the connected serial port)
Speed (baud): 9600
Data bits: 8
Stop bits: 1
Parity: None
Flow control: None
The default administrator account name is admin and the default password is fortidb1!$.
See also: Changing the “admin” account password
Updating the firmware
Your new FortiDB appliance ships with the latest operating system (firmware). However, if Fortinet has released a new version since it shipped your appliance, install the new firmware before you continue the installation. Fortinet periodically releases FortiDB firmware updates with enhancements and to address issues.
Before you can download firmware updates for your FortiDB appliance, you must first register it with Fortinet Technical Support. For details, go to https://support.fortinet.com/ or contact Fortinet Technical Support.
FortiDB firmware is available for download at: https://support.fortinet.com
New firmware can also introduce new features which you must configure for the first time.
For late-breaking information specific to the firmware release version, see the release notes for the release.
When you update the firmware image, FortiDB keeps existing data and configuration. However, Fortinet recommends that you back up all FortiDB data and configuration settings before you upgrade. The backup operation safeguards data and configuration settings in case power is lost during the upgrade. For information on backup and restore procedures, see
Upgrading the firmware
When installing firmware, FortiDB keeps existing data and configuration.
If you want to reset all device settings and configuration and delete log data on the hard drive, use the execute format disk CLI command. For details, see execute format disk on page 284.
To upgrade your firmware using the web UI
1. Download the firmware image file to your management computer.
For FortiDB appliances with a valid technical support contract, you can download firmware images from the Fortinet Technical Support web site, https://support.fortinet.com.
2. Log in as admin.
3. Go to System > System Information.
4. Under System Information, in the Firmware Version information, click Update.
5. Do one of the following to select the firmware image file:
- Enter the path and file name of the file.
- Click Choose File to navigate to and select the file.
6. Click Update.
After your browser uploads the firmware image file, FortiDB upgrades to the new firmware version, and then restarts. This process takes a few minutes.
To upgrade your firmware using the CLI
When you upgrade the firmware using the CLI, FortiDB requires a TFTP or FTP server that it can connect to.
1. Start the FTP or TFTP server.
2. Copy the new firmware image file to the FTP or TFTP server.
3. Log in to the CLI as admin.
4. Verify that FortiDB can connect to the FTP or TFTP server.
For example, if the IP address of the TFTP server is 192.168.1.168, enter the following command:
execute ping 192.168.1.168
5. Enter one of the following commands to copy the firmware image from the FTP or TFTP server to FortiDB:
execute restore image ftp <filename> <ftp_ip>
execute restore image tftp <filename> <tftp_ip>
where:
- <filename> is the name and location of the firmware image file
- <ftp_ip> or <tftp_ip> is the IP address of the FTP or TFTP server
For example, if the firmware image file name is image.out and the IP address of the FTP or TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
FortiDB responds with the following message:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
6. Type y.
FortiDB downloads the firmware image file, upgrades to the new firmware version, and then restarts. This process takes a few minutes.
7. Reconnect to the CLI.
8. To confirm that the new firmware image is successfully installed, enter:
get system status
Installing FortiDB firmware
You can use the boot loader menu to install a specific firmware image and reset FortiDB to default settings. Use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware version.
This procedure reverts the FortiDB system to its factory default configuration.
Installing a specific firmware image requires you to connect to the CLI using the FortiDB console port and an RJ-45 to DB-9 or null-modem cable. A TFTP server that you can connect to from the FortiDB interface and that is on the same subnet as the internal interface is also required.
To install firmware using boot loader menu
1. Connect to the FortiDB CLI through your console port.
2. To get and copy your current network settings for reference, execute the following command:
show
The process of installing a new image resets your network settings to the factory defaults. To access the web-based manager, re-configure network settings.
3. Verify that the TFTP server is running.
4. Copy the new firmware image file to the TFTP server.
5. Verify that the internal interface is connected to the same network as the TFTP server. To test the connection, enter the following command:
execute ping <tftp_ip_address>
6. Enter the following command to restart FortiDB:
execute reboot
The FortiDB system responds with the following message:
This operation will reboot the system !
Do you want to continue? (y/n)
7. Type y to display the boot loader menu.
As the FortiDB system starts, a series of system startup messages is displayed. When the following message appears:
Press any key to display configuration menu.......
immediately press any key to interrupt the system startup.
You have only 3 seconds to press any key. After 3 seconds, FortiDB reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the boot loader menu appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,C,Q,or H:
8. Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
9. Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
10. Type an IP address that FortiDB can use to connect to the TFTP server.
The IP address can be any IP address that is valid for the network the interface is connected to. Verify that you do not enter the IP address of another device on this network.
The following message appears:
Enter firmware image file name [image.out]:
11. Enter the firmware image file name (and location) and press Enter.
The TFTP server uploads the firmware image file to the FortiDB unit. Some unit models may display the following message:
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
12. Type D.
FortiDB installs the new firmware image and restarts. The installation can take a few minutes to complete. If the installation is successful, the FortiDB CLI prompt is displayed.
13. Configure your network settings. To configure your network settings, see Configuring network settings using the CLI on page 57.
Changing the “admin” account password
1. Log in to the FortiDB web UI.
2. Select the Change Password link at the top of any page.
3. Enter your current password and new password, and then confirm your new password.
When you create a password, use the following rules:
Mandatory length: By default, no mandatory length is set. For information on setting the minimum length, see Profile/Security properties on page 74.
Mandatory contents:
- At least one number
- At least one special character from the following set: !@#$%^&*()_+|~-=\`{}[]:";'<>?,./
Prohibited contents:
- Spaces
- User name
- User name reversed
For example, wru2rxy? is a valid password.
4. Click OK.
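The password rules above, applied by a small checker so a new password can be vetted before it is set in the web UI. This is an added example, not FortiDB code; it assumes that "user name" and "user name reversed" are prohibited as case-insensitive substrings, and it also rejects the shipped default password that the handbook tells you to change.

```python
"""Check a candidate FortiDB administrator password against the handbook's rules.

Added example, not FortiDB code. Assumptions: "user name" and "user name reversed"
are prohibited as case-insensitive substrings, and the minimum length is passed in
because the handbook says none is set by default.
"""

# Special characters the handbook lists as acceptable.
SPECIAL_CHARS = set('!@#$%^&*()_+|~-=\\`{}[]:";\'<>?,./')

# Default credentials the handbook says FortiDB ships with.
DEFAULT_USER = 'admin'
DEFAULT_PASSWORD = 'fortidb1!$'


def check_password(password, username, min_length=0):
    """Return the list of rule violations; an empty list means the password is acceptable.

    min_length mirrors the Profile/Security property; 0 means no mandatory length.
    """
    problems = []
    if len(password) < min_length:
        problems.append('shorter than the configured minimum length (%d)' % min_length)
    if not any(ch.isdigit() for ch in password):
        problems.append('no number')
    if not any(ch in SPECIAL_CHARS for ch in password):
        problems.append('no special character')
    if any(ch.isspace() for ch in password):
        problems.append('contains a space')
    lowered = password.lower()
    user = username.lower()
    if user and user in lowered:
        problems.append('contains the user name')
    if user and user[::-1] in lowered:
        problems.append('contains the user name reversed')
    if password == DEFAULT_PASSWORD:
        problems.append('is the shipped default password')
    return problems


if __name__ == '__main__':
    # Constructed sample candidates; the first one is the handbook's own valid example.
    for candidate in ('wru2rxy?', DEFAULT_PASSWORD, 'admin2!', 'nimda2!', 'wru2 rxy?'):
        verdict = check_password(candidate, DEFAULT_USER) or ['ok']
        print('%-12r %s' % (candidate, '; '.join(verdict)))
```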
Setting the system time
Setting the system time ensures correct report time ranges, scheduling, and logging.
To set the system time using the web UI
1. In the left-side navigation menu, click System > System Information.
2. In the System Time information, click Change.
The Time Settings page is displayed.
3. Use the following options to change the time settings:
Refresh: Updates the display with the current FortiDB system date and time.
Time Zone: Select the FortiDB unit's time zone. Select Automatically adjust clock for daylight saving changes to automatically switch the clock between daylight saving time and standard time. Note: Changes to the time zone setting do not take effect until after you reboot FortiDB.
Set Time: Sets the FortiDB system date and time using the values you specify for Year, Month, Day, Hour, Minute and Second.
Synchronize with NTP Server: Configures FortiDB to automatically update its system date and time using an NTP server. For Server, enter the IP address or domain name of an NTP server. To find an NTP server that you can use, go to http://www.ntp.org. For Sync Interval, specify how often the FortiDB unit synchronizes its time with the NTP server, in minutes. For example, to synchronize its time once a day, enter 1440.
4. Select OK.
To set the system time using the CLI
1. To set the time zone, execute the following commands:
config system global
set daylightsavetime {enable | disable}
set timezone <timezone_number>
end
where:
- {enable | disable} specifies whether FortiDB automatically switches to daylight saving time
- <timezone_number> is a number that specifies the time zone (enter ? to list time zones and their numbers)
For example, to turn on daylight saving time and choose the Eastern time zone for US & Canada:
config system global
set daylightsavetime enable
set timezone 12
end
2. To set a Network Time Protocol (NTP) server, execute the following commands:
config system ntp
set server <server_ip>
set status {enable | disable}
set sync_interval <minutes>
end
where:
- <server_ip> is the IP address or fully qualified domain name of the NTP server
- {enable | disable} specifies whether the server is enabled
- <minutes> is a value in minutes that specifies how often the FortiDB system synchronizes its time with the NTP server
For example:
config system ntp
set server 172.30.62.81
set status enable
set sync_interval 120
end
For information on manually setting the time using the CLI, see
See also: System information and settings
Configuring the network settings
You can configure the FortiDB unit to operate in your network using either the web UI Network Configuration page or the CLI. These basic network settings include interfaces, DNS settings and static routes.
You can use either of the following formats to specify IP address/network mask pairs:
- Dotted-decimal (for example, 192.168.1.1/255.255.255.0)
- Bit representation (for example, 192.168.1.1/24)
See also: Configuring network settings using the CLI
Configuring network settings using the web UI
To configure the network interfaces using the web UI
1. Go to System > Network Setting.
On the Network Configuration page, the Interfaces tab displays the current configuration of the network interfaces.
Interface: The name of the network interface on the FortiDB unit.
Device IP/Netmask: The IP address and network mask configured for the interface.
Access: A list of the administrative access methods available on the interface.
Status: A green arrow indicates that the network interface is up; select the edit button to disable the port. A red arrow indicates that the interface is down; select the edit button to enable the port.
Modify: Select the edit button to change the interface settings.
2. For the interface you want to configure, in the Modify column, click (edit icon).
3. Configure the following options:
Enable check box: Specifies whether the interface is enabled or disabled
Interface Name: Cannot be changed
Device IP/Netmask: Enter an IP address and network mask (for example, 192.168.10.3/255.255.255.0)
Access: Select the methods of administrative access that are available on this interface.
- HTTP allows HTTP connections to the FortiDB. HTTP connections are not secure and can be intercepted by a third party.
- HTTPS allows secure HTTPS connections to the FortiDB.
- PING allows FortiDB to respond to ICMP pings, which are useful for testing connectivity.
- SSH allows SSH connections to the FortiDB CLI.
- TELNET allows Telnet connections to the FortiDB CLI. Telnet connections are not secure, and can be intercepted by a third party.
4. Select the Save button to save the interface settings.
To configure DNS using the web UI
You can configure primary and secondary DNS servers to provide the name resolution required by FortiDB features.
1. Go to System > Network Setting, and then click the DNS tab.
2. Enter an IP address for a primary and secondary DNS server.
3. To save and apply the DNS settings, click Apply.
To configure static routes using the web UI
To forward packets from FortiDB to the default gateway through a specified interface, add a default static route entry.
For example, to allow FortiDB to access the Internet from your private subnet, add a static route with a destination address of 0.0.0.0/0.0.0.0 and specify the gateway address to forward the packets to.
1. Go to System > Router.
The Static Route page displays the current static route configuration.
Destination IP/Netmask: The destination IP address and netmask for packets that FortiDB sends.
Gateway: The IP address of the router to which FortiDB forwards packets.
Interface: The name of the FortiDB interface through which intercepted packets are received and sent.
Modify: Click (edit icon) to change the route settings. Click (delete icon) to delete the route.
2. Click Add, and then configure the following options:
Destination IP/Netmask: Enter the destination IP address and netmask of packets that FortiDB intercepts. Enter 0.0.0.0/0.0.0.0 to specify any and all destinations.
Gateway: Enter the IP address of the next-hop router that FortiDB routes traffic to.
Interface: Select the FortiDB network interface for incoming and outgoing packet traffic.
3. Click Save.
Configuring network settings using the CLI
For details about each command, see Overview of commands on page 264.
1. To set the IP address and netmask of a network interface, execute the following commands:
config system interface
edit {port1 | port2 | port3 | port4}
set ip <ip_address> <netmask>
set allowaccess {http https ping ssh telnet}
end
where:
- {port1 | port2 | port3 | port4} is the network interface
- <ip_address> is the interface IP address
- <netmask> is the interface netmask
- {http https ping ssh telnet} specifies the types of administrative access that are permitted
For example:
config system interface
edit port1
set ip 192.168.100.159 255.255.255.0
set allowaccess ping https ssh
end
2. To set the DNS servers, execute the following commands. The secondary DNS server is optional:
config system dns
set primary <dns_server_ip>
set secondary <dns_server_ip>
end
where <dns_server_ip> is the IP address of the primary or secondary DNS server.
For example:
config system dns
set primary 65.39.139.52
set secondary 65.39.139.62
end
3. To create a static route, execute the following commands:
config system route
edit <seq_num>
set device <port>
set gateway <gateway_ip>
end
where:
- <seq_num> is an unused routing sequence number (numbering starts at 1)
- <port> is the port for this route
- <gateway_ip> is the default gateway IP address for the network
For example:
config system route
edit 1
set device port1
set gateway 172.30.62.254
end
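The interface and static-route commands above, generated from either of the IP/netmask formats the web UI accepts (dotted-decimal or bit representation), with the checks an administrator wants before pasting the block into the CLI. This is an added example, not FortiDB code: it follows the command layout the handbook shows, flags HTTP and Telnet access because the handbook says they are not secure, and the network/broadcast-address and on-link gateway checks are this example's own sanity checks, not documented FortiDB behaviour.

```python
"""Build FortiDB network CLI blocks from the web UI's IP/netmask formats.

Added example, not FortiDB code. The command layout follows the handbook's
examples; rejecting network/broadcast addresses and warning about an off-link
gateway are this example's own sanity checks.
"""
import ipaddress

VALID_PORTS = ('port1', 'port2', 'port3', 'port4')
VALID_ACCESS = ('http', 'https', 'ping', 'ssh', 'telnet')
# The handbook warns that these two are not secure and can be intercepted.
INSECURE_ACCESS = ('http', 'telnet')


def parse_ip_netmask(pair):
    """Accept '192.168.1.1/24' or '192.168.1.1/255.255.255.0'; return (ip, dotted netmask)."""
    _addr, sep, mask = pair.partition('/')
    if not sep:
        raise ValueError('expected <ip>/<netmask> or <ip>/<bits>, got %r' % pair)
    iface = ipaddress.IPv4Interface(pair)  # ValueError on a bad address or non-contiguous mask
    # ipaddress also accepts a host mask such as 0.0.0.255; insist on a real netmask.
    if '.' in mask and mask != str(iface.netmask):
        raise ValueError('%s is not a valid netmask' % mask)
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError('%s is the network or broadcast address of %s' % (iface.ip, net))
    return str(iface.ip), str(iface.netmask)


def is_valid_ip_netmask(pair):
    """True when parse_ip_netmask accepts the pair."""
    try:
        parse_ip_netmask(pair)
        return True
    except ValueError:
        return False


def interface_commands(port, pair, access):
    """Return (cli_lines, warnings) for 'config system interface' on one port."""
    if port not in VALID_PORTS:
        raise ValueError('unknown interface %r' % port)
    unknown = [a for a in access if a not in VALID_ACCESS]
    if unknown:
        raise ValueError('unknown access method(s): %s' % ', '.join(unknown))
    ip, netmask = parse_ip_netmask(pair)
    warnings = ['%s is allowed on %s: the handbook notes it is not secure and can be intercepted'
                % (a, port) for a in access if a in INSECURE_ACCESS]
    lines = ['config system interface',
             'edit %s' % port,
             'set ip %s %s' % (ip, netmask),
             'set allowaccess %s' % ' '.join(access),
             'end']
    return lines, warnings


def route_commands(seq_num, port, gateway, interface_pair=None):
    """Return (cli_lines, warnings) for a default 'config system route' entry.

    If interface_pair (the port's own IP/netmask) is given, warn when the gateway
    is not on that subnet, because FortiDB could not reach it directly.
    """
    if seq_num < 1:
        raise ValueError('routing sequence numbers start at 1')
    if port not in VALID_PORTS:
        raise ValueError('unknown interface %r' % port)
    gw = ipaddress.IPv4Address(gateway)
    warnings = []
    if interface_pair is not None:
        net = ipaddress.IPv4Interface(interface_pair).network
        if gw not in net:
            warnings.append('gateway %s is not on the %s subnet %s' % (gw, port, net))
    lines = ['config system route',
             'edit %d' % seq_num,
             'set device %s' % port,
             'set gateway %s' % gw,
             'end']
    return lines, warnings


if __name__ == '__main__':
    # Constructed input that reproduces the handbook's own examples.
    for block, warns in (interface_commands('port1', '192.168.100.159/255.255.255.0',
                                            ['ping', 'https', 'ssh']),
                         route_commands(1, 'port1', '172.30.62.254')):
        print('\n'.join(block))
        for w in warns:
            print('WARNING:', w)
```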
Backups
A configuration backup file allows you to reset FortiDB to its default configuration, if required.
When you update the firmware image, FortiDB keeps existing data and configuration. However, Fortinet recommends that you back up all FortiDB data and configuration settings before you upgrade. The backup operation safeguards data and configuration settings in case power is lost during the upgrade.
You should also back up the configuration before you use the execute format disk CLI command, which resets all device settings and configuration and deletes log data on the hard drive.
Always back up the configuration before installing firmware or when you reset FortiDB to factory defaults.
To back up your configuration settings using the CLI
Backing up data and the current configuration using the CLI requires an FTP server.
1. Log into the CLI.
For more information, see Connecting to the web UI and CLI on page 49.
2. Enter the following command to back up your local database, system-configuration settings, archives and reports:
execute backup all-settings <ftp server> <filepath> <username> <password> [cryptpasswd]
For details on this command, see execute backup all-settings on page 278.
3. After successfully backing up your configuration files from the CLI, proceed with upgrading FortiDB firmware.
To restore your configuration settings using the CLI
The following steps restore your FortiDB configuration settings using the CLI.
1. Log into the CLI.
2. Enter the following command to copy the backup configuration settings to the FortiDB unit and restore them:
execute restore all-settings <ftp server> <filepath> <username> <password> [cryptpasswd]
This operation replaces your current settings and requires you to reboot FortiDB. For details about backup and restore using the CLI, see execute backup all-settings on page 278 and execute restore all-settings on page 286.
Use the show CLI command to verify that your settings are restored, or log in to the web-based manager.
Administrators
The Administrators page allows you to add, delete, enable and disable FortiDB administration users. You can display administrators by role using the View By Role dropdown list.
<selection check box>: Selects an administrator to modify or delete. Select the column heading to select all administrators.
<status>: (enabled icon) indicates an enabled administrator. An administrator who has the Security Administrator role can enable an account at any time. (disabled icon) indicates a disabled administrator. An administrator who has the Security Administrator role can disable an account at any time. (locked icon) indicates a locked administrator account. FortiDB locks out an account after unsuccessful login attempts.
User Name: The FortiDB user name for the administrator
First Name: The user's first name
Last Name: The user's last name
Email Address: The user's email address
To add or modify an administrator
When you add FortiDB administrators, you assign them one or more roles. The built-in FortiDB roles determine which FortiDB operations the administrator can perform.
1. Go to Administration > Administrators.
2. Do one of the following:
- To create an administrator, click Add.
- To edit the settings for an existing administrator, click the appropriate user name.
3. On the General tab, for User Authentication Type, select one of the following options:
Normal: Specifies an administrator that FortiDB authenticates using the password in the administrator settings
LDAP: Specifies an administrator that FortiDB authenticates by connecting to the LDAP server specified in Global Configuration
4. Complete or edit the remaining General tab settings as required. Settings marked with an asterisk (*) are mandatory.
5. If you are creating a new user and do not want the administrator to be able to log in after you save its settings, select Set user status as "disabled" immediately.
To disable an existing user, on the Administrators page, select the check box to the left of the administrator, and then click Disable.
6. Click the Roles tab, and then, in the Available Roles list, select one or more items. Click >> (right arrows) to add the selected items to the Assigned Roles list.
To unassign roles, select the role in the Assigned Roles list and click << (left arrows).
For a description of the roles, see Configuring permissions on page 61.
7. Click the Targets tab, and then do one of the following:
- Select Manage All Targets.
- Select Manage Limited Targets, select one or more of the items in the Available Targets list, and then click >> (right arrows) to add the selected items to the Assigned Targets list.
To unassign targets, select the target in the Assigned Targets list and click << (left arrows).
The targets that an administrator can manage also depend on its role. For example, to edit any target, an administrator requires the Target Manager role.
8. Click Save.
See also:
- Privileges by license type (software-only FortiDB)
- Viewing and exporting an administrator report
Configuring permissions
The FortiDB roles allow you to assign privileges to administrators. For information on assigning roles to administrators, see To add or modify an administrator on page 60.
If you are using the software-only version of FortiDB, the privileges that are available depend on the FortiDB license. For more information, see Privileges by license type (software-only FortiDB) on page 63.
Administrator privileges by role
Operations Manager:
- Review target-database connection information
- Review target group connection information
- View pre-defined policies and user-defined policies
- View DAM Policies (Data, Metadata, Privilege, PCI, SOX, and HIPAA policies)
- Create, modify, delete, and run assessments
- Start/Stop monitoring
- View DAM Alerts
- Read results of FortiDB-shipped reports
- Read results of Custom reports
- Perform penetration tests
- View the Privilege Summary
Policy Manager:
- Import/export and enable/disable pre-defined policies for VA
- Import/export and enable/disable Metadata, Privilege, PCI, SOX, and HIPAA policies for DAM
- Import/export and enable/disable user-defined policies for VA and Data Policies for DAM
- Add policy groups for VA and DAM
- Create, modify and delete user-defined policies for VA and Data Policies for DAM
Report Manager:
- Review target-database connection information
- Review target group connection information
- Review Assessment settings
- Read results of FortiDB-shipped reports
- Generate DAM PCI, SOX, and HIPAA compliance reports
- Read results of Custom reports
- View the Privilege Summary
Security Administrator:
- Create, modify, delete, and enable/disable FortiDB users
- Configure and modify user-role assignments
- View the Entitlement report
System Administrator:
- Import/export and enable/disable pre-defined policies
- Import/export and enable/disable user-defined policies
- Archive and restore assessment results
- Change system properties
- Enable/View Audit trail
Target Manager:
- Create, modify, delete, and import/export connections to target databases
- Create, modify, and delete target groups
- Perform Auto Discovery of target databases
- Review Assessment settings
- Review the Privilege Summary
See also:
- Privileges by license type (software-only FortiDB)
- Viewing and exporting an administrator report
Privileges by license type (software-only FortiDB)
For the software-only version of FortiDB, the type of license that you use determines which privileges are available.
Privileges by license type
VA Only:
- Policy Manager: View/Modify VA policies
- Operations Manager: Create, modify, delete, and run assessments
- Report Manager: Generate VA reports
- Target Manager: All privileges for this role enabled
- System Administrator: All privileges for this role enabled
- Security Administrator: All privileges for this role enabled
DAM Only:
- Policy Manager: View/Modify DAM policies
- Operations Manager: Start/stop monitoring, view DAM Alerts, view/edit DAM Alert Groups
- Report Manager: Generate DAM reports
- Target Manager: All privileges for this role enabled
- System Administrator: All privileges for this role enabled
- Security Administrator: All privileges for this role enabled
VA and DAM:
- All privileges for the different roles enabled
See also
• Viewing and exporting an administrator report
Viewing and exporting an administrator report
The Entitlement Report tab displays all FortiDB administrators, their account status, and their roles.
To sort the entitlement report, click any column header. The header is used as your sort key. For example, to sort by status value, click Status. The sorted result is preserved when you export a report.
To export the entitlement report as a PDF, Excel, comma-delimited, or tab-delimited file, for Export as, select a format and then click Export.
Entitlement Report tab

Column: Status
Description: An icon indicates whether the administrator is enabled, disabled, or locked.

Column: Username
Description: Displays the user name from the Administrator tab.

Column: First Name
Description: Displays the first name from the Administrator tab.

Column: Last Name
Description: Displays the last name from the Administrator tab.

Column: Other
Description: Displays other information specified for the administrator.

Column: System Administrator role
Description: An icon indicates whether the user is assigned the System Administrator role.

Column: Security Administrator role
Description: An icon indicates whether the user is assigned the Security Administrator role.

Column: Target Manager role
Description: An icon indicates whether the user is assigned the Target Manager role.

Column: Policy Manager role
Description: An icon indicates whether the user has the Policy Manager role.

Column: Operations Manager role
Description: An icon indicates whether the user has the Operations Manager role.

Column: Report Manager role
Description: An icon indicates whether the user has the Report Manager role.
See also
• Privileges by license type (software-only FortiDB)
FortiMonitor administrator
You can configure FortiDB to collect audit and alert data for FortiMonitor and transmit it via SSH File Transfer Protocol (SFTP).
To enable FortiMonitor integration with FortiDB, create a FortiDB administrator with the name fortisiem. Ensure that the fortisiem administrator password and the FortiMonitor password that the FortiDB FTP server uses are the same. By default, FortiMonitor uses the password fortidb1!$ for the FortiDB FTP server.
Because FortiDB ignores any settings for this administrator other than the name and password, you can enter any value for the other mandatory administrator settings.
For information on additional FortiMonitor settings for FortiDB, see config system mapping on page 273.
Advanced/optional system settings
System information and settings
The System Information page displays basic information and settings for the FortiDB appliance, including the setting that allows you to view and change the FortiDB host name.
The Global Configuration page allows you to change general assessment and monitoring settings. For example, you can specify settings that are used for any assessment that FortiDB performs.
See also
• System information and settings
• Changing the FortiDB host name
System information and settings
The System Information page displays basic information and settings for the FortiDB appliance. FortiDB administrators have access profiles that permit read and write access for maintenance tasks and for changing the FortiDB firmware.

Item: Host Name
Description: The host name of the FortiDB unit. For details on changing the name, see Changing the FortiDB host name on page 68.

Item: Firmware Version
Description: The version of the firmware installed on the FortiDB unit. Click Update to upload a new version of the firmware. For details on updating the firmware, see Updating the firmware on page 49.

Item: Serial Number
Description: The serial number of the FortiDB unit. The serial number is specific to the FortiDB unit and does not change with firmware upgrades. Use this number to register your FortiDB appliance with Fortinet.

Item: System Time
Description: The current time according to the FortiDB internal clock. Click Change to change the time. For details on changing the time, see Setting the system time on page 54.

Item: Uptime
Description: The time in days, hours, and minutes since the FortiDB was last started or rebooted.

Item: Hard Disk RAID
Description: The RAID information. Check your hardware specification for RAID support. For RAID creation and information, see config system raid on page 275.
Changing the FortiDB host name
1. In the navigation menu, go to System > System Information.
2. Under System Information, in the Host Name information, click Change.
The Edit Host Name dialog box is displayed.
3. In the Host Name field, enter the new host name.
4. Click OK.
The new host name is displayed in the Host Name field.
See also
• System information and settings
Global configuration
The Global Configuration page allows you to change FortiDB system property values using the following tabs.
To make changes to the global properties, log in as an administrator who is assigned the System Administrator role.

Tab: All
Description: Displays properties as read-only. Select a tab to add or change property values.

Tab: Assessment
Description: Properties related to assessment.

Tab: Notification
Description: Properties related to email, SNMP, and Syslog.

Tab: Reporting
Description: Properties related to report generation.

Tab: User profile/Security
Description: Properties related to user profile and security.

Tab: Target
Description: Properties for additional JDBC settings for each database type.

Tab: LDAP Server
Description: Properties related to the LDAP server used for user authentication.

Tab: Monitor
Description: A property that specifies the number of records that each SOX Audit File contains.

To restore the default values of global properties, on the appropriate tab, select one or more items using their checkbox, and then click Restore Default(s).
You cannot restore default values for the properties on the LDAP and Monitor tabs.
See also
• User Profile/Security properties
Assessment properties
Property: Enable Localhost Auto Discovery
Description: Enables FortiDB to run auto discovery on the machine where the FortiDB application resides. Valid values are true or false.
Default: false

Property: Number of Concurrent Assessments
Description: Total number of assessments that can run simultaneously. The optimum value of this parameter depends on your environment, but tuning this parameter affects assessment performance and CPU usage by FortiDB.
Note: Assuming that each assessment has at least one target database, the value of Number of Concurrent Assessments can never exceed the Number of Concurrent Target Assessments value.
Default: 5

Property: Number of Concurrent Target Assessments
Description: Total number of target databases that can be assessed simultaneously during assessments. The optimum value of Number of Concurrent Target Assessments depends on your environment, but tuning this parameter affects assessment performance and CPU usage by FortiDB.
Note: Assuming that each assessment has at least one target database, the value of Number of Concurrent Assessments can never exceed the Number of Concurrent Target Assessments value.
Default: 20

Property: SSH Key File (appliance version)
Description: For Oracle OSVA and DB2 databases only, the file that contains the private key used for all SSH connections. Click Browse to select your SSH key file, and then click Save. You can upload an RSA or DSA private key file. If you upload a key file and a key file already exists in the appliance, FortiDB replaces the old key with the new key. Uploaded key files are renamed id_rsa or id_dsa, depending on the type of key that was uploaded.
Warning: If you click Restore Default(s) and then Save, FortiDB deletes your key file. Keep a copy of the file in a safe place.

Property: MSSQL Server Level Exclusions
Description: A comma-separated list of databases that FortiDB does not scan when it performs a Server Level scan of a Microsoft SQL database.
Default: model,tempdb,pubs,msdb,Northwind

Property: Sybase Server Level Exclusions
Description: A comma-separated list of databases that FortiDB does not scan when it performs a Server Level scan of a Sybase database.
Default: model, tempdb, pubs2, pubs3, jpubs, sybsyntax, sybsecurity, sybsystemdb, sybsystemprocs

Property: Enable Pen Test
Description: When set to true, the penetration test (pentest) capability is enabled. When set to false, the pentest capability is disabled. For more information on penetration tests, see .
Default: false

Property: Enable Pen Test For All Users in Database (software-only version)
Description: Specifies whether FortiDB uses the user names in <dbtype>user.txt. For more information on the file, see Files used for penetration tests on page 138.
Default: true

Property: Pen Test Method
Description: Specifies the method that FortiDB uses to connect to databases to perform penetration tests (pentests).
Caution: If the penetration test login attempts are unsuccessful, the database may prevent any users, including valid users, from logging in.
Valid values are:
• 1 - FortiDB logs in to your target databases to perform pentests (login method).
• 2 - FortiDB uses the hash-based method. A 'hash' is the value obtained after encrypting a clear-text string.
• 3 - FortiDB attempts the best available method. FortiDB uses the hash-based method if it is available.
For more information on these methods, see Connection options for penetration tests on page 137.
Default: 3 (hybrid)

Property: Pen Test Password Dictionary
Description: Specifies either the default password dictionary or a file that contains the passwords to check when the penetration test uses the Dictionary policy. Click Choose File to select your dictionary file, and then click Save to complete your selection. FortiDB does not display the name of the uploaded file.
To restore the default dictionary, select the Pen Test Password Dictionary item, click Restore Default(s), and then click Save. Your dictionary file is deleted.
Note: When you restore the default dictionary by selecting its checkbox and clicking Restore Default(s) and then Save, FortiDB deletes your dictionary file.
For more information on the password dictionary file, see Files used for penetration tests on page 138.
See also
• Adding or modifying assessments
• Configuring SSH connections to Oracle and DB2 databases
• Adding (or modifying) a target connection
Notification properties
Property: Email Server Host Name
Description: The SMTP email server host name or IP address. If no value is specified, FortiDB does not send email notifications.
Default: <no value>

Property: Email Server Port
Description: The server port number associated with Email Server Host Name.
Default: 25

Property: Email Server User Name
Description: The user name associated with Email Server Host Name. The user name and password are required if the email server requires authentication to send email.
Default: -

Property: Email Server Password
Description: The password associated with Email Server Host Name. The user name and password are required if the email server requires authentication to send email.
Default: -

Property: SNMP Community String
Description: The SNMP community name.
Default: public

Property: SNMP Receiver Host
Description: The SNMP receiver host name. If no value is specified, FortiDB cannot send SNMP-trap notifications.
Default: -

Property: SNMP Receiver Port
Description: The SNMP receiver port number.
Default: 162

Property: Syslog Receiver Host
Description: The Syslog receiver host name or IP address. If no value is specified, FortiDB cannot send Syslog notifications.
Default: -

Property: Syslog Receiver Port
Description: The Syslog receiver port number.
Default: 514

Property: ArcSight Syslog Receiver Host
Description: The ArcSight Syslog receiver host name or IP address.
Default: partner.arcsight.com

Property: ArcSight Syslog Receiver Port
Description: The ArcSight Syslog receiver port number.
Default: 514

Property: From Address
Description: The email address FortiDB uses in the 'From' field in email notifications.
Default: -
Reporting properties
Property: Company Name
Description: The company name to display on VA reports.
Default: Fortinet

Property: Company Logo
Description: An image file that is included in the layout of generated reports. Click Choose File to select the image file, and then click Save. FortiDB places the image file that you select in <FortiDB-install directory>/conf/reportlogo.
Default: -

Property: DAM Report Encoding
Description: The character encoding that FortiDB uses when it generates DAM reports.
Default: UTF-8

User Profile/Security properties

Property: Idle Account Expiration
Description: The number of days an administrator account can be inactive before FortiDB locks the account. When the value is -1 (the default), FortiDB does not lock administrator accounts because of inactivity. This expiry mechanism does not apply to the admin account. An administrator that is assigned the Security Administrator role can unlock an expired account.
Default: -1

Property: Max Number of Failed Login Attempts
Description: The number of login attempts FortiDB allows before it locks an administrator account. When the value is -1 (the default), FortiDB allows an unlimited number of login attempts. This limitation does not apply to the admin account.
Default: -1

Property: Days Until Password Expiration
Description: The number of days that a password remains valid. After the password expires, administrators are required to change their password. FortiDB displays messages to warn administrators that their password is going to expire. When the value is -1 (the default), passwords do not expire.
Default: -1

Property: Minimum Password Length
Description: The minimum length of an administrator password. When the value is -1 (the default), passwords can be any length. To be valid, passwords are required to have the minimum number of characters and satisfy all other rules for passwords. For more information, see Changing the "admin" account password on page 53.
Default: -1

Property: Enable Local Audit Trail
Description: When the value is true, the FortiDB local audit trail is enabled. When the value is false, the local audit trail is disabled. For more information on the local audit trail, see .
Default: false
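The controls above share two conventions: a value of -1 switches a control off, and the built-in admin account is exempt from the idle-account and failed-login locks but not from password expiry. The following Python model is added here as an illustration and is not FortiDB's own code; it applies those rules to a constructed administrator so the combined effect of the settings can be checked. The class, function and field names are assumptions, and the exact boundaries (lock at the Nth failed attempt, expiry once the age exceeds N days) are modelling choices the page does not pin down.

```python
from dataclasses import dataclass
from datetime import date

# Constructed model of the User Profile/Security semantics; not FortiDB code.
DISABLED = -1              # FortiDB convention: -1 turns a control off
EXEMPT_ACCOUNT = "admin"   # exempt from the idle and failed-login locks per the page


@dataclass
class SecurityProperties:
    idle_account_expiration: int = DISABLED         # Idle Account Expiration (days)
    max_failed_login_attempts: int = DISABLED       # Max Number of Failed Login Attempts
    days_until_password_expiration: int = DISABLED  # Days Until Password Expiration
    minimum_password_length: int = DISABLED         # Minimum Password Length (characters)


@dataclass
class Administrator:
    username: str
    last_login: date
    failed_logins: int
    password_set_on: date


def idle_locked(props: SecurityProperties, admin: Administrator, today: date) -> bool:
    """Lock an account whose inactivity exceeds the limit; -1 disables, admin is exempt."""
    if props.idle_account_expiration == DISABLED or admin.username == EXEMPT_ACCOUNT:
        return False
    return (today - admin.last_login).days > props.idle_account_expiration


def failed_login_locked(props: SecurityProperties, admin: Administrator) -> bool:
    """Lock once the allowed failed attempts are used up (assumed: lock at the Nth failure)."""
    if props.max_failed_login_attempts == DISABLED or admin.username == EXEMPT_ACCOUNT:
        return False
    return admin.failed_logins >= props.max_failed_login_attempts


def password_expired(props: SecurityProperties, admin: Administrator, today: date) -> bool:
    """A password stays valid for the configured number of days; -1 means it never expires.
    The page states no admin exemption for this control, so none is modelled."""
    if props.days_until_password_expiration == DISABLED:
        return False
    return (today - admin.password_set_on).days > props.days_until_password_expiration


def password_length_ok(props: SecurityProperties, password: str) -> bool:
    """Minimum length only; the other password rules the page refers to are out of scope here."""
    if props.minimum_password_length == DISABLED:
        return True
    return len(password) >= props.minimum_password_length


def evaluate(props: SecurityProperties, admin: Administrator, today: date) -> dict:
    """Summarise the outcome of every lock/expiry control for one administrator."""
    return {
        "idle_locked": idle_locked(props, admin, today),
        "failed_login_locked": failed_login_locked(props, admin),
        "password_expired": password_expired(props, admin, today),
    }


def demo() -> dict:
    """Hardened settings versus shipped defaults, for a regular and for the admin account (constructed data)."""
    hardened = SecurityProperties(30, 5, 90, 12)
    defaults = SecurityProperties()
    today = date(2017, 3, 17)
    alice = Administrator("alice", date(2017, 1, 20), 5, date(2016, 12, 1))
    admin = Administrator("admin", date(2017, 1, 20), 5, date(2016, 12, 1))
    return {
        "alice_hardened": evaluate(hardened, alice, today),
        "admin_hardened": evaluate(hardened, admin, today),
        "alice_defaults": evaluate(defaults, alice, today),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

With the shipped defaults every control is off, so the third scenario reports nothing locked or expired; the same administrator under the hardened values is locked on both counts, while the admin account is only caught by password expiry.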
Target properties
FortiDB uses JDBC to connect to target databases. You can configure the JDBC settings for a target using the Target page General tab. (For more information, see Adding (or modifying) a target connection on page 107.)
If you do not specify JDBC settings on the General tab, FortiDB uses the values of the following properties:

Property: Additional Oracle JDBC Settings
Description: A list of one or more key-value pairs to use for Oracle database connections. Use a semicolon to separate list entries.

Property: Additional SQL Server JDBC Settings
Description: A list of one or more key-value pairs to use for Microsoft SQL database connections. Use a semicolon to separate list entries.
If you use NTLM version 2 authentication, in the list, enter useNTLMv2=true.
In some cases, for Microsoft SQL Server, ForceEncryption is set to No. To force the server to use SSL encryption, in the list, enter SSL=require.

Property: Additional Sybase JDBC Settings
Description: Enter one or more additional key-value pairs to use for Sybase database connections. Use a semicolon to separate list entries.
To use a Sybase Encrypted Password connection (in the Sybase server, set net password encryption reqd to 1 or 2), enter:
ENCRYPT_PASSWORD=true;RETRY_WITH_NO_ENCRYPTION=true;JCE_PROVIDER_CLASS=org.bouncycastle.jce.provider.BouncyCastleProvider
To support an SSL-encrypted connection to the Sybase database, enter the following:
SYBSOCKET_FACTORY=com.fortinet.fortidb.target.internal.connection.SybaseSSL
Note: Database activity monitoring (DAM) using the TCP/IP sniffer is not available when FortiDB connects to Sybase using SSL.

Property: Additional DB2 JDBC Settings
Description: A list of one or more key-value pairs for DB2 database connections. Use a semicolon to separate list entries.

Property: Additional MySQL JDBC Settings
Description: A list of one or more additional key-value pairs for MySQL database connections. Use a semicolon to separate list entries.
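The five properties above all take the same "key=value;key=value" list, and the values that matter most are the ones that decide whether credentials and traffic are protected (SSL=require, useNTLMv2=true, ENCRYPT_PASSWORD, SYBSOCKET_FACTORY). The following Python helper is an added illustration, not FortiDB's own code: it parses such a list strictly (rejecting duplicate keys that would silently override a security setting) and reports which of the page's protection-related settings are present. Function names are assumptions; the remark about RETRY_WITH_NO_ENCRYPTION describes the jConnect driver's documented retry behaviour, which this page does not itself state.

```python
# Added illustration of the "Additional ... JDBC Settings" list format; not FortiDB code.

def parse_jdbc_settings(text: str) -> dict:
    """Parse 'key=value;key=value;' into a dict.

    Empty entries (for example a trailing ';') are skipped. A duplicate key raises so that a
    later entry cannot silently override an earlier, security-relevant one.
    """
    settings = {}
    for entry in text.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" not in entry:
            raise ValueError(f"entry has no '=': {entry!r}")
        key, value = (part.strip() for part in entry.split("=", 1))
        if key in settings:
            raise ValueError(f"duplicate key: {key}")
        settings[key] = value
    return settings


def format_jdbc_settings(settings: dict) -> str:
    """Inverse of parse_jdbc_settings: the semicolon-separated form the property field expects."""
    return ";".join(f"{key}={value}" for key, value in settings.items())


# Settings named on the page that bear on credential and transport protection, per database type.
PROTECTION_KEYS = {
    "sqlserver": {"SSL": "require", "useNTLMv2": "true"},
    "sybase": {
        "ENCRYPT_PASSWORD": "true",
        "SYBSOCKET_FACTORY": "com.fortinet.fortidb.target.internal.connection.SybaseSSL",
    },
}


def protection_summary(db_type: str, text: str) -> dict:
    """Report which protection-related settings carry the documented value.

    Absence is reported, not judged: the page notes that Sybase SSL rules out sniffer-based DAM,
    so the right choice depends on the monitoring method in use.
    """
    settings = parse_jdbc_settings(text)
    summary = {
        key: settings.get(key) == wanted
        for key, wanted in PROTECTION_KEYS.get(db_type, {}).items()
    }
    # jConnect behaviour (assumption, not stated on this page): with RETRY_WITH_NO_ENCRYPTION=true the
    # driver retries with a plaintext password when the server does not negotiate encryption. The
    # server-side "net password encryption reqd" = 1 or 2 setting is what makes that retry fail closed.
    summary["plaintext_password_fallback"] = (
        settings.get("RETRY_WITH_NO_ENCRYPTION", "").lower() == "true"
    )
    return summary


# The Sybase encrypted-password list exactly as the page gives it.
SYBASE_ENCRYPTED_PASSWORD = (
    "ENCRYPT_PASSWORD=true;RETRY_WITH_NO_ENCRYPTION=true;"
    "JCE_PROVIDER_CLASS=org.bouncycastle.jce.provider.BouncyCastleProvider"
)

if __name__ == "__main__":
    print(parse_jdbc_settings(SYBASE_ENCRYPTED_PASSWORD))
    print(protection_summary("sybase", SYBASE_ENCRYPTED_PASSWORD))
    print(protection_summary("sqlserver", "useNTLMv2=true;SSL=require;"))
```

Run against the page's own Sybase list, the summary shows the password encryption present, the SSL socket factory absent, and the plaintext fallback flag set; that is the expected combination when the server enforces encryption and sniffer-based DAM is still wanted.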
See also
• Adding (or modifying) a target connection
LDAP Server properties
The LDAP Server properties specify the server that authenticates FortiDB administrators when User Authentication Type is LDAP.
Click Test Connection to test the LDAP server configuration.

Property: Server Name/IP
Description: LDAP server name or IP address.
Default: -

Property: Port
Description: LDAP server port.
Default: 389

Property: Common Name Identifier
Description: Name of the user identifier in the LDAP user path. For example, if the path to the user is cn=username,ou=dept,dc=com, enter cn. If the user path is un=username,ou=dept,dc=com, enter un.

Property: Distinguished Name
Description: Distinguished name of the LDAP user, which identifies its unique path. For example, if the path to the user is cn=username,ou=dept,dc=com, enter ou=dept,dc=com.

Property: Bind Type
Description: LDAP authentication type. Valid values are none or Simple.
Default: Simple

Property: Use Secure Connection(SSL)
Description: Use SSL for a secure connection. Valid values are True or False.
Default: False
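The Common Name Identifier and Distinguished Name properties are combined into the DN that is bound with, as in cn=username,ou=dept,dc=com. The following Python helper is an added illustration, not FortiDB's own code: it composes that DN while escaping the user-supplied part per RFC 4514, so a login name containing commas or other DN metacharacters cannot change the structure of the DN, and it expresses the Port and Use Secure Connection(SSL) properties as an LDAP URL with a note on what Simple bind without SSL implies. All function names are assumptions.

```python
# Added illustration of DN composition for the LDAP Server properties; not FortiDB code.

# Characters that RFC 4514 requires to be backslash-escaped anywhere inside an attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so user-supplied text cannot alter the DN's structure.

    Besides the special characters, a leading '#' and leading or trailing spaces are escaped,
    and NUL is rejected outright.
    """
    if "\x00" in value:
        raise ValueError("NUL is not allowed in a DN value")
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(cn_identifier: str, username: str, base_dn: str) -> str:
    """Compose '<identifier>=<username>,<base_dn>', e.g. cn=username,ou=dept,dc=com."""
    # Attribute type names consist of letters, digits and hyphens; anything else is refused.
    if not cn_identifier or not cn_identifier.replace("-", "").isalnum():
        raise ValueError(f"invalid attribute type: {cn_identifier!r}")
    if not username:
        raise ValueError("empty username")
    return f"{cn_identifier}={escape_dn_value(username)},{base_dn}"


def ldap_url(server: str, port: int = 389, use_ssl: bool = False) -> str:
    """URL form of Server Name/IP, Port and Use Secure Connection(SSL)."""
    scheme = "ldaps" if use_ssl else "ldap"
    return f"{scheme}://{server}:{port}"


def bind_risk(bind_type: str, use_ssl: bool):
    """Simple bind carries the administrator's password in the clear unless the connection is SSL."""
    if bind_type.lower() == "simple" and not use_ssl:
        return "Simple bind without SSL transmits administrator passwords in cleartext"
    return None


if __name__ == "__main__":
    print(build_bind_dn("cn", "alice", "ou=dept,dc=com"))
    print(build_bind_dn("cn", "alice,ou=admins", "ou=dept,dc=com"))  # comma is escaped
    print(ldap_url("ldap.example.net", 389, False), bind_risk("Simple", False))
```

The second call shows the point of the escaping: without it, a login name of alice,ou=admins would be parsed as two RDNs and the bind would target a different subtree than the configured Distinguished Name.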
Monitor properties
Property: Records contained by single Compliance Audit File
Description: The number of records that each Compliance Audit File contains. Enter a value between 100,000 and 400,000.
Default: 400000
Connecting to target databases
To allow FortiDB to assess and monitor your databases, you first pre-configure the target database, and then configure the connection between FortiDB and the database. FortiDB can also look for databases on the network automatically.
See also
• Pre-configuration for monitoring target databases
• Privileges required by the FortiDB database user
• Adding (or modifying) a target connection
Pre-configuration for monitoring target databases
The pre-configuration that is required for target databases is determined by the type of database and the method that FortiDB uses for monitoring.
See also
• Network requirements for monitoring using the TCP/IP sniffer
• Oracle target database pre-configuration
• Microsoft SQL Server target database pre-configuration
• Sybase target database pre-configuration
• DB2 target database pre-configuration
• MySQL target database pre-configuration
Network requirements for monitoring using the TCP/IP sniffer
For more information about the TCP/IP sniffer, see Tutorial: Monitoring a database table using the TCP/IP sniffer on page 23.
• Your target database and its clients connect via TCP/IP protocols.
• Both FortiDB and the target databases are connected to the same switch. FortiDB is connected to the switch's mirroring (SPAN) port. For example:
  • port1 on FortiDB and the machines of FortiDB administrators are connected to a LAN, which is also the LAN that the target databases use for management connections.
  • port2 on FortiDB is connected to the switch's mirror port, where it receives copies of all network traffic associated with the target databases.
See also
• Configuring monitoring using the TCP/IP sniffer (all database types)
Oracle target database pre-configuration
Required privileges for monitoring or auditing Oracle databases
To prepare for database monitoring, ensure the FortiDB database user has the following privileges:

Policy type: Data
Required privileges:
For the DB, EXTENDED and XML File Agent collection methods:
• CREATE SESSION
• SELECT_CATALOG_ROLE
• DELETE_CATALOG_ROLE
• AUDIT ANY
• AUDIT SYSTEM
• SELECT on SYS.AUD$
• SELECT on the monitored tables, or SELECT ANY TABLE
For the TCP/IP Sniffer collection method (privileges required for browsing the database to define a data policy):
• CREATE SESSION
• SELECT_CATALOG_ROLE
• SELECT on the monitored tables, or SELECT ANY TABLE

Policy type: Privilege
Required privileges:
• CREATE SESSION
• SELECT_CATALOG_ROLE
• DELETE_CATALOG_ROLE
• AUDIT SYSTEM

Policy type: Metadata
Required privileges:
• CREATE SESSION
• SELECT_CATALOG_ROLE
For activity auditing:
• CREATE SESSION
• AUDIT SYSTEM
• SELECT_CATALOG_ROLE

To grant privileges to your database user, use a GRANT statement. For example:
GRANT SELECT_CATALOG_ROLE TO username;
GRANT DELETE_CATALOG_ROLE TO username;
See also
• Configuring an Oracle database for PCI, SOX, and HIPAA policies
• Enabling FortiDB to delete audit records
• Oracle XML file agent installation and configuration (UNIX, Windows, AIX)
• Adding (or modifying) a target connection
Configuring an Oracle database for PCI, SOX, and HIPAA policies
Regulatory compliance policies capture all types of activities and store the data in FortiDB's repository. In some cases, this information does not appear in alerts as expected. To avoid this problem, you can execute "create trigger" commands.
1. On your Oracle target database, add a file that contains the following script:
   CREATE OR REPLACE TRIGGER FORTIDB_get_application
   AFTER LOGON ON DATABASE
   WHEN (user != 'SYS')
   DECLARE
     l_program  VARCHAR2(50);
     l_computer VARCHAR2(50);
   BEGIN
     -- Record the connecting program and client machine as the session's client identifier
     SELECT substr(program, 1, 43), substr(computer, 1, 20)
       INTO l_program, l_computer
       FROM v$session
      WHERE audsid = sys_context('USERENV', 'SESSIONID');
     dbms_session.set_identifier(l_program || ':' || l_computer);
   EXCEPTION
     WHEN OTHERS THEN ROLLBACK;
   END;
   /
2. Log in to your Oracle instance as sys as sysdba.
3. Execute the file.
See also
• PCI, SOX, and HIPAA alert policies
Enabling FortiDB to delete audit records
To delete audit records from the SYS.AUD$ table, the FortiDB database user requires delete privileges on the SYS.AUD$ table.
Because SYS.AUD$ contains all audit records, when FortiDB deletes audit records, it deletes all audit records, not only the audit records generated for FortiDB monitoring. Therefore, grant this privilege to the FortiDB user only if you understand the implications.
Use the following statement to grant the FortiDB user delete privileges on the SYS.AUD$ table:
grant delete on SYS.AUD$ to <username>;
For more information on deleting audit records, see Oracle audit management on page 213.
See also
• Adding (or modifying) a target connection
Oracle XML file agent installation and configuration (UNIX, Windows, AIX)
You can use FortiDB's Oracle XML file agent to monitor multiple Oracle databases. When it is active, the agent periodically transmits Oracle's audit log data to FortiDB for further processing.
To configure and run the Oracle XML file agent
1. Obtain login credentials for a user that has read and write access for the Oracle database audit log directories that you want to monitor.
   Using the SQL*Plus utility, run show parameters audit_file_dest to view the location of the Oracle database audit directory.
   If Oracle is installed on Windows, ensure that the user is a member of the Administrators group. You can remove the user from this group after installation is complete.
2. Ensure that Java Virtual Machine (JVM) 1.6 or greater is installed, the JAVA_HOME environment variable is correctly configured, and that the bin directory is first on the execution path.
3. Complete the Oracle target database pre-configuration. See Oracle target database pre-configuration on page 80.
4. Configure a target that connects to the Oracle database. See Adding (or modifying) a target connection on page 107.
5. As the user with the credentials specified earlier, log in to the machine where the Oracle database is located, and then unpack a copy of the FortiDB Oracle XML file agent installer into a directory.
6. Copy the agent.properties.sample file from the agent's doc directory to the agent's conf directory, and then change the file name to agent.properties.
7. Open the agent.properties file in a text editor and edit the following values:

Parameter: agentType
Description: Enter ORA_XML.
Required? Yes

Parameter: brokerAddress
Description: Enter the IP address or resolvable host name for FortiDB.
Required? Yes

Parameter: brokerPort
Description: Enter the port FortiDB uses to listen for transmissions from the agent. The default value is 9116.
Required? No

Parameter: agentDBAddress
Description: Enter the IP address of the target database. Use the same value that is specified by the target configuration (General tab).
Required? Yes

Parameter: agentDBPort
Description: Enter the listening port on the target database. Use the same value that is specified by the target configuration (General tab).
Required? Yes

Parameter: pollingInterval
Description: Enter a positive integer that specifies the polling interval in milliseconds. For the Oracle XML file agent, the default value is 60000 (60 seconds).
Required? No

Parameter: removeAuditFile
Description: Not used for Oracle databases.
Required? No
8. If Oracle is installed on Windows, do the following:
   a. In the agent's bin directory, execute the following command:
      fdbagent install
   b. In the Windows Services Control Panel, configure the FortiDB Database Monitoring Agent to run using the same login credentials that you used to unpack the FortiDB agent installation file.
9. To start the FortiDB agent, do one of the following:
   • For Windows, Linux, or Solaris: in the agent's bin directory, execute the following command:
     $ fdbagent start
     To stop the agent, execute the following command:
     $ fdbagent stop
   • For other platforms (for example, AIX): in the agent's bin directory, execute the following command:
     $ nohup ./fdbagentapp &
10. Configure target monitoring for the database where the agent is installed. For detailed instructions, see Configuring Oracle monitoring on page 204.
Monitoring encrypted Oracle traffic
FortiDB can monitor encrypted Oracle database activity using its TCP/IP sniffer.
To make the database's SSL configuration compatible with FortiDB DAM, ensure that Advanced Security is enabled and generate the security credentials using Oracle Wallet Manager.
In addition, ensure that the cipher suite RSA 3DES_EDE_CBC SHA and one or more of the following cipher suites are enabled in the SSL configuration for the Oracle client:
• AES_256_CBC_SHA
• AES_128_CBC_SHA
• RSA_DES_CBC_SHA
• RSA_RC4_128 SHA
• RSA RC4_128 MD5
When you configure monitoring using the TCP/IP sniffer, you upload to FortiDB the self-signed certificate that you exported from the Oracle server wallet manager and imported into the wallet manager on the Oracle client machine. Depending on your SSL configuration, the certificate information is stored in PKCS #12 or X.509 format.
See Configuring monitoring using the TCP/IP sniffer (all database types) on page 199.
Using the SYSLOG utility to collect audit data
If required, you can configure the Oracle auditing feature to use the SYSLOG utility to write audit records to the system audit log.
In SQL*Plus, you can use the show parameter audit command to view the current audit option values.
To enable SYSLOG data collection, set the audit options in the following table to the specified values:

Parameter: audit_file_dest
Value: Specify the operating system directory into which the audit trail is written.

Parameter: audit_sys_operations
Value: TRUE

Parameter: audit_syslog_level
Value: LOCAL1.DEBUG

Parameter: audit_trail
Value: OS
MySQL target database pre-configuration
To set the MySQL general log table
1. To add the required parameters to the server configuration file, go to the %MYSQL_HOME directory, open my.cnf (for UNIX) or my.ini (for Windows) in a text editor, and then add the following parameters under [mysqld]:
   general_log=1
   log_output=TABLE
2. Restart the MySQL database.
3. To change the definition of the mysql.general_log table, use the following commands to change the storage engine to MyISAM:
   mysql> SET GLOBAL general_log = 'OFF';
   mysql> ALTER TABLE mysql.general_log ENGINE = MyISAM;
   mysql> SET GLOBAL general_log = 'ON';
4. To view the definition of the mysql.general_log table, use the following SQL command:
   mysql> show create table mysql.general_log;
   The structure of the log table is displayed. For example:
   | Table       | Create Table
   | general_log | CREATE TABLE `general_log` (
     `event_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
     `user_host` mediumtext NOT NULL,
     `thread_id` int(11) NOT NULL,
     `server_id` int(11) NOT NULL,
     `command_type` varchar(64) NOT NULL,
     `argument` mediumtext NOT NULL
   ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='General log' |
5. To verify that the database is logging data, use the following command:
   mysql> select * from mysql.general_log;
   Logging data is displayed. For example:
   | event_time          | user_host                          | thread_id | server_id | command_type | argument                         |
   | 2009-07-29 16:44:23 | root[root] @ localhost [127.0.0.1] |         1 |         0 | Connect      | root@localhost on mysql          |
   | 2009-07-29 16:44:23 | root[root] @ localhost [127.0.0.1] |         1 |         0 | Query        | select @@version_comment limit 1 |
   | 2009-07-29 16:44:37 | root[root] @ localhost [127.0.0.1] |         1 |         0 | Query        | show create table general_log    |
   | 2009-07-29 16:45:19 | root[root] @ localhost [127.0.0.1] |         1 |         0 | Query        | set global general_log='OFF'     |
   | 2009-07-29 16:46:18 | root[root] @ localhost [127.0.0.1] |         1 |         0 | Query        | select * from mysql.general_log  |
   5 rows in set (0.00 sec)
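The general_log rows above are what a table-based collector reads, and the sample happens to include the one statement that blinds that very collector (step 3's set global general_log='OFF'). The following Python helper is an added illustration, not FortiDB's own code: it parses the user_host field into its user, authenticated-user, host and IP parts, normalises each row into a flat event, and flags statements that disable or alter general logging. The function names, the tamper patterns and the constructed SAMPLE_ROWS (copied from the example output) are assumptions; a real deployment would baseline the maintenance window in which step 3 is performed.

```python
import re
from datetime import datetime

# Added illustration based on the mysql.general_log layout shown above; not FortiDB code.

# user_host as MySQL writes it: "<user>[<auth_user>] @ <host> [<ip>]"; ip is empty for socket connections.
USER_HOST_RE = re.compile(
    r"^(?P<user>[^\[]*)\[(?P<auth_user>[^\]]*)\] @ (?P<host>\S*) \[(?P<ip>[^\]]*)\]$"
)

# Statements that switch off, redirect, or destroy table-based general logging (assumed patterns).
AUDIT_TAMPER_PATTERNS = [
    re.compile(r"^\s*set\s+(global\s+)?general_log\s*=\s*'?(off|0)'?\s*$", re.I),
    re.compile(r"^\s*set\s+(global\s+)?log_output\b", re.I),
    re.compile(r"^\s*(alter|truncate|drop)\s+table\s+(mysql\.)?general_log\b", re.I),
    re.compile(r"^\s*delete\s+from\s+(mysql\.)?general_log\b", re.I),
]

# Constructed rows mirroring the example output:
# (event_time, user_host, thread_id, server_id, command_type, argument)
SAMPLE_ROWS = [
    ("2009-07-29 16:44:23", "root[root] @ localhost [127.0.0.1]", 1, 0, "Connect", "root@localhost on mysql"),
    ("2009-07-29 16:44:23", "root[root] @ localhost [127.0.0.1]", 1, 0, "Query", "select @@version_comment limit 1"),
    ("2009-07-29 16:44:37", "root[root] @ localhost [127.0.0.1]", 1, 0, "Query", "show create table general_log"),
    ("2009-07-29 16:45:19", "root[root] @ localhost [127.0.0.1]", 1, 0, "Query", "set global general_log='OFF'"),
    ("2009-07-29 16:46:18", "root[root] @ localhost [127.0.0.1]", 1, 0, "Query", "select * from mysql.general_log"),
]


def parse_user_host(user_host: str) -> dict:
    """Split the user_host column into user, auth_user, host and ip."""
    match = USER_HOST_RE.match(user_host.strip())
    if not match:
        raise ValueError(f"unrecognised user_host: {user_host!r}")
    return {key: value.strip() for key, value in match.groupdict().items()}


def normalize_event(row) -> dict:
    """Turn one general_log row into a flat event record suitable for alerting."""
    event_time, user_host, thread_id, server_id, command_type, argument = row
    event = {
        "event_time": datetime.strptime(event_time, "%Y-%m-%d %H:%M:%S"),
        "thread_id": int(thread_id),
        "server_id": int(server_id),
        "command_type": command_type,
        "argument": argument,
    }
    event.update(parse_user_host(user_host))
    return event


def is_audit_tampering(event: dict) -> bool:
    """Only Query rows carry SQL; Connect/Quit rows are never a tamper hit."""
    if event["command_type"] != "Query":
        return False
    return any(pattern.match(event["argument"]) for pattern in AUDIT_TAMPER_PATTERNS)


def find_audit_tampering(rows) -> list:
    """Return the normalised events that would disable or alter general logging."""
    return [event for event in map(normalize_event, rows) if is_audit_tampering(event)]


if __name__ == "__main__":
    for hit in find_audit_tampering(SAMPLE_ROWS):
        print(hit["event_time"], hit["user"], hit["ip"], hit["argument"])
```

On the sample data exactly one event is flagged, the set global general_log='OFF' from step 3, attributed to root from 127.0.0.1; the Connect row and the ordinary SELECTs pass through untouched.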
Required privileges for monitoring via SQL Trace
The following privileges are required when you monitor a Microsoft SQL Server database using the
SQL Trace
collection method and privilege and metadata policies.
FortiDB 5.1.11 Upgrade Guide
Fortinet Technologies Inc.
85
Pre-configuration for monitoring target databases Connecting to target databases
Policy type   Required privileges
Privileges    SELECT on: sys.columns, sys.database_role_members, sys.database_permissions, sysobjects, sys.database_principals, sys.sql_logins
              EXECUTE on: sp_helpsrvrolemember
Metadata      SELECT on: information_schema.columns, sysindexes, sysobjects, information_schema.routines, sys.objects, sys.sql_modules, information_schema.views
See also
- Adding (or modifying) a target connection
- Configuring Microsoft SQL Server monitoring
Sybase target database pre-configuration
FortiDB’s database activity monitoring (DAM) features require you to pre-configure a Sybase target database, but not a Sybase IQ database.
For Sybase IQ databases, FortiDB supports vulnerability assessment only, not DAM. Therefore, Sybase IQ targets do not require pre-configuration.
Configuring the Sybase audit system and FortiDB database user
To create the sybsecurity database
Execute the following commands. The physname parameter specifies the Sybase data path (in this example, C:\sybase\data\):
disk init name = "auditdev", physname = "C:\sybase\data\sybaud.dat", size = 5120
go
disk init name = "auditlog", physname = "C:\sybase\data\sybaudlog.dat", size = 1024
go
create database sybsecurity on auditdev log on auditlog
go
To install the installsecurity script
The installsecurity SQL script contains all required stored procedures and audit tables.
1. Go to the scripts directory. For example, $SYBASE/ASE-15_0/scripts.
2. Execute the following command:
isql -Usa -P<password> < instsecu
3. Restart the database.
To grant the mon_role role to the FortiDB database user
To grant the mon_role role to the FortiDB database user, use the following command:
grant role mon_role to <username>
The mon_role role is applied the next time the user logs in. If you are currently logged in with that account, log out and log in again to allow the new privileges to take effect.
See also
- Configuring the Sybase Monitoring and Diagnostic (MDA) tables
- Adding (or modifying) a target connection
Configuring the Sybase Monitoring and Diagnostic (MDA) tables
To set the size of tempdb for MDA
For best results, ensure the temporary database (tempdb) has more than 100MB of free space.
1. Connect to the master database as the sa user.
2. Check the size of tempdb.
For example, execute the following command:
sp_helpdb
go
name            db_size    owner  dbid   created       status
--------------  ---------  -----  -----  ------------  ------------------------------------------------------------------
master          13.0 MB    sa     1      Dec 07, 2007  mixed log and data
model           4.0 MB     sa     3      Dec 07, 2007  mixed log and data
sybmgmtdb       75.0 MB    sa     4      Dec 07, 2007  select into/bulkcopy/pllsort, trunc log on chkpt, mixed log and data
sybsystemdb     3.0 MB     sa     31513  Dec 07, 2007  mixed log and data
sybsystemprocs  120.0 MB   sa     31514  Dec 07, 2007  trunc log on chkpt, mixed log and data
tempdb          4.0 MB     sa     2      Nov 11, 2008  select into/bulkcopy/pllsort, trunc log on chkpt, mixed log and data
text_db         5.5 MB     sa     5      Dec 07, 2007  trunc log on chkpt, mixed log and data
3. Allocate an appropriate amount of disk space to tempdb.
For example, to allocate 500 MB, which is 256000 pages, execute the following command:
disk init name = "tempdb_data01", physname = "/export/home/sybase/data/tempdb_data01.dat", size = 256000
go
4. Allocate disk space on the new device to tempdb.
For example, execute the following command:
alter database tempdb on tempdb_data01 = 500
go
The output confirms the allocation:
Extending database by 256000 pages (500.0 megabytes) on disk tempdb_data01
To configure the login trigger for session policies
Login triggers execute a specified stored procedure every time a user logs in.
1. Drop any existing FortiDB_audit table.
For example, to drop the table FortiDB_audit, use the following command:
drop table master.dbo.FortiDB_audit
go
2. Create a table to store login information in.
For example, to create the table FortiDB_audit in the master database, use the following command:
create table master.dbo.FortiDB_audit
(
    spid smallint,
    kpid int,
    suid int,
    loginname varchar(30),
    dbusername varchar(30),
    dbid smallint,
    dbname varchar(30),
    program_name varchar(30) null,
    hostprocess varchar(30) null,
    ipaddr varchar(64) null,
    loggedindatetime datetime
)
go
3. Create a procedure for the login trigger.
For example, to create the procedure login_proc, use the following script:
use master
go
drop procedure login_proc
go
create procedure login_proc as
begin
    insert into master.dbo.FortiDB_audit
    select
        S.spid,
        S.kpid,
        S.suid,
        suser_name(),
        user_name(),
        S.dbid,
        db_name(),
        S.program_name,
        S.hostprocess,
        S.ipaddr,
        S.loggedindatetime
    from master.dbo.sysprocesses S
    where S.spid = @@spid
end
go
4. Create the login trigger.
For example, use the following command:
sp_logintrigger 'master.dbo.login_proc'
go
Global login trigger updated.
If sp_logintrigger is not installed, recreate the master database procedures.
For example, for UNIX, execute the following script:
isql -Usa -P<password> -i$SYBASE/ASE-15_0/scripts/installmaster
For Windows, execute the following script:
isql -Usa -P<password> -i$SYBASE/ASE-15_0/scripts/installmstr
If you need to drop the global trigger, execute:
sp_logintrigger 'drop'
go
5. Grant permission to execute login_proc to public.
For example:
grant execute on dbo.login_proc to public
go
To set the MDA parameters
1. Configure MDA parameters.
For example, for Linux, use the following commands (for Windows, enter "go" for each execution):
sp_configure "enable cis", 1
sp_addserver loopback, null, @@servername     (not required for 15.0.2 or later)
set cis_rpc_handling on                       (not required for 15.0.2 or later)
exec loopback...sp_who                        (note: 3 dots)
sp_configure "errorlog pipe active", 1
sp_configure "deadlock pipe active", 1
sp_configure "wait event timing", 1
sp_configure "process wait events", 1
sp_configure "object lockwait timing", 1
go
For the monSysStatement table:
sp_configure "statement statistics active", 1
sp_configure "statement pipe max messages", 30000
sp_configure "per object statistics active", 1
sp_configure "statement pipe active", 1
go
For the monSysSQLText table:
sp_configure "max SQL text monitored", 8192
sp_configure "SQL batch capture", 1
sp_configure "sql text pipe max messages", 30000
sp_configure "sql text pipe active", 1
go
Additional parameter values to set:
sp_configure "max memory", 256000
sp_configure "event buffers per engine", 2000
sp_configure "plan text pipe max messages", 100
sp_configure "errorlog pipe max messages", 30000
sp_configure "deadlock pipe max messages", 100
go
2. Restart the database.
3. To configure the monitoring table to collect data, use the following command:
sp_configure "enable monitoring", 1
go
To connect to the Sybase database and clear the MDA buffer
Clear the MDA buffer only after the FortiDB database user has made an initial connection to the database.
1. Connect to the Sybase database that you have configured for monitoring by FortiDB.
See Adding (or modifying) a target connection on page 107.
2. To clear the MDA buffer, use the following commands:
select top 1 * from dbo.monSysSQLText
go
select top 1 * from dbo.monSysStatement
go
See also
- Configuring the Sybase audit system and FortiDB database user
- Adding (or modifying) a target connection
DB2 target database pre-configuration
Users and privileges required by the DB2 agent
The FortiDB DB2 agent periodically sends a request to the DB2 database to transmit its audit data to a file system location in the agent’s temporary directory. The agent then transmits the audit files to the FortiDB repository. You can also configure the agent to remove the audit data from the DB2 database.
To perform these tasks, the FortiDB DB2 agent requires read and write access to the audit data files. To give the agent this access, configure it to run using the login credentials of the database instance owner (the credentials used to run the DB2 server).
In addition, to install the agent on Windows, the database user that runs the DB2 agent must be a member of the DB2ADMNS user group. You can remove the user from this group after installation is complete.
Required DB2 user: DB2 instance owner
Purpose: DB2 instance owner
Required privileges: Default DB2 instance owner privileges

Required DB2 user: FortiDB DB2 database user
Purpose: Connects FortiDB to the DB2 target database
Required privileges:
- Security administration authority (SECADM), which is required to configure and manage database auditing
- For databases installed on Windows: DB2 instance owner, or membership in the DB2ADMNS or DB2USERS user group

Required DB2 user: DB2 user for installing and running the agent
Purpose: Runs the DB2 agent
Required privileges:
- DB2 instance owner
- For installing on Windows, membership in the DB2ADMNS user group
See also
- Configuring the DB2 database and installing the agent
- Adding (or modifying) a target connection
Configuring the DB2 database and installing the agent
To configure the DB2 target database to work with the DB2 agent
1. If the database already has an audit configuration, reset the instance-level audit using the following command:
db2audit configure reset
2. To start the audit facility administrator tool, use the following command:
db2audit start
3. To configure the audit facility to audit for failed logins, use the following command:
db2audit configure scope context status failure
4. To set the size of the audit buffer, use the following command:
db2 update dbm cfg using AUDIT_BUF_SZ 10000
The default audit buffer is 0 (no setting).
5. To grant security administration authority (SECADM) to the user FortiDB uses to connect to the database, use the following command:
db2=> GRANT SECADM ON DATABASE TO USER <user name>
where <user name> is the user name specified by the target configuration (General tab).
For Windows, the FortiDB connection user needs to belong to the DB2ADMNS or DB2USERS group. For UNIX, AIX, or Linux, the FortiDB connection user does not need to be an instance owner.
By default, the db2admin user does not have the SECADM authority.
To configure and run the DB2 agent
1. Ensure that Java Virtual Machine (JVM) 1.6 or greater is installed, the JAVA_HOME environment variable is correctly configured, and the bin directory is first on the execution path.
2. Obtain a copy of the FortiDB agent installer. For information on obtaining the installer, contact Fortinet technical support.
3. Ensure that the DB2 target database has the required configuration. See To configure the DB2 target database to work with the DB2 agent on page 92.
4. As the database user that runs the agent, log in to the machine where the DB2 database is located, and then unpack a copy of the FortiDB agent installer to a directory.
For information on the permissions this user requires, see Users and privileges required by the DB2 agent on page 91.
5. Copy the agent.properties.sample file from <agent install directory>/doc to <agent install directory>/conf, and then rename the file to agent.properties.
6. Using a text editor, set the properties in agent.properties to the following values:
Parameter: agentType
Description: Enter DB2.
Required? Yes

Parameter: brokerAddress
Description: Enter the IP address or resolvable host name for FortiDB.
Required? Yes

Parameter: brokerPort
Description: Enter the port FortiDB uses to listen for transmissions from the agent. The default value is 9116.
Required? No

Parameter: agentDBAddress
Description: Enter the IP address of the target database. Use the same value that is specified by the target configuration (General tab).
Required? Yes

Parameter: agentDBPort
Description: Enter the listening port on the target database. Use the same value that is specified by the target configuration (General tab).
Required? Yes

Parameter: pollingInterval
Description: Interval between the agent’s periodic requests for DB2 audit data (inferred from the parameter name; the units and default are not stated here).
Required? No

Parameter: removeAuditFile
Description: Enter true or false. To remove DB2 audit file outputs after the agent sends them to FortiDB, enter true (the default value).
Required? No
7. To install the DB2 agent, go to <agent install directory>/bin, and then execute the following command:
DB2AgentSetup
8. If DB2 is installed on Windows, do the following:
a. In <agent install directory>/bin, execute the following command:
fdbagent install
b. In the Windows Services Control Panel (for example, in Start > Control Panel > Administrative Tools), configure the FortiDB Database Monitoring Agent to run using the same login credentials that you used to unpack the FortiDB agent installation file.
9. To start the FortiDB agent, do one of the following:
- For Windows, Linux, or Solaris, in <agent install directory>/bin, execute the following command:
$ fdbagent start
To stop the agent, execute the following command:
$ fdbagent stop
- For other platforms (for example, AIX), in <agent install directory>/bin, execute the following command:
$ nohup ./fdbagentapp &
10. To confirm that the audit data path and audit archive path are correct, execute the following command: db2audit describe
The audit settings are displayed. For example:
DB2 AUDIT SETTINGS:
Audit active: "TRUE"
Log audit events: "FAILURE"
Log checking events: "FAILURE"
Log object maintenance events: "FAILURE"
Log security maintenance events: "FAILURE"
Log system administrator events: "FAILURE"
Log validate events: "FAILURE"
Log context events: "FAILURE"
Return SQLCA on audit error: "FALSE "
Audit Data Path: "C:\DB2\fdbagent\bin\..\tmp\db2audit\flush\"
Audit Archive Path: "C:\DB2\fdbagent\bin\..\tmp\db2audit\archive\"
AUD0000I Operation succeeded.
11. Configure target monitoring for the database where the agent is installed. For detailed instructions, see Configuring DB2 monitoring on page 202.
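As an added example (not part of the handbook or the agent), the following Python script checks an agent.properties file against the parameter table in step 6 and checks db2audit describe output against the settings expected after steps 2 to 4. The host name and IP address in the sample properties are placeholders, and the assumption that pollingInterval is a positive integer is the editor’s, not the handbook’s.

```python
import re

# Constructed sample of <agent install directory>/conf/agent.properties; the
# host name and IP address are placeholders, not values from the handbook.
SAMPLE_PROPERTIES = """\
# FortiDB DB2 agent settings (constructed example)
agentType=DB2
brokerAddress=fortidb.example.internal
agentDBAddress=10.0.0.25
agentDBPort=50000
removeAuditFile=true
"""

# The db2audit describe output shown in step 10, with the paths as printed there.
SAMPLE_DESCRIBE = r"""DB2 AUDIT SETTINGS:
Audit active: "TRUE"
Log audit events: "FAILURE"
Log checking events: "FAILURE"
Log object maintenance events: "FAILURE"
Log security maintenance events: "FAILURE"
Log system administrator events: "FAILURE"
Log validate events: "FAILURE"
Log context events: "FAILURE"
Return SQLCA on audit error: "FALSE "
Audit Data Path: "C:\DB2\fdbagent\bin\..\tmp\db2audit\flush\"
Audit Archive Path: "C:\DB2\fdbagent\bin\..\tmp\db2audit\archive\"
AUD0000I Operation succeeded.
"""

# Keys and defaults from the agent.properties table above; pollingInterval has
# no default on the page, so it is checked only when present.
REQUIRED_KEYS = ("agentType", "brokerAddress", "agentDBAddress", "agentDBPort")
DEFAULTS = {"brokerPort": "9116", "removeAuditFile": "true"}

def parse_properties(text):
    """Parse Java-style key=value lines; '#' and '!' start comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def _is_port(value):
    return value.isdigit() and 1 <= int(value) <= 65535

def validate_agent_properties(text):
    """Return (effective settings, list of problems) for an agent.properties file."""
    props = parse_properties(text)
    problems = [f"missing required key {k}" for k in REQUIRED_KEYS if k not in props]
    settings = {**DEFAULTS, **props}
    if "agentType" in settings and settings["agentType"] != "DB2":
        problems.append(f"agentType must be DB2, not {settings['agentType']!r}")
    for key in ("brokerPort", "agentDBPort"):
        if key in settings and not _is_port(settings[key]):
            problems.append(f"{key} is not a valid TCP port: {settings[key]!r}")
    if settings["removeAuditFile"].lower() not in ("true", "false"):
        problems.append("removeAuditFile must be true or false")
    # Assumption: pollingInterval is a positive integer (units are not on the page).
    interval = settings.get("pollingInterval")
    if interval is not None and not (interval.isdigit() and int(interval) > 0):
        problems.append("pollingInterval must be a positive integer")
    return settings, problems

SETTING_RE = re.compile(r'^\s*(?P<key>[^:"]+?):\s*"(?P<value>[^"]*)"\s*$')

def parse_db2audit_describe(text):
    """Collect the 'Key: "Value"' lines of db2audit describe into a dict."""
    settings = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            settings[m.group("key").strip()] = m.group("value").strip()
    return settings

def check_audit_settings(settings, expected_status="FAILURE"):
    """Confirm auditing is active, every event class logs at the status set in
    step 3 (failure), and the data and archive paths are set and distinct."""
    problems = []
    if settings.get("Audit active") != "TRUE":
        problems.append("audit facility is not active")
    for key, value in settings.items():
        if key.startswith("Log ") and value != expected_status:
            problems.append(f"{key} is {value}, expected {expected_status}")
    data = settings.get("Audit Data Path", "")
    archive = settings.get("Audit Archive Path", "")
    if not data or not archive:
        problems.append("audit data path or audit archive path is not set")
    elif data == archive:
        problems.append("audit data path and audit archive path must differ")
    return problems
```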
See also
- Users and privileges required by the DB2 agent
Microsoft SQL Server target database pre-configuration
Database user account requirement
To monitor a Microsoft SQL Server database, FortiDB requires a database user that is a member of the sysadmin server role.
Use the following command to add a database user that is a member of sysadmin:
sp_addsrvrolemember 'username', 'sysadmin'
See also
- Adding (or modifying) a target connection
Privileges required by the FortiDB database user
When you configure a target that allows FortiDB to connect to a target database, you specify a database user.
This user requires specific privileges to allow it to perform assessments or monitor database activity.
To grant privileges to the FortiDB user, use the GRANT statement. For example:
GRANT SELECT_CATALOG_ROLE TO <username>
GRANT SELECT ON dbo.syscolumns TO <username>
GRANT SELECT ON SYSIBM.SYSCOLAUTH TO <username>
GRANT ROLE SSO_ROLE TO <username>
For Microsoft SQL Server, use the following command to add a login as a member of sysadmin:
sp_addsrvrolemember '<user name>', 'sysadmin'
See also
- Privileges for VA assessments, privilege summaries, and penetration tests
- Privileges for monitoring data
- Privileges for monitoring privileges
- Privileges for monitoring metadata
- Adding (or modifying) a target connection
Privileges for VA assessments, privilege summaries, and penetration tests
The FortiDB database user for a target database requires the following privileges to run assessments and related tasks:

DB2

Task: Run VA Assessment (except penetration test)
Required privileges:
- CREATE TABLE
- SELECT on the following SYSIBM tables: SYSCOLAUTH, SYSDBAUTH, SYSINDEXAUTH, SYSPLANAUTH, SYSSCHEMAAUTH, SYSTABAUTH, SYSTBSPACEAUTH
- SELECT on the following SYSCAT tables: COLAUTH, DBAUTH, INDEXAUTH, PACKAGEAUTH, SCHEMAAUTH, TABAUTH, TBSPACEAUTH

Task: View a Privilege Summary
Required privileges:
- SELECT on the following SYSIBM tables: SYSCOLAUTH, SYSDBAUTH, SYSINDEXAUTH, SYSPLANAUTH, SYSSCHEMAAUTH, SYSTABAUTH, SYSSYSTABLESPACES, SYSTBSPACEAUTH, SYSUSERAUTH
- SELECT on the following SYSCAT tables: COLAUTH, DBAUTH, INDEXAUTH, PACKAGEAUTH, SCHEMAAUTH, TABAUTH, TBSPACEAUTH

Task: Run Penetration Test
Required privileges:
- SELECT on the following SYSIBM tables: SYSCOLAUTH, SYSDBAUTH, SYSINDEXAUTH, SYSPLANAUTH, SYSSCHEMAAUTH, SYSTABAUTH, SYSTBSPACEAUTH, SYSUSERAUTH

Microsoft SQL Server 2000

Task: Run VA assessment (except penetration test)
Required privileges:
- SELECT on: MASTER.DBO.SPT_VALUES, MASTER.DBO.SYSALTFILES, MASTER.DBO.SYSDATABASES, MASTER.DBO.SYSLOGINS, MASTER.DBO.SYSXLOGINS, SYSCOLUMNS, SYSMEMBERS, SYSOBJECTS, SYSPROTECTS, SYSUSERS
- EXECUTE on: MASTER.DBO.XP_CMDSHELL, MASTER.DBO.XP_INSTANCE_REGENUMVALUES, MASTER.DBO.XP_INSTANCE_REGREAD, MASTER.DBO.XP_LOGINCONFIG, MASTER.DBO.XP_LOGININFO, MASTER.DBO.XP_REGENUMVALUES, MASTER.DBO.XP_REGREAD
- The database user requires the MS-SQL sysadmin role to use the following policies in assessments: DVA MSSQL 01.01 password field empty; DVA MSSQL 01.02 password is the same as login name

Task: View a Privilege Summary
Required privileges:
- For each individual MS-SQL 2000 database you want to connect to, SELECT on: MASTER.DBO.SYSDATABASES (for MS-SQL 2000 server-level connections), SYSMEMBERS, SYSOBJECTS, SYSPROTECTS, SYSUSERS

Task: Run Penetration Test
Required privileges:
- SELECT on: MASTER.DBO.SYSDATABASES (for MS-SQL 2000 server-level connections), MASTER.DBO.SYSXLOGINS, SYS.DATABASE_ROLE_MEMBERS, SYSMEMBERS, SYSOBJECTS, SYSPROTECTS, SYSUSERS (for each individual MS-SQL 2000 database you want to connect to)

Microsoft SQL Server 2005 or 2008

Task: Run VA Assessment (except penetration test)
Required privileges:
- SELECT on: MASTER.DBO.SPT_VALUES, MASTER.DBO.SYSALTFILES, MASTER.DBO.SYSDATABASES, MASTER.DBO.SYSLOGINS, MASTER.DBO.SYSXLOGINS, SYS.COLUMNS, SYS.MEMBERS, SYS.OBJECTS, SYS.PROTECTS, SYS.USERS
- EXECUTE on: MASTER.DBO.XP_CMDSHELL, MASTER.DBO.XP_INSTANCE_REGENUMVALUES, MASTER.DBO.XP_INSTANCE_REGREAD, MASTER.DBO.XP_LOGINCONFIG, MASTER.DBO.XP_LOGININFO, MASTER.DBO.XP_REGENUMVALUES, MASTER.DBO.XP_REGREAD
- The database user requires the MS-SQL sysadmin role to use the following policies in assessments: DVA MSSQL 01.01 password field empty; DVA MSSQL 01.02 password is the same as login name; DVA MSSQL 05.36 List database logins that are part of the local Administrators group; DVA MSSQL 05.37 Verify SQL Server not run as local System Administrator; DVA MSSQL 05.42 Default Microsoft SQL Listener Port Report

Task: View Privileges Summary
Required privileges:
- SELECT on: MASTER.SYS.DATABASES (for Microsoft SQL 2005 Server server-level connections)
- For each individual Microsoft SQL 2005 Server database that you want to connect to, SELECT on: SYS.DATABASE_PERMISSIONS, SYS.DATABASE_PRINCIPALS, SYS.DATABASE_ROLE_MEMBERS, SYS.OBJECTS

Task: Run Penetration Test
Required privileges:
- SELECT on: MASTER.SYS.DATABASES (for Microsoft SQL 2005 Server server-level connections)
- SELECT on: SYS.DATABASE_PERMISSIONS, SYS.DATABASE_PRINCIPALS, SYS.DATABASE_ROLE_MEMBERS, SYS.OBJECTS, SYS.SQL_LOGINS (for each individual Microsoft SQL 2005 Server database that you want to connect to)

Oracle

Task: Run VA Assessment (except penetration test)
Required privileges:
- CREATE SESSION
- SELECT_CATALOG_ROLE
- SELECT on: SYS.AUDIT$, SYS.LINK$, SYS.REGISTRY$HISTORY (Oracle 10g only), SYS.USER$, SYSTEM.SQLPLUS_PRODUCT_PROFILE

Task: View Privilege Summary
Required privileges:
- SELECT on: ALL_USERS, DBA_COL_PRIVS, DBA_ROLE_PRIVS, DBA_ROLES, DBA_SYS_PRIVS, DBA_TAB_PRIVS

Task: Run Penetration Test
Required privileges:
- SELECT on: ALL_USERS, DBA_COL_PRIVS, DBA_ROLE_PRIVS, DBA_ROLES, DBA_SYS_PRIVS, DBA_TAB_PRIVS, SYS.USER$

Sybase and Sybase IQ

Task: Run VA Assessment (except for penetration test)
Required privileges:
- SSO_ROLE
- If the Sybase server is using SybSecurity: on the MASTER database, add the FortiDB user to the database and grant it SELECT permission on the following tables: SYSSRVROLES, SYSLOGINROLES, SYSSECMECHS, SYSDATABASES (AUDFLAGS column), SYSLOGINS (AUDFLAGS column). On any user-defined databases, add the FortiDB user to the database and grant it SELECT permission on the following table: SYSUSERS
- If the Sybase server is not using SybSecurity, grant the database user SELECT permission on the following tables: SYSSRVROLES, SYSLOGINROLES, SYSSECMECHS, SYSDATABASES (AUDFLAGS column)

Task: View a Privilege Summary
Required privileges:
- For each individual database you want to connect to, grant SELECT on: MASTER.DBO.SYSDATABASES (for server-level connections), SYSOBJECTS, SYSPROTECTS, SYSUSERS

Task: Run Penetration Test
Required privileges:
- Grant SELECT on: MASTER.DBO.SYSDATABASES (for server-level connections), SYSOBJECTS, SYSPROTECTS, SYSUSERS (for each individual database that you want to connect to)

MySQL

Task: Run a VA Assessment (including penetration test)
Required privileges:
- SELECT on: mysql.user, mysql.db, mysql.columns_priv, mysql.tables_priv

Task: View a Privilege Summary
Required privileges:
- SELECT on: `INFORMATION_SCHEMA`.*, mysql.user
- SHOW DATABASES
See also
- Adding or modifying assessments
- Viewing and exporting a privilege summary
Privileges for monitoring data
To monitor data, the FortiDB user for your target database requires the following privileges:

RDBMS Type: Oracle
Required Privilege(s):
- For the DB, EXTENDED, and XML File Agent collection methods: CREATE SESSION, SELECT_CATALOG_ROLE, DELETE_CATALOG_ROLE, AUDIT ANY, AUDIT SYSTEM, SELECT on SYS.AUD$, and SELECT on the monitored tables or SELECT ANY TABLE
- For the TCP/IP Sniffer collection method (to support browsing the database to define data policies): CREATE SESSION, SELECT_CATALOG_ROLE, and SELECT on the monitored tables or SELECT ANY TABLE

RDBMS Type: Microsoft SQL Server
Required Privilege(s): Member of sysadmin

RDBMS Type: Sybase
Required Privilege(s):
- For the MDA collection method: no privilege is required for the MDA table
- For the TCP/IP Sniffer collection method (to support browsing the database to define data policies): a user who can browse database objects

RDBMS Type: DB2
Required Privilege(s):
- For the DB2 Agent collection method: SECADM privilege
- For the TCP/IP Sniffer collection method (to support browsing the database to define data policies): a user who can browse database objects

See also
- Configuring target database monitoring
Privileges for monitoring privileges
To monitor privileges, the FortiDB user for your target database requires the following privileges:

RDBMS Type: Oracle
Required Privilege(s): CREATE SESSION, SELECT_CATALOG_ROLE, DELETE_CATALOG_ROLE, AUDIT SYSTEM

RDBMS Type: Microsoft SQL Server
Required Privilege(s):
- For the SQL Trace collection method: SELECT on sys.columns, sys.database_role_members, sys.database_permissions, sysobjects, sys.database_principals, sys.sql_logins; EXECUTE on sp_helpsrvrolemember
- For the TCP/IP Sniffer and Net Agent collection methods: no privilege is required

RDBMS Type: Sybase
Required Privilege(s): No privilege is required for the MDA table or TCP/IP Sniffer

RDBMS Type: DB2
Required Privilege(s): SECADM privilege for DB2 Agent; no privilege is required for TCP/IP Sniffer

See also
- Configuring target database monitoring
Privileges for monitoring metadata
To monitor metadata, FortiDB target database users need the following privileges:

RDBMS Type: Oracle
Required Privilege(s):
- CREATE SESSION, SELECT_CATALOG_ROLE
- For use with auditing: CREATE SESSION, AUDIT SYSTEM, SELECT_CATALOG_ROLE

RDBMS Type: Microsoft SQL Server
Required Privilege(s):
- For the SQL Trace collection method: SELECT on information_schema.columns, sysindexes, sysobjects, information_schema.routines, sys.objects, sys.sql_modules, information_schema.views
- For the TCP/IP Sniffer and Net Agent collection methods: no privilege is required

RDBMS Type: Sybase
Required Privilege(s): No privilege is required for the MDA table or TCP/IP Sniffer

RDBMS Type: DB2 UDB
Required Privilege(s): SECADM privilege for DB2 Agent; no privilege is required for TCP/IP Sniffer

See also
- Configuring target database monitoring
Managing targets
To assess and monitor your databases using FortiDB, you first create connections to them. The completed configuration is called a target. Use the Targets page to organize your targets.
Columns
The Target page displays the following columns:
Status (Connection status): An icon indicates whether the information for the target database is complete or not complete.
Name: User-defined target connection name. Click it to display the target configuration settings (General tab).
DB Name: The name of the target database.
DB Host Name/IP: Database host name or IP address of the computer where the target database is located.
Port: Port number to use for the connection.
DB Type: One of the following database types: ORACLE, MSSQL, DB2, SYBASE, or MYSQL.
Action: Click the Edit icon to modify the target (the same as clicking the DB Name).
Buttons and fields
The Target page displays the following buttons and fields:
View dropdown: Filters the list of targets by database type.
Search / New Group: Search the list of targets and, optionally, create a new target group using the search results.
Add: Create a target.
Delete: Delete one or more selected targets.
Import: Import targets using an XML-format file.
Export selected to XML: Export selected targets as an XML-format file.
Export all to XML: Export all targets as an XML-format file.
Export all to PDF: Export the target list as a PDF file.
See also
- Searching or filtering the target list
- Adding (or modifying) a target connection
Searching or filtering the target list
You can search the list of targets, or create a filtered list of targets that you can place in a named group.
1. Do one of the following:
- Click Target Database Server > Targets, and then click Search/New Group.
- Click Target Database Server > Target Groups, and then click Add.
2. For Column, Operator, and Value, select and enter values that specify the targets that you want in the list.
To add additional filtering criteria, click + (plus sign) and complete the settings for the new row. Click - (minus sign) to delete a row.
The value you enter for Value is case-sensitive.
You cannot use the same Column value in multiple rows. For example, you cannot create a row for Location = 'London' and a row for Location = 'New York'.
For example:
Attribute       Operator   Value   Return Possibilities
Location        Contains   nd      all databases in London
Database Type   Equals     DB2     all DB2 databases
3. Click Search to apply the criteria.
4. Continue working with the filtered list, as required.
For example, click the name of a target to edit its properties. To use the list to create a target group, enter a name and click Save Group.
See also
- Adding (or modifying) a target connection
Adding (or modifying) a target connection
1. Go to Target Database Server > Targets.
2. Do one of the following: l l
To create a target, click Add.
To modify a target, click the name of a target database.
3. On the General tab, complete the following settings:
Name: Do not use spaces in the name.
Type: If you select Oracle, complete the settings on the SSH tab. If you select DB2, on the DB2 Options tab, do one of the following:
- Select SSH, and then complete the settings on the SSH tab. For more information on SSH tab settings, see Configuring SSH connections to Oracle and DB2 databases.
- Select an option other than SSH. For more information on these settings, see ….
DB Host Name/IP: Enter the DB host name or IP address of the computer where the target database is located.
Port: Enter the number of the port the database uses; the default port is 1521.
Connect At: Displayed for Microsoft SQL Server or Sybase only. Select Database Level or Server Level. Select Server Level to exclude the databases specified by the … or Sybase Server Level Exclusions global properties.
Additional JDBC Settings: By default, the target uses the additional JDBC settings values that you set in the Target global properties. For more information on these properties, see …. To use different values, enter one or more key-value pairs separated by a semicolon.
For Microsoft SQL Server or Sybase databases only, you can also do the following:
- Microsoft SQL Server: To support an SSL-encrypted connection, in SQL Server, set ForceEncryption to Yes. Then, for Additional JDBC Settings, enter SSL=require. (To connect without encryption, in SQL Server, set ForceEncryption to No.) If you use NTLM version 2 authentication, enter useNTLMv2=true.
- Sybase: To support an SSL-encrypted connection, enter SYBSOCKET_FACTORY=com.fortinet.fortidb.target.internal.connection.SybaseSSLSQL
Note: Database activity monitoring (DAM) using the TCP/IP sniffer is not available when FortiDB connects to Sybase using SSL.
DB Activity Monitoring: Select to monitor this database.
4. (Optional) Enter information on the Classification and Contact Info tabs.
You can use this information to filter the list of targets when you search the list of targets or create target groups.
5. To test your connection, select Test Connection.
6. Click Save.
See also
- Configuring SSH connections to Oracle and DB2 databases
- SSH environment requirements (software-only version)
- Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX
Configuring DB2 options
When you configure a connection to a DB2 database, on the DB2 Options tab, for Retrieval Method, select one of the following options. After you have completed the required settings, click Test Connection to verify them:
SSH: Select to configure FortiDB to connect to the database using Secure Shell (SSH), and then complete the settings on the SSH tab. For more information on the SSH tab, see Configuring SSH connections to Oracle and DB2 databases on page 109.
DB2 Level Command: Select to configure FortiDB to connect to the database using the output from DB2 commands. Then, complete the following settings:
- db2level Output: Enter the output of the db2level command (show DB2 service level command).
- dbm cfg Output: Enter the output of the db2 get dbm cfg command (get database manager configuration command).
Use SQL query for connection: Select to configure FortiDB to use a SQL query to connect to the DB2 server. To use this option, ensure that the FortiDB database user is granted EXECUTE permission on the stored procedure.
Configuring SSH connections to Oracle and DB2 databases
You can configure FortiDB to connect to Oracle and DB2 target databases using Secure Shell (SSH).
If you are using the software-only version of FortiDB and connecting using SSH, additional configuration is required. For more information on these requirements, see SSH environment requirements (software-only version) on page 110.
To configure an SSH connection
1. On the Target page, click the SSH tab.
2. Specify a port number.
The default port is 22.
3. For Access Method, select one of the following values:
Password — Select to connect using the name of the database user and a password, and then enter the user information.
Implicit Key Pair — Select to connect using the name of the database user and the SSH key file specified by the global property, and then enter the user name.
Explicit Key Pair (software-only version) — Select to connect using a private key and passphrase (if you provided one when you generated the key), and then complete the following settings:
- User Name — Enter the FortiDB SSH user.
- Key Path — Enter the directory on your SSH client computer where the private key is located. Then, in the specified directory, create the directory ./ssh and copy the private key to it.
- Pass Phrase — Enter an optional passphrase. You enter a passphrase when you generate a private key.
4. If you want to use the operating system vulnerability assessment (OSVA) feature and the target is an Oracle database running on Solaris or AIX, select Enable OSVA, and then complete the required settings. For more information on these settings, see Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX.
5. To test the connection, click Test SSH Connection.
SSH environment requirements (software-only version)
When you use the software-only version of FortiDB, the following SSH environment is required to allow FortiDB to connect to target databases using an SSH connection.
In addition, for some Oracle databases, additional configuration is required to use the operating system vulnerability assessment (OSVA) feature.
If you need help setting up a working SSH environment, contact your System Administrator.
The target configuration SSH tab provides two Access Method options: Implicit Key Pair (the key pair is specified by the global property) and Explicit Key Pair (the key pair information is specified on the SSH tab). For more information on the SSH tab, see Configuring SSH connections to Oracle and DB2 databases on page 109.
Public Key handling — For either the Implicit Key Pair or Explicit Key Pair method, use secure copy (SCP) to copy the public key that you generate on the SSH client to your SSH server. Then, append the key to the authorized_keys file located in the .ssh directory within the home directory of the FortiDB SSH user.
Private Key handling — For either the Implicit Key Pair or Explicit Key Pair method, generate id_dsa or id_rsa private keys and copy them to the .ssh directory under the user's home directory on the SSH client machine. In a Windows environment, the private key resides in the /.ssh directory under the user's home directory. The exact directory depends on the OS version. For example, C:\Documents and Settings\All Users.
SSH Client Location — The SSH client runs on your FortiDB machine.
SSH Server Location — The SSH server runs on your target database machine.
User account for SSH User — To configure an SSH connection, a user account on your target database machine is required.
DB2 Target Specific Instructions — In some cases, additional configuration is required for the FortiDB OS user that you created on a DB2 target database machine. For example, if the user is db2inst3 and you use the bash shell, add the following entry to your .bashrc file:
if [ -f /home/db2inst3/sqllib/db2profile ]; then
    . /home/db2inst3/sqllib/db2profile
fi
Operating system vulnerability assessment (OSVA) with Oracle targets — If the target is an Oracle database on Solaris, to use the FortiDB operating system vulnerability assessment (OSVA) feature, specify the Home Directory, Owner, and owner's Group of your target database. For more information on these settings, see Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX on page 111.
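The Public Key handling row above describes the server-side step by hand. The following shell function is an added example, not part of the handbook and not FortiDB's own tooling: it performs the authorized_keys step for the FortiDB SSH user in a way that can be re-run safely, creating the .ssh directory and authorized_keys file with the modes sshd expects (700 and 600), rejecting input that is not an OpenSSH public key line, and appending the key only if the same key type and key blob are not already present. The home directory and key file path are parameters, and the key used when you try it is a constructed placeholder, not a real key.

```shell
# Added example (not from the FortiDB handbook): install a public key for the
# FortiDB SSH user on the target (SSH server) side, idempotently and with the
# permission bits sshd requires. Paths are parameters; nothing here is FortiDB's.

# install_authorized_key <ssh_user_home> <public_key_file>
# Appends the key to $home/.ssh/authorized_keys unless the same key is already
# present, and enforces mode 700 on .ssh and 600 on authorized_keys.
install_authorized_key() {
    home="$1"
    pubkey="$2"
    sshdir="$home/.ssh"
    authkeys="$sshdir/authorized_keys"

    [ -r "$pubkey" ] || { echo "public key file not readable: $pubkey" >&2; return 1; }
    # One key per line; refuse anything that does not look like an OpenSSH public key.
    keyline=$(head -n 1 "$pubkey")
    case "$keyline" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ssh-dss "*|"ecdsa-sha2-"*) ;;
        *) echo "not an OpenSSH public key line: $pubkey" >&2; return 1 ;;
    esac

    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$authkeys" && chmod 600 "$authkeys" || return 1

    # Compare key type and key blob only (fields 1 and 2); the trailing comment may differ.
    keyid=$(printf '%s\n' "$keyline" | awk '{print $1 " " $2}')
    if awk -v id="$keyid" '($1 " " $2) == id {found=1} END {exit !found}' "$authkeys"; then
        return 0   # already authorized, nothing to do
    fi
    printf '%s\n' "$keyline" >> "$authkeys"
}

# count_authorized_keys <ssh_user_home>: number of key lines, for verification.
count_authorized_keys() {
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return 0; }
    grep -c -E '^(ssh-|ecdsa-sha2-)' "$f"
}

# perms <path>: octal mode, portable between GNU and BSD stat.
perms() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then stat -c '%a' "$1"; else stat -f '%Lp' "$1"; fi
}
```

Run it on the target, as or on behalf of the FortiDB SSH user, after copying the public key over with scp. Because the match is on key type and blob rather than the whole line, re-running it with a key whose comment has changed does not create a duplicate entry, and a mis-pasted file that is not a key is refused before anything is written.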
Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX
If the target is an Oracle database running on Solaris or AIX, additional configuration is required to use the
FortiDB operating system vulnerability assessment (OSVA) feature.
For information on other SSH settings, see Configuring SSH connections to Oracle and DB2 databases on page 109.
To enable operating system vulnerability assessment (OSVA)
1. On your target computer, ensure that the opatch command path is included in the $PATH environment variable.
2. On the SSH tab, select Enable OSVA, and then complete the following settings. If you do not have this information, contact your Oracle administrator:
Operating System — Select Solaris or AIX.
Home Directory — Enter the Oracle home directory ($ORACLE_HOME).
Owner — Enter the name of the Oracle owner.
Group — Enter the name of the Oracle user group. In most cases, it is dba or oinstall.
3. Click Save.
Exporting target information
You can use the Targets page to export all targets or targets you select. You can also use the page to import targets using an XML format file.
When you export target information in PDF format, the file contains only parts of the target information and you cannot use it to import targets.
To export information for all targets as an XML or PDF file
1. On the Targets page, for View, select All.
2. Do one of the following:
- Click Export all to XML.
- Click Export all to PDF.
To export one or more selected targets as an XML file
1. On the Targets page, do one of the following:
- For View, select a target group.
- Click Search/New Group and use the filters to search for targets. For information on using the filter options, see Searching or filtering the target list on page 106.
2. Do one of the following:
- Select the checkbox beside one or more target names, and then click Export selected to XML.
- Select the checkbox in the column heading to select all list items.
- Click Export all to XML.
Importing targets
You can use the Targets page to import target information in XML format. For example, you can import targets that you exported from another FortiDB appliance.
When you export target information in PDF format, the file contains only parts of the target information and you cannot use it to import targets.
To view an example of a file that you can import, export an existing target. The software-only version of FortiDB provides example files in the following directory:
<FortiDB install directory>/etc/import-target
Before you import a target, do the following:
- Ensure that the target name is unique. If you import a target with the same name as an existing target, FortiDB overwrites the existing target information with the information in the imported file.
- Ensure that the file provides values for all required elements. If an imported XML file does not have all the required values, FortiDB displays it in the list of targets with an incomplete status icon.
- Do not change any encrypted values. For passwords, use clear text. FortiDB encrypts this text during the importing process.
- Do not change the value of <databaseType>.
To import a target
1. In the navigation menu, go to Target Database Server > Targets.
2. Click Import.
The Target Import page is displayed.
FortiDB imports target information based on the value of Name. If the Name value already exists in the target list, FortiDB overwrites the existing target with the imported data.
3. Click Choose file, and then navigate to the file and select it.
4. Select Import.
The following information is displayed.
Name — The value of the <name> element.
Results — Indicates the status of the imported target: New, Updated, or Failed.
Complete — Indicates whether one or more required elements are missing a value.
Message — Indicates the reason why Failed is displayed in the Results column.
5. Click the Continue button to complete the import.
Managing target groups
The Target Database Server > Target Groups page displays all pre-defined and user-defined target groups.
Use it to complete the following tasks:
- To add a target group, select Add. For more information, see Adding or modifying a target group on page 114.
- To modify a target group, click its name.
- To delete a user-defined target group, select it, and then click Delete. You can select more than one target group for deletion.
You can modify or delete a pre-defined target group. However, you cannot revert a target group to its original content or restore a target group you deleted.
See also
- Adding or modifying a target group
Pre-defined target groups
FortiDB provides the following pre-defined target groups:
- DB2 Database Group
- MySQL Database Group
- Oracle Database Group
- Microsoft SQL Server Database Group
- Sybase Database Group
- Sybase IQ Database Group
- MongoDB Database Group
See also
- Adding or modifying a target group
Adding or modifying a target group
1. On the navigation menu, go to Target Database Server > Targets.
2. Do one of the following:
- To create a target group, click Add.
- To modify a target group, click the name of the group.
3. On the Targets page, complete the required settings.
For Group Name, enter or edit the name that is displayed in the list of target groups.
For Description, enter a description, for example, your filtering or grouping criteria.
To cancel the target group creation process, click Cancel.
4. Use the filtering options to display the targets you want in the group in the list of targets.
For information on filtering the list, see Searching or filtering the target list on page 106.
5. Click Save Group.
The new group is displayed in the Target Groups page.
See also
- Auto-discovery
Auto-discovery
Auto-discovery facilitates the creation of target-database connections by searching your network for potential target databases.
Auto-discovery scans for potential target databases according to your specified IP address range, database-type specification, and port numbers.
See also
- How to discover Microsoft SQL Server
- Adding targets from auto-discovery
How to discover DB2 databases
When attempting to discover DB2 target databases:
- The FortiDB appliance must be able to connect to TCP port 523. If the connection fails, examine firewall policies, router rules, and other causes.
- The DB2 Administration Server (DAS) must be running.
How to discover Microsoft SQL Server
When attempting to discover Microsoft SQL Server target databases, in order to display the correct database version, verify that:
- Your SQL Server instance is running.
- Your SQL Server Browser service is running.
Running auto-discovery
This topic describes how to perform auto-discovery.
To run auto-discovery, the FortiDB Administrator (the admin user that ships with FortiDB) or an administrator with the Target Manager role is required.
1. Go to Target Database Server > Auto Discovery in the left-side menu.
2. To discover a single database, enter the IP address in the From field and leave the To field blank. To discover multiple databases, enter a range of IP addresses by using both the From field and the To field.
3. Select the Add button. The discovered IP address(es) should be added to the list of IP addresses. To delete an IP address (or address range) already on the list, select the check box on the left of the IP address or range and select the Remove button.
4. Specify the database types to attempt discovery for and their respective port ranges to discover from the list:
a. Select or clear the check box(es) on the left of the list.
b. Add or edit the port ranges in the To and From fields.
5. Select one or more IP address rows and then select the Begin Discovery button. One of the following status messages will be displayed at the top of the screen.
Running... — This status appears on the right side of the view header next to "Status". The "processing" icon appears next to the page title. The Discovery Result page will display.
No databases found — No database was found at the specified IP address.
Idle — Has one of these meanings:
- The user cancelled the auto-discovery process before completion.
- This is the status after Running...
- This is the status after No databases found.
To stop running auto-discovery before the process is complete, select Abort.
6. The Auto Discovery Results page is displayed. One icon indicates that a database was discovered; another icon indicates that the database was added to the targets list.
Adding targets from auto-discovery
This topic describes how to add target-database configuration to the Targets page from the Auto Discovery Results.
1. Run auto-discovery.
2. Mark the check box(es) next to the targets you want to add to your list of target databases.
3. Select the Add to Targets button at the bottom.
4. Go to the Targets page, where you should see that the auto-discovered target databases have been added to the Targets list.
Vulnerability assessment (VA) policies
Vulnerability assessment (VA) policies are best-practice business rules that FortiDB uses to assess databases.
FortiDB has hundreds of pre-defined policies that address industry and governmental compliance requirements, as well as security best practices.
See also
- Managing VA pre-defined policies
Types of VA policies
You can use the following two types of policies for database vulnerability assessments:
- Pre-defined policies — Fortinet adaptation of best practice database security policy. In addition to numerous database vulnerability policies, Fortinet also provides policies that help you perform OS-level assessments, such as making sure that your OS version is appropriate for the version of your target database.
- User-defined policies — Customer or third-party adaptation of an industry or company-specific security policy. You create these types of policies using conventional or procedural SQL.
You can use the policy groups that ship with FortiDB or create your own.
See also
- Managing VA pre-defined policies
Updates to VA policies
Fortinet updates its policies several times a year with an XML file containing new or enhanced policies. Fortinet recommends that you import this list to keep your policies current. You can download the latest policies from FortiGuard Center. For more information, see Managing VA pre-defined policies on page 120.
Exporting and importing VA policies
If you want to move FortiDB policies to another computer, you can export the source from the FortiDB repository as XML files and then import them into the target FortiDB repository.
Before you import policies, verify that the XML file contains the correct elements.
FortiDB does not validate Database Type, Severity, and Classification when it imports policies. To view a sample of correct content, export one or more policies.
See also
- Exporting user-defined policies
- Importing user-defined policies
VA policy version
The policy version tracks the following information:
- Pre-defined policies you imported and used for assessments. The policy version number is incremented when you import pre-defined policy updates.
- User-defined policies you updated. When you use the Modify User Defined Policy page to update a user-defined policy, FortiDB does not change the policy version number. To update the policy version number, export your user-defined policy, change the policy version number, and then import the policy. You cannot import a user-defined policy that has a policy number that is equal to or lower than the original policy number.
When you restore data from an old archive (prior to FortiDB version 3.2.1), the data has the latest version of policies at the time you restored.
See also
- Exporting user-defined policies
- Importing user-defined policies
VA policy groups
You add policies to assessments using policy groups. A policy group must contain at least one policy.
FortiDB has the following pre-configured policy groups:
- DB2 Policy Group
- MySQL Policy Group
- Oracle Policy Group
- Pen Test Policy Group
- SQL Server Policy Group
- Sybase Policy Group
- Sybase IQ Policy Group
VA policy states
A FortiDB policy can have one of the following states:
Enabled — FortiDB is currently using this policy when it runs assessments.
Disabled — FortiDB is currently not using this policy when it runs assessments.
Modified and Enabled — The policy has been modified and FortiDB is currently using it when it runs assessments.
Modified and Disabled — The policy has been modified but FortiDB is not currently using it when it runs assessments.
New and Enabled — The policy is new and FortiDB is currently using it when it runs assessments.
New and Disabled — The policy is new but FortiDB is not currently using it when it runs assessments.
Each state is shown in the policy list with its own icon.
See also
- Managing VA pre-defined policies
Keywords and user keywords for VA policies
Keywords are read-only, pre-defined policy keywords.
User Keywords are keywords specified by you. You can use keywords to help you create policy groups.
Managing VA pre-defined policies
Use the Pre-Defined Policies tab to manage pre-defined policies. To view only certain policies, you can use the View dropdown list at the top of the page. You can also import additional policies or updates to existing policies.
The pre-defined policies list has the following columns:
Status — Enabled, Disabled, New and Enabled, New and Disabled, Modified and Enabled, or Modified and Disabled (each shown with its icon).
Name — Pre-defined policy name.
DB Type — Oracle, Sybase, DB2, Microsoft SQL Server, MySQL, or SYBASEIQ.
Severity — User-defined severity level. There are 5 levels of severity: Informational (default), Cautionary, Minor, Major, and Critical.
Classification — Unclassified, Configuration, Password, Privilege, Database server, or Host System.
You can perform the following actions on this tab:
- To view policies in a specific policy group only, for View, select the name of the group.
- Click Search/New Group to create a new policy group.
- To enable or disable a policy, select the policy in the list and then click Enable or Disable.
- Click Import to import new or updated policies into the FortiDB repository.
- Click Export to export all policies in the current list as an XML file.
To export pre-defined policies
1. In the navigation menu, go to Policy > VA Policies.
2. On the Pre-Defined Policies tab, for View, select All or a policy group you want to export.
The state of the checkboxes next to the individual policies does not affect which policies FortiDB exports. FortiDB always exports all items in the current list.
3. Click Export.
Your browser downloads the XML file.
See also
- Importing pre-defined policies (appliance)
- Importing pre-defined policies (software-only FortiDB)
Importing pre-defined policies (appliance)
To keep your policy sets current and effective, you can use the Fortinet Distribution Network (FDN) to import new and updated policies that FortiDB periodically offers its customers.
1. In the navigation menu, go to Policy > VA Policies.
Alternatively, go to Policy > VA Policy Groups, and then click the name of a policy group.
2. Click Import.
The Pre-Defined Policy Update page is displayed.
3. Do one of the following:
- To automatically disable any new or modified policies you import, select Disable new and modified rules after import.
- To automatically enable any new or modified policies you import, clear Disable new and modified rules after import.
4. Do one of the following:
- To use icons that identify whether a policy is new or modified with the imported policies, select Identify new and modified rules with icons.
- To use icons that do not indicate whether a policy is new or modified with the imported policies, clear Identify new and modified rules with icons.
Fortinet recommends that you select Identify new and modified rules with icons.
5. Select Import Updates from FortiGuard Center.
FortiDB connects to FortiGuard Center and downloads any updates. Then, a message like “Updated 12 policies of 544 found in file” is displayed.
The downloaded update file contains all policies. However, FortiDB only updates modified policies. For example, in the sample message, the downloaded update file contains a total of 544 policies only 12 of which needed to be updated in your system. The other 532 policies in the update file are identical to those already in your system.
Appliance users can also import policy updates by using the Select XML file to be uploaded field: click the Browse button, select the XML file to upload, and then select the Import button.
See also
- Managing VA pre-defined policies
- Importing pre-defined policies (software-only FortiDB)
Importing pre-defined policies (software-only FortiDB)
You can import pre-defined policies by uploading XML files containing these policies.
Before performing this task, you may need to download one or more XML files from a designated FortiDB web or FTP site.
This task includes importing the new and updated policies that FortiDB periodically offers its customers in order to keep their policy sets current and effective.
1. In the navigation menu, go to Policy > VA Policies.
Alternatively, go to Policy > VA Policy Groups, and then click the name of a policy group.
2. Click Import.
The Pre-Defined Policy Update page is displayed.
3. For Select XML file to be uploaded, click Choose File, and then navigate to and select the update file.
4. Do one of the following:
- To automatically disable any new or modified policies you import, select Disable new and modified rules after import.
- To automatically enable any new or modified policies you import, clear Disable new and modified rules after import.
5. Do one of the following:
- To use icons that identify whether a policy is new or modified with the imported policies, select Identify new and modified rules with icons.
- To use icons that do not indicate whether a policy is new or modified with the imported policies, clear Identify new and modified rules with icons.
Fortinet recommends that you select Identify new and modified rules with icons.
6. Select Import.
The policies are added to the list on the VA Policies page.
See also
- Managing VA pre-defined policies
- Importing pre-defined policies (appliance)
OS-Level pre-defined policies
The FortiDB OS-Level pre-defined policies gather and evaluate information about the target database's operating system (OS). They use SSH and a client-side script that contains OS commands.
To assess Oracle target computers using OS-Level pre-defined policies, see Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX on page 111.
The OS-Level pre-defined policies require the following permissions:
OSVA ORCL 01.01 Oracle Critical Patches (opatch)
Purpose — Returns the opatch version and the applied critical patch numbers.
Required permissions — Oracle 9i, 10g, 11g, 12c:
- The SSH user needs execute permission on opatch.
- The SSH user's PATH variable should include the location of opatch.
Oracle 10g, 11g, 12c:
- The SSH user needs read, write, and execute permissions on opatch.
- The SSH user needs read, write, and execute permissions on $ORACLE_HOME/cfgtoollogs/opatch/lsinv.

OSVA ORCL 01.02 Oracle Owner-Login Check
Purpose — Alerts if the Oracle owner, which is specified on the FortiDB Database Connection GUI, is not in /etc/passwd.
Required permissions — The SSH user needs read permission on /etc/passwd with the cat and grep commands.

OSVA ORCL 01.03 Oracle DBA-Group Check
Purpose — Alerts if dba is not in the /etc/group file.
Required permissions — The SSH user needs read permission on /etc/group with the cat and grep commands.

OSVA ORCL 01.04 Oracle DBA-Group-Member List
Purpose — Returns a list of members of the dba group from /etc/passwd and /etc/group.
Required permissions — The SSH user needs read permission on /etc/passwd and /etc/group with the cat and grep commands.

OSVA ORCL 01.05 Oracle Process-Owner Check
Purpose — Alerts if the Oracle process is being run by a non-Oracle user such as root or bin.
Required permissions — The SSH user needs execute permission on the ps and grep commands.
OSVA ORCL 01.06 Oracle Excessive Directory & File Permissions Check
Purpose — Alerts if other permissions on the Oracle Home directory (and its contents) specified on the Create/Modify Database Connection screen include both read and write (and not execute).
Required permissions — The SSH user needs other read and execute permissions on the $ORACLE_HOME directory. For example setup instructions, see Using Minimally-Privileged User with an ACL.

OSVA ORCL 01.07 Oracle Correct Directory/File Owner & Group Check
Purpose — Alerts if files and directories under the Oracle Home directory specified on the Create/Modify Database Connection screen do not have the correct owner and group permissions. Exempt from this check are:
- $ORACLE_HOME/bin/oracle
- $ORACLE_HOME/bin/oradism
- $ORACLE_HOME/bin/dbsnmp
Required permissions — The SSH user needs other read and execute permissions on the $ORACLE_HOME directory. For example setup instructions, see Using Minimally-Privileged User with an ACL.

OSVA ORCL 01.08 Oracle setuid/setgid File Check
Purpose — Alerts if setuid or setgid permissions are assigned to files and directories under the Oracle Home directory specified on the Create/Modify Database Connection screen. Exempt from this check are:
- $ORACLE_HOME/bin/oracle
- $ORACLE_HOME/bin/oradism
- $ORACLE_HOME/bin/dbsnmp
Required permissions — The SSH user needs other read and execute permissions on the $ORACLE_HOME directory. For example setup instructions, see Using Minimally-Privileged User with an ACL.
OSVA ORCL 01.09 Oracle Database-Configuration-Change Check
Purpose — This policy checks whether these database configuration files changed between the previous and current assessments:
- init.ora
- spfile.ora
Required permissions:
- The SSH user needs execute permission on ls for the $ORACLE_HOME/dbs/ directory.
- The SSH user needs read permission on the $ORACLE_HOME/dbs/ directory.

OSVA ORCL 01.10 Oracle Network-Configuration-Change Check
Purpose — This policy checks whether these network configuration files changed between the previous and current assessments:
- listener.ora
- tnsnames.ora
- sqlnet.ora
Required permissions:
- The SSH user needs execute permission for ls on the $ORACLE_HOME/network/admin/ directory.
- The SSH user needs read permission on the $ORACLE_HOME/network/admin/ directory.

OSVA ORCL 01.11 Oracle Installed-Operating-System Info
Purpose — Returns the OS name and version.
Required permissions:
- The SSH user needs execute permission for cat on the /etc/release file.
- The SSH user needs read permission on the /etc/release file.

OSVA ORCL 01.12 Oracle External-Procedure Processes Running Check
Purpose — Alerts if an external-procedure process is running on the target server.
Required permissions — The SSH user needs execute permission for ps and grep.

OSVA ORCL 01.13 Oracle EXTPROC
Purpose — Alerts if any EXTPROC settings are listed in listener.ora. For example: (SID_NAME = PLSExtProc)
Required permissions:
- The SSH user needs execute permission for cat on the listener.ora file.
- The SSH user needs read permission on the listener.ora file.

OSVA ORCL 01.14 Oracle Missing-Listener-Password Check
Purpose — Alerts if a PASSWORD setting is missing in listener.ora.
Required permissions:
- The SSH user needs execute permission for cat on the listener.ora file.
- The SSH user needs read permission on the listener.ora file.
OSVA ORCL 01.15 Oracle Missing-Listener-ADMIN_RESTRICTIONS Check
Purpose — Alerts if an ADMIN_RESTRICTIONS setting is missing in listener.ora.
Required permissions:
- The SSH user needs execute permission for cat on the listener.ora file.
- The SSH user needs read permission on the listener.ora file.

OSVA ORCL 01.16 Oracle Default-Listener Check
Purpose — Alerts if the default LISTENER is set in listener.ora.
Required permissions:
- The SSH user needs execute permission for cat on the listener.ora file.
- The SSH user needs read permission on the listener.ora file.

OSVA ORCL 01.17 Oracle Default-Port (1521) Check
Purpose — Alerts if the default PORT is set in listener.ora.
Required permissions:
- The SSH user needs execute permission for cat on the listener.ora file.
- The SSH user needs read permission on the listener.ora file.

OSVA ORCL 01.18 Oracle Advanced-Listener-Security Settings Check
Purpose — Alerts if any Oracle Advanced Security settings are missing in sqlnet.ora. For example, the presence of the following would not cause an alert:
SQLNET.ENCRYPTION_SERVER = Requested
Required permissions:
- The SSH user needs execute permission for grep on the sqlnet.ora file.
- The SSH user needs read permission on the sqlnet.ora file.

OSVA ORCL 01.19 Oracle Configured Listener List
Purpose — Displays all listener names.
Required permissions:
- The SSH user needs execute permission for cat on the listener.ora file.
- The SSH user needs read permission on the listener.ora file.
OSVA ORCL 01.20 Oracle Unencrypted Listener Password Check
Purpose — Alerts if the password in listener.ora is unencrypted. Encrypted passwords should be 16 characters long and consist only of uppercase letters from A to F or numbers. For example, the following is an acceptably encrypted password and would not generate an alert:
PASSWORDS_LISTENER = F56401ADBA6810DS
Required permissions:
- The SSH user needs execute permission for cat on the listener.ora file.
- The SSH user needs read permission on the listener.ora file.
Use your known_hosts file to give access to certain hosts only.
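As an added illustration (not FortiDB's own code), the following Python script applies the listener.ora rules of OSVA ORCL 01.14 through 01.17 and 01.20 to a constructed listener.ora. The file layout it parses (parameters in column 0, nested blocks indented) and the parenthesised list form of PASSWORDS_<listener> are assumptions about Oracle's network file format, and the encrypted-password rule is applied literally as stated above (16 characters from 0-9 and A-F).

```python
import re

# Constants taken from the OSVA ORCL 01.16, 01.17 and 01.20 rule texts above.
DEFAULT_LISTENER_NAME = "LISTENER"
DEFAULT_PORT = "1521"
ENCRYPTED_PASSWORD_RE = re.compile(r"^[0-9A-F]{16}$")
# Assumption: a top-level parameter starts in column 0; indented lines belong
# to the value of the parameter above them.
TOP_LEVEL_KEY_RE = re.compile(r"(?m)^([A-Za-z][A-Za-z0-9_.]*)[ \t]*=")


def parse_listener_ora(text):
    """Return {PARAMETER: raw value} for every top-level parameter in listener.ora.

    '#' starts a comment, as in Oracle network files. Nested (DESCRIPTION ...)
    blocks are kept verbatim as the value of the listener they belong to.
    """
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    keys = list(TOP_LEVEL_KEY_RE.finditer(stripped))
    entries = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(stripped)
        entries[m.group(1).upper()] = stripped[m.end():end].strip()
    return entries


def listener_names(entries):
    """Listener definitions are the parenthesised blocks that are neither SID lists nor password lists."""
    return sorted(name for name, value in entries.items()
                  if value.startswith("(") and not name.startswith(("SID_LIST_", "PASSWORDS_")))


def password_values(raw):
    """PASSWORDS_<listener> holds one value or a parenthesised, comma-separated list (assumption)."""
    return [p.strip() for p in raw.strip("()").split(",") if p.strip()]


def check_listener_ora(text):
    """Apply the five listener.ora checks; return (check id, listener, message) tuples."""
    entries = parse_listener_ora(text)
    findings = []
    for name in listener_names(entries):
        definition = entries[name]
        pw_key = "PASSWORDS_" + name
        if pw_key not in entries:
            findings.append(("OSVA ORCL 01.14", name, "no PASSWORD setting"))
        elif not all(ENCRYPTED_PASSWORD_RE.match(p) for p in password_values(entries[pw_key])):
            findings.append(("OSVA ORCL 01.20", name, "listener password is not encrypted"))
        if "ADMIN_RESTRICTIONS_" + name not in entries:
            findings.append(("OSVA ORCL 01.15", name, "no ADMIN_RESTRICTIONS setting"))
        if name == DEFAULT_LISTENER_NAME:
            findings.append(("OSVA ORCL 01.16", name, "default listener name in use"))
        if re.search(r"\(\s*PORT\s*=\s*" + DEFAULT_PORT + r"\s*\)", definition):
            findings.append(("OSVA ORCL 01.17", name, "default port 1521 in use"))
    return findings


# Constructed sample file (not from a real host): LISTENER is left at its
# defaults, APP_LSNR has been configured along the lines of the checks above.
SAMPLE_LISTENER_ORA = """\
# constructed sample listener.ora
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.test)(PORT = 1521))
    )
  )

APP_LSNR =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.test)(PORT = 1526))
    )
  )
PASSWORDS_APP_LSNR = F56401ADBA6810DC
ADMIN_RESTRICTIONS_APP_LSNR = ON

SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = ORCL)(ORACLE_HOME = /u01/app/oracle)))
"""

if __name__ == "__main__":
    for check_id, listener, message in check_listener_ora(SAMPLE_LISTENER_ORA):
        print(f"{check_id}: {listener}: {message}")
```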
See also
- Setting an access control list (ACL) for minimally-privileged users
Setting an access control list (ACL) for minimally-privileged users
To provide more secure access to target databases, create an access control list (ACL). For example, an ACL that enables a minimum-permission user to perform, via SSH, the OS-level operations used by the FortiDB OS-level pre-defined policies.
In general, you create a user, belonging to the nobody group, on your target database machine. Then use an ACL to give that user only the specific permissions necessary to execute the OS-level pre-defined policies that you are interested in.
The following examples grant the SSH user read and execute permissions on the $ORACLE_HOME directory, which is required by some operating system vulnerability assessment (OSVA) pre-defined policies.
Example one: Set ACL on an Oracle 10g target server for OSVA ORCL 01.01
1. Assume the SSH user is fortidb.
$ setfacl -m user:fortidb:rwx,mask:rwx $ORACLE_HOME/cfgtoollogs/opatch/lsinv
2. To confirm permissions:
$ getfacl $ORACLE_HOME/cfgtoollogs/opatch/lsinv
This command returns something like the following response:
# file: /export/home/ora1020/product/10.2.0/Db_1/cfgtoollogs/opatch/lsinv
# owner: ora1020
# group: oinstall
user::rwx
user:fortidb:rwx        #effective:rwx   <--- Please check it
group::r-x              #effective:r-x
mask:rwx
other:r-x
Example two: Set ACL on an Oracle 9, 10g, 11g, or 12c target server for OSVA ORCL 01.06, 01.07, and 01.08
This example describes how to set ACL on an Oracle 10g target server for OSVA ORCL 01.01.
1. In order to find the directories within $ORACLE_HOME for which the required permissions do not exist, execute the following, as the Oracle owner (see o_owner), on your target-database machine:
$ find $ORACLE_HOME \( -type d \) -a \( ! -perm -o+rx \) -ls | awk '{print $3,$11}'
which might return something like:
drwx------ /oracle/db1/Apache/Apache/conf/ssl.key
drwxr-x--- /oracle/db1/.patch_storage
2. Using the File Access Control List program, grant the appropriate permissions to sshuser:
$ setfacl -m user:sshuser:r-x,mask:r-x /oracle/db1/Apache/Apache/conf/ssl.key
$ setfacl -m user:sshuser:r-x,mask:r-x /oracle/db1/.patch_storage
3. (Optionally) confirm that correct permissions were granted with:
$ getfacl /oracle/db1/Apache/Apache/conf/ssl.key
$ getfacl /oracle/db1/.patch_storage
which would return something like:
# file: /export/home/ora1020/product/10.2.0/Db_1/.patch_storage
# owner: ora1020
# group: oinstall
user::rwx
user:mitagaki:rwx       #effective:r-x
group::r--              #effective:r--
mask:r-x
other:---
4. (Optionally) you can revoke permissions with:
$ setfacl -d user:sshuser:r-x,mask:r-x /oracle/db1/Apache/Apache/conf/ssl.key
$ setfacl -d user:sshuser:r-x,mask:r-x /oracle/db1/.patch_storage
If you cannot give read (r) or execute (x) permission to the directory, FortiDB VA will produce a "Permission denied" error on the report, which you can ignore.
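As an added example (not from the Fortinet guide), this Python script performs steps 1 and 2 of Example two as a dry run: it lists the directories under a root that lack o+rx, as the find command above does, and returns the setfacl lines for review rather than executing them. make_sample_tree, dirs_missing_other_rx and setfacl_commands are names chosen here, and the tree make_sample_tree builds is constructed sample data standing in for $ORACLE_HOME.

```python
import os
import stat
import tempfile

# The o+rx bits that "find ... ! -perm -o+rx" tests for.
OTHER_RX = stat.S_IROTH | stat.S_IXOTH


def dirs_missing_other_rx(root):
    """Directories under root (inclusive) that do not grant read and execute to 'other'.

    Equivalent to: find $ORACLE_HOME \\( -type d \\) -a \\( ! -perm -o+rx \\)
    Paths are returned relative to root and sorted so the list is easy to review.
    """
    missing = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if (mode & OTHER_RX) != OTHER_RX:
            missing.append(os.path.relpath(dirpath, root))
    return sorted(missing)


def setfacl_commands(user, root, relative_dirs):
    """Step 2 of Example two as text: one grant line per directory, using the page's r-x,mask:r-x form."""
    return [f"setfacl -m user:{user}:r-x,mask:r-x {os.path.join(root, d)}" for d in relative_dirs]


def make_sample_tree():
    """Constructed stand-in for $ORACLE_HOME (example data, no real Oracle install)."""
    root = tempfile.mkdtemp(prefix="oracle_home_")
    os.chmod(root, 0o755)
    for rel, mode in (("Apache/Apache/conf/ssl.key", 0o700),
                      (".patch_storage", 0o750),
                      ("bin", 0o755)):
        parts = rel.split("/")
        for depth in range(1, len(parts) + 1):
            path = os.path.join(root, *parts[:depth])
            os.makedirs(path, exist_ok=True)
            os.chmod(path, 0o755)  # parents stay world-traversable regardless of umask
        os.chmod(os.path.join(root, rel), mode)  # the leaf gets the mode under test
    return root


if __name__ == "__main__":
    # Run as the Oracle owner against a real $ORACLE_HOME, or fall back to the sample tree.
    home = os.environ.get("ORACLE_HOME") or make_sample_tree()
    for line in setfacl_commands("sshuser", home, dirs_missing_other_rx(home)):
        print(line)
```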
See also
- VA user-defined policies
VA user-defined policies
On the Policies page, you can manage user-defined policies in the User-Defined Policies tab. Use the View list at the top of the page to filter the list. You can also import additional policies or updates to existing policies.
Columns and their descriptions:
Status: one of the following, each shown as an icon:
- Enabled
- Disabled
- New and Enabled
- New and Disabled
- Modified and Enabled
- Modified and Disabled
Name: User-defined policy name
DB Type: Oracle, Sybase, DB2, Microsoft SQL Server, MySQL or SYBASEIQ
Severity: User-defined severity level. There are 5 levels of severity:
- Informational (default)
- Cautionary
- Minor
- Major
- Critical
Classification: Unclassified, Configuration, Password, Privilege, Database server, Host System.
- The View dropdown enables you to limit the policies that you view to only those within a certain policy group.
- The new-group button (shown as an icon) enables you to create a new policy group.
- The Add button enables you to create your own User-Defined policy.
- The Delete button enables you to delete the policies for which a check box has been checked.
- The Enable button enables you to activate the policies for which a check box has been checked.
- The Disable button enables you to deactivate the policies for which a check box has been checked.
- The Import button enables you to import new or updated policies into the FortiDB repository.
- The Export button enables you to export all policies on the screen as an XML file.
See also
- Deleting user-defined policies
- Exporting user-defined policies
- Importing user-defined policies
Adding user-defined policies
1. Go to Policy > VA Policies of the left-side menu.
2. Select the User-Defined Policies tab.
3. Select the Add button.
4. Fill in the appropriate fields. Some of the fields to note are:
ID: Enter a unique designator that can include any character, including alphanumerics, special characters, and white spaces.
SQL query: Enter the query that will be used when this User-Defined Policy is applied during an assessment.
Result Column Name(s): Entries in this field are the column names referred to in the SQL query field. Multiple entries are delimited by semicolons.
The names can either be actual column names in your query, like empno in 'SELECT empno FROM scott.emp', or aliases like enumber in 'SELECT empno AS " enumber" FROM scott.emp'.
Leading or trailing spaces in the alias expression must also be specified in this field for the column's values to appear in your report.
For example, if there are two leading spaces in " enumber", include both spaces in the Result Column Name(s) value.
You can use the '*' column wildcard in your queries; however, you must separately specify the name of each column for which you want report results. If, for example, you use 'SELECT * FROM scott.emp' against an Oracle target database, you must enter "empno;ename;job;mgr;hiredate;sal;comm;deptno" in this field in order to get a report on all columns in scott.emp.
Note: Do not put spaces before or after the semicolons unless your aliased column names also have leading or trailing spaces, respectively.
Result Column Label(s): Entries in this field are the column names that you would like to see in your reports. Multiple entries are delimited by semicolons.
Note: If you don't populate this field, your report's column headers will be the entries used for the Result Column Name(s) field.
Keywords: Entries in this field can be used when using a filter to create policy groups.
5. Select the Save button.
Here is an Oracle example, which assumes you have access to the SCOTT schema:
a. Create a policy with these entries:
- ID: unique designator
- Database type: Oracle
- SQL query: SELECT empno, ename from scott.emp
- Result Column Name(s): empno;ename
- Result Column Label(s): Employee Number;Employee Name
- Severity: Informational
- Classification: Unclassified
b. Select Save to save myOracleUDP1.
c. Create a policy group, myUDPGroup, containing the new policy.
d. Create an assessment that runs against an Oracle target group and which uses myUDPGroup.
e. Run a Detailed (Pre-Defined) Report against your assessment and you should see several rows of Scan Results like this in the Informational Vulnerabilities section:
- Employee Number: 7369 Employee Name: SMITH
Here is another, slightly different, Oracle example, which uses column-name aliasing and, again, assumes you have access to the SCOTT schema:
a. Create a policy with these entries:
- ID: can be any value
- Name: myOracleUDP2
- Database type: Oracle
- SQL query: SELECT empno as "EmpID", ename as "Worker" from scott.emp
- Result Column Name(s): EmpID;Worker
- Result Column Label(s): Employee Number;Employee Name
- Severity: Informational
- Classification: Unclassified
b. Select Save to save myOracleUDP1.
c. Create a policy group, myUDPGroup, containing the new policy.
d. Create an assessment that runs against an Oracle target group and which uses myUDPGroup.
e. Run a Detailed (Pre-Defined) Report against your assessment and you should see several rows of Scan Results like this in the Informational Vulnerabilities section:
- Employee Number: 7369 Employee Name: SMITH
See also
- Deleting user-defined policies
- Exporting user-defined policies
- Importing user-defined policies
Deleting user-defined policies
This topic describes how to delete user-defined policies.
1. Go to Policy > VA Policies of the left-side menu.
2. Select the User-Defined Policies tab.
3. Mark the check box(es) corresponding to the user-defined policy you want to delete.
4. Select the Delete button.
See also
- Exporting user-defined policies
- Importing user-defined policies
Exporting user-defined policies
This topic describes how to export user-defined policies.
1. Go to Policy > VA Policies of the left-side menu.
2. Select the User-Defined Policies tab.
3. In the View dropdown list, select All or a policy group you want to export.
The checkboxes next to the individual policies have no effect when exporting. FortiDB exports all policies in the list regardless of whether the checkbox for an item is selected.
4. Select the Export button.
5. Save the XML file.
See also
- Deleting user-defined policies
- Importing user-defined policies
Importing user-defined policies
This topic describes how to import user-defined policies.
1. Go to Policy > VA Policies of the left-side menu.
2. Select the User-Defined Policies tab.
3. Select the Import button.
4. Enter the path to the XML file you want to import, or select the Browse button and select the XML file you want to import.
To successfully import your policies, you must increase the value of the version attribute (for example, you must change from version="3" to version="4"), which can be found in the <VaPolicy> element.
5. Select or clear the Deactivate new and modified rules after import check box.
- If you select this, the new and modified rules after import are deactivated.
- If you clear this, the new and modified rules after import are activated.
6. Select or clear the Identify new and modified rules with icons check box.
- If you select this, you can identify new and modified rules with icons.
- If you clear this, you cannot identify new and modified rules with icons.
7. Select the Import button.
See also
- Deleting user-defined policies
- Exporting user-defined policies
VA policy groups
The Policy Groups page displays all policy groups with group names and descriptions.
Use the Policy Groups page to perform the following tasks:
- Add a new policy group by selecting Add. See Adding VA policy groups on page 135.
- Modify the policy group by selecting the group name. See Modifying VA policy groups on page 136.
- Delete policy groups by selecting the group check box, and click Delete.
The following pre-defined policy groups are available (group: policies included):
- DB2 Policy Group: DB2 policies
- MySQL Policy Group: MySQL policies
- Oracle Policy Group: Oracle policies
- SQL Server Policy Group: SQL Server policies
- Sybase Policy Group: Sybase policies
- Pen Test Policy Group
- CIS Policy Group: CIS benchmark policies
- Sybase IQ Policy Group: Sybase IQ policies
Adding VA policy groups
This topic describes the task of creating groups for predefined or user-defined policies by using filtering criteria.
1. Go to Policy > VA Policy Groups of the left-side menu.
2. Select the Add button.
3. On the subsequent Policies page, choose either the Pre-Defined Policies tab or the User-Defined Policies tab and then fill in the text boxes.
a. Use the Policy Type dropdown in order to create a group consisting of just pre-defined policies, user-defined policies, or both (All).
b. Use the Group Name text box to enter a name that will show up in the saved policy-group list. Use the optional Description text box to describe your filtering/grouping criteria.
c. To create a filtering condition, enter a Column on which you would like to filter, an Operator that associates the Column with a Value, and a Value that the Column must match.
d. You can add or subtract, respectively, filtering criteria rows by selecting the + (plus) or - (minus) buttons.
You cannot use the same Column in multiple rows. For example, you cannot establish a criterion that includes all the policies with a Severity of Minor and all the policies with a Severity of Major.
In order to cancel creating a new policy-group filter and go back to the main Policies page, select the icon.
Here are some examples of filtering criteria:
Attribute | Operator | Value | Return Possibilities
Severity | Equals | Minor | all policies with a Severity of Minor
Database Type | Equals | DB2 | all policies associated with DB2 databases
4. To test your filtering criteria, select the Apply button.
5. To save the group you created, select the icon.
In order to modify an existing group, select the Name of the group on the Policy Groups page.
Modifying VA policy groups
This topic describes modifying the existing policy group.
1. Go to Policy > VA Policy Groups from the left-side menu.
2. In the Policy Groups page, click the name of a policy group that you want to modify.
3. Modify the policy name or description if necessary.
4. Select the Policy Type from the dropdown list (All, Pre-Defined, or User).
5. To create a filtering condition, enter a Column on which you would like to filter, an Operator that associates the Column with a Value, and a Value that the Column must match.
6. You can add or subtract, respectively, filtering criteria rows by selecting the + (plus) or - (minus) buttons.
You cannot use the same Column in multiple rows. For example, you cannot establish a criterion that includes all the policies with a Severity of Minor and all the policies with a Severity of Major.
In order to cancel modifying the policy-group filter and go back to the main Policies page, select the icon.
7. To test your filtering criteria, select the Apply button.
8. Click to save.
Deleting VA policy groups
This topic describes how to delete a policy group.
1. Go to Policy > VA Policy Groups of the left-side menu.
2. Check the check box(es) corresponding to the policy group(s) you want to delete.
3. Click the Delete button.
Penetration tests
A penetration test (or pentest) examines your target databases for weak passwords.
Like any other type of assessment, you can run pen tests either immediately or schedule them for a convenient time.
FortiDB does not support penetration tests for Sybase IQ target databases.
See also
- Connection options for penetration tests
- Files used for penetration tests
- Configuring and running penetration test assessments
Connection options for penetration tests
For penetration tests, FortiDB uses one of the following options to connect to target databases:
- Login — The login connection method is available for all target database types.
- Hash-based — A 'hash' is the value that is the result of encrypting a clear-text string. The hash-based method is a safer, offline approach, but it is available for Oracle and Microsoft SQL target databases only. If you use the hash-based method for Sybase or DB2 targets, FortiDB cannot apply any of the pentest policies, the assessment result is essentially empty, and no error is reported.
- Hybrid — FortiDB uses the hash-based method if it is available (that is, when the database is Oracle or Microsoft SQL). Otherwise, it uses the login method.
If the penetration test login attempts are unsuccessful, the database may prevent any users, including valid users, from logging in.
See also
- Configuring and running penetration test assessments
Files used for penetration tests
Penetration test policies use username and password information stored in a set of text files to assess databases.
For the Dictionary pen test policy, FortiDB allows you to select a password dictionary text file to use instead of the default dictionary.
In addition, if you are using the software version of FortiDB, you can customize the other pentest policy text files.
The custom files allow you to specify the usernames and passwords to use in the test instead of testing all database usernames. These files are <dbtype>default.txt and <dbtype>user.txt, where <dbtype> specifies the type of database using one of the following strings:
- ora for Oracle
- sql for MS-SQL
- db2 for DB2
- syb for Sybase
- mysql for MySQL
If you are using either the appliance or software version of FortiDB, you can use the Assessment properties to select an alternative password dictionary file. However, appliance version users cannot access or change the default dictionary.txt, <dbtype>default.txt and <dbtype>user.txt files.
Policy name: Default Password
File: <dbtype>default.txt
Content evaluated: All the username-password pairs in the file. The values in <dbtype>default.txt represent system accounts that ship with an RDBMS and their default passwords. For example, for Oracle, SYS, SYSTEM, and SCOTT, and for Microsoft SQL, SA.

Policy name: Dictionary
File: <dbtype>user.txt, dictionary.txt
Content evaluated: The pairing of each username in the <dbtype>user.txt file with every password in the dictionary.txt file.
Note: When FortiDB executes the pentest Dictionary policy, it automatically adds the domain name to the password list.

Policy name: Number Following Username
File: <dbtype>user.txt
Content evaluated: The pairing of usernames in the file with a password created by adding one or more numbers to the end of the username.

Policy name: Same as Username
File: <dbtype>user.txt
Content evaluated: The pairing of usernames in the file with a password that is the same as the username.

Policy name: Username Following Number
File: <dbtype>user.txt
Content evaluated: The pairing of usernames in the file with a password created by adding one or more numbers to the beginning of the username.

Policy name: Username Reversed
File: <dbtype>user.txt
Content evaluated: The pairing of usernames in the file with a password created by spelling the username backwards.

See also
- Configuring and running penetration test assessments

Configuring and running penetration test assessments
To configure and run penetration testing against target databases
1. Ensure that the FortiDB database user specified in the target configuration for the database you want to test has the required privileges.
For more information, see Privileges for VA assessments, privilege summaries, and penetration tests on page .
2. In the navigation menu, go to Administration > Global Configuration, and then click the Assessment tab.
3. Complete the following settings:
Enable Pen Test: Select True.
Enable Pen Test For All Users in Database (software-only version): When set to false, all pentest policies except Default Password test the database using the usernames in <dbtype>user.txt only. When set to true, the policies test using all database usernames. For information on creating the <dbtype>user.txt file, see step . For more information on the file, see Files used for penetration tests on page 138.
Pen Test Method: Specify the method that FortiDB uses to connect to databases for penetration tests using one of the following values:
- 1 - Login method
- 2 - Hash-based method (available for Oracle or Microsoft SQL databases only)
- 3 - Hybrid method (FortiDB uses the hash-based method when it is available)
For more information on these settings, see Connection options for penetration tests on page 137.
Pen Test Password Dictionary: Specify the file that contains the passwords that the Dictionary policy checks. If you do not select a file, the policy uses the default dictionary. The Browse button allows you to select a dictionary file. Click Save to complete your selection. FortiDB does not display the name of the uploaded file. To restore the default dictionary, select the Pen Test Password Dictionary item, click Restore Default(s), and then click Save. Your dictionary file is deleted. For software-only versions of FortiDB, for information on creating the dictionary.txt file, see step . For more information on the password dictionary file, see Files used for penetration tests on page 138.
4. To make your pentest settings take effect, restart FortiDB.
5. For software version users:
- If you set Enable Pen Test For All Users in Database to false, copy the <dbtype>user.txt file from <FortiDB installation directory>/etc/conf/pentest to <FortiDB installation directory>/conf/pentest, where <dbtype> is the string that specifies the type of database to assess. Replace the system account and password values in the file with the values that you want the pentest policies to use (except the Default Password policy).
- For the oradefault.txt file, ensure that the system account and password values are in uppercase.
- If you want the Default Password policy to use a custom list of system accounts with default passwords instead of the default list, copy the <dbtype>default.txt file from <FortiDB installation directory>/etc/conf/pentest to <FortiDB installation directory>/conf/pentest, where <dbtype> is the string that specifies the type of database to assess. Replace the usernames and password values in the file with the values that you want the Default Password policy to use.
- For the orauser.txt file, ensure that the usernames and passwords are in uppercase.
- If you did not use the Pen Test Password Dictionary property to select a password dictionary file and want the Dictionary policy to use a custom dictionary, copy the dictionary.txt file from <FortiDB installation directory>/etc/conf/pentest to <FortiDB installation directory>/conf/pentest. Replace the password values in the file with the values that you want the Dictionary policy to use.
For more information on the files, see Files used for penetration tests on page 138.
6. Go to Policy > VA Policy Groups, and then click Pen Test Policy Group.
7. To enable or disable pentest policies, select the checkbox for one or more policies, and then click Enable or Disable.
8. Optionally, to edit a policy, click the policy name, edit the settings, and then click Save.
9. Assign the Pen Test Policy Group to a new or existing assessment.
For detailed instructions, see Adding or modifying assessments on page 181.
10. Run the assessment.
For detailed instructions, see Running assessments on page 182.
11. Evaluate the results of your assessment.
"Failed" means your passwords are weak and may not protect you from malicious login attempts.
See also
- Connection options for penetration tests
- Files used for penetration tests
Data discovery policies and policy groups
The FortiDB sensitive data discovery feature uses the data discovery policies to search a target database for sensitive information located in tables and columns. You use data discovery policy groups to add these policies to the sensitive data discovery configuration for a target database.
For information on running sensitive data discovery, see Sensitive data discovery on page 193.
Managing data discovery policies
Go to Policy > Data Discovery Policies to perform data discovery policy tasks such as adding or enabling a policy.
To edit a policy, click its name.
To create a policy, click Add.
The Data Discovery Policies and Edit Alert Policy pages display the following columns and settings.
Status (policy list only): Shown as an icon, either enabled or disabled. To enable or disable policies, select the checkbox for one or more policies, and then click Enable or Disable.
Policy Name: Policy name.
Policy Type: Either BUILT_IN or USER_DEFINED. You cannot delete built-in policies.
Match Rule: Specifies the type of data FortiDB searches for:
- TEXT — Simple text
- CREDIT_CARD — 16-digit number
- EMAIL — Email address
- SSN — 9-digit Social Insurance number (SSN)
FortiDB evaluates this criterion after any specified Column Name Pattern and Data Pattern criteria.
Column Name Pattern: Specifies the pattern FortiDB searches for in table column names. Can be a specific value or a regular expression. If left blank, FortiDB does not search table column names.
Data Pattern: Specifies the pattern FortiDB searches for in the first 40 rows of the database. Can be a specific value or a regular expression. If left blank or the value is .+ (period followed by plus sign), FortiDB does not search the sample set of rows.
(checkbox; edit policy only): If checked, a match on either the column name pattern or the data pattern produces a result; if not checked, both must match. That is, this setting specifies whether search results include matches for either the value of Column Name Pattern and Data Pattern, or matches for both patterns.
Description (edit policy only): A description of the policy.
To export a policy as an XML format file, select the checkbox for one or more policies, and then click
Export.
Your web browser downloads the file.
To import a policy, click Import, use the file selection option to navigate to and select an XML format file, and then click Import.
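To make the interaction of Column Name Pattern, Data Pattern, the either/both checkbox and Match Rule concrete, here is an added Python model of the matching (not FortiDB's implementation). The regular expressions used for the four Match Rule types, the treatment of TEXT as any non-empty value, the names DiscoveryPolicy, column_matches and discover, and the sample table are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

SAMPLE_ROWS = 40  # FortiDB inspects the first 40 rows of a table

# Assumed regular expressions standing in for the four Match Rule types described above.
MATCH_RULES = {
    "TEXT": re.compile(r".+"),                        # any non-empty value (assumption)
    "CREDIT_CARD": re.compile(r"\d{16}"),             # 16-digit number
    "EMAIL": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),  # email address
    "SSN": re.compile(r"\d{9}"),                      # 9-digit number
}


@dataclass
class DiscoveryPolicy:
    name: str
    match_rule: str                 # TEXT, CREDIT_CARD, EMAIL or SSN
    column_name_pattern: str = ""   # regex against column names; blank = not searched
    data_pattern: str = ""          # regex against sampled values; blank or .+ = not searched
    match_either: bool = False      # the checkbox: True = either pattern suffices, False = both needed


def _pattern_enabled(pattern):
    """Blank and the catch-all .+ mean 'do not search', as the table above states."""
    return pattern not in ("", ".+")


def column_matches(policy, column_name, values):
    """Decide whether one column is reported by the policy."""
    sample = [str(v) for v in values[:SAMPLE_ROWS] if v is not None]
    checks = []
    if _pattern_enabled(policy.column_name_pattern):
        checks.append(re.search(policy.column_name_pattern, column_name, re.IGNORECASE) is not None)
    if _pattern_enabled(policy.data_pattern):
        checks.append(any(re.search(policy.data_pattern, v) for v in sample))
    if checks:
        patterns_ok = any(checks) if policy.match_either else all(checks)
        if not patterns_ok:
            return False
    # The Match Rule is evaluated last, after the two pattern criteria.
    rule = MATCH_RULES[policy.match_rule]
    return any(rule.fullmatch(v) for v in sample)


def discover(policy, table):
    """Return the names of the columns in table ({column: [values]}) that the policy flags."""
    return sorted(col for col, vals in table.items() if column_matches(policy, col, vals))


# Constructed sample table (not real data): a card number has leaked into a free-text column.
SAMPLE_TABLE = {
    "cust_id": ["1001", "1002", "1003"],
    "email": ["ann@example.test", "bob@example.test", "n/a"],
    "card_no": ["4111111111111111", "5500000000000004", "4012888888881881"],
    "notes": ["call back", "4111111111111111", "vip"],
}

# Same patterns, different checkbox setting: "either" also catches the notes column.
CARD_EITHER = DiscoveryPolicy("cards (either)", "CREDIT_CARD", r"card|pan|cc", r"^\d{16}$", match_either=True)
CARD_BOTH = DiscoveryPolicy("cards (both)", "CREDIT_CARD", r"card|pan|cc", r"^\d{16}$", match_either=False)
# Column name pattern left blank: only the sampled data and the Match Rule decide.
EMAIL_ANY = DiscoveryPolicy("email by data only", "EMAIL", data_pattern="@")

if __name__ == "__main__":
    for policy in (CARD_EITHER, CARD_BOTH, EMAIL_ANY):
        print(f"{policy.name}: {discover(policy, SAMPLE_TABLE)}")
```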
Data discovery policy groups
You add data discovery policy groups to a target’s Sensitive Data Discovery configuration to specify the types of data FortiDB searches for.
Go to Policy > Data Discovery Policy Groups to manage data discovery policy groups.
Click a group name to edit the group, or Add to add a new group.
To delete a group, select the check box for one or more groups, and then click Delete.
Database Activity Monitoring (DAM) policies
Database activity monitoring policies specify the database activities that can generate security alerts or audit records.
See also
- Types of DAM policies
Types of DAM policies
There are two types of DAM policies:
- Alert — Policies that generate an alert when database activity violates a policy rule.
- Audit — Policies that generate an audit record when FortiDB detects the database activity specified in the policy rules. FortiDB uses these policies only when it monitors target databases with the TCP/IP sniffer.
The following sub-types are available for both alert and audit policies:
- Metadata Policies — Pre-defined policies that generate alerts or audit logs when FortiDB detects metadata activity.
- Privilege Policies — Pre-defined policies that generate alerts or audit logs when FortiDB detects privilege activity.
- Sys Operations Policy — Pre-defined policy that generates alerts or audit logs when FortiDB detects SYS user operations.
- Data Policy — Policies that you create to generate alert or audit logs when FortiDB detects data manipulation activity.
The following table describes the differences between the two types of DAM policy.

Used For
- Alert Policy: Generates an alert if an activity violates a policy rule
- Audit Policy: Logs the specified activity

Available With
- Alert Policy: All DAM collection methods
- Audit Policy: TCP/IP sniffer collection method only

Types of Data Policies
- Alert Policy: Table; Table and Column; Session; User; Database Query Policy
- Audit Policy: Database; Table; Table and Column; Session; User

Data Policy Configuration Options
- Alert Policy: "Read and Write" audit actions for Table, Table and Column; "Alert Rule" for violations; "SQL query" for "Database Query Policy"
- Audit Policy: "Select/Insert/Update/Delete/Truncate" audit actions for Table; "Select/Insert/Update/Delete" audit actions for Database, Table and Column; no "Alert Rule" settings

PCI, SOX, and HIPAA Policies
- Alert Policy: Yes
- Audit Policy: No

Severity Attribute
- Alert Policy: Yes
- Audit Policy: No

See also
- PCI, SOX, and HIPAA alert policies
Managing DAM policies
The DAM Alert Policy and DAM Audit Policy pages display all policies with status, policy name, and supported databases information.
Use these pages to perform the following tasks:
- Use the Data Policies list at the bottom of the page to create a new policy.
- Modify the pre-defined policies by clicking the policy name (see Privilege policies on page 166).
- Delete user-defined policies by selecting the policy's check box, then clicking Delete.
- Filter the view by selecting an option from the View list.
- Navigate to the modify-group page by clicking the Edit button.
- Search for and create a new group by clicking the Search / New Group button.
The following table describes each icon in the policy table list.
Type: Data Policy, shown with one of these sub-types:
- Table Policy monitors/audits suspicious reads and writes on specific tables
- Table and Column Policy monitors/audits suspicious reads and writes on specific table columns
- Session Policy monitors/audits suspicious session behavior
- User Policy monitors/audits suspicious reads and writes by specific users
- Database Policy (for Auditing) audits reads and writes on specific databases
- Database Query Policy (for Alert) queries a database data value at intervals that you specify
Separate icons indicate a privilege policy, a metadata policy, or a PCI, SOX, and HIPAA policy.
Status: An icon indicates whether the policy has a problem, is disabled, or is enabled.
Policy Name: User-defined policy name, or pre-defined name.
Severity: User-configurable severity level (not available for Audit Policy). There are 5 levels of severity:
- Informational (default)
- Cautionary
- Minor
- Major
- Critical
Supported Databases: All, or a specific database type, or a fixed setting for each database.
Configuring policy information for a policy
When you add or edit a policy, complete the following settings under Policy Info:
- Policy Name — Enter a unique name for the policy; a name that duplicates an existing policy name is not allowed.
- Description — Enter a description if necessary.
- Enable — Select to enable the policy.
- Create new policy group for policy: FortiDB automatically creates a policy group and adds it to the monitoring configuration for the target database. (This option is available for the target-based configuration: Data Access Monitoring > Monitors > click on the target name > Alert/Audit Policies tab > Data Policies dropdown.)
- Severity: For alert policies only. Specifies a severity.
- Supported Database: For data policies, select the type of target database the policy is used with. PCI, SOX, and HIPAA policies are supported on all database types. Privilege and metadata policies are restricted to specific database types.
You cannot change the value of Supported Database if FortiDB is currently using the policy to monitor a target database. Use the target monitoring settings (DB Activity Monitoring > Monitoring Management) to stop monitoring, change the value of Supported Database, and then re-start monitoring.
See also
- PCI, SOX, and HIPAA alert policies
Automatically generating alert policies
You can use the Start Generate Alert Policies option to automatically create table, session, and user policies for Oracle and Microsoft SQL Server target databases. The policies work with all the collection methods that are available for these database types.
When you activate the option, FortiDB starts to track target database activity. When you stop the option, FortiDB analyzes the information it has gathered. It considers the activity it observed during the monitoring period to be normal activity and generates policies that are appropriate for the target.
The Start Generate Alert Policies option creates a DAM Alert policy group that has the same name as the target database. You can manage and modify these policies and policy groups the same way you manage other user-defined policies.
The names of the user and session policies in the group use the following format:
<target name>_<username>_<policy type>
where <policy type> is UserDataPolicy or SessionPolicy.
The table policies use the following format:
<target name>_<username>_TableDataPolicy_<monitored objects>
where <monitored objects> is either inclusive or exclusive. If the policy name contains inclusive, the policy monitors the objects that are specified under Audit Settings. For exclusive, the policy monitors all objects except those specified under Audit Settings.
Because it monitors all users and tables, the generation process can affect the performance of the monitored database.
To automatically generate data policies
1. Go to DB Activity Monitoring > Monitoring Management, and then click a target name.
2. On the General tab, click Start Generate Alert Policies.
3. After FortiDB has monitored the target for an appropriate length of time, click Stop Generate Alert Policies.
4. To view the generated policies, go to Policy > DAM Alert Policy Groups.
Data policies
FortiDB uses data policies to monitor or audit reads and writes on specific database objects. It also uses them to monitor database access that takes place via your application server, location, or OS user.
To configure a data policy
1. Do one of the following:
- To configure a policy that is available to add to multiple target monitoring configurations, go to Policy > DAM Alert Policies or Policy > DAM Audit Policies.
- To configure a policy for a specific target, go to DB Activity Monitoring > Monitoring Management, and then click a target name. Then, click the Alert Policies or Audit Policies tab.
2. In the Data Policies list, select a type of data policy.
3. Click Add, and complete the policy settings:
- For detailed information about the Policy Info settings, see Managing DAM policies on page 145.
- For information on the Audit Settings, see the topic for the appropriate data policy type. For example, for a table policy, see Configuring audit settings for a table policy on page 149.
- For information on the Alert Rule settings, see the topic for the appropriate data policy type. For example, for a table policy, see Configuring alert rules for a table policy on page 149.
4. Click Save to save the policy configuration.
See also
- Automatically generating alert policies
- PCI, SOX, and HIPAA alert policies
Configuring a table policy
For basic policy configuration information, see .
See also
- Configuring audit settings for a table policy
- Configuring alert rules for a table policy
- Table policy alert rules for different databases
Configuring audit settings for a table policy
1. Click the triangle icon of the Audit Settings section to expand it.
2. Select one of the following options:
- Manually Select Object: You enter the specific object name.
- Browse Object by Target: You select an object from the dropdown list (default).
3. If you are configuring the policy using Policy > DAM Alert/Audit Policies and selecting an object by browsing, for Target, select a target.
4. Do one of the following:
- For policies for Oracle and DB2 databases, for Schema, enter a schema name or select a name from the list.
- For policies for Microsoft SQL Server and Sybase databases, for Database, enter a database name or select a name from the list. Then, for Schema, enter a schema name or select a name from the list.
5. In the Tables list, select one or more tables.
For Oracle databases, you can also select a synonym.
6. Under Audit Actions, do one of the following:
- For an alert policy, select Read (Select), Write (Insert/Update/Delete), or both.
- For an audit policy, select one or more of the following options: Select, Insert, Update, Delete, Truncate.
7. Click > (right arrow) to move your selection to the Selected Objects table.
If you want to remove objects from the Selected Objects list, select the object you want to remove and then click < (left arrow). To remove all objects, click << (double left arrow).
See also
- Configuring alert rules for a table policy
- Table policy alert rules for different databases
Configuring alert rules for a table policy
1. Click the triangle icon of the Alert Rules section to expand it.
2. In the Combination Rule field, select one of the following options from the dropdown list:
- Issue alert if ANY of the enabled rules are triggered: each rule generates alerts individually.
- Issue alert if ALL of the enabled rules are triggered: an alert is generated only when the selected rules are triggered in combination.
3. Select the check boxes of the rules you want to apply:
Security Violation: Alert on any failed attempt to access the selected object without proper permission.
Suspicious OS User: Alert on any successful access to the selected object by certain OS users. You can specify one or more OS usernames by typing the specific name or using a regular expression.
1. Click Add.
2. Select an operator from the dropdown list.
3. Enter an OS username depending on the operator you selected.
- To generate alerts for the OS user(s) you specified in the list, select the "Alert any successful access if the OS user is specified in the list" check box.
- To generate alerts for the OS user(s) you did not specify in the list, select the "Alert any successful access if the OS user is not specified in the list" check box.
Suspicious Location: Alert on any successful access to the selected object from certain locations. You can specify one or more locations by typing the specific location or using a regular expression.
1. Click Add.
2. Select an operator from the dropdown list.
3. Enter a location name depending on the operator you selected.
4. Repeat steps 1 to 3 if necessary.
- To generate alerts for any successful access from locations you specified in the list, select the "Alert any successful access from locations in the list" check box.
- To generate alerts for any successful access from locations not in the list, select the "Alert any successful access from locations not in the list" check box.
Suspicious Database Users: Alert on any successful access to the selected object by certain database users. You can specify one or more users as follows:
1. Select one or more users from the Users list.
2. Click the right arrow to move the selections to the Selected Users list.
Note: If you want to remove users from the Selected Users list, select the users you want to remove and click the left arrow.
- To generate alerts for the database user(s) you specified in the list, select the "Alert any successful access if the database user is in the list" check box.
- To generate alerts for the database user(s) you did not specify in the list, select the "Alert any successful access if the database user is not in the list" check box.
Suspicious Login Names: Alert on any successful access to the selected object by certain login users. You can specify one or more users as follows:
1. Select one or more users from the Users list.
2. Click the right arrow to move the selections to the Selected Users list.
Note: If you want to remove users from the Selected Users list, select the users you want to remove and click the left arrow.
- To generate alerts for the login user(s) you specified in the list, select the "Alert any successful access if the login user is in the list" check box.
- To generate alerts for the login user(s) you did not specify in the list, select the "Alert any successful access if the login user is not in the list" check box.
Suspicious Client Application (Client Id): Alert on any successful access to the selected object by certain client applications. You can specify one or more client applications by typing the specific client application or using a regular expression.
1. Click Add.
2. Select an operator from the dropdown list.
3. Enter a client application depending on the operator you selected.
4. Repeat steps 1 to 3 if necessary.
- To generate alerts for the client application(s) you specified in the list, select the "Alert any successful access if the client application is in the list" check box.
- To generate alerts for the client application(s) you did not specify in the list, select the "Alert any successful access if the client application is not in the list" check box.
Excessive Access Violation: Alert on excessive access to the selected object within the specified time slot. You can specify the maximum number of accesses allowed within a certain time period.
1. Enter the number of accesses allowed.
2. Select hours, days, minutes, or seconds from the dropdown list, and then enter the number of units.
Tracking Strategy: Tracking rule selection for the time violation. The threshold you set for the time violation can be counted separately by OS User, Location, Client Application, or Database User, depending on your selection. If you do not select any rule, every access to the objects in the audit settings is counted.
Time Range Violation: Alert on any access to the selected object within a certain time range. You can specify one or more time ranges.
1. Click Add.
2. Enter hour and minute values in "Received from" and "To" for the time range, in 24-hour format.
3. Repeat the above steps if necessary.
- To generate alerts for access within the time range, select "Alert any access if the timestamp is between time range".
- To generate alerts for access outside the time range, select "Alert any access if the timestamp is not between time range".
Suspicious Client IP (only for Collection Method "TCP/IP Sniffer"): Alert on any successful access to the selected object by certain client IPs. This rule only has effect for monitoring with Collection Method "TCP/IP Sniffer". You can specify one or more IP addresses, IP address ranges, or subnets.
1. Click Add.
2. Enter a Start/End IP address, or an IP/Netmask. For example, "192.168.1.1" - "192.168.1.254" for an IP range, or "192.168.2.0/255.255.255.0" for a subnet.
3. Repeat the above steps if necessary.
- To generate alerts for clients whose IP is in the specified IP range or subnet, select "Alert any successful access if the client's IP is in the list".
- To generate alerts for clients whose IP is not in the specified IP range or subnet, select "Alert any successful access if the client's IP is not in the list".
4. Select Save.
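The rule semantics above (the Combination Rule, Suspicious Client IP ranges and subnets, Time Range Violation, and Excessive Access Violation with a Tracking Strategy), modelled as an added Python example that is not FortiDB code; the events, network ranges and thresholds in demo() are constructed for illustration and are not taken from the handbook.

```python
"""Model of the FortiDB table-policy alert rules described above, run over
constructed access events. Added illustration, not FortiDB code: it implements
the Combination Rule (ANY/ALL), Suspicious Client IP, Time Range Violation and
Excessive Access Violation with a Tracking Strategy as the handbook describes."""
from __future__ import annotations

import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta


@dataclass
class Access:
    """One observed access to a monitored table (constructed sample record)."""
    at: datetime
    db_user: str
    os_user: str
    location: str
    client_app: str
    client_ip: str


@dataclass
class ClientIpRule:
    """Suspicious Client IP: entries are "start - end" ranges or IP/netmask subnets."""
    entries: list[str]
    in_list: bool = True  # False models "alert if the client's IP is not in the list"

    def fires(self, a: Access) -> bool:
        addr = ipaddress.ip_address(a.client_ip)
        hit = False
        for entry in self.entries:
            if "-" in entry:  # Start/End form, e.g. "192.168.1.1 - 192.168.1.254"
                lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
                hit |= lo <= addr <= hi
            else:  # IP/Netmask form; ipaddress accepts dotted netmasks
                hit |= addr in ipaddress.ip_network(entry, strict=False)
        return hit if self.in_list else not hit


@dataclass
class TimeRangeRule:
    """Time Range Violation: 24-hour From/To ranges, "between" or "not between"."""
    ranges: list[tuple[time, time]]
    between: bool = True

    def fires(self, a: Access) -> bool:
        t = a.at.time()
        hit = any(lo <= t <= hi for lo, hi in self.ranges)
        return hit if self.between else not hit


@dataclass
class ExcessiveAccessRule:
    """Excessive Access Violation: more than max_accesses inside a sliding window,
    counted per Tracking Strategy key (os_user, location, client_app, db_user)
    or, with no strategy selected, across every access to the audited object."""
    max_accesses: int
    window: timedelta
    tracking: str | None = None
    _seen: dict = field(default_factory=lambda: defaultdict(deque))

    def fires(self, a: Access) -> bool:
        key = getattr(a, self.tracking) if self.tracking else "*"
        q = self._seen[key]
        q.append(a.at)
        while q and a.at - q[0] > self.window:  # expire events outside the window
            q.popleft()
        return len(q) > self.max_accesses


def evaluate(rules: dict, accesses: list[Access], combination: str = "ANY"):
    """Return (event index, triggered rule names) for each access that alerts.
    ANY: each triggered rule alerts on its own. ALL: alert only when every
    enabled rule is triggered by the same access."""
    alerts = []
    for i, a in enumerate(accesses):
        fired = [name for name, rule in rules.items() if rule.fires(a)]
        if fired and (combination == "ANY" or len(fired) == len(rules)):
            alerts.append((i, fired))
    return alerts


def demo(combination: str = "ANY"):
    """Constructed policy: 192.168.1.1-254 and 192.168.2.0/24 are the approved
    client networks, 08:00-18:00 is normal hours, at most 2 accesses/minute per DB user."""
    rules = {
        "Suspicious Client IP": ClientIpRule(
            ["192.168.1.1 - 192.168.1.254", "192.168.2.0/255.255.255.0"], in_list=False),
        "Time Range Violation": TimeRangeRule([(time(8, 0), time(18, 0))], between=False),
        "Excessive Access Violation": ExcessiveAccessRule(2, timedelta(minutes=1), "db_user"),
    }
    t0 = datetime(2017, 3, 17, 9, 0)
    events = [  # constructed sample accesses
        Access(t0, "app", "svc", "apphost", "erp", "192.168.1.10"),
        Access(t0 + timedelta(seconds=10), "app", "svc", "apphost", "erp", "192.168.2.7"),
        Access(t0 + timedelta(seconds=20), "app", "svc", "apphost", "erp", "192.168.1.11"),
        Access(t0 + timedelta(seconds=30), "dba", "bob", "laptop", "sqlplus", "10.0.0.5"),
        Access(datetime(2017, 3, 17, 23, 30), "dba", "bob", "laptop", "sqlplus", "10.0.0.5"),
    ]
    return evaluate(rules, events, combination)
```

Calling demo() with the ANY rule reports the third app access (over the per-user threshold) and both off-network dba accesses, the late one also failing the time range; with ALL, no single access trips all three rules, so nothing alerts.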
See also
- Table policy alert rules for different databases
Table policy alert rules for different databases
The alert rules that are available for a table policy are determined by the database type.
Oracle:
- Security Violation
- Suspicious OS User
- Suspicious Location
- Suspicious Database Users (Login Name)
- Suspicious Client Application (Client Id)
- Excessive Access Violation
- Time Range Violation
- Suspicious Client IP (only for "TCP/IP Sniffer")
Microsoft SQL Server:
- Security Violation
- Suspicious OS User
- Suspicious Location
- Suspicious Database Users
- Suspicious Login Names
- Suspicious Client Application
- Excessive Access Violation
- Time Range Violation
- Suspicious Client IP (only for "TCP/IP Sniffer")
DB2:
- Security Violation
- Suspicious OS User
- Suspicious Location
- Suspicious Database Users
- Excessive Access Violation
- Time Range Violation
- Suspicious Client IP (only for "TCP/IP Sniffer")
Sybase:
- Security Violation
- Suspicious OS User
- Suspicious Location
- Suspicious Login Names
- Excessive Access Violation
- Time Range Violation
- Suspicious Client IP (only for "TCP/IP Sniffer")
MySQL:
- Security Violation
- Suspicious Location
- Suspicious Login Names
- Excessive Access Violation
- Time Range Violation
See also
- Configuring alert rules for a table policy
Configuring a table and column policy
For basic policy configuration information, see .
For information on setting rules for alert policies, see Configuring alert rules for a table policy on page 149.
To configure audit settings for a table and column policy
1. Click the triangle icon of the Audit Settings section to expand it.
2. Select one of the following options:
- Manually Select Object: You enter the object parameters.
- Browse Object by Target: You select an object from the dropdown list (default).
3. If you are configuring the policy using Policy > DAM Alert/Audit Policies and selecting an object by browsing, for Target, select a target.
4. Do one of the following:
- For policies for Oracle and DB2 databases, for Schema, enter a schema name or select a name from the list.
- For policies for Microsoft SQL Server and Sybase databases, for Database, enter a database name or select a name from the list. Then, for Schema, enter a schema name or select a name from the list.
5. In the Tables list, select a table.
For Oracle databases, you can also select a synonym.
6. In the Column list, select one or more columns for the table you selected.
7. If you are configuring an alert policy, for MatchSQL, enter a SQL string that generates alerts when FortiDB detects it.
8. Under Audit Actions, do one of the following:
- For an alert policy, select Read (Select), Write (Insert/Update/Delete), or both.
- For an audit policy, select one or more of the following options: Select, Insert, Update, Delete, Truncate.
9. Click > (right arrow) to move your selection to the Selected Objects table.
If you want to remove objects from the Selected Objects list, select the object you want to remove and then click < (left arrow). To remove all objects, click << (double left arrow).
10. Repeat steps through to add additional columns to the Selected Objects table, if required.
Configuring a session policy
For basic policy configuration information, see .
See also
- Configuring audit settings for a session policy
- Configuring alert rules for a session policy
Configuring audit settings for a session policy
1. Click the triangle icon at Audit Settings to expand it.
2. Select the Any User or Specify Users radio button.
3. For Specify Users, enter a username in the Enter user input box. Alternatively, click the Browse by target dropdown list, select one or more users from the Users selection box, and click the right arrow to move the selection to the Selected Users table.
If you want to remove a user from the Selected Users list, select the user you want to remove and click the left arrow.
See also
- Configuring alert rules for a session policy
Configuring alert rules for a session policy
1. Click the triangle icon at Alert Rules to expand it.
2. In the Combination Rule field, select one of the following from the dropdown list:
- Issue alert if ANY of the enabled rules are triggered
- Issue alert if ALL of the enabled rules are triggered
3. Select the check boxes of the rules you want to apply:
Login/Logout Activity: Generate alerts for login/logout activity. Select the "Alert Login Failure" option to alert on failed logins only, or select the "Alert All Login/logout Activity" option.
Suspicious Login Time: The time of login is beyond the specified normal hours. You can specify the time ranges as follows:
1. In the From and To fields, enter the starting and ending times you want to specify as suspicious login time.
2. If necessary, click the + sign to add another time range, or the - sign to remove a time range.
- To generate alerts for login times you specified in the list, select the "Alert if login time is within one of the time ranges in the list" check box.
- To generate alerts for login times you did not specify in the list, select the "Alert if login time is NOT within one of the time ranges in the list" check box.
Extremely Long Session: Generate alerts when the duration of a session is abnormally long. You can specify the threshold by entering how many hours are allowed for a session.
Excessive Read Activities: Generate alerts when the number of logical page reads is abnormally high. You can specify the threshold by entering how many page reads are allowed for a session.
High Read Ratio: Generate alerts when the number of logical reads per minute is abnormally high. You can specify the threshold by entering how many page reads are allowed for a session.
Suspicious OS User: Alert on any successful access to the selected object by certain OS users.
Note: For Microsoft SQL Server, this rule is applicable only to Windows authentication.
You can specify one or more OS usernames by typing the specific name or using a regular expression.
1. Click Add.
2. Select an operator from the dropdown list.
3. Enter an OS username depending on the operator you selected.
4. Repeat steps 1 to 3 if necessary.
- To generate alerts for the OS user(s) you specified in the list, select the "Alert any successful access if the OS user is specified in the list" check box.
- To generate alerts for the OS user(s) you did not specify in the list, select the "Alert any successful access if the OS user is not specified in the list" check box.
Suspicious Location: Alert on any successful access to the selected object from certain locations. You can specify one or more locations by typing the specific location or using a regular expression.
1. Click Add.
2. Select an operator from the dropdown list.
3. Enter a location name depending on the operator you selected.
4. Repeat steps 1 to 3 if necessary.
- To generate alerts for the location(s) you specified in the list, select the "Alert any successful access from locations in the list" check box.
- To generate alerts for the location(s) you did not specify in the list, select the "Alert any successful access from locations not in the list" check box.
Suspicious Client Application: Alert on any successful access to the selected object by certain client applications. You can specify one or more client applications by typing the specific client application or using a regular expression.
1. Click Add.
2. Select an operator from the dropdown list.
3. Enter a client application depending on the operator you selected.
4. Repeat steps 1 to 3 if necessary.
- To generate alerts for the client application(s) you specified in the list, select the "Alert any successful access if the client application is in the list" check box.
- To generate alerts for the client application(s) you did not specify in the list, select the "Alert any successful access if the client application is not in the list" check box.
Excessive Access Violation: Alert on excessive access to the selected object within the specified time slot. You can specify the maximum number of accesses allowed within a certain time period.
1. Enter the number of accesses allowed.
2. Select hours, days, minutes, or seconds from the dropdown list, and then enter the number of units.
Tracking Strategy: Tracking rule selection for the time violation. The threshold you set for the time violation can be counted separately by OS User, Location, Client Application, or Database User, depending on your selection. If you do not select any rule, every access to the objects in the audit settings is counted.
Suspicious Client IP (only for Collection Method "TCP/IP Sniffer"): Alert on any successful access to the selected object by certain client IPs. This rule only has effect for monitoring with Collection Method "TCP/IP Sniffer". You can specify one or more IP addresses, IP address ranges, or subnets.
1. Click Add.
2. Enter a Start/End IP address, or an IP/Netmask. For example, "192.168.1.1" - "192.168.1.254" for an IP range, or "192.168.2.0/255.255.255.0" for a subnet.
3. Repeat the above steps if necessary.
- To generate alerts for clients whose IP is in the specified IP range or subnet, select "Alert any successful access if the client's IP is in the list".
- To generate alerts for clients whose IP is not in the specified IP range or subnet, select "Alert any successful access if the client's IP is not in the list".
4. Click Save.
See also
- Configuring alert rules for a session policy
Configuring a user policy
For basic policy configuration information, see .
See also
- Configuring audit settings for a user policy
- Configuring alert rules for a user policy
- User policy alert rules for various databases
Configuring audit settings for a user policy
1. Click the triangle icon of the Audit Settings section to expand it.
2. Select the Any User or Specify Users radio button.
3. For Specify Users, enter the account name in the Enter user input box. Alternatively, click the Browse by target dropdown list to browse the available users from the target.
4. For an alert policy, select the Read (Select) or Write (Insert/Update/Delete) check box, or both, in the Audit Actions field.
5. For an audit policy, select the Select, Insert, Update, Delete, and Truncate check boxes as required in the Audit Actions field.
6. Click the right arrow to move the selection to the Selected Users table.
If you want to remove users from the Selected Users list, select the user you want to remove, then click the left arrow.
7. Configure the Alert Rules (for alert policies).
See also
- Configuring alert rules for a user policy
- User policy alert rules for various databases
Configuring alert rules for a user policy
1. Click the triangle icon of the Alert Rules section to expand it.
2. In the Combination Rule field, select one of the following options from the dropdown list:
- Issue alert if ANY of the enabled rules are triggered: each rule generates alerts individually.
- Issue alert if ALL of the enabled rules are triggered: an alert is generated only when the selected rules are triggered in combination.
3. Select the check boxes of the rules you want to apply:
Security Violation: Alert on any failed attempt to access the selected object without proper permission.
Suspicious OS User: Alert on any successful access to the selected object by certain OS users. You can specify one or more OS usernames by typing the specific name or using a regular expression.
1. Click Add.
2. Select an operator from the dropdown list.
3. Enter an OS username depending on the operator you selected.
- To generate alerts for the OS user(s) you specified in the list, select the "Alert any successful access if the OS user is specified in the list" check box.
- To generate alerts for the OS user(s) you did not specify in the list, select the "Alert any successful access if the OS user is not specified in the list" check box.
Suspicious Object Access: Alert on any successful access to the selected object(s). There are the following options for selecting objects:
- Manually Select Object
- Browse Object by Target (default)
You can specify one or more objects as follows:
1. Select a target from the Target dropdown list.
2. Select a schema from the dropdown list.
3. Select one or more tables from the Tables list.
4. Select the Read (Select) or Write (Insert/Update/Delete) check box, or both, in the Audit Actions field.
5. Click the right arrow to move the selections to the Selected Objects list.
Note: If you want to remove objects from the Selected Objects list, select the objects you want to remove and click the left arrow.
- To generate alerts for the object(s) you specified in the list, select the "Issue alert if the accessed object is specified in the list" check box.
- To generate alerts for the object(s) you did not specify in the list, select the "Issue alert if the accessed object is not specified in the list" check box.
Suspicious Location: Alert on any successful access to the selected object from certain locations. You can specify one or more locations by typing the specific location or using a regular expression.
1. Click Add.
2. Select an operator from the dropdown list.
3. Enter a location name depending on the operator you selected.
4. Repeat steps 1 to 3 if necessary.
- To generate alerts for the location(s) you specified in the list, select the "Alert any successful access from locations in the list" check box.
- To generate alerts for the location(s) you did not specify in the list, select the "Issue alert if the accessed object is not specified in the list" check box.
Suspicious Client Application (Client Id): Alert on any successful access to the selected object by certain client applications. You can specify one or more client applications by typing the specific client application or using a regular expression.
1. Click Add.
2. Select an operator from the dropdown list.
3. Enter a client ID depending on the operator you selected.
4. Repeat steps 1 to 3 if necessary.
- To generate alerts for the client application(s) you specified in the list, select the "Alert any successful access if the client application is in the list" check box.
- To generate alerts for the client application(s) you did not specify in the list, select the "Alert any successful access if the client application is not in the list" check box.
Excessive Access Violation: Alert on excessive access to the selected object within the specified time slot. You can specify the maximum number of accesses allowed within a certain time period.
1. Enter the number of accesses allowed.
2. Select hours, days, minutes, or seconds from the dropdown list, and then enter the number of units.
Tracking Strategy: Tracking rule selection for the time violation. The threshold you set for the time violation can be counted separately by OS User, Location, Client Application, or Database User, depending on your selection. If you do not select any rule, every access to the objects in the audit settings is counted.
Time Range Violation: Alert on any access to the selected object within a certain time range. You can specify one or more time ranges.
1. Click Add.
2. Enter hour and minute values in "Received from" and "To" for the time range, in 24-hour format.
3. Repeat the above steps if necessary.
- To generate alerts for access within the time range, select "Alert any access if the timestamp is between time range".
- To generate alerts for access outside the time range, select "Alert any access if the timestamp is not between time range".
Suspicious Client IP (only for Collection Method "TCP/IP Sniffer"): Alert on any successful access to the selected object by certain client IPs. This rule only has effect for monitoring with Collection Method "TCP/IP Sniffer". You can specify one or more IP addresses, IP address ranges, or subnets.
1. Click Add.
2. Enter a Start/End IP address, or an IP/Netmask. For example, you could enter "192.168.1.1" - "192.168.1.254" for an IP range, or "192.168.2.0/255.255.255.0" for a subnet.
3. Repeat the above steps if necessary.
- To generate alerts for clients whose IP is in the specified IP range or subnet, select "Alert any successful access if the client's IP is in the list".
- To generate alerts for clients whose IP is not in the specified IP range or subnet, select "Alert any successful access if the client's IP is not in the list".
4. Click Save.
See also
- User policy alert rules for various databases
User policy alert rules for various databases
The alert rules that are available for user policies are determined by the type of database.
Oracle:
- Security Violation
- Suspicious OS User
- Suspicious Object Access
- Suspicious Location
- Suspicious Client Application (Client Id)
- Excessive Access Violation
- Time Range Violation
- Suspicious Client IP (only for "TCP/IP Sniffer")
Microsoft SQL Server:
- Security Violation
- Suspicious OS User
- Suspicious Object Access
- Suspicious Location
- Suspicious Client Application
- Excessive Access Violation
- Time Range Violation
- Suspicious Client IP (only for "TCP/IP Sniffer")
DB2:
- Security Violation
- Suspicious OS User
- Suspicious Object Access
- Suspicious Location
- Excessive Access Violation
- Time Range Violation
- Suspicious Client IP (only for "TCP/IP Sniffer")
Sybase:
- Security Violation
- Suspicious OS User
- Suspicious Object Access
- Suspicious Location
- Excessive Access Violation
- Time Range Violation
- Suspicious Client IP (only for "TCP/IP Sniffer")
MySQL:
- Security Violation
- Suspicious Object Access
- Suspicious Location
- Excessive Access Violation
See also
- Configuring alert rules for a user policy
Configuring a database policy
Database policies generate audit records only. You do not configure them to generate alerts.
To configure a database policy
1. Do one of the following:
   - To configure a policy that is available to add to multiple target monitoring configurations, go to Policy > DAM Audit Policies.
   - To configure a policy for a specific target, go to DB Activity Monitoring > Monitoring Management, and then click a target name. Then, click the Audit Policies tab.
2. In the Data Policies list, select Database, and then click Add.
3. Complete the Policy Info settings. For detailed information about the settings, see Managing DAM policies on page 145.
4. To expand Audit Settings, click the triangle icon beside the section name.
5. Do one of the following:
   - Select Manually Select Object and then enter the specific database or schema name.
   - Select Browse Object by Target to select a specific database or schema name from the list.
6. If you are configuring the policy using Policy > DAM Audit Policies and selecting an object by browsing, for Target, select a target. Then, select one or more items from the Database or Schema list. Enter text in the Search field to filter the list of databases and schemas.
7. For Audit Actions, select one or more of the following values: Select, Insert, Update, Delete.
8. Click > (right arrow) to move the selected items to the Selected Objects table.
To remove items, select the item, and then click < (left arrow). Click << (double left arrow) to remove all items.
9. Select Save.
The new policy is displayed in the list of policies.
Configuring a database query policy
A database query policy is an alert policy that allows you to query the target database with SQL and save the result as an alert. Database query policies do not generate audit records.
For example, for Microsoft SQL Server databases, create a database query policy with the following SQL Query value: select @@version. The query returns the following result in the alerts:
Microsoft SQL Server 2012 - 11.0.2100.60 (Intel X86) Feb 10 2012 19:13:17 Copyright (c) Microsoft Corporation Express Edition on Windows NT 6.0 <X86> (Build 6002: Service Pack 2) (Hypervisor)
FortiDB runs the database query policy according to a schedule you specify.
To configure a database query policy and add it to a target monitoring configuration
1. Do one of the following:
   - Go to Policy > DAM Alert Policies.
   - Go to DB Activity Monitoring > Monitoring Management, and then click a target name. Then, click the Alert Policies tab.
2. In the Data Policies list, select Database Query, and then click Add.
3. Complete the Policy Info settings. For detailed information about the settings, see Managing DAM policies on page 145.
4. Complete the following settings, which are specific to database query policies:
SQL query | Enter the query text.
Return Records Count Limit | Enter the maximum number of returned records that FortiDB includes in the alert that this policy generates. For example, if you enter 5, the database returns the first 5 records of the table that you queried, which FortiDB displays in the details for the corresponding alert. The default value is 1.
Targets | Select the target database to query.
5. If you are creating the policy using the monitoring configuration for a specific target, you can ensure the policy is added to the configuration by selecting Create new policy group for policy.
6. To test if the SQL query is valid, click Test.
If it is valid, the message "Success" is displayed.
7. Click Save.
The policy you created is displayed in the data policy list.
8. Go to DB Activity Monitoring > Monitoring Management, and then click a target name.
9. On the Alert Policy Groups tab, ensure that a group that includes the database query policy that you created is selected.
For example, the policy is added if the Data Policies policy group is selected.
For more information on adding policies, see Adding policy groups to target database monitoring on page .
10. Click the Query Schedule tab, select Enable Schedule for Database Query Policy, and then use the following settings to specify a schedule:
Schedule type | Specify Run Once or Recurring.
Starts at | Specify a start time and date for the policy.
Recurrence pattern | Specify at what interval FortiDB runs the policy. For example, select Weekly, and then select a day of the week. Displayed only when Recurring is selected.
Ends by | Specify No end date or select a date. Displayed only when Recurring is selected.
11. Click Save.
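To make the Return Records Count Limit and the Test button concrete, here is an added Python illustration of what one run of a database query policy produces. It is not FortiDB's implementation: an in-memory SQLite database stands in for the target, `select sqlite_version()` stands in for the handbook's Microsoft SQL Server example `select @@version`, and the policy dictionary layout, the function names and the `truncated` flag are assumptions.

```python
import sqlite3
from datetime import datetime, timezone


def build_sample_target():
    """Constructed stand-in for a target database: an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, login TEXT, is_locked INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts (login, is_locked) VALUES (?, ?)",
        [("scott", 0), ("hr", 0), ("etl", 0), ("app_svc", 0),
         ("auditor", 0), ("guest", 1), ("legacy", 0)],
    )
    conn.commit()
    return conn


def validate_query(conn, sql):
    """The Test button (step 6): compile the statement without executing it.
    Returns (True, "Success") for a valid statement, (False, <error>) otherwise."""
    try:
        conn.execute("EXPLAIN " + sql)
        return True, "Success"
    except sqlite3.Error as exc:
        return False, str(exc)


def run_query_policy(conn, policy, now=None):
    """Execute one database query policy and build the alert record.

    policy keys: name, target, sql (the SQL Query setting) and limit
    (the Return Records Count Limit; the handbook's default is 1).
    """
    limit = int(policy.get("limit", 1))
    if limit < 1:
        raise ValueError("Return Records Count Limit must be at least 1")
    cur = conn.execute(policy["sql"])
    columns = [d[0] for d in cur.description] if cur.description else []
    rows = cur.fetchmany(limit)  # only the first <limit> records reach the alert
    # Assumed extra: whether the query returned more records than the alert shows.
    truncated = len(rows) == limit and cur.fetchone() is not None
    stamp = now or datetime.now(timezone.utc)
    return {
        "policy": policy["name"],
        "target": policy["target"],
        "time": stamp.isoformat(),
        "columns": columns,
        "records": [dict(zip(columns, r)) for r in rows],
        "truncated": truncated,
    }


# Constructed policies for the sample target.
VERSION_POLICY = {
    "name": "Target version", "target": "sample-sqlite",
    "sql": "select sqlite_version()", "limit": 1,
}
UNLOCKED_POLICY = {
    "name": "Unlocked accounts", "target": "sample-sqlite",
    "sql": "SELECT login FROM accounts WHERE is_locked = 0 ORDER BY id", "limit": 5,
}

if __name__ == "__main__":
    conn = build_sample_target()
    print(validate_query(conn, "SELEC 1"))  # an invalid query fails the test step
    for policy in (VERSION_POLICY, UNLOCKED_POLICY):
        alert = run_query_policy(conn, policy)
        print(alert["policy"], alert["records"], "truncated" if alert["truncated"] else "")
```

The sample table holds six unlocked accounts, so with a limit of 5 the alert carries the first five and the sixth is dropped; that is exactly the situation in which the handbook's limit setting decides what an analyst gets to see in the alert details.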
Privilege policies
The target database monitoring and auditing features use privilege policies to monitor or track changes to privilege settings in selected databases.
You cannot create privilege policies, but you can modify some of the settings of the pre-defined privilege policies.
To view predefined privilege policies, on the DAM Security Alert Policies or DAM Activity Auditing Policies page, from the View list, select Privilege Policies.
To configure a privilege policy
1. Do one of the following:
   - To configure a policy that is available to add to multiple target monitoring configurations, go to Policy > DAM Alert Policies or Policy > DAM Audit Policies.
   - To configure a policy for a specific target, go to DB Activity Monitoring > Monitoring Management, and then click a target name. Then, click the Alert Policies or Audit Policies tab.
2. To identify privilege policies, do one of the following:
   - If you are using the DAM Security Alert Policies or DAM Activity Auditing Policies page, from the View list, select Privilege Policies.
     The View menu filters policies using the pre-defined Privilege Policies group, which includes privilege policies for all database types. To view privilege policies for a specific database type, modify the filter of the Privilege Policies group or create a new policy group. For details about modifying a policy group, see Alert and audit policy groups on page 179.
   - If you are using the target monitoring configuration, under Type, look for the icon.
3. Click the name of the policy you want to configure.
4. On the Edit Audit Policy page, under Policy Info, enter an optional description, and then select Enable.
5. If you are configuring an alert policy, for Severity, select one of the following options:
   - Informational (default, lowest severity level)
   - Cautionary
   - Minor
   - Major
   - Critical (highest severity level)
6. Click Save.
See also
- Microsoft SQL Server privilege policies
Oracle privilege policies
FortiDB provides the following privilege policies:
Policy Names | Contents | Description
Column Privileges | Column-level privilege granting | This policy generates alerts when the column privileges are modified. For example, user SCOTT can grant SELECT privileges on a column of a table to a user, without letting that user SELECT on other columns in the same table.
Profiles | Resources (I/O, etc.) assigned to users | This policy generates alerts when the profiles are modified. Changes to any profile setting could have wide-reaching effects.
Role Privileges | Roles granted to users and other roles | This policy generates alerts when the role privileges are modified. It also contains information about which role has been assigned to other roles. A change of a user's role means a change in the user's access privileges. Role changes should be closely monitored to ensure data security.
Roles | Database roles | This policy generates alerts when the roles are modified. Contains information about all existing roles in the database.
System Privileges | All granted system privileges | This policy generates alerts when the system privileges are created, deleted, or modified. Contains all system privileges granted to all users or roles. System privileges are powerful privileges and should be granted with great caution. Monitoring system-privilege changes should be mandatory.
Table Privileges | All granted schema-object privileges | This policy generates alerts when the table privileges are modified. Lists all granted privileges on schema objects. These include privileges on tables, views, sequences, procedures, functions and packages.
User Privileges | Database users | This policy generates alerts when the user privileges are modified. Contains information about users in the database. Although this view has no privilege information, it contains the users to whom privileges may be assigned or changed.
Microsoft SQL Server privilege policies
The following privilege policies are available for Microsoft SQL Server databases:
Policy Names | Privileges involved | Description
Column Privileges | Column-level privilege | This policy generates alerts when the column privileges are modified.
Member Privileges | Role- and group-membership assignments | This policy generates alerts when the members are modified.
Object Privileges | Column-, table- and other object-level privileges | This policy generates alerts when the object privileges are modified.
Roles | All objects that are accessible by the current user | This policy generates alerts when the roles are modified. Contains information about all existing roles in the database.
Server Roles | Default server roles assigned to users | This policy generates alerts when the server roles are modified.
User Privileges | Lists valid database users and the groups to which they belong | This policy generates alerts when the user privileges are modified.
Sybase privilege policies
The following privilege policies are available for Sybase databases:
Policy Names | Privileges involved | Description
Column Privileges | Column-level privilege | This policy generates alerts when the column privileges are modified.
Member Privileges | Role- and group-membership assignments | This policy generates alerts when the member privileges are modified.
Object Privileges | Column-, table- and other object-level privileges | This policy generates alerts when the object privileges are modified.
Procedures | Procedure privilege | This policy generates alerts when the procedures are modified.
Roles | All role groups at the server level | This policy generates alerts when the role groups are modified.
Roles and Groups | All roles and groups. A group is a user group at the database level. | This policy generates alerts when the roles and groups are modified.
System Privileges | All granted system privileges | This policy generates alerts when the system privileges are modified.
User Privileges | Lists valid database users and the groups to which they belong | This policy generates alerts when the user privileges are modified.
DB2 privilege policies
The following privilege policies are available for DB2 databases:
Policy Names | Contents | Description
Column Privileges | Column privileges |
Database Privileges | Database system privileges |
Index Privileges | Index privileges | This view contains the right to DROP the index. For example, the creator of an index automatically has this CONTROL privilege.
Package Privileges | A package is a database object grouping related procedures, functions, associated cursors, and variables together. | CONTROL: provides the ability to rebind, drop, execute, and extend these package privileges to others. Only SYSADM and DBADM authorities can grant CONTROL privilege. BIND: provides the privilege to rebind an existing package. EXECUTE: provides the privilege to execute a package.
Schema Privileges | Objects within a schema: tables, views, indexes, packages, data types, functions, triggers, procedures, and aliases | CREATEIN: provides the privilege to create objects within the schema. ALTERIN: provides the privilege to alter objects within the schema. DROPIN: provides the privilege to drop objects within the schema.
Table and View Privileges | Table and view privileges | CONTROL: provides the privilege to DROP the table or view and GRANT table or view privileges to somebody else. ALTER: provides the privilege to add columns, comments, a primary key or unique constraint, to create triggers, and to create or drop check constraints. DELETE: provides the privilege to delete rows. INDEX: provides the privilege to CREATE INDEX. INSERT: provides the privilege to INSERT rows. REFERENCES: provides the privilege to CREATE or DROP a foreign key. SELECT: provides the privilege to retrieve data. UPDATE: provides the privilege to change existing entries.
Tablespace Privileges | Tablespace privileges | A SYSADM or SYSCTRL authority can create a tablespace and grant USE privilege to others.
MySQL privilege policies
The following privilege policies are available for MySQL databases:
Policy Names | Privileges involved | Description
Column Privileges | Column-level privilege | This policy generates alerts when the column privileges are modified.
Object Privileges | Column-, table- and other object-level privileges | This policy generates alerts when the object privileges are modified.
Procedures | Procedure privilege | This policy generates alerts when the procedures are modified.
See also
- Metadata policies
Metadata policies
The target database monitoring and auditing features use metadata policies to monitor or track changes in metadata in selected databases.
You cannot create metadata policies, but you can modify some of the settings of the pre-defined metadata policies.
To view predefined metadata policies, on the DAM Security Alert Policies or DAM Activity Auditing Policies page, from the View list, select Metadata Policies.
To configure a metadata policy
1. Do one of the following:
   - To configure a policy that is available to add to multiple target monitoring configurations, go to Policy > DAM Alert Policies or Policy > DAM Audit Policies.
   - To configure a policy for a specific target, go to DB Activity Monitoring > Monitoring Management, and then click a target name. Then, click the Alert Policies or Audit Policies tab.
2. To identify metadata policies, do one of the following:
   - If you are using the DAM Security Alert Policies or DAM Activity Auditing Policies page, from the View list, select Metadata Policies.
     The View menu filters policies using the pre-defined Metadata Policies group, which includes metadata policies for all database types. To view metadata policies for a specific database type, modify the filter of the Metadata Policies group or create a new policy group. For details about modifying a policy group, see Alert and audit policy groups on page 179.
   - If you are using the target monitoring configuration, under Type, look for the icon.
3. Click the name of the policy you want to configure.
4. On the Edit Audit Policy page, under Policy Info, enter an optional description, and then select Enable.
5. If you are configuring an alert policy, for Severity, select one of the following options:
   - Informational (default, lowest severity level)
   - Cautionary
   - Minor
   - Major
   - Critical (highest severity level)
6. Click Save.
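Privilege policies (previous section) and metadata policies are both pre-defined change detectors: FortiDB raises an alert, at the severity you selected in step 5, when the catalogue entries for privileges or for database objects change. The following added Python example models that behaviour as a comparison of two catalogue snapshots for one privilege policy and one metadata policy. It is an illustration, not FortiDB's implementation; the row fields, the key columns, and the constructed snapshots (a DBA grant to SCOTT, an HR trigger that is disabled and one that is dropped) are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Severity levels exactly as the handbook lists them, lowest to highest.
SEVERITIES = ("Informational", "Cautionary", "Minor", "Major", "Critical")


@dataclass(frozen=True)
class ChangeAlert:
    policy: str
    severity: str
    change: str                      # "added", "removed" or "modified"
    key: Tuple[str, ...]             # identifies the grant or the object
    before: Optional[Dict[str, str]]
    after: Optional[Dict[str, str]]


def diff_snapshots(policy, severity, key_fields, before, after):
    """Compare two catalogue snapshots and return one ChangeAlert per change.

    before/after: iterables of dict rows as read from the target's catalogue.
    key_fields: the columns that identify a row (e.g. grantee and privilege).
    """
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity: {severity}")

    def index(rows):
        return {tuple(r[k] for k in key_fields): r for r in rows}

    old, new = index(before), index(after)
    alerts = []
    for key in old.keys() - new.keys():
        alerts.append(ChangeAlert(policy, severity, "removed", key, old[key], None))
    for key in new.keys() - old.keys():
        alerts.append(ChangeAlert(policy, severity, "added", key, None, new[key]))
    for key in old.keys() & new.keys():
        if old[key] != new[key]:
            alerts.append(ChangeAlert(policy, severity, "modified", key, old[key], new[key]))
    return sorted(alerts, key=lambda a: (a.change, a.key))


# Constructed snapshots for a privilege policy: system privileges, keyed by
# grantee and privilege name.
SYSPRIV_BEFORE = [
    {"grantee": "SCOTT", "privilege": "CREATE SESSION", "admin_option": "NO"},
    {"grantee": "HR", "privilege": "CREATE SESSION", "admin_option": "NO"},
]
SYSPRIV_AFTER = SYSPRIV_BEFORE + [
    {"grantee": "SCOTT", "privilege": "DBA", "admin_option": "YES"},
]

# Constructed snapshots for a metadata policy: triggers, keyed by schema and
# name. body_hash is a constructed stand-in for the trigger source.
TRIGGERS_BEFORE = [
    {"schema": "HR", "name": "AUDIT_SALARY", "status": "ENABLED", "body_hash": "c3a1"},
    {"schema": "HR", "name": "CHECK_DEPT", "status": "ENABLED", "body_hash": "9f02"},
]
TRIGGERS_AFTER = [
    {"schema": "HR", "name": "AUDIT_SALARY", "status": "DISABLED", "body_hash": "c3a1"},
]


def run_examples():
    """Run both policies over the constructed snapshots."""
    priv = diff_snapshots("System Privileges", "Critical",
                          ("grantee", "privilege"), SYSPRIV_BEFORE, SYSPRIV_AFTER)
    meta = diff_snapshots("Triggers", "Major",
                          ("schema", "name"), TRIGGERS_BEFORE, TRIGGERS_AFTER)
    return priv, meta


if __name__ == "__main__":
    for alert in sum(run_examples(), []):
        print(f"[{alert.severity}] {alert.policy}: {alert.change} {alert.key}")
```

Keeping the before and after rows on the alert is what makes these policies useful in an investigation: a disabled audit trigger or a new DBA grant is obvious from the alert itself, without a second trip to the catalogue.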
See also
- Microsoft SQL Server metadata policies
Oracle metadata policies
The following metadata policies are available for Oracle databases:
Policy Names | Contents | Description
Packages | packages | This policy generates alerts when database packages are modified.
Synonyms | synonyms | This policy generates alerts when database synonyms are modified.
Tables | tables, columns and indexes | This policy generates alerts when tables, columns, or indexes are modified.
Tablespaces | tablespaces | This policy generates alerts when tablespaces are modified.
Triggers | triggers | This policy generates alerts when triggers are modified.
Views | views | This policy generates alerts when views are modified.
Microsoft SQL Server metadata policies
The following metadata policies are available for Microsoft SQL Server databases:
Policy Names | Contents | Description
Routines | routines | This policy generates alerts when database packages are modified.
Tables | tables, columns and indexes | This policy generates alerts when tables, columns, or indexes are modified.
Triggers | triggers | This policy generates alerts when triggers are modified.
Views | views | This policy generates alerts when views are modified.
Sybase metadata policies
The following metadata policies are available for Sybase databases:
Policy Names | Contents | Description
Indexes | indexes | This policy generates alerts when indexes are modified.
Stored Procedures | stored procedures | This policy generates alerts when stored procedures are modified.
Tables | tables, columns and indexes | This policy generates alerts when tables, columns, or indexes are modified.
Triggers | triggers | This policy generates alerts when triggers are modified.
Views | views | This policy generates alerts when views are modified.
DB2 metadata policies
The following metadata policies are available for DB2 databases:
Policy Names | Contents | Description
Aliases | aliases | This policy generates alerts when aliases are modified.
Indexes | indexes | This policy generates alerts when indexes are modified.
Packages | packages | This policy generates alerts when database packages are modified.
Tables | tables | This policy generates alerts when tables and columns are modified.
Tablespaces | tablespaces | This policy generates alerts when tablespaces are modified.
Triggers | triggers | This policy generates alerts when triggers are modified.
Views | views | This policy generates alerts when views are modified.
MySQL metadata policies
The following metadata policies are available for MySQL databases:
Policy Names | Contents | Description
Events | events | This policy generates alerts when events are modified.
Indexes | indexes | This policy generates alerts when indexes are modified.
Stored Procedures | stored procedures | This policy generates alerts when stored procedures are modified.
Tables | tables | This policy generates alerts when tables and columns are modified.
Triggers | triggers | This policy generates alerts when triggers are modified.
Views | views | This policy generates alerts when views are modified.
PCI, SOX, and HIPAA alert policies
Regulatory compliance policies record all types of database activities and store the data in the FortiDB repository.
You can use these policies to generate the following compliance reports:
- Sarbanes-Oxley (SOX)
- Payment Card Industry Data Security Standard (PCI DSS)
- HIPAA (Health Insurance Portability and Accountability Act)
You cannot create these types of policies, but you can change the configuration of the pre-defined metadata policies.
For details about compliance reports, see PCI, SOX, and HIPAA reports on page 242.
To view regulatory compliance policies:
1. Go to Policy > DAM Alert Policies.
2. Select the policy type from the View dropdown. For example, select PCI Policies.
For Oracle databases, if the Security Alerts page does not display alerts generated by regulatory compliance policies as expected, you can run a script that fixes the problem. See Configuring an Oracle database for PCI, SOX, and HIPAA policies on page 81.
See also
- Configuring PCI, SOX and HIPAA policies
- Selecting which tables FortiDB tracks for PCI, SOX and HIPAA reports (Object Audit Options)
- Select users to audit for PCI and SOX reports (User Audit Options)
Configuring PCI, SOX and HIPAA policies
Some regulatory compliance reports require you to set either Object Audit Options or User Audit Options for the corresponding policy group item.
1. Go to Policy > DAM Alert Policies.
2. For View, select PCI Policies, Sox Policies, or HIPAA Policies.
3. Click the policy name.
The Edit Alert Policy page for the policy is displayed.
4. Enter the following information if necessary.
a. Enter a description.
b. Select Enable to enable the policy.
5. Select one of the following severity options from the dropdown list.
   - Informational (default, lowest severity level)
   - Cautionary
   - Minor
   - Major
   - Critical (highest severity level)
6. For generating reports, set Object Audit Options or User Audit Options, if required. See Selecting which tables FortiDB tracks for PCI, SOX and HIPAA reports (Object Audit Options) on page 177 and Select users to audit for PCI and SOX reports (User Audit Options) on page 178.
See also
- Selecting which tables FortiDB tracks for PCI, SOX and HIPAA reports (Object Audit Options)
- Select users to audit for PCI and SOX reports (User Audit Options)
Selecting which tables FortiDB tracks for PCI, SOX and HIPAA reports (Object Audit Options)
Some regulatory compliance reports require you to select the tables on which FortiDB tracks data changes. The reports display the activity in the tables you specify.
You select the objects to audit for the following regulatory compliance reports using the corresponding PCI or SOX policy:
- Abnormal or Unauthorized Changes to Data
- Abnormal Use of Service Accounts
- Abnormal Termination of Database Activity
- End of Period Adjustments
- PCI - Invalid Operation
- PCI - Access to Credit Card Tables
- HIPAA Privilege Changes
- HIPAA Access to EPHI data
- HIPAA User Privileges on EPHI data
To configure the Object Audit Options settings for a policy
1. Go to the editing page for the policy. (See Configuring PCI, SOX and HIPAA policies on page 176.)
2. Under Object Audit Settings, in the Select Objects to Audit section, select one of the check boxes. The following steps are based on the default setting of this field.
   - Manually Select Object: You enter the specific object name.
   - Browse Object by Target: You can select one from the dropdown list (default).
3. In the Target field, select a target from the dropdown list.
4. For Oracle and DB2, in the Schema field, select one from the dropdown list. For Microsoft SQL Server and Sybase, select one from the dropdown list in the Database field, and then select one in the Schema field.
5. From the Tables selection box, select one or more tables.
For Oracle databases, you can also select a synonym.
6. Select the Read (Select) or Write (Insert/Update/Delete) check box or both in the Audit Actions field.
7. Click the right arrow to move the selection to the Selected Objects table.
If you want to remove the objects from the Selected Users list, select the user you want to remove, then click the left arrow.
8. Click Save.
9. Optionally, configure the User Audit Options for the following policies: Sox Abnormal or Unauthorized Changes to Data, Sox Abnormal Termination of Database Activity, Sox Abnormal Use of Service Accounts, and PCI - User Audit Options. For details about setting the User Audit Options, see "Setting or Modifying User Audit Options".
See also
- Configuring PCI, SOX and HIPAA policies
Select users to audit for PCI and SOX reports (User Audit Options)
This action is required for the following policies to generate the corresponding reports: Abnormal Use of Service Accounts, Abnormal Termination of Database Activity, Sox Abnormal or Unauthorized Changes to Data, and PCI - Privileged User Action.
1. To edit the policy, in the list of SOX or PCI policies, click its name. For example, click Sox Abnormal or Unauthorized Changes to Data.
2. In the User Audit Options section, select a target from the Browse by target dropdown list. You can also enter a username in the Enter user field.
3. Click the right arrow to move the selection to the Selected Objects table.
If you want to remove the objects from the Selected Users list, select the user you want to remove, then click the left arrow.
4. Click Save.
See also
- Configuring PCI, SOX and HIPAA policies
Alert and audit policy groups
FortiDB provides pages that display all DAM alert and audit policy groups with descriptions and allow you to perform the following tasks:
- Add a new policy group by selecting Add.
- Click the group name to modify the policy group, including selecting which target databases FortiDB monitors using the policies in the group.
- Delete the user-defined policy groups by selecting the group and clicking Delete.
Because you use filtering criteria to specify which policies are members of a group, any time you create a new policy that matches the filtering criteria, FortiDB automatically adds it to the corresponding policy group.
See also
- Creating or modifying an alert or audit policy group
- Adding policy groups to target database monitoring
Creating or modifying an alert or audit policy group
1. Do one of the following:
   - Go to Policy > DAM Alert Policy Groups.
   - Go to Policy > DAM Audit Policy Groups.
2. Do one of the following:
   - To add a new group, click Add. Then, for Group Name, enter a name for the policy group. You can click Cancel to cancel creating a new policy-group filter and go back to the main policies page.
   - To modify a group, click its name.
3. Optionally, for Description, add or edit text that describes your grouping criteria or other helpful information.
4. On the Filters tab, use the following settings to create or edit your filtering criteria:
Operator | Specify And or Or to combine the row with the previous one. The values And and Or are not available for the first row.
Column | Specify a column to use for filtering.
Operator | Specify an operator.
Value | Enter a value or select one from the list of available values. If you are using a list, click > (right arrow) to add selected items to the right-hand list.
- (minus) and + (plus) | Click to add or remove rows that define criteria.
For example:
Column | Operator | Value | Returns
Database Type | Equals | DB2 | All policies associated with DB2 databases
Policy Type | Equals | Metadata Policies | Metadata policies associated with DB2 databases
5. To apply your filtering criteria, click Search.
6. To save the configuration, select Save Group.
7. To associate the policy group to a target database:
   a. Select the Targets tab.
   b. In the box on the left, select targets to associate with the policy group, and then click the right arrow to move the selection to the box on the right.
8. Click Save.
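The filter rows of step 4 and the automatic membership rule (any new policy matching the criteria joins the group), as an added Python illustration rather than FortiDB code. The policy catalogue is constructed from names that appear in the handbook's privilege and metadata tables; the Not Equals operator and the left-to-right combination of And/Or rows are assumptions, since the handbook shows only Equals and states no precedence.

```python
from typing import Callable, Dict, Optional, Tuple

# Filter operators. Equals is the one the handbook's example uses;
# "Not Equals" is an assumed extra for illustration.
OPERATORS: Dict[str, Callable[[Optional[str], str], bool]] = {
    "Equals": lambda actual, expected: actual == expected,
    "Not Equals": lambda actual, expected: actual != expected,
}

# Constructed catalogue of pre-defined policies.
POLICIES = [
    {"Name": "Tables", "Database Type": "DB2", "Policy Type": "Metadata Policies"},
    {"Name": "Packages", "Database Type": "DB2", "Policy Type": "Metadata Policies"},
    {"Name": "Schema Privileges", "Database Type": "DB2", "Policy Type": "Privilege Policies"},
    {"Name": "Synonyms", "Database Type": "Oracle", "Policy Type": "Metadata Policies"},
    {"Name": "Server Roles", "Database Type": "Microsoft SQL Server", "Policy Type": "Privilege Policies"},
]

# One filter row = (conjunction, column, operator, value). The conjunction
# (And/Or) is ignored on the first row, as on the Filters tab.
Criterion = Tuple[Optional[str], str, str, str]


def matches(policy, criteria):
    """Evaluate the filter rows against one policy, combining rows left to
    right (assumed evaluation order)."""
    result = False
    for i, (conj, column, op, value) in enumerate(criteria):
        row_ok = OPERATORS[op](policy.get(column), value)
        if i == 0:
            result = row_ok
        elif conj == "And":
            result = result and row_ok
        elif conj == "Or":
            result = result or row_ok
        else:
            raise ValueError(f"row {i + 1} needs And or Or, got {conj!r}")
    return result


def group_members(policies, criteria):
    """Names of the policies the group contains right now. Because membership
    is computed from the filter, a newly created matching policy appears here
    without anyone editing the group."""
    return [p["Name"] for p in policies if matches(p, criteria)]


# The handbook's two example rows, expressed as criteria.
DB2_ALL = [(None, "Database Type", "Equals", "DB2")]
DB2_METADATA = DB2_ALL + [("And", "Policy Type", "Equals", "Metadata Policies")]

if __name__ == "__main__":
    print(group_members(POLICIES, DB2_ALL))
    print(group_members(POLICIES, DB2_METADATA))
    # A policy created later that matches the filter is a member automatically.
    later = POLICIES + [{"Name": "Views", "Database Type": "DB2",
                         "Policy Type": "Metadata Policies"}]
    print(group_members(later, DB2_METADATA))
```

The practical consequence for a defender is the one the handbook states: a group's filter is a living definition, so reviewing group membership after new policies are created (for example after an upgrade that ships new pre-defined policies) is part of keeping the monitoring scope intentional.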
See also
- Adding policy groups to target database monitoring
Adding policy groups to target database monitoring
You use the DAM Alert Policy Groups and DAM Audit Policy Groups pages to add alert or audit policy groups to the monitoring configuration for one or more target databases.
Go to Policy > DAM Alert Policy Groups or Policy > DAM Audit Policy Groups, click a group name, and then use the Targets tab to select targets.
Alternatively, you can use the target database monitoring configuration to add policies to an individual target. For information, see Adding alert and audit policies to monitoring on page 205 and Adding policy groups to target monitoring on page 206.
Deleting a policy group
You can delete user-defined policy groups but not pre-defined policy groups.
1. Do one of the following:
   - Go to Policy > DAM Alert Policy Groups.
   - Go to Policy > DAM Audit Policy Groups.
2. Select the check box for one or more user-defined policies.
3. Click Delete.
Vulnerability assessment
You configure and run vulnerability assessments (VAs) from the Assessments page. This assessment management page allows you to create a database group, add policy groups and a schedule, and run the scan.
See also
- Adding or modifying assessments
- View VA global summary information
- Viewing and exporting a privilege summary
- Viewing VA and sensitive data discovery event logs
Adding or modifying assessments
This topic describes the task of adding (or modifying) FortiDB assessments. For a successful assessment, you must:
- Create, or use an existing, target-base group which contains at least one valid target database
- Create, or use an existing, policy group which contains at least one working policy
Note: FortiDB does not perform an automatic session timeout after a certain period of time has elapsed. For example, if you leave assessment results on your screen while at lunch, unauthorized individuals could see this information. Therefore, you should log out or close your browser if you expect to leave your computer unattended.
Note: Items marked with an asterisk (*) on data-entry forms are mandatory.
1. Go to Vulnerability Assessment > Assessments.
2. Do one of the following:
   - To add an assessment, click Add.
   - To modify an assessment, click its name.
3. On the General tab, enter the requested items: an Assessment Name so that you can reuse it later and (optionally) a Description of your assessment. Then configure your assessment using the tabs on the web page.
4. In the Targets tab, specify which target groups you want to assess.
Select one or more target groups from the Available Target Groups list on the left and click >> (right arrows) to add them to the Assigned Target Groups list. You can remove a target group from the Assigned Target Groups list on the right by clicking << (left arrows).
5. In the Policies tab, specify which target groups you want to assess.
   a. Select one or more policy groups from the Available Policy Groups list on the left and add them to the Assigned Policy Groups list by selecting the right-arrow button. (To remove a policy group from the Assigned Policy Groups list, select the left-arrow button.)
   b. To see the policies associated with a policy group, select the group in either the Available Policy Groups list or the Assigned Policy Groups list. The list of policies is displayed in the Active Policies list.
6. Optionally, to specify policies to exclude from assessments by target:
   a. Click Vulnerability Assessment > Assessments Exempted Policies.
   b. Double-click the name of the target to view the list of policies you can exempt from assessments for that target.
   c. In the Available Exempted Policies list, select the policy to exclude, and then click >> (double arrows) to add it to the Selected Exempted Policies list.
   d. Click Save.
See also
- Configuring assessment notifications
- Selecting the type of report an assessment generates
- Reviewing, deleting, and aborting assessment results
Running assessments
The Scheduling tab of the Assessment page provides the following options:
- Run once — Enables you to specify the time and date for a single assessment run
- Recurring — Enables you to schedule a series of assessments
Running an assessment immediately
1. Go to Vulnerability Assessment > Assessments.
2. Click the name of an assessment.
3. Click Run.
Running an assessment at a specified date and time
1. Select the Run once radio button.
2. In the Starts at field group, specify a starting date directly, use the default, or alternatively, select the calendar icon, and then select a date.
3. Select the Enable Schedule check box if you want to activate your schedule. (By default, your assessment schedule is disabled so that you can configure it without activating it.)
4. Select the Save button to save your schedule.
Running scheduled assessments
1. Select the Recurring radio button.
2. In the Starts at field group, specify a starting date directly, use the default, or alternatively, select the calendar icon, and then select a date.
3. Select one of the radio buttons in the Recurrence pattern field group.
• If you choose the Hourly radio button, you can then specify the hourly interval in the Every __ hours field.
• If you choose the Daily radio button, you can then specify the daily interval in the Every __ days field.
• If you choose the Weekly radio button, you can then specify the day(s) of the week on which you want your weekly assessments to run.
• If you choose the Monthly radio button, you can then specify which day(s) during which month(s) you want your assessment to run. The Day radio button and adjacent dropdown list allow you to specify the numeric day for your assessment to run in each specified month. Alternatively, you may specify the day in each month, such as the 'first Monday', using the two provided dropdown lists.
a. In the Starts at field group, specify a starting time or use the default.
b. In the Recurrence pattern field group, select the Hourly, Daily, Weekly, or Monthly radio button.
c. In the Ends by field group, you can leave the default No end date radio button selected, or select the End by radio button and then specify the date on which you want your schedule to end by clicking the calendar icon.
4. Select the Enable Schedule check box if you want to activate your schedule. (By default, your assessment schedule is disabled so that you can configure it without activating it.)
5. In the Administrative Domains section, you can select which users this scheduled task will be applicable for.
Remember that users may only manage specific targets, so this section provides a way to perform assessments on particular targets. If one or more of the selected users manages all targets, then assessments will be performed on all applicable targets for this VA scan.
6. Select the Save button to save your schedule.
See also
• Adding or modifying assessments
• Viewing VA and sensitive data discovery event logs
Configuring assessment notifications
This topic describes the task of configuring how and to whom assessment notifications will be sent. You can choose email and/or SNMP-trap notifications of these issues.
1. In the Desired Notification format(s) section of the Notifications tab, select the Target Level (default) and/or the Rule Level check box(es).
• Target-level notifications contain a target-database-level summary of issues discovered during the assessment.
• Rule-level notifications contain detail for every discovered issue.
2. Select the Enable Email and/or the Enable SNMP Trap check box(es) in order to enable email and/or SNMP notifications, respectively, of assessment-discovered issues.
a. For email notifications, you must designate one or more email receivers. Select one or more of the entries in the Available Receivers list box and add them to the Selected Receivers list on the right by clicking the right-arrow button.
• When the email receiver cannot be reached, it is your email server's responsibility to retry sending the email.
• In order to remove receiver(s), select them in the Selected Receivers list and click the left-arrow button.
• In order to see the details associated with any receiver, select the name of a receiver in either the Available Receivers or Selected Receivers list and those details will appear in the Receiver Details list on the right.
b. For SNMP notifications, you should set the Notification properties in the System Configuration component of the FortiDB application. The non-appliance version of FortiDB ships with MIB files in the $FortiDB_HOME/etc/snmp directory.
3. (Optional) If you want to attach reports to the e-mail notification, go to the Reports tab, select the Attach reports to selected e-mail receivers check box, and make sure to select one or more report(s) and format(s). Note that the Enable Report Generation to Disk option does not need to be selected to use this capability.
See also
• Adding or modifying assessments
• Notification OIDs for target-level assessments
• Notification OIDs for Rule-Level Assessments
Notification OIDs for target-level assessments
FortiDB uses the following object identifiers (OIDs) for target-level assessment notifications:
OID                                        Meaning
SNMPv2-SMI::enterprises.12356              Fortinet enterprise ID
SNMPv2-SMI::enterprises.12356.104          FortiDB product ID
SNMPv2-SMI::enterprises.12356.104.0.6      VA Alert Trap/Notification
SNMPv2-SMI::enterprises.12356.104.0.105    Assessment Time
SNMPv2-SMI::enterprises.12356.104.0.107    Target Name
SNMPv2-SMI::enterprises.12356.104.0.123    Assessment Name
SNMPv2-SMI::enterprises.12356.104.0.124    FortiDB host name
SNMPv2-SMI::enterprises.12356.104.0.125    Policy count
SNMPv2-SMI::enterprises.12356.104.0.126    Total Failed Count
SNMPv2-SMI::enterprises.12356.104.0.127    Critical failure count
SNMPv2-SMI::enterprises.12356.104.0.128    Major failure count
SNMPv2-SMI::enterprises.12356.104.0.129    Minor failure count
SNMPv2-SMI::enterprises.12356.104.0.130    Caution failure count
SNMPv2-SMI::enterprises.12356.104.0.131    Informational count
An example of a trap for a target-database-level SNMP notification:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (3) 0:00:00.03
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.12356.104.0.6
SNMPv2-SMI::enterprises.12356.104.0.105 = STRING: "Tue Dec 04 17:38:15 PST 2007"
SNMPv2-SMI::enterprises.12356.104.0.107 = STRING: "Test Target"
SNMPv2-SMI::enterprises.12356.104.0.123 = STRING: "Test Assessment"
SNMPv2-SMI::enterprises.12356.104.0.124 = STRING: "jdoe.fdb.com"
SNMPv2-SMI::enterprises.12356.104.0.125 = STRING: "158"
SNMPv2-SMI::enterprises.12356.104.0.126 = STRING: "36"
SNMPv2-SMI::enterprises.12356.104.0.127 = STRING: "10"
SNMPv2-SMI::enterprises.12356.104.0.128 = STRING: "0"
SNMPv2-SMI::enterprises.12356.104.0.129 = STRING: "2"
SNMPv2-SMI::enterprises.12356.104.0.130 = STRING: "4"
SNMPv2-SMI::enterprises.12356.104.0.131 = STRING: "20"
See also
• Adding or modifying assessments
• Notification OIDs for Rule-Level Assessments
Notification OIDs for Rule-Level Assessments
FortiDB uses the following object identifiers (OIDs) for rule-level assessment notifications:
OID                                        Meaning
SNMPv2-SMI::enterprises.12356              Fortinet enterprise ID
SNMPv2-SMI::enterprises.12356.104          FortiDB product ID
SNMPv2-SMI::enterprises.12356.104.0.6      VA Alert Trap/Notification
SNMPv2-SMI::enterprises.12356.104.0.8      VA Target Level Alert Trap/Notification
SNMPv2-SMI::enterprises.12356.104.0.102    Severity
SNMPv2-SMI::enterprises.12356.104.0.103    Policy Name
SNMPv2-SMI::enterprises.12356.104.0.105    Assessment Time
SNMPv2-SMI::enterprises.12356.104.0.106    Application name@server name
SNMPv2-SMI::enterprises.12356.104.0.107    Target Name
SNMPv2-SMI::enterprises.12356.104.0.123    Assessment Name
SNMPv2-SMI::enterprises.12356.104.0.124    FortiDB host name
SNMPv2-SMI::enterprises.12356.104.0.125    Policy count
SNMPv2-SMI::enterprises.12356.104.0.126    Total Failed Count
SNMPv2-SMI::enterprises.12356.104.0.127    Critical failure count
SNMPv2-SMI::enterprises.12356.104.0.128    Major failure count
SNMPv2-SMI::enterprises.12356.104.0.129    Minor failure count
SNMPv2-SMI::enterprises.12356.104.0.130    Caution failure count
SNMPv2-SMI::enterprises.12356.104.0.131    Informational count
SNMPv2-SMI::enterprises.12356.104.0.132    Policy ID
An example of formatted traps for a rule-level SNMP notification.
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (73) 0:00:00.73
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.12356.104.0.8
SNMPv2-SMI::enterprises.12356.104.0.123 = STRING: "Test Assessment"
SNMPv2-SMI::enterprises.12356.104.0.107 = STRING: "Test Target"
SNMPv2-SMI::enterprises.12356.104.0.124 = STRING: "jdoe.fdb.com"
SNMPv2-SMI::enterprises.12356.104.0.105 = STRING: "Thu Dec 06 16:26:26 PST 2007"
SNMPv2-SMI::enterprises.12356.104.0.125 = STRING: "158"
SNMPv2-SMI::enterprises.12356.104.0.126 = STRING: "36"
SNMPv2-SMI::enterprises.12356.104.0.127 = STRING: "10"
SNMPv2-SMI::enterprises.12356.104.0.128 = STRING: "0"
SNMPv2-SMI::enterprises.12356.104.0.129 = STRING: "2"
SNMPv2-SMI::enterprises.12356.104.0.130 = STRING: "4"
SNMPv2-SMI::enterprises.12356.104.0.131 = STRING: "20"
An example of the trap with the rule information:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (84) 0:00:00.84
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.12356.104.0.6
SNMPv2-SMI::enterprises.12356.104.0.132 = STRING: "6501"
SNMPv2-SMI::enterprises.12356.104.0.102 = STRING: "MINOR"
SNMPv2-SMI::enterprises.12356.104.0.103 = STRING: "DVA ORCL 01.01 Lock and Expire Unused Default Accounts"
SNMPv2-SMI::enterprises.12356.104.0.106 = STRING: "[email protected]"
SNMPv2-SMI::enterprises.12356.104.0.107 = STRING: "Test Target"
SNMPv2-SMI::enterprises.12356.104.0.123 = STRING: "Test Assessment"
SNMPv2-SMI::enterprises.12356.104.0.105 = STRING: "Thu Dec 06 16:26:26 PST 2007"
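The target-level and rule-level trap dumps shown in these two sections can be turned into typed records with a small varbind parser, which is what a SIEM or ticketing integration would need. This is an added example, not FortiDB code: the OIDs and sample traps are the handbook's, the helper names (parse_trap, classify, counts_consistent, needs_attention) are this example's own, and "app@dbhost" is a constructed placeholder for the application@server field.

```python
"""Parse FortiDB VA SNMP trap dumps (snmptrapd-style varbinds) into typed records.
Added example, not FortiDB code: OIDs and sample traps are the handbook's; helper
names are this example's own; "app@dbhost" is a constructed placeholder value."""
import re

FORTIDB = "SNMPv2-SMI::enterprises.12356.104"  # enterprise 12356, product 104

# Varbind OID -> field name, from the target-level and rule-level OID tables.
VARBIND_FIELDS = {
    FORTIDB + ".0.102": "severity",
    FORTIDB + ".0.103": "policy_name",
    FORTIDB + ".0.105": "assessment_time",
    FORTIDB + ".0.106": "application",  # "Application name@ server name"
    FORTIDB + ".0.107": "target_name",
    FORTIDB + ".0.123": "assessment_name",
    FORTIDB + ".0.124": "fortidb_host",
    FORTIDB + ".0.125": "policy_count",
    FORTIDB + ".0.126": "total_failed",
    FORTIDB + ".0.127": "critical",
    FORTIDB + ".0.128": "major",
    FORTIDB + ".0.129": "minor",
    FORTIDB + ".0.130": "caution",
    FORTIDB + ".0.131": "informational",
    FORTIDB + ".0.132": "policy_id",
}
COUNT_FIELDS = {"policy_count", "total_failed", "critical", "major",
                "minor", "caution", "informational"}
# A varbind is "<oid> = <TYPE>: <value>"; the value runs up to the next varbind
# or the end of the dump, so quoted strings containing spaces survive intact.
_VARBIND = re.compile(r"(\S+) = ([A-Za-z0-9-]+): (.*?)(?= \S+ = [A-Za-z0-9-]+: |$)")


def parse_trap(raw: str) -> dict:
    """Return {'trap': <snmpTrapOID value>, 'uptime': ..., <named fields>...}.
    Whitespace is collapsed first, so dumps wrapped across lines parse the same."""
    text = " ".join(raw.split())
    fields = {}
    for oid, vtype, value in _VARBIND.findall(text):
        if vtype == "STRING":
            value = value.strip('"')
        if oid == "SNMPv2-MIB::snmpTrapOID.0":
            fields["trap"] = value
        elif oid == "DISMAN-EVENT-MIB::sysUpTimeInstance":
            fields["uptime"] = value
        else:
            name = VARBIND_FIELDS.get(oid)
            if name is None:
                raise ValueError("unexpected varbind OID: " + oid)
            fields[name] = int(value) if name in COUNT_FIELDS else value
    return fields


def classify(fields: dict) -> str:
    """'rule' for per-policy detail, 'target-summary' for counts. The handbook's
    examples use both .0.6 and .0.8 as trap OIDs, so varbind content is a more
    reliable discriminator than the trap OID itself."""
    if "policy_id" in fields or "policy_name" in fields:
        return "rule"
    return "target-summary" if "total_failed" in fields else "unknown"


def counts_consistent(fields: dict) -> bool:
    """True when the four severity counts plus the informational count equal Total
    Failed Count, as in the handbook's sample (10+0+2+4+20 = 36); log a mismatch."""
    parts = ("critical", "major", "minor", "caution", "informational")
    return sum(fields.get(p, 0) for p in parts) == fields.get("total_failed")


def needs_attention(fields: dict, max_critical: int = 0) -> bool:
    """Triage rule: escalate a target summary with more than max_critical critical failures."""
    return classify(fields) == "target-summary" and fields["critical"] > max_critical


# Sample traps copied from the handbook's examples (application value constructed).
TARGET_LEVEL_TRAP = """DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (3) 0:00:00.03
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.12356.104.0.6
SNMPv2-SMI::enterprises.12356.104.0.105 = STRING: "Tue Dec 04 17:38:15 PST 2007"
SNMPv2-SMI::enterprises.12356.104.0.107 = STRING: "Test Target"
SNMPv2-SMI::enterprises.12356.104.0.123 = STRING: "Test Assessment"
SNMPv2-SMI::enterprises.12356.104.0.124 = STRING: "jdoe.fdb.com"
SNMPv2-SMI::enterprises.12356.104.0.125 = STRING: "158"
SNMPv2-SMI::enterprises.12356.104.0.126 = STRING: "36"
SNMPv2-SMI::enterprises.12356.104.0.127 = STRING: "10"
SNMPv2-SMI::enterprises.12356.104.0.128 = STRING: "0"
SNMPv2-SMI::enterprises.12356.104.0.129 = STRING: "2"
SNMPv2-SMI::enterprises.12356.104.0.130 = STRING: "4"
SNMPv2-SMI::enterprises.12356.104.0.131 = STRING: "20"
"""
RULE_TRAP = """DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (84) 0:00:00.84
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.12356.104.0.6
SNMPv2-SMI::enterprises.12356.104.0.132 = STRING: "6501"
SNMPv2-SMI::enterprises.12356.104.0.102 = STRING: "MINOR"
SNMPv2-SMI::enterprises.12356.104.0.103 = STRING: "DVA ORCL 01.01 Lock and Expire
Unused Default Accounts"
SNMPv2-SMI::enterprises.12356.104.0.106 = STRING: "app@dbhost"
SNMPv2-SMI::enterprises.12356.104.0.107 = STRING: "Test Target"
SNMPv2-SMI::enterprises.12356.104.0.123 = STRING: "Test Assessment"
SNMPv2-SMI::enterprises.12356.104.0.105 = STRING: "Thu Dec 06 16:26:26 PST 2007"
"""
```

Feed the dump captured by snmptrapd for each trap into parse_trap and route on classify; the rule trap carries the Policy Name that identifies the failed check, while the summary trap carries the counts used for escalation.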
See also
• Notification OIDs for target-level assessments
Selecting the type of report an assessment generates
FortiDB allows you to select which reports your assessment generates. For example, it can generate a summary report, a detailed report, or both.
1. Go to Vulnerability Assessment > Assessment.
2. Click the name of an assessment.
3. Click the Reports tab.
4. Specify which report you want for your assessment.
a. Select one or more report groups from the Available Reports list on the left and add them to the Selected Reports list box by clicking the right-arrow button. (To remove a report from the Selected Reports list, click the left-arrow button.)
To view a report description, select the report in the Selected Reports list box; the description is shown in the Report Description list box on the right.
b. Check the Enable Report check box.
5. In the Report formats field group, enable one or more of the following checkboxes:
• PDF (.pdf) (the default)
• Excel (.xls)
• Comma Delimited (.csv)
• Tab Delimited (.txt)
6. Select the Save button.
See also
• Adding or modifying assessments
Reviewing, deleting, and aborting assessment results
The Results tab of the Assessment page allows you to view the status and other information about completed and incomplete assessments, view assessment results, and to abort assessments.
When you click a Start Time value in the top table, the target name and other information is displayed in the bottom table (under Results for each target).
When you click a Target value in the bottom table, detailed results for the target are displayed.
Column name                  Description
Status                       The current status of the assessment
DB Type                      The type of your target database
Failed (Cri,Maj,Min,Cau)     The number of failed policies by severity type, where Cri is Critical, Maj is Major, Min is Minor, and Cau is Cautionary
Passed                       The number of passed policies
Informational                The number of Informational policies
Errors                       The number of policies for which errors were returned
Total                        The total number of policies incorporated by the assessment
The Status column icon can indicate one of the following values: Running, Idle, Queued, Completed, Error, or Aborted.
To delete an assessment, select one or more items in the top table, and then click Delete.
To abort an assessment, do one of the following:
• To abort an entire assessment, check the row of interest in the top table and then, below the top table, click Abort.
• To abort the assessment of a particular target database within an assessment, click a Start Time value in the top table, select a row in the bottom table, and then, below the bottom table, click Abort.
See also
• Adding or modifying assessments
• View VA global summary information
View VA global summary information
Click Vulnerability Assessment > Assessment Summary to view the summary information for all target databases.
The summary information includes statistics of assessments and vulnerabilities found by assessment.
If you assess the same target more than once, the global summary covers only the most recent assessment of that target.
The Vulnerability Assessment Global Summary page also displays statistics for checks that failed during the assessment, broken down by severity, classification, and database type.
See also
• Reviewing, deleting, and aborting assessment results
Assessment history
The Assessment History page lists assessments that have been run and scheduled reports that have been saved to disk.
Assessments History tab
This tab lists all assessments that have been run. Click the Target link to view the Detailed Report for an assessment. To delete records, select the assessment record(s) and click the Delete button.
Scheduled Reports tab
When you enable the "Save Scheduled Assessment Report to Disk File" option on the Assessment > Report tab, the selected report files are saved to disk after the scheduled assessment runs. Go to the Scheduled Reports tab to download or delete report files.
Import or export assessment history
You can export or import the result of an assessment as an XML file.
To export assessment results to an XML file
1. On the Assessments History page, specify a date range.
Assessments run within this range are exported, from 0:00 on the first date up to, but not including, 0:00 on the second date.
2. Optionally, for Prefix, specify a prefix for the XML file name.
3. Click Export, and then save the downloaded XML file.
To import assessment results from an XML file
1. On the Assessments History page, click Import.
The Import assessments history page is displayed.
2. Click Choose File to select an XML file.
3. Click Import.
4. Click the Back button to return to the Assessments History page.
If you import XML from another FortiDB, it might contain information about that FortiDB's own target databases, which are not managed by your current FortiDB. FortiDB imports these target databases as imported shadow targets, which it uses for assessment reporting. However, it does not add them to the target list and cannot manage them.
See also
• Reviewing, deleting, and aborting assessment results
• View VA global summary information
Viewing and exporting a privilege summary
To view the privilege summary, log in to FortiDB with an administrator account that has the Operations Manager or Report Manager role.
A privilege summary shows who has access to what in your target databases. As such, it can:
• Help you establish a baseline for your security system
• Show you if any users have more privileges than they need in order to do their jobs
• Show you if any roles (or, for DB2, groups) include more privileges than necessary
• Provide a common place to review privilege assignments for all FortiDB-supported target DB types
• Eliminate the need to execute the SQL statements to get privilege-assignment information
1. Click Vulnerability Assessment > Privilege Summary.
2. For Target Group, select the target group that contains the target database for which you want to see a privilege summary.
3. For Target, select the target database for which you want to see a privilege summary.
You can access Microsoft SQL Server and Sybase targets individually via database-level connections or, as a group, via server-level connections.
4. For Database Name, select the name of the database for which you want to see a privilege summary.
5. Select the Users tab in order to see a list of users, or the Roles tab in order to see a list of roles, for the specified database.
• Because MySQL does not support roles or groups of privileges, no Role tab is displayed for MySQL target databases.
• In MySQL, a user is identified by a combination of a user name and host name, such as 'root@localhost' or '[email protected]'. Therefore, two users with the same name but at different hosts can have different privileges.
a. After you have selected a user or role, you can then use the Privilege Type or Classification dropdown lists in order to filter the displayed information.
The subsequently available privilege information depends on:
• FortiDB-user access having already been given to certain target-database system tables, catalogs, and/or views. (See the Target Privilege Matrix for a list of the appropriate tables.)
• The particular combination of Privilege Type and Classification choices you make. (For more information on these choices, see DB-Type Distinctions on page 191.)
b. Optionally, you may export most of the privilege summary information that is displayed in one of the following file formats:
• PDF (Portrait (the default) or Landscape orientation)
• Tab-delimited text (.txt)
• Comma-separated-values (.csv)
See also
• Privileges for VA assessments, privilege summaries, and penetration tests
DB-Type Distinctions
The privilege summary information varies slightly by the type of the target database.
General differences
There are differences by RDBMS type:
• The Users tab is used for all RDBMS types.
• The Roles tab is used for all RDBMS types except MySQL, which does not support roles. For DB2 target databases, Roles means Groups.
Filtering differences
After selecting a specific user name on the Users tab, or a specific role on the Roles tab, you can filter the displayed privilege information.
For Oracle, DB2, Microsoft SQL Server, and Sybase, the Privilege Type dropdown offers these choices:
• Direct, which refers to privileges that have been directly assigned (i.e., not via roles) to the selected user name
• Indirect, which refers to privileges that have been assigned via roles to the selected user name
MySQL applies the Direct type only.
For Oracle, the Classification dropdown offers these choices:
• Object Privileges, which refers to privileges that pertain to a specific schema or object
• System Privileges, which refers to privileges that do not pertain to a specific schema or object
For DB2, the Classification dropdown offers these choices:
• Column Auth, which refers to privilege information on certain columns
• DB Auth, which refers to privilege information on certain databases
• Index Auth, which refers to privilege information on certain indexes
• Package Auth, which refers to privilege information on certain packages
• Schema Auth, which refers to privilege information on certain schemas
• Table Auth, which refers to privilege information on certain tables
• Tablespace Auth, which refers to privilege information on certain tablespaces
For MySQL, the Classification dropdown offers these choices:
• Column Level, which refers to privilege information on certain columns. Granting/revoking the grant option applies to all privileges within the same table only.
• Schema Level, which refers to privilege information on certain databases. Granting/revoking the grant option applies to all privileges.
• Table Level, which refers to privilege information on certain tables. Granting/revoking the grant option applies to all privileges within the same table only.
• User Level, which refers to privilege information applied to all databases on the database server. Granting/revoking the grant option applies to all privileges.
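The Direct/Indirect distinction described above can be made concrete by resolving a user's effective privileges from a set of grants, which is also how a baseline comparison (the least-privilege check the privilege summary is meant to support) can be automated. This added example is not FortiDB code and does not query a database: the grants are constructed in-memory sample data, the helper names are this example's own, and it goes slightly beyond the text by resolving nested roles (a role granted to another role), recording the role chain behind each Indirect privilege.

```python
"""Resolve a user's effective privileges as Direct or Indirect (via roles).
Added example, not FortiDB code: it reproduces the Direct/Indirect and
Object/System classification of the Oracle privilege summary over a
constructed, in-memory grant set instead of the data dictionary views."""
from collections import deque

# Constructed sample grants (not from any real database).  System privileges
# carry no object; object privileges are written "PRIV ON schema.object".
DIRECT_GRANTS = {
    "JDOE": {"CREATE SESSION", "SELECT ON HR.EMPLOYEES"},
}
ROLE_MEMBERS = {  # grantee -> roles granted to it (grantee may itself be a role)
    "JDOE": {"HR_ANALYST"},
    "HR_ANALYST": {"HR_READER"},  # nested role
}
ROLE_PRIVS = {
    "HR_ANALYST": {"CREATE TABLE"},
    "HR_READER": {"SELECT ON HR.SALARIES", "SELECT ON HR.EMPLOYEES"},
}


def classification(priv: str) -> str:
    """Object Privileges name a schema object ("... ON x.y"); the rest are System."""
    return "Object Privileges" if " ON " in priv else "System Privileges"


def effective_privileges(user: str) -> dict:
    """Return {privilege: (privilege_type, classification, path)}.

    privilege_type is "Direct" for grants made to the user itself and "Indirect"
    for grants reached through roles; path is the user-to-role chain, which is the
    evidence an auditor needs to see why an Indirect privilege exists.
    """
    result = {}
    for priv in DIRECT_GRANTS.get(user, ()):
        result[priv] = ("Direct", classification(priv), (user,))
    seen = set()
    queue = deque((role, (user, role)) for role in ROLE_MEMBERS.get(user, ()))
    while queue:  # breadth-first walk over the role graph, cycle-safe via `seen`
        role, path = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        for priv in ROLE_PRIVS.get(role, ()):
            # A privilege that is also granted directly stays reported as Direct.
            result.setdefault(priv, ("Indirect", classification(priv), path))
        for nested in ROLE_MEMBERS.get(role, ()):
            queue.append((nested, path + (nested,)))
    return result


def excess_privileges(user: str, baseline: set) -> set:
    """Privileges the user holds beyond an approved baseline (least-privilege check)."""
    return set(effective_privileges(user)) - baseline
```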
Column and column value differences
The column names and values used by the privilege summary vary by the DB type of your target database. For more information, see the documentation provided by your database vendor for system tables, views, and/or catalogs.
See also
• Viewing and exporting a privilege summary
Sensitive data discovery
The FortiDB sensitive data discovery feature searches a target database for sensitive information located in tables and columns. It works with Oracle and Microsoft SQL Server target databases only.
Before you configure and run a sensitive data discovery scan, complete the following configurations:
• A FortiDB connection to the target database. See Adding (or modifying) a target connection on page 107.
• One or more data discovery policies. See Data discovery policies and policy groups on page 141.
Manage sensitive data discovery
Go to Vulnerability Assessment > Sensitive Data Discovery to manage data discovery.
The list page shows, for each target:
• Status: whether discovery is running (active) or not (inactive).
• Data Discovery Policy Group: the policy groups assigned to this discovery.
• Last Discovery: the time of the last discovery and its result; click it to view the detailed report.
Click a Target Name in the list to add or modify its data discovery:
• Target tab: select the database metadata to use as the discovery object(s).
• Policy Group tab: select the discovery policy group to assign to this discovery.
• Result tab: after a discovery has run, check this tab for the result summary.
Click Save to save the discovery definition.
Running sensitive data discovery
On the discovery add/modify page, click Save & Start Scan to save the definition and start discovery.
On the discovery list page, select one or more discoveries using the check boxes, then click Start Scan to start discovery or Stop Scan to stop it.
Viewing sensitive data discovery reports
There are two pre-defined data discovery reports: detailed and summary.
To view a detailed report, do one of the following:
• On the discovery list page, click the link in the Last Discovery column.
• Go to Report > Pre-Defined VA Reports, click Sensitive Data Discovery Detailed Report, and then select a target and discovery time.
For a summary report, go to Report > Pre-Defined VA Reports, click Sensitive Data Discovery Summary Report, and then select a target and discovery time.
See also
• Data discovery policies and policy groups
• Viewing VA and sensitive data discovery event logs
Viewing VA and sensitive data discovery event logs
The Assessment Log page lists the event logs that vulnerability assessments and sensitive data discovery scans generate. To view the log, click Vulnerability Assessment > Local Assessment Log.
The assessment log information includes Date, Module (VA or SDD), Assessment, Target, Severity, Action, and Result or Description.
You can use the Assessment Logs page for the following tasks:
• Display logs filtered by module (VA or SDD) that you select from the Module dropdown list.
• Display logs filtered by Assessment name (for VA only) that you select from the Assessment dropdown list.
• Display logs filtered by Target that you select from the Target dropdown list.
• Display logs filtered by Severity that you select from the Severity dropdown list.
• Display logs filtered by Action that you select from the Action dropdown list.
• Display logs filtered by the date range you select from the From and To fields.
• Display Date, Policy name, Target, Type, Severity, and description for each error.
• Export the logs view you selected, by selecting Export.
• Delete all logs by selecting Delete All.
• Configure the History Prune: specify the number of days after which to delete the log entries. The default is 30 (days).
See also
• Adding or modifying assessments
Database activity monitoring (DAM)
Database activity monitoring (DAM) centralizes monitoring and auditing. DAM also displays alerts and allows you to generate reports. Alert filtering criteria range from general classifications such as target or database type to detailed classifications such as severity and rule violation. Your filter settings can create a new alert group or modify the pre-defined alert groups. Alert groups can be exported to files in various formats such as .pdf, .xls, .csv, and .txt.
See also
• Configuring target database monitoring
• Viewing audit records (activity auditing results)
Managing target monitoring
The Monitoring Management page provides centralized management for monitoring target databases. You can view monitoring status, policies you configured, and start and stop monitoring. You can also associate policy groups with target databases and view generated alerts.
Monitoring Management page columns
Status: an icon indicating one of the following:
• The target has not been initialized for monitoring. Go to the monitoring configuration page to set up monitoring.
• The target is not monitored.
• Monitoring is starting.
• Monitoring is stopping.
• The target is being monitored, but some of the policies could not be applied.
• Monitoring is active.
• Monitoring is not running; an attempt to start the monitor failed.
• FortiDB has disconnected from the target. The target database may be unavailable, or disconnected from the FortiDB agent (if an agent is used as the collection method).
Name: Target name. Click it to configure monitoring.
DB Host Name/IP: Database host name or IP address of your target database computer.
DB Type: Database type of your target: ORACLE, MSSQL, DB2, SYBASE, or MYSQL.
Collection Method: Collection method used for monitoring.
Alert Policy Groups: The group or groups of alert policies that specify the database activities that generate security alerts.
Action: Icons to configure monitoring (the same as clicking the Name), to show the Alerts of this target, and to show the Local Monitoring Logs of this target.
Monitoring Management page buttons and fields
View dropdown: Filters the display of the target list.
Start Monitoring: Starts monitoring for the target database. You must select the target first.
Stop Monitoring: Stops monitoring. You must select the target first.
Restart: Stops and then starts monitoring.
See also
• Configuring target database monitoring
Target monitoring configuration tabs and options
The monitoring configuration for a target database is displayed when you click the target's name on the Monitoring Management page.
Monitoring configuration page tabs and options
General: Settings of the audit configuration for each target database. You can start and stop monitoring and auditing on this page. It also shows monitoring and auditing status. See Configuring target database monitoring on page 198.
Alert Policies: Shows the available alert policies with information such as policy type, status, name, and severity. You can create Data policies from this page, and enable/disable policies for the target. See Adding alert and audit policies to monitoring on page 205.
Alert Policy Groups: Associates the alert policy group with your target database. See Adding policy groups to target monitoring on page 206.
Audit Policies: Shows the available audit policies with their information. You can create Data policies, or enable/disable policies, from this page. See Adding alert and audit policies to monitoring on page 205. Note: This tab is only available for the "TCP/IP Sniffer" collection method for Oracle, Microsoft SQL Server, Sybase, and DB2.
Audit Policy Groups: Associates the audit policy group with your target database. See Adding policy groups to target monitoring on page 206. Note: This tab is only available for the "TCP/IP Sniffer" collection method for Oracle, Microsoft SQL Server, Sybase, and DB2.
Query Schedule: Specifies a schedule for any database query policies, which are alert policies that query the target database with SQL and save the result as an alert. See Configuring a database query policy on page 164.
Alert Notification: Configures alert notification for monitoring. See Sending alert notifications on page 207.
Real Time Blocking: Enables or disables real-time blocking for monitoring configurations that use the TCP/IP sniffer, and configures blocking settings. See Blocking invalid access while monitoring on page 209.
Audit Management: For Oracle, this page shows the issued audit command and all audit commands for each object. For Microsoft SQL Server, this page shows the audited events and audit filters used by FortiDB. This page is not applicable for Sybase. See Displaying the history of issued audit commands on page 212. Note: This tab is only available for the following collection methods:
• Oracle: "DB, EXTENDED" or "XML File Agent"
• Microsoft SQL Server: "SQL Trace"
• DB2: "DB2 Agent"
White List: In the White List tab, you can configure data policies that are automatically excluded from the Alert Policy settings for Oracle or Microsoft SQL Server. See Excluding policies from the Alert Policy settings (whitelist) on page 210. Note: This tab is only available for the "DB, EXTENDED" collection method for Oracle and the "SQL Trace" collection method for Microsoft SQL Server. After monitoring has started, FortiDB does not generate alerts for SQL actions that match the white list settings, so only SQL actions known to be secure should match them.
See also
• Configuring target database monitoring
Configuring target database monitoring
The General tab shows audit configuration information and monitoring status for each target database.
The Audit Configuration settings specify how FortiDB collects audit information. The settings that are displayed depend on the database type and collection method. For more information, see the topic for the appropriate database type:
• Configuring monitoring using the TCP/IP sniffer (all database types) on page 199
• Configuring Microsoft SQL Server monitoring on page 201
• Configuring DB2 monitoring on page 202
• Configuring Sybase monitoring on page 202
• Configuring MySQL monitoring on page 203
• Configuring Oracle monitoring on page 204
The Test button is available for some collection methods. Click it to verify the connection.
Click the Save button to save your Audit Configuration settings.
The Monitoring settings allow you to start or stop monitoring.

Monitoring settings and messages

Start Monitoring/Stop Monitoring: Click to start or stop monitoring.
Start monitoring when FortiDB starts: Specifies whether FortiDB starts monitoring the current target automatically when it starts.
Monitoring Status: Displays one of the following monitoring status values:
- Running
- Need Restart: a monitoring restart is required to apply a policy change
- Idle
- Terminating
- Terminated
- INIT (Initializing)
Status Message: Displays information related to the monitoring or auditing status.
See also:
- Target monitoring configuration tabs and options
Configuring monitoring using the TCP/IP sniffer (all database types)
FortiDB can monitor database activity using its TCP/IP sniffer. The activity auditing and profiling features require the TCP/IP sniffer.
1. To configure a target to support database activity monitoring, on the General tab for the target, for DB Activity Monitoring, select Allow. For more information on target configuration, see Adding (or modifying) a target connection on page 107.
2. Go to DB Activity Monitoring > Monitoring Management, and then click the name of the target.
3. On the General tab, complete the following settings:
Collection Method: Select TCP/IP Sniffer.
Version: Select the version of the target database. FortiDB supports the following versions:
- Oracle: 9i, 10g, 11g, 12c
- Microsoft SQL Server: 2000, 2005, 2008, 2008_R2, 2012, 2014
- DB2: UDB 9.1, 9.5, 9.7
- Sybase: ASE 12.5, 15.0, 15.5, 15.7
- PostgreSQL: 8.x
SSL Certificate Private Key: For Microsoft SQL Server databases only. If SSL encryption is enabled, select the SSL Certificate Private Key file and enter the Key Password (if you have it) that FortiDB uses. The SSL certificate for SSL encryption is configured on the server side. Because this key lets FortiDB decrypt the captured database sessions, restrict access to the key file and its password.
SSL Certificate Private Key (P12): For Oracle databases only. If SSL encryption is enabled and the certificate information is stored in PKCS #12 format, select the certificate file and enter the Key Password. The SSL certificate for SSL encryption is configured on the server side. For more information, see Monitoring encrypted Oracle traffic on page 83.
SSL Certificate Private Key (SSO): For Oracle databases only. If SSL encryption is enabled, select the X.509 format certificate file and enter the Key Password. For more information, see Monitoring encrypted Oracle traffic on page 83.
Sniffer on Port: Specify the FortiDB port that is connected to the switch's SPAN port.
Enable Activity Auditing: Select to enable activity auditing.
Log All: Select to audit all activity. Otherwise, FortiDB audits only the activity captured by the policies specified on the Audit Policies tab.
Enable Activity Profiling: Select to enable activity profiling.
4. If you did not select Log All, to specify the activity that is audited, do one of the following:
- On the Audit Policies tab, create a list of one or more policies to use.
- On the Audit Policy Groups tab, select one or more policy groups to use.
For information on adding audit policies and audit policy groups to the configuration, see Adding alert and audit policies to monitoring on page 205. By default, no audit policies or policy groups are specified.
5. On the General tab, under Monitoring, click Start Monitoring. For more information about monitoring, see Monitoring settings and messages on page 199.
See also:
- Target monitoring configuration tabs and options
- Network requirements for monitoring using the TCP/IP sniffer
Configuring Microsoft SQL Server monitoring
FortiDB uses either SQL Trace or the TCP/IP sniffer to collect audit information from Microsoft SQL Server databases. The TCP/IP sniffer is provided by the appliance version of FortiDB only. For detailed configuration instructions, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 199.
To configure auditing for a Microsoft SQL Server database using SQL Trace
To change the collection method or polling frequency for monitoring, first stop monitoring. You cannot change these settings while FortiDB is monitoring the target database.
1. Ensure the required database pre-configuration is complete. See Microsoft SQL Server target database pre-configuration on page 94.
2. Verify that the SQL Server has an audit trace folder (for example, C:\SQLTrace). Ensure that you enter the full path to the folder.
3. In the navigation menu, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that connects to the database you want to monitor.
4. On the General tab, complete the following settings:
Collection Method: Select SQL Trace. To change the collection method from one option to the other, first stop monitoring, change the collection method, then restart monitoring.
Trace Folder: Specify the folder where your server writes the trace information. Ensure that you enter the full path.
Polling Frequency (ms): Enter the polling frequency for audit collection. This guide describes the value in seconds although the field label reads (ms); verify the unit in the FortiDB UI before tuning it. To change the polling frequency later, stop monitoring, change the value, and then restart monitoring.
5. Click Test to confirm the connection with the method you selected.
6. On the General tab, under Monitoring, click Start Monitoring. For more information about monitoring, see Monitoring settings and messages on page 199.
See also:
- Target monitoring configuration tabs and options
- Microsoft SQL Server target database pre-configuration
Configuring DB2 monitoring
FortiDB uses either a DB2 agent or the TCP/IP sniffer to collect audit information from DB2 databases. The TCP/IP sniffer is provided by the appliance version of FortiDB only. For detailed configuration instructions, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 199.
To configure auditing for a DB2 database using the DB2 agent
To change the collection method, first stop monitoring. You cannot change this setting while FortiDB is monitoring the target database.
1. Ensure the required database pre-configuration is complete. See DB2 target database pre-configuration on page 91.
2. In the navigation menu, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that connects to the database you want to monitor.
3. On the General tab, for Collection Method, select DB2 Agent.
4. Click Test to confirm the connection with the method you selected.
5. On the General tab, under Monitoring, click Start Monitoring. For more information about monitoring options, see Monitoring settings and messages on page 199.
See also:
- Target monitoring configuration tabs and options
- DB2 target database pre-configuration
Configuring Sybase monitoring
FortiDB uses either the Sybase audit system (Sybase Monitoring and Diagnostic (MDA) tables) or the TCP/IP sniffer to collect audit information from Sybase databases. The TCP/IP sniffer is provided by the appliance version of FortiDB only. For detailed configuration instructions, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 199.
To configure auditing for a Sybase database using Monitoring and Diagnostic (MDA) tables
To change the collection method or polling frequency for monitoring, first stop monitoring. You cannot change these settings while FortiDB is monitoring the target database.
1. Ensure the required database pre-configuration is complete, which includes:
- Creating the sybsecurity database
- Installing installsecurity
- Configuring the MDA tables
See Sybase target database pre-configuration on page 86.
2. In the navigation menu, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that connects to the database you want to monitor.
3. On the General tab, complete the following settings:
Collection Method: Select MDA. To change the collection method, first stop monitoring, change the collection method, then restart monitoring.
Polling Frequency (ms): Enter the polling frequency for audit collection. This guide describes the value in seconds although the field label reads (ms); verify the unit in the FortiDB UI before tuning it. To change the polling frequency later, stop monitoring, change the value, and then restart monitoring.
4. Click Test to confirm the connection with the method you selected.
5. Under Monitoring, click Start Monitoring. For information about the Monitoring options, see Monitoring settings and messages on page 199.
See also:
- Target monitoring configuration tabs and options
- Sybase target database pre-configuration
Configuring MySQL monitoring
FortiDB uses the MySQL general log to collect audit information from MySQL databases.
To configure auditing for a MySQL database
To change the polling frequency for monitoring, first stop monitoring. You cannot change this setting while FortiDB is monitoring the target database.
1. Ensure the required database pre-configuration is complete. See MySQL target database pre-configuration on page 84.
2. In the navigation menu, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that connects to the database you want to monitor.
3. On the General tab, complete the following settings:
Collection Method: Select General Log. To change the collection method, first stop monitoring, change the collection method, then restart monitoring.
Polling Frequency (ms): Enter the polling frequency for audit collection. This guide describes the value in seconds although the field label reads (ms); verify the unit in the FortiDB UI before tuning it. To change the polling frequency later, stop monitoring, change the value, and then restart monitoring.
4. Click Test to confirm the connection with the method you selected.
5. Under Monitoring, click Start Monitoring. For more information about monitoring, see Monitoring settings and messages on page 199.
See also:
- Target monitoring configuration tabs and options
- MySQL target database pre-configuration
Configuring Oracle monitoring
FortiDB can use several methods to collect audit information from Oracle databases. The TCP/IP sniffer method is provided by the appliance version of FortiDB only. For detailed configuration instructions, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 199.
To configure auditing for an Oracle database
To change the collection method or polling frequency for monitoring, first stop monitoring. You cannot change these settings while FortiDB is monitoring the target database.
1. Ensure the required database pre-configuration is complete. See Oracle target database pre-configuration on page 80.
2. In the navigation menu, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that connects to the database you want to monitor.
3. Obtain the value of your database's audit_trail parameter.
4. On the General tab, for Collection Method, select the option that matches the audit_trail value:

Oracle audit_trail parameter value: db, extended
Collection method: DB, EXTENDED
Agent required? No

Oracle audit_trail parameter value: db
Collection method: DB, EXTENDED
Agent required? No
For Oracle 9i only. Monitoring Oracle 9i databases has the following limitations:
- Table and table column policy: cannot retrieve the SQL statement text
- Table, user, and session policy: no effect with the Suspicious Location rule
- Session policy: no effect with the Extremely Long Session rule and the High Read Ratio rule

Oracle audit_trail parameter value: xml, extended
Collection method: XML File Agent
Agent required? Yes
FortiDB's XML file agent provides high performance for auditing Oracle target databases. To use the XML file agent option, run the FortiDB XML file agent on your target database server. For more information, see Oracle XML file agent installation and configuration (UNIX,
.

5. If you selected DB, EXTENDED, for Polling Frequency (secs), enter the polling frequency for audit collection, in seconds.
6. Click Test to confirm the connection with the method you selected.
7. Under Monitoring, click Start Monitoring. For more information about monitoring, see Monitoring settings and messages on page 199.
See also:
- Target monitoring configuration tabs and options
- Oracle target database pre-configuration
Adding alert and audit policies to monitoring
The Alert Policies and Audit Policies tabs on the monitoring configuration page allow you to configure data policies. FortiDB can add these policies to a new policy group automatically and associate the group with the current target.
Audit policies are available only for target monitoring configurations that use the TCP/IP Sniffer collection method.
The list of policies on the tab allows you to manage the policies that FortiDB uses to monitor the target:
- To enable or disable policies, select one or more items in the list (or the checkbox in the column header to select all items), and then click Enable or Disable.
- To delete user-defined policies, select the appropriate item, and then click Delete.
- To create a data policy, in the Data Policies list, select a policy type, and then click Add. For examples of creating data policies, see the database activity monitoring tutorials in
.
- To edit a policy name, click its name.
- Click the Restart button to restart monitoring after a policy change.
For detailed information on these policies, see Database Activity Monitoring (DAM) policies on page 144.
See also:
- Target monitoring configuration tabs and options
- Oracle target database pre-configuration
Adding policy groups to target monitoring
When you configure monitoring for a target database, FortiDB automatically adds the data, metadata, and privilege alert policy groups to the configuration. However, it does not automatically associate the PCI, SOX, and HIPAA alert policy groups.
FortiDB does not automatically associate any audit policies or audit policy groups with the target monitoring configuration. To allow FortiDB to perform policy-based activity auditing, either select Log All on the configuration's General tab or use the Audit Policies or Audit Policy Groups tabs to select policies.
Alternatively, instead of adding a policy group to a single target, you can add groups to multiple targets. For information, see Adding policy groups to target database monitoring on page 180.
To add a policy group to target database monitoring
1. Verify that you have a target connection that allows monitoring.
2. Go to DB Activity Monitoring > Monitoring Management.
3. Click the target name. The Target Monitor:<target name> page is displayed.
4. Select the Alert Policy Groups or Audit Policy Groups tab.
5. Select the policy groups you want to associate to the target from the Available Policy Groups box.
6. Click the right arrow to move the selection to the Selected Policy Groups box.
When you select a group, its policies are displayed in the Selected Policy Group contents box.
7. Click Save.
Sending alert notifications
Use the Alert Notification tab to configure FortiDB to send a notification when it receives a monitoring alert. It can send alerts via email, SNMP, and other methods.
You can also generate notifications as reports, which allows you to specify what alert information to include and schedule a time for FortiDB to generate and send the report. For more information, see
To access the Alert Notification tab, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that you want to configure.
To send notifications via email
1. Go to Administration > Global Configuration > Notification, and then ensure that the host name and port of an email server are specified. For more information, see Notification properties on page 72.
2. Go to Administration > Administrators, and then ensure that an email address is specified for the administrators that you want to send email notifications to. For more information on configuring administrators, see
3. Click DB Activity Monitoring > Monitoring Management, and then click the name of the target to configure.
4. On the Alert Notification tab, select Enable Email.
5. In the Available Receivers list, select an item, and then click >> (right arrows) to add it to the Selected Receivers list.
6. Click Save.
To send notifications via SNMP
1. Go to Administration > Global Configuration > Notification, and then ensure that the SNMP receiver host and port are specified. For more information, see Notification properties on page 72.
2. Click DB Activity Monitoring > Monitoring Management, and then click the name of the target that you want to configure.
3. On the Alert Notification tab, select Enable SNMP Trap.
4. Click Save.
To send notifications to a Syslog server
1. Go to Administration > Global Configuration > Notification, and then ensure that the Syslog receiver host and port are specified. For more information, see Notification properties on page 72.
2. Click DB Activity Monitoring > Monitoring Management, and then click the name of the target that you want to configure.
3. On the Alert Notification tab, select Enable Syslog.
4. Click Save.
To send notifications to an ArcSight Syslog server
For FortiDB event to ArcSight data field mapping information, see FortiDB event to ArcSight data field mapping on page 208.
1. Go to Administration > Global Configuration > Notification, and then ensure that the ArcSight Syslog receiver host and port are specified. For more information, see Notification properties on page 72.
2. Click DB Activity Monitoring > Monitoring Management, and then click the name of the target that you want to configure.
3. On the Alert Notification tab, select Enable ArcSight Syslog.
4. Click Save.
See also:
- FortiDB event to ArcSight data field mapping
FortiDB event to ArcSight data field mapping
The following table lists the ArcSight remote logging format field that corresponds to each FortiDB event field:

FortiDB event: ArcSight Event Data Field
Hostname: dhost
Source Hostname: shost
Alert Timestamp: rt
FortiDB Hostname: dvchost
Severity: cat
Action: act
Return Code: cn1
Display ID: externalId
DB Type: cs1
System User: suser
DB User: duser
Login Name: cs3
DB Object: fname
Description: cs4
Target Database Name: cs5
Policy Name: cs6
Source Application: requestClientApplication
SQL Statement: msg
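The mapping above, as an added Python example that is not FortiDB's code: it formats a FortiDB alert as an ArcSight CEF line with exactly the extension keys in the table, and parses such a line back so the SIEM side of the integration can be checked offline. The CEF:0 header values (vendor, product, version), the numeric CEF severity mapping, and the epoch-millisecond form of rt are assumptions; the sample event is constructed and deliberately puts `=`, `|` and a backslash in the SQL statement, because those are the characters that break naive CEF emitters.

```python
"""Added example (not FortiDB code): format a FortiDB alert as an ArcSight
CEF line using the extension-key mapping in the table above, and parse it
back. Assumptions: CEF:0 header values (vendor, product, version), the
numeric CEF severity mapping, and epoch-millisecond rt. Sample event is constructed."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# FortiDB event name -> ArcSight extension key, exactly as in the mapping table.
FIELD_MAP: List[Tuple[str, str]] = [
    ("Hostname", "dhost"), ("Source Hostname", "shost"),
    ("Alert Timestamp", "rt"), ("FortiDB Hostname", "dvchost"),
    ("Severity", "cat"), ("Action", "act"), ("Return Code", "cn1"),
    ("Display ID", "externalId"), ("DB Type", "cs1"),
    ("System User", "suser"), ("DB User", "duser"),
    ("Login Name", "cs3"), ("DB Object", "fname"), ("Description", "cs4"),
    ("Target Database Name", "cs5"), ("Policy Name", "cs6"),
    ("Source Application", "requestClientApplication"),
    ("SQL Statement", "msg"),
]
# Assumed mapping of FortiDB severity text to the CEF header severity (0-10).
CEF_SEVERITY = {"Informational": 2, "Cautionary": 4, "Minor": 5, "Major": 7, "Critical": 9}
_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")   # an unescaped '=' starts a key


def _esc_header(s: str) -> str:      # CEF header fields: escape backslash and pipe
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s: str) -> str:         # CEF extension values: escape backslash, '=', newlines
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)


def to_cef(event: Dict[str, object]) -> str:
    """Build one CEF line; `event` is keyed by the FortiDB event names."""
    rt = event["Alert Timestamp"]
    if isinstance(rt, datetime):
        rt = str(int(rt.timestamp() * 1000))          # assumed: epoch milliseconds
    header = "|".join(_esc_header(x) for x in (
        "CEF:0", "Fortinet", "FortiDB", "5.1.11",     # assumed header values
        str(event["Policy Name"]), str(event["Description"]),
        str(CEF_SEVERITY.get(str(event["Severity"]), 0))))
    ext = []
    for name, key in FIELD_MAP:
        val = rt if name == "Alert Timestamp" else event.get(name)
        if val is not None and val != "":
            ext.append(f"{key}={_esc_ext(str(val))}")
    return header + "|" + " ".join(ext)


def _split_unescaped(s: str, sep: str, maxsplit: int) -> List[str]:
    """Split on `sep` unless it is escaped; the remainder is returned raw."""
    parts, start, i = [], 0, 0
    while i < len(s) and len(parts) < maxsplit:
        if s[i] == "\\":
            i += 2
            continue
        if s[i] == sep:
            parts.append(s[start:i])
            start = i + 1
        i += 1
    parts.append(s[start:])
    return parts


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header fields, extension fields) with CEF escaping undone."""
    parts = _split_unescaped(line, "|", 7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 line")
    names = ("version", "vendor", "product", "device_version", "signature", "name", "severity")
    header = {n: _unescape(p) for n, p in zip(names, parts[:7])}
    raw = parts[7]
    keys = list(_KEY_RE.finditer(raw))
    ext = {}
    for j, m in enumerate(keys):
        end = keys[j + 1].start() if j + 1 < len(keys) else len(raw)
        ext[m.group(1)] = _unescape(raw[m.end():end])
    return header, ext


def sample_event() -> Dict[str, object]:
    """Constructed FortiDB alert; the SQL deliberately contains '=', '|' and a backslash."""
    return {
        "Hostname": "db01.corp.example", "Source Hostname": "ws-17.corp.example",
        "Alert Timestamp": datetime(2017, 3, 17, 12, 0, tzinfo=timezone.utc),
        "FortiDB Hostname": "fortidb.corp.example", "Severity": "Critical",
        "Action": "SELECT", "Return Code": 0, "Display ID": "ALRT-1042",
        "DB Type": "Oracle", "System User": "jdoe", "DB User": "HR_APP",
        "Login Name": "jdoe", "DB Object": "HR.SALARY",
        "Description": "Access to sensitive table", "Target Database Name": "HRPROD",
        "Policy Name": "HR salary table policy", "Source Application": "sqlplus",
        "SQL Statement": "SELECT * FROM hr.salary WHERE emp_id=1042 OR 1=1 -- x|y \\ z",
    }
```

Pipes are only escaped in the header because the extension is everything after the seventh `|`; a parser that splits the whole line on `|` will truncate `msg` at the first pipe in a SQL statement, which is the usual cause of missing statement text on the ArcSight side.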
Blocking invalid access while monitoring
Because the real-time blocking feature uses the TCP/IP Sniffer, the Real Time Blocking tab is only available when Collection Method is TCP/IP Sniffer.
You can configure FortiDB to use a TCP/IP Reset (RST) mechanism to prevent invalid access to the server by database clients. FortiDB allows you to select which alert policies FortiDB uses to validate the connection data.
Whenever it blocks access, FortiDB generates a critical security alert.
Because real-time blocking interrupts the TCP connection, it can destabilize your database client application or application server. Ensure that you understand this feature and its implications before you enable it.
You can configure FortiDB to block a client for a specified period of time after it violates access policies. During this period, instead of scanning the connection for policy violations, which uses system resources, FortiDB automatically resets connections from the client. After the blocking period expires, FortiDB resumes the scanning process. Specifying a blocking period can improve performance if FortiDB is under attack by malicious clients.
The default blocking period is 5 minutes.
To enable real-time blocking
1. Go to DB Activity Monitoring > Monitoring Management, and then click the name of the target.
2. If FortiDB is currently monitoring the target, click Stop Monitoring.
3. On the Real Time Blocking tab, select Enable Real Time Blocking.
4. To configure FortiDB to continue to deny access to clients that it blocks for a specified period of time, select Block Client for [x] minutes, and then enter a value in minutes. The default value is 5 minutes.
5. For TCP RST Blocking Port, select the network port FortiDB uses to send the TCP RST packet to the client's connection. Ensure that FortiDB can reach the connection between the database client and server through the port you specify. If the client is behind a firewall or router that performs NAT, the TCP reset appears to the client to have been sent by the firewall or router.
6. To assign alert policies for real-time blocking, select one or more policies from the Available Policies list, and then click >> (right arrows) to move them to the Selected Policies list. The items in the Available Policies list come from the groups selected on the Alert Policy Groups tab. To remove items, select them and then click << (left arrows).
7. Click Save.
8. On the General tab, to re-start monitoring with the real-time blocking feature, click Start Monitoring.
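The mechanism behind this procedure (reset the offending client's TCP connection, then keep resetting that client for the blocking period without re-evaluating policies), as an added Python example that is not FortiDB's implementation. The packet builder uses the real IPv4/TCP header layout, so the bytes it produces are what a sensor would inject on the RST blocking port, but nothing is sent; the policy function, the client addresses and the trusted 10.0.0.0/8 range are constructed. Note that a passive sensor can only inject the reset after it has observed the offending segment, so the client's later requests are what the reset stops.

```python
"""Added example (not FortiDB code): a model of sniffer-based real-time
blocking. build_rst_to_client() forges the IPv4/TCP RST a passive sensor
would inject; RealTimeBlocker models "Block Client for [x] minutes".
Header layout follows the IPv4/TCP specs; the policy and addresses are
constructed. Nothing is sent on the wire."""
import ipaddress
import socket
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

IP_HDR_LEN = TCP_HDR_LEN = 20
TCP_FLAG_RST = 0x04


@dataclass(frozen=True)
class Segment:
    """Fields of an observed client->server segment that the injector needs."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    ack: int
    payload: bytes = b""


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_rst_to_client(seg: Segment, ip_id: int = 0) -> bytes:
    """Forge an IPv4+TCP RST that appears to come from the server.
    The client accepts the RST only if its sequence number equals the client's
    RCV.NXT, which is exactly the ACK number in the segment the client just sent."""
    src, dst = socket.inet_aton(seg.dst_ip), socket.inet_aton(seg.src_ip)
    tcp = struct.pack("!HHIIBBHHH", seg.dst_port, seg.src_port, seg.ack, 0,
                      (TCP_HDR_LEN // 4) << 4, TCP_FLAG_RST, 0, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(tcp), ip_id, 0,
                     64, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def checksums_valid(pkt: bytes) -> bool:
    """Re-verify both checksums; a correct header checksums to zero."""
    ip, tcp = pkt[:IP_HDR_LEN], pkt[IP_HDR_LEN:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return inet_checksum(ip) == 0 and inet_checksum(pseudo + tcp) == 0


def tcp_fields(pkt: bytes) -> dict:
    sport, dport, seq, _ack, _off, flags = struct.unpack(
        "!HHIIBB", pkt[IP_HDR_LEN:IP_HDR_LEN + 14])
    return {"sport": sport, "dport": dport, "seq": seq, "rst": bool(flags & TCP_FLAG_RST)}


@dataclass(frozen=True)
class Decision:
    reset: bool
    alert: bool
    reason: str


class RealTimeBlocker:
    """After a violation, later segments from that client are reset without
    policy evaluation until the blocking window expires, which is why a
    blocking period saves resources under attack."""

    def __init__(self, violates: Callable[[Segment], Optional[str]], block_minutes: int = 5):
        self.violates = violates
        self.block_seconds = block_minutes * 60
        self.blocked_until: Dict[str, float] = {}
        self.sent: List[bytes] = []      # would go out the TCP RST blocking port

    def handle(self, seg: Segment, now: float) -> Decision:
        until = self.blocked_until.get(seg.src_ip)
        if until is not None and now < until:
            self.sent.append(build_rst_to_client(seg))
            return Decision(True, False, "client inside blocking window")
        if until is not None:
            del self.blocked_until[seg.src_ip]   # window expired: resume scanning
        policy = self.violates(seg)
        if policy is None:
            return Decision(False, False, "no violation")
        if self.block_seconds:
            self.blocked_until[seg.src_ip] = now + self.block_seconds
        self.sent.append(build_rst_to_client(seg))
        return Decision(True, True, "critical alert: " + policy)


INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed: trusted client range


def demo_policy(seg: Segment) -> Optional[str]:
    """Constructed stand-in for the alert policies selected on the tab."""
    if ipaddress.ip_address(seg.src_ip) not in INTERNAL:
        return "Suspicious Location"
    if b"DROP TABLE" in seg.payload.upper():
        return "Table policy"
    return None
```

The forged segment is addressed to the client and carries the server's address, which is why the page tells you to pick a port from which FortiDB can actually reach that conversation: if a NAT device rewrites the server's address on the path, the client sees the reset as coming from the NAT device instead.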
See also:
- Database Activity Monitoring (DAM) policies
Excluding policies from the Alert Policy settings (whitelist)
Use the White List tab to specify Oracle or Microsoft SQL Server database activities that do not generate alerts.
The White List tab is available only when the collection method is DB, EXTENDED (for Oracle databases) or SQL Trace (for Microsoft SQL Server databases). Because FortiDB does not generate alerts for SQL actions that match the whitelist criteria, ensure that the SQL actions in the whitelist are known, secure actions.
To enable the whitelist
1. Go to DB Activity Monitoring > Monitoring Management and click the name of the target to configure.
2. On the White List tab, select Enable White List.
3. Use the following settings to specify the whitelist criteria:

Object Settings: Excludes from alerts any successful access to the specified objects. Select one of the following selection methods: Manually Select Object, or Browse Object by Target (default). Use the following options to specify one or more objects:
  1. Select an item from the Target list.
  2. Select an item from the Schema list.
  3. In the Tables list, select one or more items and then click > (right arrow) to move your selections to the Selected Objects list.
  To remove objects, select them in the Selected Objects list and then click < (left arrow).

Login Name Settings: Excludes from alerts any successful access to the selected objects by the specified login names. To specify one or more login names:
  1. Select one or more login names from the login names list.
  2. Click the right arrow to move the selections to the Selected login names list.
  To remove login names, select them in the Selected login names list and click the left arrow.

DB User Settings: Excludes from alerts any successful access to the selected objects by the specified database users. To specify one or more database users:
  1. Select one or more database users from the database users list.
  2. Click the right arrow to move the selections to the Selected database users list.
  To remove database users, select them in the Selected database users list and click the left arrow.

OS User Settings: Excludes from alerts any successful access to the selected objects by the specified OS users. You can specify one or more OS user names by typing the exact name or a regular expression.
  1. Enter one OS user name in the text box.
  2. Click the right arrow to move it to the Selected users list.
  To remove OS users, select them in the Selected users list and click the left arrow.

Source Location Settings: Excludes from alerts any successful access to the selected objects from the specified locations. You can specify one or more locations by typing the exact hostname or IP address or a regular expression.
  1. Enter one hostname or IP address in the text box.
  2. Click the right arrow to move it to the Selected source locations list.
  To remove source locations, select them in the Selected source locations list and click the left arrow.

Application Settings: Excludes from alerts any successful access to the selected objects by the specified client applications. You can specify one or more client applications by typing the exact application name or client ID or a regular expression.
  1. Enter one application name or client ID in the text box.
  2. Click the right arrow to move it to the Selected applications list.
  To remove applications, select them in the Selected applications list and click the left arrow.
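The criteria above, as an added Python example that is not FortiDB's code: a whitelist that suppresses an alert only for a successful access to a whitelisted object when every configured criterion matches. The combination rule (all configured criteria must match, empty criteria do not constrain), full-match regular expressions, and the literal fallback for a pattern that does not compile are assumptions, as are the sample whitelist and events. The example also shows why the page insists the whitelisted actions be known and secure: an overly broad pattern such as `.*` in any of the regex fields silences alerts for every OS user, source or application touching that object, so the patterns below are pinned to specific names and hosts.

```python
"""Added example (not FortiDB code): an alert whitelist modelled on the White
List tab criteria. Semantics are assumptions: an event is suppressed only
when it is a successful access to a whitelisted object and every configured
criterion matches; empty criteria do not constrain; OS user, source and
application entries are exact names or regular expressions matched in full.
The sample whitelist and events are constructed."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Pattern, Tuple


@dataclass(frozen=True)
class AuditEvent:
    target: str
    schema: str
    obj: str
    login_name: str
    db_user: str
    os_user: str
    source: str          # client hostname or IP address
    application: str     # application name or client ID
    success: bool
    statement: str


def _compile(patterns: Iterable[str]) -> List[Pattern[str]]:
    """Accept an exact name or a regex. A pattern that does not compile is
    taken literally, so a typo cannot silently widen the whitelist."""
    out = []
    for p in patterns:
        try:
            out.append(re.compile(p))
        except re.error:
            out.append(re.compile(re.escape(p)))
    return out


def _matches(patterns: List[Pattern[str]], value: str) -> bool:
    # fullmatch: a pattern written for "svc_etl" must not also cover "svc_etl_ro"
    return not patterns or any(p.fullmatch(value) for p in patterns)


@dataclass
class WhiteList:
    enabled: bool = True
    objects: Tuple[Tuple[str, str, str], ...] = ()   # (target, schema, object)
    login_names: Tuple[str, ...] = ()
    db_users: Tuple[str, ...] = ()
    os_users: Tuple[str, ...] = ()        # names or regexes
    sources: Tuple[str, ...] = ()         # hostnames/IPs or regexes
    applications: Tuple[str, ...] = ()    # application names/client IDs or regexes
    _os: List[Pattern[str]] = field(init=False, repr=False, default_factory=list)
    _src: List[Pattern[str]] = field(init=False, repr=False, default_factory=list)
    _app: List[Pattern[str]] = field(init=False, repr=False, default_factory=list)

    def __post_init__(self) -> None:
        self._os = _compile(self.os_users)
        self._src = _compile(self.sources)
        self._app = _compile(self.applications)

    def suppresses(self, ev: AuditEvent) -> bool:
        """True when no alert should be raised for this event."""
        if not self.enabled or not ev.success:
            return False       # a failed access is never whitelisted
        if (ev.target, ev.schema, ev.obj) not in self.objects:
            return False       # the whitelist is anchored on the object
        if self.login_names and ev.login_name not in self.login_names:
            return False
        if self.db_users and ev.db_user not in self.db_users:
            return False
        return (_matches(self._os, ev.os_user) and _matches(self._src, ev.source)
                and _matches(self._app, ev.application))


def alerting_events(events: Iterable[AuditEvent], wl: WhiteList) -> List[AuditEvent]:
    """Events that still reach the alert policies after whitelisting."""
    return [e for e in events if not wl.suppresses(e)]


def demo_whitelist() -> WhiteList:
    """Constructed: the nightly ETL job may read HR.EMPLOYEES without alerts."""
    return WhiteList(
        objects=(("HRPROD", "HR", "EMPLOYEES"),),
        login_names=("batch_user",),
        os_users=(r"svc_.*",),
        sources=(r"etl-\d+\.corp\.example", r"10\.0\.5\.20"),
        applications=("nightly_etl",),
    )


def demo_events() -> List[AuditEvent]:
    """Constructed sample events; only the first should be suppressed."""
    base = dict(target="HRPROD", schema="HR", obj="EMPLOYEES", login_name="batch_user",
                db_user="HR_APP", os_user="svc_etl", source="etl-03.corp.example",
                application="nightly_etl", success=True,
                statement="SELECT emp_id, dept FROM hr.employees")
    return [
        AuditEvent(**base),                                  # whitelisted
        AuditEvent(**{**base, "success": False}),            # failed access: alerts
        AuditEvent(**{**base, "application": "sqlplus"}),    # interactive tool: alerts
        AuditEvent(**{**base, "obj": "SALARY"}),             # other object: alerts
        AuditEvent(**{**base, "source": "203.0.113.9"}),     # outside source: alerts
    ]
```

Source and application names are client-supplied and can be spoofed by anyone who controls the client, so a whitelist keyed on them is a noise filter, not an access control; the object and login-name criteria are what keep it narrow.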
See also:
- Database Activity Monitoring (DAM) policies
Displaying the history of issued audit commands
The Target’s Audit Management tab displays the history of issued audit commands. Each type of target database has a different style of audit management.
The Target’s Audit Management tab is not available for Sybase or MySQL databases. For the remaining database types, it is only available when Collection Method is one of the following values:
- DB, EXTENDED or XML File Agent (for Oracle)
- SQL Trace (for Microsoft SQL Server)
- DB2 Agent (for DB2)
See also:
- Microsoft SQL Server audit management
Oracle audit management
The Target’s Audit Management page for Oracle target databases displays the history of issued audit commands.
Statement options
The Statement options section displays:
- Database User
- Audit Option
- Success
- Failure
Object options
The Object options section displays all the audit commands, including success or failure, for each object with:
- Object owner
- Object name
- Object type
- Access or Session on SELECT/INSERT/UPDATE/DELETE/EXECUTE/ALTER
To update the list, click the Refresh button.
Clearing audit settings
FortiDB modifies the Oracle auditing system to monitor the policies that you define. These audit settings determine what is audited and therefore how fast the SYS.AUD$ table fills. Under normal operating conditions, FortiDB removes its settings when monitoring is stopped.
However, the database's audit settings can become cluttered with entries left by other users or tools that were not properly removed. To correct this, use FortiDB's clear audit settings feature to remove all audit settings.
If FortiDB is the only client of the audit system, you can use this feature to clear all audit settings. If other people or tools depend on the existing audit settings, do not clear them. To clear audit settings, you must first stop monitoring.
After clearing the settings, the audit statement and audit options tables will be empty. If you then start FortiDB monitoring, you will see only the FortiDB audit settings that are necessary for the enabled policies.
Audit management
When using the audit-based collection methods for Oracle, you may want to clear the audit settings from previous operations if FortiDB is used as the exclusive auditing mechanism for that target database. Also, for the DB,EXTENDED collection method, you may want to delete all previous log entries in the Oracle target database.
You can do both in the Audit Settings Management section of the Audit Management tab. Both options are selected by default, so if FortiDB is not the only service that uses Oracle's auditing mechanism, deselect them before you start monitoring; otherwise FortiDB removes audit settings and, for DB,EXTENDED, deletes audit log entries that other tools or your audit-retention requirements may depend on.
For the DB,EXTENDED collection method, the audit log table may periodically grow larger than the file system's capacity for that table. To periodically delete audit log entries, go to the Scheduled Maintenance section.
Warning: Using FortiDB to manage the contents of SYS.AUD$ must be consistent with your organization's best practices, including any audit-record retention requirements.
Microsoft SQL Server audit management
The Target’s Audit Management page for Microsoft SQL Server target databases displays a list of SQL Server events and filters that FortiDB uses to audit.
If you select Monitoring or Auditing from the Trace Type drop-down list and then click the Refresh button, FortiDB displays the general information for that trace type.
Audited events
The Microsoft SQL Server Audited Events section displays a list of SQL Server events used by FortiDB for auditing purposes with the following information:
- Column
- Event
Audited filters
The Microsoft SQL Server Audited Filters section displays a list of Microsoft SQL Server filters used by FortiDB for auditing purposes with the following information:
- Column
- Comparison Operator
- Logical Operator
- Value
To update the list, click Refresh.
DB2 audit management
The Target’s Audit Management page for DB2 target databases displays the history of audit commands issued by the database.
DB2 audit settings with syscat.auditpolicies
The DB2 Audit Settings section displays the contents of the DB2 syscat.auditpolicies view with the following information:
- Policy Name
- Policy ID
- Create Time
- Alter Time
- Audit Status
- Context Status
- Validate Status
- Checking Status
- SecMaint Status
- ObjMaint Status
- SysAdmin Status
- Execute Status
- Execute with Data
- Error Type
DB2 audit settings with syscat.audituse
The DB2 Audit Settings section also displays the contents of the DB2 syscat.audituse view with the following information:
- Policy Name
- Policy ID
- Schema
- Object Name
- Object Type
- Sub Object Type
To update the list, click the Refresh button.
Viewing alerts
The Security Alerts page displays a list of all alerts generated from all databases and their details. You can filter the list using a pre-defined alert group, an alert group that you defined, or by date. You can also export the alert list in several different formats.

Security Alerts page columns

ID: FortiDB assigns alert identifiers sequentially.
Type: An icon indicates which kind of policy generated the alert: a table policy, a table and column policy, a session policy, a user policy, a database query policy, a privilege policy, or a metadata policy.
Status: An icon indicates one of the following alert status values: Unacknowledged, Acknowledged, Error Corrected, or Alert has an annotation created by a FortiDB administrator. You can change the alert status from the Alert Summary page. For information on changing the status value, see Changing the status of and annotating alerts on page 217.
Severity: Severity of the policy that generated the alert: Informational, Cautionary, Minor, Major, or Critical.
Received Time: The date and time when FortiDB received the alert.
Target: Name of the target database.
Source Location: Hostname of the source client.
Policy Violation & Action: The name of the policy that generated the alert and the action that violated the rule.
Security Alerts page filtering options
View: Filter alerts by alert group, pre-defined or user-defined, by selecting a group from the View drop-down list.
Search: Click Search / New Group to define search criteria, or click the Edit button to modify the search criteria of a user-defined group. When you finish configuring the search criteria, click the Search button to search the alerts. You can also click the Save Group button to save the search criteria as an alert group. For more information on groups, see Alert group. For information on search criteria configuration, see Filtering and searching alerts on page 218.
Date Range and Entry Limit: Filters alerts by the specified date range and the number you enter for Limit To. Click the Refresh button to refresh the alerts.
Click an alert to view its details below the list. For more information, see Alert details.
See also
• Changing the status of and annotating alerts
• Exporting the alert list as a report
• Filtering and searching alerts
Changing the status of and annotating alerts
Select one or more alerts with the check boxes, then click one of the three Status icon buttons to change the status to Unacknowledged, Acknowledged, or Error Corrected.
Select one or more alerts with the check boxes, then click the Annotate icon button to add or edit an alert's annotation. Click the Save button to save the annotation.
Exporting the alert list as a report
The alert list displayed on this page can be exported as a report in several different formats.
• PDF (.pdf)
• Excel (.xls)
• Tab (.txt)
• CSV (.csv)
To export alerts, select the file format from the Export as dropdown, then click the Export button.
If you want to generate an alert report with more detailed information, use the pre-defined or user-defined DAM security alert reports. For details, see Reports.
Filtering and searching alerts
When you search alerts or set the filters of a group, you filter alerts by column conditions. Define the filtering criteria with one or more data filtering entries.
Exclude option
Select the Exclude following filters option if you want the opposite result: the alerts that do not match the criteria.
Configure criteria row
One filtering criteria entry is defined per row. Select the logical Operator ("And" or "Or"; not available for the first row), the Column, and the comparison Operator from the drop-down lists, then enter a Value or select one from the list of available values.
Multiple criteria rows
Add or remove filtering criteria rows by clicking the + (plus) or - (minus) buttons.
If there are multiple filtering entries combined with both "And" and "Or" operations, use the brackets "(" and ")" to set the priority of the operations.
Filter sample for the group "Table change by non-system user":
Row 1:          Action        Equals       Delete, Insert, Truncate, Update
Row 2:  and (   DB User       Not Equal    SYSTEM
Row 3:  or      Login Name    Not Equal    SYSTEM )
Alert details
The Alert Details section shows the following information about an alert:
ID: Alert ID. This number is set sequentially.
Timestamp: The date and time when the alert was received by FortiDB.
Target Name: Target database name.
Policy Name: Name of the policy that generated the alert. For example, Tables, Column Privileges, tablePolicy1, etc.
Action: Action that was taken and caused the alert.
Rule Violations: Alert rules that generated the alert. For example, Suspicious location, Suspicious Login Name, etc.
Severity: Short name of the severity level configured for the policy:
• INF - Information
• CAU - Cautionary
• MAJ - Major
• MIN - Minor
• CRI - Critical
OS User or Auth Id: OS user (for Oracle, Microsoft SQL Server) or Auth Id (for DB2) that accessed the target database.
DB User: DB user who took the action.
Login Name: Login name that logged in to the target database.
Object: Object that was accessed and caused the alert.
SQL Statement: SQL statements that were executed and caused the alert.
Return Code: Return code from the target database.
Source Location: Hostname of the source location that originated the action.
Application: Source application that originated the action and caused the alert.
Annotation: Annotation text added by an administrator for this alert.
For Sybase target databases, the OS User field shows as "not available". For Microsoft SQL Server, the OS User is available only when you use Windows authentication.
For Sybase and Microsoft SQL Server, the Object field may not be available for Privilege Policies: Roles and System Privileges.
Alert group
The Alerts Group page allows you to organize the security alerts that FortiDB’s monitoring activity generates.
You use the alert groups to filter the list of alerts displayed on the Security Alerts page and to filter the information in a DAM report.
Add, edit, or delete an alert group
Use the Alerts Group page to perform the following tasks:
• To create a new group, click Add.
• To modify group settings, click the name of the group or the Edit icon in the Action column.
• To delete a group, select the check box for one or more user-defined alert groups, and then click Delete.
Alternatively, you can create a new group when you search the list of alerts on the Security Alerts page. (See Filtering and searching alerts on page 218.)
Pre-defined alert groups
FortiDB provides pre-defined alert groups that you can use to add and modify filtering criteria.
Pre-defined alert groups
Major and Critical Alerts: Alerts that have major and critical severities.
Metadata Changes: Alerts generated by triggering metadata policies.
Privilege Changes: Alerts generated by triggering privilege policies.
Security Violations: Alerts that are triggered by security violations.
Table changes: Alerts that are triggered by inserts, updates, or deletes on tables.
Unacknowledged Alerts: Alerts that have a status of 'Unacknowledged'.
Data filter for an alert group
The Filters tab allows you to define data filtering criteria for the group when you add or edit a group.
You can define one or more data filtering entries that specify the criteria to match. When an alert matches the specified criteria, it is included in the group.
Exclude following filters: Select to select alerts that do not match the criteria.
Operator: And and Or are not available for the first row.
Column: Specify a column value.
Operator: Specify an operator.
Value: Enter a value or select one from the list of available values.
- (minus) and + (plus): Click to add or remove rows that define criteria.
If there are multiple filtering entries combined with both "And" and "Or" operations, use the brackets "(" and ")" to set the priority of the operations.
For example, to create a filter for the group "Table change by non-system user", use the following settings:
Row   Operator   Column          Operator    Value
1                Action Type     Equals      Delete, Insert, Truncate, Update
2     and        Database User   Not Equal   SYSTEM
3     and        Login Name      Not Equal   SYSTEM
To create a filter for a group that selects alerts generated when a specific user (scott) creates a table:
Row   Operator   Column          Operator    Value
1                Policy Type     Equals      Metadata Policies
2     and        Action Type     Equals      Create Table
3     and        Database User   Equals      scott
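The filter rows described in this section and in Filtering and searching alerts, evaluated in code. This is an added example, not FortiDB's own code: it models each criteria row with its logical Operator, Column, comparison Operator, Value and brackets, and applies the "Table change by non-system user" group (in its bracketed form) and the "scott creates a table" group to a few constructed alert records. It assumes that, without brackets, rows combine left to right with And and Or at equal priority, which is why the brackets change the result.

```python
from dataclasses import dataclass
from typing import Any, Optional

# One criteria row of an alert group, in the Row / Operator / Column / Operator / Value
# layout of the Filters tab (hypothetical model, not FortiDB's own data structure).
@dataclass
class Criterion:
    column: str
    operator: str                  # "Equals" or "Not Equal"
    value: Any                     # one value, or a list (Equals with a list means "any of")
    logical: Optional[str] = None  # "and" / "or" joining this row to the previous one; None on row 1
    open_bracket: bool = False     # "(" placed before this row
    close_bracket: bool = False    # ")" placed after this row


def row_matches(c, alert):
    """Compare one alert column against the row's Value(s)."""
    values = c.value if isinstance(c.value, (list, tuple, set)) else [c.value]
    if c.operator == "Equals":
        return alert.get(c.column) in values
    if c.operator == "Not Equal":
        return alert.get(c.column) not in values
    raise ValueError(f"unsupported operator {c.operator!r}")


def _tokens(rows):
    """Flatten rows into a token stream of 'and'/'or', '(', ')' and Criterion objects."""
    tokens = []
    for i, row in enumerate(rows):
        if i > 0:
            if row.logical not in ("and", "or"):
                raise ValueError("rows after the first need an And/Or operator")
            tokens.append(row.logical)
        tokens += ["("] * row.open_bracket + [row] + [")"] * row.close_bracket
    return tokens


def evaluate(rows, alert):
    """True if the alert matches the rows. Assumption: And and Or have equal priority and
    apply left to right; the brackets are the only way to change that priority."""
    tokens, pos = _tokens(rows), 0

    def term():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("missing row or unbalanced brackets")
        tok, pos = tokens[pos], pos + 1
        if tok == "(":
            inner = expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced brackets")
            pos += 1
            return inner
        if isinstance(tok, Criterion):
            return row_matches(tok, alert)
        raise ValueError(f"unexpected {tok!r}")

    def expr():
        nonlocal pos
        result = term()
        while pos < len(tokens) and tokens[pos] in ("and", "or"):
            op, pos = tokens[pos], pos + 1
            rhs = term()
            result = (result and rhs) if op == "and" else (result or rhs)
        return result

    result = expr()
    if pos != len(tokens):
        raise ValueError("unbalanced brackets")
    return result


def apply_group(rows, alerts, exclude=False):
    """IDs of the alerts the group selects; with Exclude following filters, the non-matching ones."""
    return [a["ID"] for a in alerts if evaluate(rows, a) != exclude]


def strip_brackets(rows):
    # Same rows with the brackets removed, to show what the priority brackets change.
    return [Criterion(r.column, r.operator, r.value, r.logical) for r in rows]


# Group "Table change by non-system user", in the bracketed form of the filter sample.
TABLE_CHANGE_BY_NON_SYSTEM_USER = [
    Criterion("Action Type", "Equals", ["Delete", "Insert", "Truncate", "Update"]),
    Criterion("DB User", "Not Equal", "SYSTEM", logical="and", open_bracket=True),
    Criterion("Login Name", "Not Equal", "SYSTEM", logical="or", close_bracket=True),
]
# Group selecting alerts generated when user scott creates a table.
SCOTT_CREATES_TABLE = [
    Criterion("Policy Type", "Equals", "Metadata Policies"),
    Criterion("Action Type", "Equals", "Create Table", logical="and"),
    Criterion("DB User", "Equals", "scott", logical="and"),
]
# Constructed alert records (not real FortiDB output), keyed by the filter column names.
_FIELDS = ("ID", "Policy Type", "Action Type", "DB User", "Login Name")
SAMPLE_ALERTS = [dict(zip(_FIELDS, row)) for row in [
    (1, "Table Policies", "Update", "scott", "scott"),
    (2, "Table Policies", "Delete", "SYSTEM", "SYSTEM"),
    (3, "Table Policies", "Select", "scott", "scott"),
    (4, "Metadata Policies", "Create Table", "scott", "scott"),
    (5, "Metadata Policies", "Create Table", "SYSTEM", "scott"),
    (6, "Table Policies", "Insert", "SYSTEM", "appuser"),
]]
```

With the brackets, the first group selects alerts 1 and 6; without them the same rows read as (Action and DB User) or Login Name and also select 3, 4 and 5.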
Alerts summary
The Alerts Summary page summarizes the alert statistics and recent trends.
The DB Activity Monitoring table shows the alert statistics for today, recent years, and all ("total"). It also displays the number of databases FortiDB is monitoring and the current count of alert groups.
The alert trend charts show how the alert counts changed over time, including trends for the last 7 days, last 30 days, last 90 days, and last 12 months.
Alerts analysis
The Alerts Analysis page allows you to analyze the alerts received within a date range that you specify.
Status: An icon indicating that the alert analysis is newly created or edited, queued to run, running, or complete.
Target: Target to analyze, either a specific target or ALL.
Alert Received From: Start date of the alerts.
Alert Received To: End date of the alerts.
Analyze Time: Time when the analysis ran.
Action: Edit icon button (click to edit the analysis); View icon button (click to view the analysis result).
To analyze results
1. Click the Add button. To edit an existing analysis, click the analysis name or click the Edit icon in the Action column.
2. On the analysis add/edit page, enter the name, select the target (All or one target), specify the alert received date range, and click Save.
Alerts received on the "Received To" day are included; for example, From "March 1" to "March 31" covers the alerts received in March.
3. Select the check box corresponding to the analysis.
4. Click the Run button.
5. To view the results, either click the View icon button in the Action column, or click the time when the analysis finished.
To view the results of an analysis
Do one of the following:
• In the Action column, click (View).
• Click an Analyze Time value.
The analysis result page displays the following information:
• Analysis Summary: Target, alerts date range, and total alerts count in this range.
• Statistics Chart: Alerts statistics date-series chart.
• More alerts statistics by category:
  By Target (for 'All' target analysis)
  By Severity
  By Policy
  By Action
  By DB Login
  By DB User
  By Client Location (Top 10)
  By Client Application (Top 10)
Viewing audit records (activity auditing results)
The Activity Auditing page displays a list of audit records with their details. The audit records FortiDB generates when it is monitoring the database are determined by the activity auditing option you specify: Log All, or the policies selected on the Audit Policy Groups tab.
To enable activity auditing, you configure FortiDB to monitor the target database using the TCP/IP sniffer. For more information, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 199.
Audit record list columns
ID: Audit ID. This number is set sequentially.
Type: An icon indicating what generated the audit record: the Log All option enabled for target monitoring, or a Table Policy, Table and Column Policy, Session Policy, User Policy, Database Policy, Privilege Policy, or Metadata Policy.
Timestamp: Audit timestamp.
Target: Target database name.
Source Hostname/IP: Hostname and IP address of the source client.
Action: Action of the database activity.
DB User: Database user of the action.
SQL Text: SQL text.
See also
• Filtering and searching the audit record list
Filtering and searching the audit record list
To filter the audit records by audit group, select an option from the View list. For more information on audit groups, see Audit group.
To search the audit records, click Search/New Group, specify the search criteria, then click Search. You can save the search criteria as an audit group. For more information on the search and group creation options, see Searching or filtering the target list on page 106.
To edit your saved group, select the group from the View drop-down list, click Edit, modify the search criteria, and then click Save Group.
To display audit records for a specific time range, specify the Received from and To times, enter the Limit to value, and then click Refresh.
See also
• Viewing audit records (activity auditing results)
Viewing audit record details
Click an audit record to display its details at the bottom of the audit record list.
ID: Audit ID. FortiDB sets this number sequentially.
Timestamp: The date and time the activity was audited.
Target/IP: Target database name and database server's IP address.
Target Service Port: Target database server's service port.
Policy Type: Type of audit policy that generated the audit record. Shows "All" if the Log All option is enabled.
Policy Name: Name of the audit policy that generated the alert. For example, Tables, Column Privileges, tablePolicy1, etc.
Action: Activity action.
Source Hostname/IP: Hostname and IP address of the source client.
Source MAC: MAC address of the source client.
DB User: DB user who took the action.
SQL Text: SQL statement text of the activity.
See also
• Viewing audit records (activity auditing results)
• Filtering and searching the audit record list
Audit group
The Audit Group page allows you to organize audit records.
You use the audit groups to filter the list of audit records displayed on the Activity Auditing page and to filter the information in a DAM report.
Add, edit, or delete an audit group
Use the Audit Group page to perform the following tasks:
• To create a new group, click Add.
• To modify group settings, click the name of the group or the Edit icon in the Action column.
• To delete a group, select the check box of one or more user-defined audit groups, and then click Delete.
Alternatively, you can create a new group when you search the list of audit records on the Activity Auditing page. (See Filtering and searching the audit record list on page 224.)
Pre-defined audit groups
FortiDB has pre-defined audit groups that you can use to add and modify filtering criteria.
Pre-defined audit groups
All: All available policies
All DB2 Policies: All policies that are supported for DB2 databases
All MySQL Policies: All policies that are supported for MySQL databases
All Oracle Policies: All policies that are supported for Oracle databases
All SQL Server Policies: All policies that are supported for Microsoft SQL Server databases
All Sybase Policies: All policies that are supported for Sybase databases
Data Policies: All policies that trigger on table, table-column, user, or session changes to the target database
Metadata Policies: All policies that trigger on metadata changes to the target database
Privilege Policies: All policies that trigger on privilege changes to the target database
SYS Operations: Policies that monitor SYS operations
Data filter for an audit group
Use the Filters tab to define filtering criteria for a group.
For information on the filtering options, see Data filter for an alert group on page 220.
See also
• Viewing audit records (activity auditing results)
Activity profiling
FortiDB’s activity profiling feature generates statistics about database activity by user and table. You can use these statistics as a baseline when you configure policies that identify suspicious access patterns.
Activity profiling requires the appliance version of FortiDB and the TCP/IP sniffer collection method. For information on using the sniffer, see Configuring monitoring using the TCP/IP sniffer (all database types) on page .
See also
• Viewing status and summary information for activity profiling
• Viewing and exporting activity profiling results
Viewing status and summary information for activity profiling
The Activity Profiling page displays the target profiling status and a summary of the profiling results.
Activity Profiling page columns
Status: An icon indicating that the target is not monitored, that monitoring and profiling are active, or that monitoring is active and profiling is not enabled.
Name: Target name. Click to view detailed profiling results.
DB Host Name/IP: Database host name or IP address of your target database computer.
DB Type: The type of database.
Profiling Statistics: Total number of activities since profiling started.
Profiling Start Time: Either the time when FortiDB started to monitor the database or the time when you cleared the existing profiling results.
Action:
• Click (View Profiling Detail) to view detailed profiling information for the target.
• Click (Reset Profiling Statistics) to clear the existing profiling results for the target. If monitoring with profiling is enabled, FortiDB sets Profiling Start Time to the current time. Otherwise, it sets Profiling Start Time when monitoring starts.
To display profiling status and summary information for a specific target group, in the View list, select a target group.
See also
• Viewing status and summary information for activity profiling
Viewing and exporting activity profiling results
The Target DB Activity Profiling page displays detailed profiling results.
FortiDB organizes profiling results for specific targets by database login and user, source clients, and database table access.
To view statistics for a login or user, in the DB Login/User list, select the appropriate name.
Source clients access list
Source clients access list columns
Source IP: IP address of the database source client.
OS Hostname: Hostname of the source client.
Source Application: Application name of the source client.
OS User: Operating system (OS) user name.
Session Count: Database access session count from this source client.
Database tables access list
The list of database tables access displays all database tables accessed by the selected login or user and information about related access actions.
The Table Name column displays the name of the database table that the login or user accessed. (For Oracle databases, this can also be the name of a synonym.)
The other columns display the count for each of the following actions:
• Select
• Update
• Insert
• Delete
• Create
• Alter
• Drop
• Trunc
• Grant
• Revoke
Exporting profiling results
For information on generating and exporting an activity profiling report that you can run at a scheduled time and send automatically to recipients by email, see Activity Profiling Reports on page 251.
To export the detailed profiling results as a report
1. For Export as, select one of the following file formats:
• PDF (.pdf)
• Excel (.xls)
• Tab (.txt)
• CSV (.csv)
2. Click Export.
See also
• Viewing status and summary information for activity profiling
SOX audit
When you use one or more policies from the Sox Policies DAM alert policy group to monitor the target database, FortiDB saves SOX compliance audit logs.
The Sox Audit page displays the compliance audit logs.
To filter the audit logs, in the Target list, select the appropriate target database, enter from and to dates, and then click Refresh.
See also
• PCI, SOX, and HIPAA alert policies
Logs
Local monitoring log
The Local Monitoring Log page lists monitoring event logs.
The log information includes Date, Target, Policy name, Severity, and Description.
In the Local Monitoring Logs page, you can:
• Display logs filtered by the severity level that you select from the Severity drop-down list.
• Display logs filtered by the target database that you select from the Target drop-down list.
• Display logs filtered by the date range you select from the From and To fields.
• Export the current list by selecting Export.
• Delete all logs by selecting Delete All.
• Schedule error checks using one of the following options:
  Run Once: FortiDB checks for errors at the time specified by Starts at.
  Recurring: FortiDB checks for errors during the interval specified by Starts at and End by.
Local audit trail
The local audit trail feature allows you to capture the following information as audit trail records:
• All administrator activities: add/delete/update administrators, add/delete/update policies or policy groups, add/delete/update targets or target groups, add/delete/run assessments, archive, restore, log on, and system configuration.
• System activities: start and stop.
You can filter the list of audit trail records by date. You can also export the list as a tab-delimited text file, which you can open in spreadsheet applications such as Microsoft Excel.
To display the audit trail, an administrator requires the System Administrator role.
To enable the local audit trail
1. In the navigation menu, go to Administration > Global Configuration.
2. On the User Profile/Security tab, for Enable Local Audit Trail, select true.
3. Click Save.
See also
• Viewing and managing the audit trail records
• Examples of audit trail records
Viewing and managing the audit trail records
To view the local audit trail, in the navigation menu, click Administration > Local audit trail.
Timestamp: The date and time of the action.
Action: The action that occurred.
By: The name of the account that performed the action. For example, the admin account. Note: When FortiDB invokes actions such as a scheduled scan, a scheduled archive, start FortiDB, and stop FortiDB, “internal” is displayed in this column.
Location: The location where the action occurred. For example, local, or the remote location where the account logged in, which is displayed as an IP address or host name. Note: When FortiDB invokes actions such as a scheduled scan, a scheduled archive, start FortiDB, and stop FortiDB, “internal” is displayed in this column.
Object Name: The object that the action affected.
To filter the list of local audit records by date, either enter start and end dates or click the calendar icon to select dates, and then click Apply.
To sort the list, click a column heading to sort by the values in that column.
Click Delete to delete the audit trail records in the selected date range.
If the Local Audit Trail global setting is enabled and you delete audit trail records, FortiDB generates an audit trail record for the delete action.
Click the Export button to export the audit trail records in the selected date range as a comma-delimited text file.
See also
• Examples of audit trail records
Examples of audit trail records
Timestamp:2009-02-26 16:06:47
Action: Update
By: admin
Location: 172.30.63.50
Object Name: VA Policy: DVA IBM DB2 UDB 02.11 Latest Fixpak not installed
---------------
Timestamp:2009-02-26 15:36:31
Action: Scan
By: jsmith
Location: 172.30.63.40
Object Name: VA Scan: Latest Patch Policies
----------------
Timestamp:2009-09-09 15:02:25
Action: Add
By: admin
Location: 172.30.63.50
Object Name: DAM Policy Group: tablePolicy1_2 Group
--------------
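Reviewing audit trail records of this shape in code, as an added example that is not FortiDB's own code: it parses records in the "Key: value" layout of the examples above (assumed to match the exported text) and answers two questions a reviewer usually starts with, which account changed which policies and which actions came from a remote location rather than from FortiDB's own "internal" activity. The embedded export holds the three records above plus one constructed "internal" record for a scheduled scan.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Export text in the "Key: value" layout of the records above. The first three records are
# the page's examples; the fourth is a constructed record for a scheduled scan, which the
# audit trail attributes to "internal" rather than to a named administrator.
SAMPLE_EXPORT = """\
Timestamp:2009-02-26 16:06:47
Action: Update
By: admin
Location: 172.30.63.50
Object Name: VA Policy: DVA IBM DB2 UDB 02.11 Latest Fixpak not installed
---------------
Timestamp:2009-02-26 15:36:31
Action: Scan
By: jsmith
Location: 172.30.63.40
Object Name: VA Scan: Latest Patch Policies
----------------
Timestamp:2009-09-09 15:02:25
Action: Add
By: admin
Location: 172.30.63.50
Object Name: DAM Policy Group: tablePolicy1_2 Group
--------------
Timestamp:2009-09-10 02:00:00
Action: Scan
By: internal
Location: internal
Object Name: VA Scan: Latest Patch Policies
"""

SEPARATOR = re.compile(r"^-{3,}\s*$")
# Object names that describe policy configuration rather than a scan or a target.
POLICY_OBJECT = re.compile(r"^(VA Policy|DAM Policy|DAM Policy Group):")
CHANGE_ACTIONS = {"Add", "Update", "Delete"}


def parse_audit_trail(text):
    """Split the export into records. Each line is split at its first colon only, because
    Object Name values contain further colons (e.g. 'VA Policy: DVA IBM DB2 ...')."""
    records, current = [], {}
    for line in text.splitlines():
        if SEPARATOR.match(line):
            if current:
                records.append(current)
            current = {}
        elif ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            # Timestamps become datetime objects so records can be ordered and windowed.
            current[key] = datetime.strptime(value, "%Y-%m-%d %H:%M:%S") if key == "Timestamp" else value
    if current:
        records.append(current)
    return records


def actions_by_account(records):
    """Count actions per 'By' account, e.g. {'admin': {'Update': 1, 'Add': 1}, ...}."""
    counts = defaultdict(Counter)
    for r in records:
        counts[r["By"]][r["Action"]] += 1
    return {by: dict(c) for by, c in counts.items()}


def policy_changes(records):
    """Records that added, updated or deleted a VA policy, DAM policy or DAM policy group:
    the changes a reviewer reconciles against approved change requests."""
    return [r for r in records
            if r.get("Action") in CHANGE_ACTIONS and POLICY_OBJECT.match(r.get("Object Name", ""))]


def remote_actions(records):
    """Records performed by a named account from a remote location (IP address or host name),
    as opposed to FortiDB's own scheduled work, which shows 'internal' in By and Location."""
    return [r for r in records if r.get("By") != "internal" and r.get("Location") != "internal"]


if __name__ == "__main__":
    recs = parse_audit_trail(SAMPLE_EXPORT)
    print(actions_by_account(recs))
    for r in policy_changes(recs):
        print(r["Timestamp"], r["By"], r["Location"], r["Object Name"])
```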
See also
• Viewing and managing the audit trail records
Reports
FortiDB can generate various reports, including pre-defined and user-defined vulnerability assessment (VA) reports and database activity monitoring (DAM) reports.
For VA and DAM reports, select an item in the Report menu to manage and generate reports. For other exportable reports, go to the corresponding context page and use the Export function to export the report file.
Reports can be exported as a PDF file. Some reports can be exported as an Excel, tabbed text, or CSV file.
To generate VA and DAM reports, your administrator account requires the Report Manager role.
Vulnerability assessment (VA) reports
Vulnerability assessment (VA) reports include:
• pre-defined or user-defined assessment reports
• pre-defined VA policy reports
• pre-defined sensitive data discovery reports
You can view and export VA reports manually. Go to a pre-defined or user-defined VA report, select the report to preview its content, then click Export to export the report in PDF or another file format.
You can also generate assessment report files automatically by scheduling FortiDB to generate them.
DAM reports
DAM reports include:
• pre-defined and user-defined security alert reports
• activity audit reports
• PCI, SOX, and HIPAA compliance reports
The information in activity audit reports comes from DAM activity auditing, a feature that requires the appliance version of FortiDB and the TCP/IP Sniffer collection method.
You can configure the report criteria such as data filtering, schedule, and notification of security alert reports and activity audit reports. For user-defined reports, you can also customize the display of the data table view and analysis chart view.
FortiDB generates and saves security alert reports and activity audit reports in all file formats, whether you generate them manually or using a schedule.
Report files that FortiDB saves to disk
FortiDB saves generated report files (such as PDF or Excel (.xls)) to disk when:
• FortiDB generates all file types for all DAM reports.
• You enable the Schedule and Save Scheduled Assessment Report to Disk File option for vulnerability assessment.
To free disk space, delete report files after you download them.
Other reports you can export
You can export PDF report files for:
• Administrators Entitlement Report: Administration > Administrators
• Target Database Report: Target Database Server > Targets
• Database Discovery Report: Target Database Server > Auto Discovery
• VA Privilege Summary Report: Vulnerability Assessment > Privilege Summary
• VA Local Log Report: Vulnerability Assessment > Local Assessment Log
• DAM Security Alerts Summary Report for search results: DB Activity Monitoring > Security Alerts
• Activity Profiling Report: DB Activity Monitoring > Activity Profiling > Profiling Detail
• DAM Local Log Report: DB Activity Monitoring > Local Monitoring Log
Pre-defined VA reports
Go to Report > Pre-Defined VA Reports to view a list of available reports and select a report template to use to view and export report information.
See also
• Sensitive data discovery reports
Assessment reports
Assessment reports provide the results of target database assessments, including assessment statistics, vulnerabilities detail, and run result of policies.
To view and export assessment reports, select the report parameters, including the Assessment, run time, and target database. Go to the Preview Report tab to view the report content, and export it as a file in the format you selected.
Pre-defined Assessment Reports:
• Global Detailed Report: gives the number and types of passed and failed policies and their details for all targets in the assessment
• Target Detailed Report: gives the number and types of passed and failed policies and their details
• Target Detailed Failed Report: gives the number and types of failed policies and their details
• Target Summary Report: summarizes the number and types of passed and failed policies
• Target Summary Failed Report: summarizes the number and types of failed policies
• Target Score Report: displays the scan results in graphical form
• Target Trend Report: displays the database policy progress over time
Statistics tables
With the exception of the target trend report, all report templates contain the following two statistics tables:
• Severity: Summarizes the numbers of each state by policy-severity type
• Classification: Summarizes the numbers of each state by policy-classification type
Vulnerabilities
With the exception of the target score and trend reports, all report templates contain summary or detailed vulnerabilities information, sorted into the following categories:
• Critical Vulnerabilities
• Major Vulnerabilities
• Minor Vulnerabilities
• Cautionary Vulnerabilities
• Informational Vulnerabilities
Score report and trend report
The pre-defined Score Report template provides you a way to see vulnerability results in graphical form for all target databases used in an assessment. It also shows results by the RDBMS type of the assessed targets.
The pre-defined Trend Report template provides you a way to see assessment results over time to assist your vulnerability planning and remediation efforts.
See also
• Adding or modifying assessments
Policy reports
Policy reports provide information about pre-defined and user-defined VA policies. You can choose to generate reports for all VA policies or filter by database type, classification, severity, or policy type.
FortiDB provides the following two types of policy reports:
• Policy Summary Report: Provides detailed information about the current vulnerability assessment policies in the system
• Policy Detailed Report: Summarizes the most current vulnerability assessment policies in the system
See also
• Vulnerability assessment (VA) policies
Sensitive data discovery reports
Sensitive data discovery reports allow you to view and export the results of sensitive data discovery. Select the target database and discovery time to view and export the discovery report.
FortiDB provides the following two types of sensitive data discovery reports:
• Sensitive Data Discovery Detailed Report: Provides detailed information about the sensitive data discovery.
• Sensitive Data Discovery Summary Report: Gives summary information about the sensitive data discovery.
See also
• Data discovery policies and policy groups
User-defined VA reports
You can customize your report template with selected columns and data from the User-Defined VA Reports and User-Defined DAM Reports pages.
The User-Defined VA Reports page lists the report(s) you created, and allows you to add, modify, and delete reports.
Name: User-defined name for the report. Click the name link to modify and export the report.
Description: User-defined description.
Last Modified: Date and time when you last modified the report.
Created By: User who created the report.
Add: This button adds a report.
Delete: This button deletes the report(s) whose check box you selected.
Managing user-defined reports
Click the Add button, or click the name of an existing report, to go to the report edit page.
General tab
Naming and describing your reports.
Columns tab
Specify which columns you want to include in your reports.
Select columns from the Available Columns list and add them to the Columns in Report list.
Your report must contain at least one display column.
Grouping tab
Specify grouping criteria:
In the Group Data By dropdown list, select the column name(s) by which you want to group data results.
Optionally, specify a sort order in the Order dropdown (Ascending or Descending), and specify a Day, Week, Month, Quarter, or Year value by which to group date-related report results in the Group date values by dropdown.
For VA reports, you cannot group by Policy Description. You can specify two additional grouping levels, in the same way, by using the "and then by" and "and lastly by" dropdown lists.
Filtering tab
Specify filtering criteria:
- Define a column filtering entry in a row by selecting the Column and Operator and entering the Value.
- Add or remove filtering criteria rows by clicking the + (plus) or - (minus) buttons.
To limit the number of rows to display, select the Enter number radio button and then specify, as your row limit, any positive number less than 1000.
Export options
Export or save the report, or cancel editing.
Export your report in one of the supported output formats: PDF or tab-delimited text file.
Click the Save button to save the report, or click the Cancel button to cancel.
See also
- Vulnerability assessment (VA) policies
Viewing scheduled VA reports
The Scheduled VA Reports page allows you to manage report files generated by scheduled vulnerability assessments.
The following VA configuration settings cause a scheduled VA report file to be generated and saved to disk:
- Enable schedule for Vulnerability Assessment
- Enable the report option Save Scheduled Assessment Report to Disk File
For information on configuring assessments, see Adding or modifying assessments on page 181.
The target database name and report filename are listed on the Scheduled VA Reports page.
Click the report filename to download or open the report file.
Select the checkbox for one or more reports, then click Download to download them as a ZIP archive file, or click Delete to delete the selected report files.
See also
- Running an assessment at a specified date and time
Pre-defined DAM reports
Pre-defined DAM reports display security alerts data or activity audit events, which you can filter to exclude from the report data.
Go to Report > Pre-Defined DAM Reports and select the Security Alert Reports or Activity Audit Reports tab to configure and run reports from a pre-defined template, browse the generated report content, and download the report file(s).
The Activity Audit Report is available only on the FortiDB appliance, and only for target databases monitored with the TCP/IP sniffer collection method.
For details, see Viewing audit records (activity auditing results) on page 223.
The following pre-defined report templates are available for Pre-defined DAM reports.
Pre-defined Security Alert Reports:
- Security Alert Detailed report: Shows the details for all alerts generated within the report filter criteria.
- Security Alert Summary report: Summarizes the alerts generated within the report filter criteria.
- Security Alert Statistical report: Summarizes statistical information about alerts generated, broken down by rule violations, policies, and severities.
Pre-defined Audit Reports:
- Activity Audit Detailed report: Shows the details for all activity audit events generated within the report filter criteria.
- Activity Audit Summary report: Summarizes the activity audit events generated within the report filter criteria.
See also
User-defined DAM reports
The User-Defined DAM Reports page allows you to filter report data, configure scheduling and notification, and customize the report layout.
Go to Report > User-Defined DAM Reports, click the User-Defined Alert Reports or User-Defined Audit Reports tab for your report type, and then define the report.
See also
Report management
The Pre-Defined DAM Reports, User-Defined DAM Reports, and Activity Profiling Reports pages display a table with the following columns:
Column | Description
[+] [-] | Click to expand or collapse the 10 most recent results for a report. When the item is expanded, you can click the name of a report instance (which contains the time FortiDB generated it) to view the report contents in HTML format, or click one of the file format icons on the right (PDF/TXT/XLS/CSV) to download the report.
Status | An icon indicates whether the report is idle, running, or scheduled to run
Name | Click to configure the report
Description | Report description specified in the report configuration
Last Modified | Date and time when an administrator last modified the report
Created By | FortiDB administrator who created the report
Results | The number of times FortiDB has run the report
Action | Click the edit icon to edit the report configuration, or the view icon to view all instances of FortiDB running this report
To run a report
Do one of the following:
- On the Pre-Defined DAM Report page, use the check boxes to select one or more reports to run, and then click Run.
- On the User-Defined DAM Report page, if the report you want to run is not in the list, click Add and configure the report. Then use the check boxes to select one or more reports to run, and then click Run.
- On the Activity Profiling Reports page, click Run. For information on configuring an activity profiling report, see Activity Profiling Reports on page 251.
See also
Filtering report data
To add or edit a DAM report, go to the Data Filter tab.
Data time range
You can choose either a dynamic time period or a specific time range for the report's data filtering.
Select the Last Period option for a dynamic time period. Enter the period value and select the period unit: Day, Week, or Month.
The dynamic time range is recalculated every time the report runs (manually or on a schedule). For example, when you select "last 2 days" as the period, FortiDB filters the alerts (or audits) received during the 48 hours before the moment the report runs.
To use a specific time range, select the Date Range option and enter the from date/time and the to date/time.
Records limit
Enter the maximum number of record entries in Limit to.
This limit is the maximum number of records displayed in the report's data table.
Custom data filters
Custom Data Filters allow you to configure filtering criteria based on column conditions.
The Filters configuration is the same as configuring filtering criteria for an Alert/Audit Search Group. For details, see Filtering and searching alerts on page 218.
For a DAM Alerts Report, you can select the Alert Group option and choose one group from the dropdown list to use that group's filtering settings for the report.
For a DAM Audits Report, you can select the Audit Group option and choose one group from the dropdown list to use that group's filtering settings for the report.
Configuring data displays
The Table View tab allows you to configure data table display and the Analysis tab allows you to configure analysis charts.
Data table view
To configure which data columns are displayed in the report, select columns from the Available Columns list and add them to the Columns in Report list.
You can also configure data groups in the report's data table (optional).
In the Group Data By dropdown list, select the column name(s) by which you want to group data results.
Optionally, specify a sort order in the Order dropdown (Ascending or Descending), and specify a Day, Week, Month, Quarter, or Year value by which to group date-related report results in the Group date values by dropdown.
Adding analysis charts and statistics tables to reports
You can add multiple analyses, each with a statistics chart and table, to a report. You define each analysis in a row on the Analysis tab. Click + (plus) or - (minus) to add or remove rows.
To configure an analysis:
1. Select the Chart type: Pie or Bar.
2. Select the data column whose values you want to count for statistics from the Column type dropdown list.
3. For a DAM Alert report, you can select Severity or Status as the second Column type for a Bar chart. The enumerated values of Severity or Status are listed on the Y-axis of the statistics table.
4. If the data come from multiple target databases, enable the Group by target check box to generate a separate analysis chart and statistics table for each target.
5. Enter the Max item number for the data column.
6. Enable Count others to add an Others entry as the last column of the analysis chart and table.
Schedule and notification
Both Pre-Defined and User-Defined DAM Reports allow you to configure a schedule and email notification.
FortiDB only sends email notifications for reports that run on a schedule.
Go to the Schedule tab to configure the schedule, and go to the Notification tab to configure email notification.
Scheduling reports
The report scheduler allows you to set up when to start report generation, how often to generate reports, and when to stop.
Select the Enable Schedule check box to enable the scheduler.
There are two ways you can set up the scheduler:
Scheduled Type | Description
Run Once | Report generation occurs once, at the time you set in the Start at field. When to Run: the date range used to run the report when the time is in the Date Range field.
Recurring | Report generation starts at the time set in the Start at field and continues until the End by time. The Recurrence pattern can be Minutely, Hourly, Daily, Weekly, or Monthly. Enter the value for the recurring time interval.
Email notification for scheduled reports
Email Notification allows FortiDB to send report file(s) by email at the scheduled time.
Select Enable Email to enable email notification.
For email notifications, you must designate one or more email receivers. Select one or more of the entries in the Available Receivers list box and add them to the Selected Receivers list.
You must set the email server and user properties in the Global Configuration for email notification to work.
Select the Report formats of the report file(s) you want included in the email.
See also
PCI, SOX, and HIPAA reports
FortiDB provides the following types of compliance reports to help you achieve compliance with both internal and external requirements:
- Sarbanes-Oxley (SOX)
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability & Accountability Act (HIPAA)
Some compliance reports must be generated weekly, monthly, or quarterly.
PCI compliance report templates
Name | Description | Required option settings
PCI - Invalid Operation | Identifies failed access attempts. This should be reviewed on a periodic basis by IT. | Object Audit Options
PCI - Privileged User Action | Tracks all access/changes by the administrative accounts. The administrative accounts need to be specified during the configuration stage. The report should be reviewed and commented on by appropriate management. | User Audit Options
PCI - System Object Operations | Tracks all access/changes by the administrative accounts. The administrative accounts need to be specified during the configuration stage. The report should be reviewed and commented on by appropriate management. | Not required
PCI - Access to Credit Card tables | Tracks all access/changes by the administrative accounts. The administrative accounts need to be specified during the configuration stage. The report should be reviewed and commented on by appropriate management. | Object Audit Options
PCI - Successful/Unsuccessful Database Logins | Tracks all successful and failed logins. | Not required
SOX compliance report templates
Name | Description | Required option settings
Abnormal or Unauthorized Changes to Data | This report shows all changes made to data by any account other than the application user account. | Object Audit Options or User Audit Options
Abnormal Termination of Database Activity | This report shows failed database processes (i.e. financial transactions or failed login attempts) originating from an application server. | Object Audit Options or User Audit Options
Abnormal Use of Service Accounts | This report shows service accounts and the associated or related transaction origins. For example, the use of a service account from an origin other than the application server would be shown. | Object Audit Options or User Audit Options
End of Period Adjustments | This report shows changes to the general ledger at month-, quarter-, and year-end. | Object Audit Options
History Of Privilege Changes | This report shows changes to user access rights that were elevated or lessened in the database over time. | Not required
Verification of Audit Settings | This report shows changes to configurable audit parameters. | Not required
HIPAA compliance report templates
Name | Description | Required option settings
Privilege Changes | This report shows all user account additions, deletions, and changes. | Object Audit Options
Logins | This report shows all successful and failed login attempts. | Not required
Security Incident Procedures | This report shows what methods are used to communicate with external systems in case of security incidents. | Not required
Access to the Assessment Logs | This report shows all activities related to the assessment logs. | Not required
Access to EPHI Data | This report shows all access and changes to the EPHI data made by any account. | Object Audit Options
User Privileges on EPHI Data | This report shows all users with access privileges for EPHI data. | Object Audit Options
Privilege Summary | This report shows all users with privileges. | Not required
Audit Controls | This report shows all audit settings. | Not required
You cannot use regulatory compliance reports to monitor activity at the column level.
See also
- General steps for generating PCI, SOX, and HIPAA reports
- Report: Abnormal Termination of Database Activity
- Report: Abnormal or Unauthorized Changes to Data
- Report: Abnormal Use of Service Accounts
- Report: End of Period Adjustments
- Report: History of Privilege Changes
- Report: Verification of Audit Settings
General steps for generating PCI, SOX, and HIPAA reports
1. Configure your target databases. See Pre-configuration for monitoring target databases on page 79.
2. Configure the FortiDB connection to your target databases. See Adding (or modifying) a target connection on page 107.
3. Configure FortiDB compliance policies. See Configuring PCI, SOX and HIPAA policies on page 176.
4. Configure and start monitoring for the target database. For details, see Configuring target database monitoring on page 198.
5. Assuming that several violations occurred in your target database, under Reports, go to PCI Reports, SOX Reports, or HIPAA Reports.
6. Select one of the reports and export it:
- In the Export as field, select the format in which to generate the report from the dropdown list: PDF, Excel, or CSV.
- (Optional) Enter a W/P reference and/or Customer name in each field.
- Enter the Date Range for data retrieval. A date entered in these fields means 00:00 (midnight) of that day. For example, 9/23/09 means 00:00 AM on 9/23/09.
- Select one or more target databases, or enable the All Targets check box for all databases.
- (Optional) Set filters to display only specific data in the report.
- Click Export to generate and export the report file.
See also
- Report: Abnormal Termination of Database Activity
- Report: Abnormal or Unauthorized Changes to Data
- Report: Abnormal Use of Service Accounts
- Report: End of Period Adjustments
- Report: History of Privilege Changes
- Report: Verification of Audit Settings
Report: Abnormal Termination of Database Activity
This report identifies failed database processes (that is, financial transactions) originating from the application server. This report should be reviewed on a daily basis by IT Management.
COBIT objectives
This report is designed to meet the following COBIT objectives:
Objective Number | Description
DS10.1 | Routine transactions and processes between the application and the database are reviewed on a daily basis for successful completion by IT Management.
Setup requirements
Sox Abnormal Termination of Database Activity policy: Object Audit Options and/or User Audit Options
Report columns
The following columns are displayed in the report body.
Column | Description
User ID | The ID of the database user that conducted the flagged activity
Object | The name and owner of the database object that was directly manipulated by the flagged activity
Timestamp | The exact time the flagged activity was conducted
Terminal | The terminal IP address or name
Origin Application | The name, or other identifier, of the originating application, if the activity originated from an external application or from an application server
Action Type | The type of action successfully enacted by the User ID
Error Code | The proprietary error code generated by the originating application
See also
- General steps for generating PCI, SOX, and HIPAA reports
Report: Abnormal or Unauthorized Changes to Data
This report tracks all changes made to data by any account other than the application user account. The report should be reviewed and commented on by appropriate management on a quarterly basis.
COBIT objectives
This report is designed to meet the following COBIT objectives:
Objective Number | Description
AI2.3 | Unauthorized changes to data by non-application accounts are tracked and reviewed by IT Management on a quarterly basis.
Setup requirements
Sox Abnormal or Unauthorized Changes to Data policy: Object Audit Options
Report columns
The following columns are displayed in the report body:
Column | Description
User ID | The ID of the database user that conducted the flagged activity
Object | The name and owner of the database object that was directly manipulated by the flagged activity
Timestamp | The exact time the flagged activity was conducted
Terminal | The terminal IP address or name
Origin Application | The name, or other identifier, of the originating application, if the activity originated from an external application or from an application server
Action Type | The type of action successfully enacted by the User ID. By default, all actions are considered unauthorized. If you want, for example, to mark only UPDATEs as unauthorized actions, use the Filters section to filter out the other action types.
See also
- General steps for generating PCI, SOX, and HIPAA reports
Report: Abnormal Use of Service Accounts
This report identifies the use of service accounts and the associated transaction origins. For example: The use of a service account from an origin other than the application server would be identified. The report should be reviewed and commented on by IT Management on a weekly basis.
COBIT objectives
This report is designed to meet the following COBIT objectives:
Objective Number | Description
DS5.3 | Database transactions from unauthorized sources are tracked and reviewed by IT Management on a weekly basis
Setup requirements
Sox Abnormal Use of Service Accounts policy: Object Audit Options and/or User Audit Options
Report columns
The following columns are displayed in the report body.
Column | Description
User ID | The ID of the database user that conducted the flagged activity
Terminal | The terminal IP address or name
Originating Application | The name, or other identifier, of the originating application, if the activity originated from an external application or from an application server
Number of Actions | The number of actions attempted by the account associated with the User ID
Timestamp | The exact time the flagged activity was conducted
See also
- General steps for generating PCI, SOX, and HIPAA reports
Report: End of Period Adjustments
This report tracks changes to the general ledger at month/quarter/year end. The report should be reviewed and commented on by appropriate management on a monthly basis.
COBIT objectives
This report is designed to meet the following COBIT objectives:
Objective Number | Description
AI2.3 | End of period adjustments to the general ledger are tracked and reviewed by Business Management on a monthly basis.
Setup requirements
Sox End of Period Adjustments policy: Object Audit Options
Report columns
The following columns are displayed in the report body.
Column | Description
User ID | The ID of the database user that conducted the flagged activity
Object | The name and owner of the database object that was directly manipulated by the flagged activity
Timestamp | The exact time the flagged activity was conducted
Terminal | The terminal IP address or name
Origin Application | The name, or other identifier, of the originating application, if the activity originated from an external application or from an application server
Action | The type of action successfully completed by the User ID
See also
- General steps for generating PCI, SOX, and HIPAA reports
Report: History of Privilege Changes
This report tracks privileged changes to database user access rights (that is, granting of privileged or escalated access rights). The report identifies the database account that was changed, the type of privilege that was granted, the date of the change, and the account that initiated the change. The report should be reviewed by both IT and Business Management on a quarterly basis.
COBIT objectives
This report is designed to meet the following COBIT objectives:
Objective Number | Description
AI2.4, DS3.5, DS5.3, DS5.4 | Changes that escalate database user access privileges are tracked for review on a quarterly basis by the IT manager and the application business manager
Setup requirements
Sox History of Privilege Changes policy: Just enable the policy. No Object Audit or User Audit Options settings are required.
Report columns
The following columns are displayed in the report body.
Column | Description
User ID | The ID of the database user that conducted the flagged activity
Grantee | The name of the user for whom privileges were changed
Action | The type of action successfully enacted by a non-application user account. Actions include UPDATE, INSERT, and GRANT
Target | The object on which the privileges were changed
Privilege Details | The type of object privilege granted to, or revoked from, the grantee
Timestamp | The exact time the flagged activity was conducted
See also
- General steps for generating PCI, SOX, and HIPAA reports
Report: Verification of Audit Settings
This report identifies any changes that have been made to the audit reporting and tracking capability of the database.
COBIT objectives
This report is designed to meet the following COBIT objectives:
Objective Number | Description
DS3.5, DS5.5, DS13.3 | Audit tracking is configured on all financial databases; changes to audit functionality are reviewed by IT Management on a quarterly basis.
Setup requirements
There are two requirements:
1. At least one of the following types of audit policies must be run in order to collect audit data:
- Data Policies
- Privilege Policies, using the audit data retrieval method
- Metadata Policies, using the audit data retrieval method
2. To track audit activity with the Data policies, run the following commands on the database: audit system audit; audit audit system; audit audit any; and then close and re-open your database connection in Data policies.
Report columns
The following columns are displayed in the report body.
Column | Description
User ID | The ID of the database user that conducted the flagged activity
OS User | The OS user that conducted the flagged activity
Object | The name and owner of the database object that was directly manipulated by the flagged activity
Timestamp | The exact time the flagged activity was conducted
Terminal | The terminal IP address or name
Origin Application | The name, or other identifier, of the originating application, if the activity originated from an external application or from an application server
Action | The type of action successfully enacted by the User ID
See also
- General steps for generating PCI, SOX, and HIPAA reports
Activity Profiling Reports
FortiDB allows you to export activity profiling information in report form. You filter the information that FortiDB includes in the report by target database and, optionally, by database user and table.
For information on managing reports using the Activity Profiling Reports page, see .
Alternatively, you can export the profiling results displayed on the Target DB Activity Profiling page. You cannot add a schedule or configure notification for this type of report. See Viewing and exporting activity profiling results on page 227.
To configure and run an activity profiling report
1. On the navigation menu, click Report > Activity Profiling Reports.
2. On the Activity Profiling Reports page, under Name, click Activity Profiling Report.
3. On the General tab, for Name, enter a name for the report and an optional description.
Alternatively, you can use the default name ( Activity Profiling Report). FortiDB adds the date to the name of each report it generates to distinguish it from any other reports with the default name.
4. Click the Data Filter tab.
5. For Target, select the target database whose activity profiling results you want to include in the report.
6. For DB Login/User, select either All Users or a specific user.
7. In the All Table Name list, select an item and click > (right arrow) to add it to the Selected Table Names list.
Repeat this step as required until all the tables to include in the report are in the list.
To select multiple items, click an item and then Shift-click a second item. Both items and any items between them are selected. Press Control-A to select all items.
8. Optionally, use the Schedule and Notification tabs to configure FortiDB to run the report at a scheduled time and send the report to one or more FortiDB administrators using email.
For detailed instructions, see Schedule and notification on page 241.
9. Click Save.
10. Do one of the following:
- If you configured the report to run at a scheduled time, wait for it to run.
- Click Run to run the report immediately.
11. When the Status value shows that the report is no longer running, click [+] (plus sign) to access the instance of the report that you generated.
See also
- Configuring monitoring using the TCP/IP sniffer (all database types)
Archiving audit data
DAM activity auditing and compliance audits that run with alert PCI, SOX, and HIPAA policies generate data that is stored in the FortiDB repository. To conserve repository space and improve performance, you can move this data to archive files and return it to the repository later.
FortiDB allows you to archive and retrieve the following types of data:
- Assessment
- Alert
- Auditing (includes sniffer activity auditing data and SOX audit data generated by alert SOX policies)
Archiving data exports it to an encrypted file. When you retrieve data, FortiDB imports it back into its repository.
Depending on how often you assess or monitor databases and the number and type of policies and target databases involved, the archive files can consume a large amount of space. To make space available on your appliance, you can move the exported files to remote storage and retrieve them later, if necessary. FortiDB requires an FTP server for remote storage. You cannot use another type of server.
To generate reports using archived data, you first retrieve the data.
You cannot retrieve archived data if the target associated with the data is deleted. For example, if you archive assessment data for a target database and then delete the target configuration for that database, you cannot restore the archived assessment data.
The day and time that FortiDB created the archive is displayed in the Timestamp column on Retrieve tab.
You cannot retrieve any data that you have already retrieved. This limitation prevents duplicate records in the
FortiDB repository.
Archiving example
In the following illustration, FortiDB archives assessments with a date between January 8, 2008 and January 10, 2008. (Because the archive interval starts at 0:00 a.m. on the start date and ends at 0:00 a.m. on the end date, FortiDB does not archive data for January 11.) The assessments for all other dates remain in the repository.
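The dynamic Last Period filter described under Filtering report data and the archive interval in this illustration follow the same date-window rules (a date means 00:00 of that day, the end date is excluded, "N and older" keeps the last N units). The following added example, which is not FortiDB code, models those rules with constructed assessment records; it assumes that a Month unit is a calendar month and that the illustration's selected end date is January 11, 2008, so that January 8 through 10 are archived.

```python
"""Date-window rules from this handbook (report 'Last Period' / 'Date Range' filters,
archive start/end dates, 'N Month(s) and older'). Added example, not FortiDB code."""
import calendar
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Dict, List, Set, Tuple


def shift_months(moment: datetime, months: int) -> datetime:
    # Assumption: a 'Month' unit is a calendar month; the day is clamped at month end.
    idx = moment.month - 1 + months
    year, month = moment.year + idx // 12, idx % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def last_period_window(run_at: datetime, value: int, unit: str) -> Tuple[datetime, datetime]:
    """Dynamic filter, recomputed at every run: the window ends at the run moment and
    starts `value` units earlier ('last 2 days' = the 48 hours before the run)."""
    if value <= 0:
        raise ValueError("period value must be positive")
    if unit == "Day":
        return run_at - timedelta(days=value), run_at
    if unit == "Week":
        return run_at - timedelta(weeks=value), run_at
    if unit == "Month":
        return shift_months(run_at, -value), run_at
    raise ValueError(f"unknown period unit {unit!r}")


def day_window(start_day: date, end_day: date) -> Tuple[datetime, datetime]:
    """Date Range and archive dates mean 00:00 of that day, so the window is half-open:
    data generated on the end date itself is not included."""
    if end_day <= start_day:
        raise ValueError("end date must be after start date")
    midnight = datetime.min.time()
    return datetime.combine(start_day, midnight), datetime.combine(end_day, midnight)


@dataclass
class Record:
    record_id: int
    target: str            # target database the result belongs to
    generated_at: datetime


@dataclass
class Repository:
    # Toy repository: archiving moves records out; retrieval imports each one back once.
    records: Dict[int, Record]
    targets: Set[str]
    retrieved: Set[int] = field(default_factory=set)

    def _move_out(self, chosen: List[Record]) -> List[Record]:
        for r in chosen:
            del self.records[r.record_id]
        return chosen

    def archive_now(self, start_day: date, end_day: date) -> List[Record]:
        """Manual archive of everything inside [start 00:00, end 00:00)."""
        start, end = day_window(start_day, end_day)
        return self._move_out([r for r in self.records.values()
                               if start <= r.generated_at < end])

    def auto_archive(self, run_at: datetime, value: int, unit: str) -> List[Record]:
        """'N unit(s) and older': archive all results except those of the last N units."""
        cutoff, _ = last_period_window(run_at, value, unit)
        return self._move_out([r for r in self.records.values() if r.generated_at < cutoff])

    def retrieve(self, archive: List[Record]) -> int:
        """Import an archive. Refused if its target was deleted; records retrieved
        before are skipped, so the repository never holds duplicates."""
        imported = 0
        for r in archive:
            if r.target not in self.targets:
                raise LookupError(f"target {r.target!r} was deleted; cannot retrieve")
            if r.record_id not in self.retrieved:
                self.records[r.record_id] = r
                self.retrieved.add(r.record_id)
                imported += 1
        return imported


def demo() -> dict:
    """Walk through the handbook's archiving illustration with constructed assessments
    dated Jan 7-11, 2008 (end date Jan 11 assumed, so Jan 8-10 are archived)."""
    def fresh() -> Repository:
        recs = {d: Record(d, "finance_db", datetime(2008, 1, d, 12, 0)) for d in range(7, 12)}
        return Repository(records=recs, targets={"finance_db"})
    out, repo = {}, fresh()
    archive = repo.archive_now(date(2008, 1, 8), date(2008, 1, 11))
    out["archived_days"] = sorted(r.generated_at.day for r in archive)
    out["kept_days"] = sorted(r.generated_at.day for r in repo.records.values())
    out["first_retrieve"] = repo.retrieve(archive)
    out["second_retrieve"] = repo.retrieve(archive)  # already retrieved: nothing imported
    aged = fresh().auto_archive(datetime(2008, 4, 10, 9, 0), 3, "Month")
    out["auto_archived_days"] = sorted(r.generated_at.day for r in aged)
    start, end = last_period_window(datetime(2017, 3, 17, 10, 0), 2, "Day")
    out["last_2_days_hours"] = (end - start).total_seconds() / 3600
    return out
```

Running demo() shows January 7 and 11 staying in the repository, the second retrieval importing nothing, and "3 Month(s) and older" run on April 10 archiving only results older than January 10.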
Archiving strategy
Plan an archiving configuration that is appropriate for your environment. For example, determine how often you archive data based on your volume of data, and when to start archiving based on that frequency.
For example, if you plan to keep up to 4 months worth of data in your FortiDB repository, wait 4 months after installing FortiDB before archiving for the first time. After 4 months, in the Archive Period field of the Archive tab, select
3 Month(s) and older. This value archives all results except those that FortiDB ran during the previous three months. Schedule the archive to run immediately by specifying the current date and time. After archiving, three months' worth of data remains in your repository.
To maintain this frequency, you can either repeat the process of creating a 3 Month(s) and older archive every month or schedule it to occur automatically at an interval or on a specified day of the week or month.
Archiving data
The manual archiving process allows you to archive all assessment and monitoring data using a start and stop date. The scheduled archiving process allows you to archive data based on the age of the data relative to the date on which FortiDB does the archiving.
To immediately archive data based on its age, use the scheduled archiving process (Enable Auto Archive) and specify the current time and date.
To configure remote archiving
1. On the navigation menu, go to Administration > Archive/Retrieve.
2. On the Remote Archive Configuration tab, enter the IP Address, port, username, password and remote path for remote FTP server.
The remote archiving feature works with an FTP server only.
3. Click the Save button to save the remote server configuration.
To archive data manually
1. If you want to send the archive to a remote server, complete the settings on the Remote Archive Configuration tab. For more information, see To retrieve archived data on page 255.
2. In the navigation menu, go to Administration > Archive/Retrieve.
3. On the Archive tab, specify a start and end date for your archive.
Because the selected dates specify 0:00 a.m. on the start date and 0:00 a.m. of the end date, the archive does not include data generated on the end date.
254
4. Click Archive Now.
The message “Archiving Completed” is displayed in the Status area in the top-right corner of the page.
FortiDB 5.1.11 Upgrade Guide
Fortinet Technologies Inc.
Archiving audit data Archiving data
5. To send the archive to a remote server, on the Retrieve tab, select the archive you just created, and then click Send to remote server.
To archive data according to a schedule
1. If you want to send the archive to a remote server, complete the settings on the Remote Archive Configuration tab. For more information, see To retrieve archived data on page 255.
2. In the navigation menu, go to Administration > Archive/Retrieve.
3. On the Archive tab, select Enable Auto Archive.
4. Under Archive period, specify the end date for data in the archive by selecting the number of days, weeks, or months prior to the current date.
For example, 3 Month(s) and older creates an archive that contains all results except those that FortiDB ran in the last 3 months.
5. Under Run time, do one of the following:
- Enter a time and date for Start at.
- Under Recurrence pattern, select Hourly, Daily, Weekly, or Monthly:
  Hourly: Specify the hourly interval in the Every __ hours field.
  Daily: Specify the daily interval in the Every __ days field.
  Weekly: Specify the weekly interval in the Every __ week(s) on field, and then specify one or more days of the week on which FortiDB runs the archive.
  Monthly: Specify one or more months to run your archive in, and then do one of the following:
  - Select Day and specify, as a number, the day of the selected months on which FortiDB runs the archive.
  - Select The <ordinal number> <day of week> of every, and then select a day of the week in each selected month to run the archive on (for example, first Monday).
6. To send the archive file to a remote server, select Enable remote archive.
7. To delete the archived file from FortiDB, select Delete archive file after sending to remote server.
8. Click Save Schedule.
To retrieve archived data
1. In the navigation menu, go to Administration > Archive/Retrieve.
2. On the Retrieve tab, do one of the following:
- To retrieve an archive file that is stored on the appliance, in the list of files, select the file you want to retrieve, and then click Retrieve.
- To retrieve an archive file that is stored on the remote server, for Archive file path on remote server, enter the archive file path on the remote server, and then click Get from remote server.
When the retrieval process is complete, the message "Restoring Completed" is displayed in the Status area in the top-right area of the page.
See also
- Configuring monitoring using the TCP/IP sniffer (all database types)
Using the command line interface (CLI)
You can use CLI commands to view system information and to change system level settings.
Connecting to the CLI
1. Log on to the FortiDB appliance as the admin user or as a user with the FortiDB System Administrator role, using one of the following methods:
- A terminal connected to the appliance's console port
- Remote login with SSH or Telnet (determined by FortiDB's network interface settings)
2. Enter the CLI command of interest. For more information on the configuration to use, see Connecting to the web UI and CLI on page 49.
Command syntax
Specifying file names and locations in commands
Use only letters, numbers, hyphens, and underscores in filenames and locations. Do not use spaces or special characters. For example, my_file is an acceptable name; my&file is not.
Entering spaces in command strings
Spaces are not allowed in strings that represent filenames or file locations.
When a string value, other than a filename or location, contains a space, do one of the following:
- Enclose the string in double quotation marks; "Security Administrator", for example.
- Enclose the string in single quotes; 'Security Administrator', for example.
- Precede the space with a backslash (\); Security\ Administrator, for example.
Entering quotation marks in strings
If you want to include a quotation mark, single quote or apostrophe in a string, you must precede the character with a backslash character. To include a backslash, enter two backslashes.
Entering a question mark (?) in a string
If you want to include a question mark (?) in a string, you must precede the question mark with CTRL-V. Entering a question mark without first entering CTRL-V causes the CLI to display possible command completions, terminating the string.
Special characters that are not permitted in commands
The characters <, >, (, ), #, ', and " are not permitted in most FortiDB CLI fields, nor are they permitted in the passwords used to protect configuration-file backups.
Specifying IP address formats in commands
You can enter an IP address and subnet using either dotted decimal or slash-bit format. For example, you can type either set ip 192.168.1.1 255.255.255.0 or set ip 192.168.1.1/24.
The IP address is displayed in the configuration file in dotted decimal format.
Notation
This guide uses the following conventions to describe command syntax:
- Angle brackets < > indicate variables.
  For example: execute restore config <filename_str>
  You enter: execute restore config myfile.bak
- Vertical bar and curly brackets { | } separate alternative, mutually exclusive required keywords.
  For example: set protocol {ftp | sftp}
  You can enter: set protocol ftp or set protocol sftp
- Square brackets [ ] indicate that a keyword or variable is optional.
  For example: show system interface [<name_str>]
  To show the settings for all interfaces, you can enter show system interface. To show the settings for the port1 interface, you can enter show system interface port1.
- A space separates options that can be entered in any order and in any combination and that must be separated by spaces.
  For example: set allowaccess {https ping ssh}
  You can enter any of the following:
  - set allowaccess ping
  - set allowaccess https ping
  - set allowaccess ssh
  - set allowaccess https ssh
  - set allowaccess https ping ssh
  In most cases, to make changes to lists that contain options separated by spaces, you need to retype the whole list, including all the options you want to apply and excluding all the options you want to remove.
- Special characters:
  - The \ is supported to escape spaces or as a line continuation character.
  - The single quotation mark ' and the double quotation mark " are supported, but must be used in pairs.
  - If there are spaces in a string, you must precede the spaces with the \ escape character or put the string in a pair of quotation marks.
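The quoting rules above can be checked mechanically before a command is typed into an appliance. The tokenizer below is an added example written for this section, not FortiDB code: it applies the stated rules (paired quotes, backslash escapes, backslash line continuation, CTRL-V before a question mark, and the filename character set) and returns the arguments the CLI would receive; the CTRL-V byte value 0x16 is the standard terminal encoding and is the only assumption beyond the text.

```python
"""Tokenizer for the FortiDB CLI quoting rules (added example, not FortiDB code).

Rules modelled, as stated in the Command syntax section:
  - spaces separate arguments; options in a list are space-separated
  - "..." and '...' group a string that contains spaces and must be paired
  - a backslash escapes a space, a quote or another backslash
  - a backslash at the end of a line continues the command on the next line
  - '?' ends the string and asks for completion unless preceded by CTRL-V
  - filenames and locations use only letters, digits, hyphens and underscores
"""
import re

CTRL_V = "\x16"                        # byte a terminal sends for CTRL-V (assumption)
ESCAPABLE = {" ", '"', "'", "\\"}       # characters a backslash may precede
FORBIDDEN = set('<>()#\'"')            # not permitted in most CLI fields
FILENAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def is_valid_filename(name: str) -> bool:
    """True if a filename or location uses only the permitted characters."""
    return bool(FILENAME_RE.match(name))


def forbidden_characters(value: str) -> list:
    """Characters in value that the handbook says most CLI fields reject."""
    return sorted(set(value) & FORBIDDEN)


def tokenize(command: str):
    """Split a command string into the arguments the CLI would receive.

    Returns (tokens, completion_requested). completion_requested is True when
    an unescaped '?' (one not preceded by CTRL-V) ended the input, in which
    case tokens holds what was entered before it. Raises ValueError on an
    unpaired quote, which the CLI would also reject.
    """
    tokens, current = [], []
    in_token = False     # True once the current argument has started
    quote = None         # the quote character currently open, or None
    i, n = 0, len(command)
    while i < n:
        ch = command[i]
        nxt = command[i + 1] if i + 1 < n else ""
        if ch == "\\" and nxt == "\n":          # line continuation: join lines
            i += 2
            continue
        if ch == "\\" and nxt in ESCAPABLE:     # escaped space, quote or backslash
            current.append(nxt)
            in_token = True
            i += 2
            continue
        if ch == CTRL_V:                        # CTRL-V makes the next char literal
            if nxt:
                current.append(nxt)
                in_token = True
            i += 2
            continue
        if ch == "?":                           # completion request ends the string
            if in_token:
                tokens.append("".join(current))
            return tokens, True
        if quote is not None:                   # inside "..." or '...'
            if ch == quote:
                quote = None
            else:
                current.append(ch)
            i += 1
            continue
        if ch in ('"', "'"):                    # opening quote
            quote = ch
            in_token = True
            i += 1
            continue
        if ch in (" ", "\t", "\n"):             # argument separator
            if in_token:
                tokens.append("".join(current))
                current, in_token = [], False
            i += 1
            continue
        current.append(ch)                      # ordinary character
        in_token = True
        i += 1
    if quote is not None:
        raise ValueError("unpaired %s quote in command" % quote)
    if in_token:
        tokens.append("".join(current))
    return tokens, False


if __name__ == "__main__":
    for cmd in ('set name "Security Administrator"',
                "set name Security\\ Administrator",
                "set name O\\'Brien",
                "get system ?"):
        print(repr(cmd), "->", tokenize(cmd))
```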
Tips & tricks
Help
You can press the question mark (?) key to display command help.
- Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each command.
- Type a command followed by a space and press the question mark (?) key to display a list of the options available for that command and a description of each option.
- Type a command followed by an option and press the question mark (?) key to display a list of additional options available for that command-option combination and a description of each option.
Completing commands automatically
You can use the Tab key or the question mark (?) key to complete commands.
- Press Tab at any prompt to scroll through the options available for that prompt.
- You can type the first characters of any command and press Tab or ? (question mark) to complete the command or to scroll through the options that are available at the current cursor position.
- After completing the first word of a command, you can press the space bar and then the Tab key to scroll through the options available at the current cursor position.
Recalling commands
You can recall previously entered commands by using the Up and Down arrow keys to scroll through commands you have entered.
Editing commands
Use the Left and Right arrow keys to move the cursor back and forth in a recalled command. You can also use the Backspace and Delete keys and the control keys listed in the following table to edit the command.
Function                                   Key combination
Beginning of line                          CTRL+A
End of line                                CTRL+E
Back one character                         CTRL+B
Forward one character                      CTRL+F
Delete current character                   CTRL+D
Previous command                           CTRL+P
Next command                               CTRL+N
Abort the command                          CTRL+C
If used at the root prompt, exit the CLI   CTRL+C
Breaking a long command
To break a long command over multiple lines, use a \ at the end of each line.
Abbreviating commands
You can abbreviate commands and command options to the smallest number of non-ambiguous characters. For example, the command get system status can be abbreviated to g sy st.
Overview of commands
Command branch: config
Supported commands:
- system admin setting
- system backup all-settings
- system debug filter
- system dns
- system global
- system interface
- system ntp
- system raid
- system route
Description: Use config to configure objects of FortiDB functionality. Top-level objects are not configurable; they are containers for more specific lower-level objects. For example, the system object contains DNS addresses, interfaces, routes and so on. When these objects are multiple, such as routes, they are organized in the form of a table. You can add, delete or edit the entries in the table. Table entries each consist of keywords that you can set to particular values. Simpler objects, such as system DNS, are a single set of keywords.

Command branch: execute
Supported commands:
- backup all-settings
- backup configurations
- backup fd-tcpdump
- backup-remove fd-archive
- backup-remove fd-report
- backup-remove fd-tcpdump
- date
- format disk
- generate certificate
- ping
- raid rebuild
- reboot
- reset
- restart
- restore all-settings
- restore configurations
- restore fd-archive
- shutdown
- time
- top
- traceroute
Description: Use execute to run static commands, to reset the FortiDB unit to factory defaults, or to back up or restore the FortiDB configuration. The execute commands are available only from the root prompt.
Command branch: show
Supported commands:
- system admin setting
- system backup all-settings
- system dns
- system global
- system interface
- system ntp
- system route
Description: Use show to display the FortiDB unit configuration. Only changes to the default configuration are displayed. You can use show within a config shell to display the configuration of that shell, or you can use show with a full path to display the configuration of the specified shell.
Command branch: diagnose
Supported commands:
- counter memory
- counter misc
- counter packet
- counter parser
- counter session
- debug application control basic
- debug application housekeep basic
- debug application parser basic
- debug application parser packet
- debug application sniffer abnormal
- debug application sniffer basic
- debug application sniffer block-ip
- debug application sniffer blocksession
- debug application sniffer ipreassemble
- debug application sniffer malformed-packet
- debug application sniffer packet
- debug application sniffer tcpreassemble
- log show|tail|remove
- mapping debug
- mapping reset
- mapping status
- network interface list
- network interface detail
- system coredump check
- system coredump export
- system export fd_log
- system raid list
- tcpdump start|stop
- tcpdump status
Description: Use diagnose commands to set debug parameters, view detailed information about Ethernet interfaces, or send diagnostic information to an FTP server.
config
FortiDB provides the following config commands:
- config system admin setting
- config system backup all-settings
- config system dns
- config system global
- config system ntp
- config system raid
config system admin setting
The config system admin setting command allows you to configure web administration settings.
Syntax
config system admin setting
  set http_port <integer>
  set https_port <integer>
  set idle_timeout <integer>
end
where:
http_port: The HTTP port number for web administration. (Default: 80)
https_port: The HTTPS port number for web administration. (Default: 443)
idle_timeout: The idle-timeout value, which ranges from 1 to 480 minutes. (Default: 5)
Example
To set an idle-timeout value of 2 minutes and port 444 for HTTPS web administration:
config system admin setting
  set idle_timeout 2
  set https_port 444
end
config system backup all-settings
The config system backup all-settings command allows you to set or check the settings for scheduled backups.
Syntax
config system backup all-settings
  set crptpasswd <passwd>
  set directory <dir_name>
  set passwd <pwd>
  set protocol {ftp | sftp}
  set server <string>
  set status {enable | disable}
  set time <hh:mm:ss>
  set user <user_name>
  set week_days {monday tuesday wednesday thursday friday}
end
where:
crptpasswd <passwd>: Optional password to protect backup content. (Default: None)
directory <dir_name>: The directory on the backup server in which to save the backup file. (Default: None)
passwd <pwd>: The password for the backup server. (Default: None)
protocol {ftp | sftp}: The backup protocol. (Default: sftp)
server <string>: The IP address or DNS-resolvable host name for the backup server. (Default: None)
status {enable | disable}: Enable or disable scheduled backups. (Default: disable)
time <hh:mm:ss>: The time of day to perform the backup. Time is required in the form <hh:mm:ss>. (Default: None)
user <user_name>: The user account name for the backup server. (Default: None)
week_days {monday tuesday wednesday thursday friday}: The day(s) of the week on which to perform backups. You may select multiple days. (Default: None)
Example
The backup server is at 172.20.120.11 using the admin account with no password and saving the backup in the /usr/local/backups directory. Backups will be done on Mondays at 1:00pm using ftp.
config system backup all-settings
  set status enable
  set server 172.20.120.11
  set user admin
  set directory /usr/local/backups
  set week_days monday
  set time 13:00:00
  set protocol ftp
end
config system debug-filter
The config system debug-filter command allows you to filter logging of packet and SQL processes.
Enabling debug filters has an impact on system performance.
For information on other debugging commands, see
Syntax
config system debug-filter
  edit <seq_num>
    set dst-ip <dst-ip_ip>
    set dst-port <dst-port_int>
    set ingress-intf {port1 | port2 | port3 | port4 | port5 | port6}
    set protocol {tcp | udp}
    set src-ip <src-ip_ip>
    set src-port <src-port_int>
end
where:
<seq_num>: Enter an unused filter number to create a new filter. Enter an existing filter number to edit that filter. (Default: None)
dst-ip <dst-ip_ip>: Enter the packet destination IP address to match. (Default: None)
dst-port <dst-port_int>: Enter the packet destination port to match. (Default: None)
ingress-intf {port1 | port2 | port3 | port4 | port5 | port6}: Specify the interface on which FortiDB receives the traffic that this filter applies to. (Default: None)
protocol {tcp | udp}: Specify the packet layer 4 protocol to match. (Default: None)
src-ip <src-ip_ip>: Enter the packet source IP address to match. (Default: None)
src-port <src-port_int>: Enter the packet source port to match. (Default: None)
config system dns
The config system dns command allows you to set the DNS server addresses.
Syntax
config system dns
  set primary <dns_ip>
  set secondary <dns_ip>
end
where:
primary <dns_ip>: Enter the primary DNS server IP address. (Default: 65.39.139.53)
secondary <dns_ip>: Enter the secondary DNS server IP address. (Default: 65.39.139.63)
Example
config system dns
  set primary 65.39.139.53
  set secondary 65.39.139.63
end
config system global
The config system global command allows you to configure global settings that affect miscellaneous FortiDB features.
Syntax
config system global
  set console-output {more | standard}
  set daylightsavetime {enable | disable}
  set hostname <unithostname>
  set ssl-low-encryption {enable | disable}
  set swapmem {enable | disable}
  set timezone <timezone_number>
end
where:
console-output {more | standard}: Select how the output is displayed on the console. Select more to pause the output at each full screen until a key is pressed. Select standard for continuous output without pauses. (Default: standard)
daylightsavetime {enable | disable}: Enable or disable daylight saving time. If you enable daylight saving time, the FortiDB system automatically adjusts the system time when the time zone changes to or from daylight saving time. (Default: enable)
hostname <unithostname>: Enter a name for this FortiDB system. (Default: FD-XXX; the default hostname varies depending on the appliance.)
ssl-low-encryption {enable | disable}: Enable or disable low-grade (40-bit) encryption. (Default: disable)
swapmem {enable | disable}: Enable or disable virtual memory. (Default: enable)
timezone <timezone_number>: The number corresponding to your time zone. Press ? to list time zones and their numbers. Choose the time zone for the FortiDB system from the list and enter the correct number. (Default: 00)
Example
The following command turns on daylight saving time, sets the FortiDB system name to FDB1K, and chooses the Eastern timezone for US & Canada.
config system global
  set daylightsavetime enable
  set hostname FDB1k
  set timezone 12
end
config system interface
The config system interface command allows you to edit the configuration of a FortiDB network interface.
Syntax
config system interface
  edit <port>
    set allowaccess {http https ping ssh telnet}
    set ip <ipmask>
    set status {up | down}
end
where:
<port>: <port> can be one of port1, port2, port3, port4. (Default: none)
allowaccess {http https ping ssh telnet}: Enter the types of management access permitted on this interface. Valid types are: http https ping ssh telnet. Separate multiple selected types with spaces. If you want to add or remove an option from the list, retype the list as required. (Default: varies for each interface)
ip <ipmask>: Enter the interface IP address and netmask. The IP address cannot be on the same subnet as any other interface. (Default: none)
status {up | down}: Start or stop the interface. If the interface is stopped, it does not accept or send packets. If you stop a physical interface, VLAN interfaces associated with it also stop. (Default: up)
Example
This example shows how to set the FortiDB port1 interface IP address and netmask to 192.168.100.159 255.255.255.0, and the management access to ping, https, and ssh.
config system interface
  edit port1
    set allowaccess ping https ssh
    set ip 192.168.100.159 255.255.255.0
    set status up
end
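Because allowaccess is replaced as a whole rather than merged, typing only the option you want to add silently drops the others. The helpers below are an added example, not FortiDB code: they compute the complete list from the current one, show what a partial retype would lose, render the block in the layout shown above, and report http and telnet, which carry management credentials unencrypted; the port list port1 to port4 and the option set are the ones stated in this section.

```python
"""Rebuild the full 'set allowaccess' list for a FortiDB interface.

Added example, not FortiDB code. The handbook states that a space-separated
option list is replaced as a whole: to add or remove one option you retype
the entire list. These helpers compute the complete list, show what a partial
retype would silently drop, and render the full config block. They also flag
http and telnet, which send management credentials in cleartext.
"""

VALID_ACCESS = ("http", "https", "ping", "ssh", "telnet")   # order as in the handbook
CLEARTEXT = ("http", "telnet")                               # unencrypted management protocols
VALID_PORTS = ("port1", "port2", "port3", "port4")           # <port> values listed above


def _check_options(options):
    """Reject any option the handbook does not list for allowaccess."""
    unknown = sorted(set(options) - set(VALID_ACCESS))
    if unknown:
        raise ValueError("unknown allowaccess option(s): %s" % ", ".join(unknown))


def update_allowaccess(current, add=(), remove=()):
    """Return the complete option list after adding and removing options."""
    _check_options(list(current) + list(add) + list(remove))
    wanted = (set(current) | set(add)) - set(remove)
    return [opt for opt in VALID_ACCESS if opt in wanted]


def dropped_by_partial_retype(current, typed):
    """Options lost if 'set allowaccess <typed>' is entered instead of the full list."""
    _check_options(list(current) + list(typed))
    lost = set(current) - set(typed)
    return [opt for opt in VALID_ACCESS if opt in lost]


def cleartext_enabled(options):
    """Management protocols in the list that send credentials unencrypted."""
    return [opt for opt in CLEARTEXT if opt in options]


def render_interface_block(port, allowaccess, ip=None, status=None):
    """Render the config system interface block in the handbook's layout."""
    if port not in VALID_PORTS:
        raise ValueError("port must be one of %s" % ", ".join(VALID_PORTS))
    if status not in (None, "up", "down"):
        raise ValueError("status must be up or down")
    _check_options(allowaccess)
    lines = ["config system interface",
             "  edit %s" % port,
             "    set allowaccess %s" % " ".join(allowaccess)]
    if ip:
        lines.append("    set ip %s" % ip)
    if status:
        lines.append("    set status %s" % status)
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    current = ["ping", "https", "ssh"]          # the handbook's port1 example
    print("typing only 'set allowaccess http' would drop:",
          dropped_by_partial_retype(current, ["http"]))
    full = update_allowaccess(current, add=["http"])
    print("cleartext protocols now enabled:", cleartext_enabled(full))
    print(render_interface_block("port1", full))
```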
config system mapping
The config system mapping command allows you to configure FortiDB to collect audit and alert data for FortiMonitor and transmit it via SSH File Transfer Protocol (SFTP).
FortiMonitor integration with FortiDB requires a FortiDB administrator with the name fortisiem. For more information, see FortiMonitor administrator on page 66.
Syntax
config system mapping
  set status {enable | disable}
  set limit-file <limit-file_int>
  set scan-cycle <scan-cycle_int>
  set range-start <date_str>
  set range-end <date_str>
end
where:
status {enable | disable}: Enable or disable data collection and transmission for FortiDB. (Default: disable)
limit-file <limit-file_int>: Enter the maximum number of SFTP files the feature generates. Generating too many SFTP files can fill the appliance hard disk. (Default: 1000)
scan-cycle <scan-cycle_int>: Enter a value that specifies how long FortiDB pauses between collection cycles for FortiMonitor, in seconds. Adding pauses in data collection allows system resources to be available for target monitoring and other tasks. When you use smaller values, FortiDB collects data more quickly. (Default: 20)
range-start <date_str> (Default: none): Enter the date and time to start collecting data for FortiMonitor using the format mm/dd/yyyy-hh:mm:ss, where:
  - mm is the month. Valid months are 01 to 12.
  - dd is the day of the month. Valid days are 01 to 31.
  - yyyy is the year. Valid years are 2001 to 2037.
  - hh is the hour. Valid hours are 00 to 23.
  - mm is the minute. Valid minutes are 0 to 59.
  - ss is the second. Valid seconds are 0 to 59.
range-end <date_str> (Default: none): Optionally, enter the date and time to stop collecting data for FortiMonitor. If you do not specify this option, FortiDB collects data continuously after the specified start time.
Examples
The following example starts data collection for FortiMonitor at a specific date and time with no specified stop time.
config system mapping
  set status enable
  set range-start 6/10/2014-16:26:23
end
The following example specifies data collection for FortiMonitor with both a start and stop time.
config system mapping
  set status enable
  set range-start 6/10/2014-00:00:00
  set range-end 7/10/2014-23:59:59
end
config system ntp
The config system ntp command allows you to configure automatic time setting using a network time protocol (NTP) server.
Syntax
config system ntp
  set server <server_ip>
  set status {enable | disable}
  set sync_interval <minutes>
end
where:
server <server_ip>: Enter the IP address or fully qualified domain name of the NTP server. (Default: none)
status {enable | disable}: Enable or disable NTP time setting. (Default: disable)
sync_interval <minutes>: Enter how often, in minutes, the FortiDB system synchronizes its time with the NTP server. (Default: 60)
config system raid
The config system raid command allows you to view or configure the hard disk RAID scheme.
Syntax
config system raid
  set level <raid_level_name>
end
where:
<raid_level_name>: Specifies the RAID level. Valid values are determined by the FortiDB model and hard disk hardware. (Default: raid1)
- Implementing RAID removes all existing data from the hard disks.
- FortiDB 2000B supports raid1 and raid5 only. To determine which RAID scheme your appliance supports, see your hardware specification.
- The appliance requires a minimum of 2 hard disks to implement RAID.
- After you implement RAID, you cannot return the hard disk to its original partitions.
- Use the CLI command get system raid to get the RAID level information.
- Use the CLI command diagnose system raid list to get the current RAID status information.
- If the RAID schema is corrupted, use the CLI command execute raid rebuild to rebuild it.
Implementing RAID 5 on FortiDB 2000B
- The RAID 5 array requires at least 3 hard disks. You cannot implement RAID 5 on FortiDB 2000B if fewer than 3 hard disks are available.
- To ensure the hard disks have the same parameters, ensure they all have the same capacity, model, and vendor.
To remove the RAID 5 array
The unset operation removes the RAID 5 array and all data is lost. Perform this operation only if it is necessary.
1. Using the CLI, log in to the FortiDB 2000B as the user admin.
2. To enter RAID configuration, enter config system raid.
3. Enter unset level.
FortiDB prompts you to confirm the action and warns you that all the data on all hard disks will be lost.
4. To continue, enter y.
FortiDB starts the RAID 5 unset operation.
5. To format the hard disk, enter execute format disk.
FortiDB reboots automatically. After the reboot, FortiDB is available on the first hard disk.
Implementing RAID on FortiDB 3000B
FortiDB 3000D has an integrated RAID controller that supports RAID 0, 1, 5, 10, and other standard levels.
However, you cannot use the CLI commands to implement RAID on FortiDB 3000D. Instead, you set the RAID level in BIOS.
To access the FortiDB 3000D BIOS, a keyboard and a display device are required.
To enter the BIOS Configuration Utility, when the BIOS screen is displayed during startup, press CTRL-R.
After you change the RAID level, you must format the hard disk. To obtain the required format image, contact Fortinet Technical Support.
config system route
The config system route command allows you to view or configure static routing table entries.
Syntax
config system route
  edit <seq_num>
    set device <port>
    set dst <dst_ip_mask>
    set gateway <gw_ip>
end
where:
<seq_num>: Enter an unused routing sequence number to create a new route. Enter an existing route number to edit that route. (Default: none)
device <port>: Enter the port used for this route. (Default: none)
dst <dst_ip_mask>: Enter the IP address and mask for the destination network. (Default: 0.0.0.0 0.0.0.0)
gateway <gw_ip>: Enter the default gateway IP address for this network. (Default: 0.0.0.0)
execute
FortiDB provides the following execute commands:
- execute backup-remove fd-archive
- execute backup-remove fd-report
- execute backup-remove fd-tcpdump
- execute format disk
- execute generate certificate
- execute ping
- execute raid rebuild
- execute reboot
- execute reset
- execute restart
- execute restore all-settings
- execute restore configurations
- execute restore fd-archive
- execute shutdown
- execute time
execute backup all-settings
The FortiDB CLI allows you to back up your local database to an FTP server.
After the backup is complete and the message "Transfer Finished" is displayed, press <enter> to return to the original prompt.
Syntax
execute backup all-settings <ftp server> <filepath> <username> <password> [crptpasswd]
where:
<ftp server>: IP address or hostname of the FTP server.
<filepath>: Location on the FTP server where you want the settings file to be placed. If you do not specify a name, the file name is fdb_allbackup.dat.
<username>: User name of the account that logs on to the FTP server.
<password>: Password of the account that logs on to the FTP server.
[crptpasswd]: Optional password for protecting the settings file on the FTP server.
Example
execute backup all-settings <your_ftp_server> . <your_ftp_username> <your_ftp_password> myCrptpasswd
See also
- config system backup all-settings
- show system backup all-settings
execute backup configurations
The FortiDB CLI allows you to back up your FortiDB configuration without backing up log data.
After the backup is complete and the message "Transfer Finished" is displayed, press <enter> to return to the original prompt.
Syntax
execute backup configurations <ftp server> <filepath> <username> <password> [crptpasswd]
where:
<ftp server>: IP address or hostname of the FTP server.
<filepath>: Location on the FTP server where you want to save the configuration file. If you do not specify a name, the file name is fdbconfigurations.data.
<username>: User name of the account that logs on to the FTP server.
<password>: Password of the account that logs on to the FTP server.
[crptpasswd]: Optional password that protects the configuration file on the FTP server.
Example
This example saves the configuration file to the FTP server at 172.30.144.210 using the default file name and protects it with the password myCrptpasswd.
execute backup configurations 172.30.144.210 . dzhang 123456 myCrptpasswd
See also
- execute restore configurations
execute backup fd-tcpdump
The execute backup fd-tcpdump command allows you to export log files generated by tcpdump to an FTP site. FortiDB compresses the files before it sends them to the specified FTP site.
For information on generating tcpdump log files, see diagnose tcpdump start|stop on page 306.
Syntax
execute backup fd-tcpdump <ftp server> <username> <password> [directory] [filename]
where:
<ftp server>: IP address or hostname of the FTP server.
<username>: Username of the FTP server account.
<password>: FTP server account password.
[directory]: Location on the FTP server where you want to save the tcpdump file. If you do not specify a directory, FortiDB uses the default directory.
[filename]: If you do not specify a name, the file name is fdb-tcpdump.tgz.
Example
execute backup fd-tcpdump <your_ftp_server> <your_ftp_username> <your_ftp_password>
See also
- execute backup-remove fd-tcpdump
execute backup-remove fd-archive
The execute backup-remove fd-archive command allows you to back up archives to an FTP server and then remove them.
After the backup is complete and the message "Transfer Finished" is displayed, press Enter to return to the original prompt.
Syntax
execute backup-remove fd-archive <before-date> <ftp server> <username> <password> [directory] [filename]
where:
<before-date>: Date of the last archive you want included in your backup. For example, if you specify 2008-12-31, the backup includes archives up to this date. The format is YYYY-MM-DD: YYYY is a 4-digit number representing the year, MM is a 2-digit number from 1 to 12 representing the month, and DD is a 2-digit number from 1 to 31 representing the day of the month.
<ftp server>: IP address or hostname of the FTP server.
<username>: User name of the account that logs on to the FTP server.
<password>: Password of the account that logs on to the FTP server.
[directory]: Location on the FTP server where you want the tar file to be placed.
[filename]: Name for the tar file on the FTP server in which you want the archives to be placed. The default file name is FD-ARCHIVE-<before-date>.tar.
Example
execute backup-remove fd-archive 2008-07-30 <your_ftp_server> <your_ftp_username> <your_ftp_password> . myArchives.tar
execute backup-remove fd-report
The execute backup-remove fd-report command allows you to back up reports to an FTP server and then remove them.
After the backup is complete and the message "Transfer Finished" is displayed, press <enter> to return to the original prompt.
Syntax
execute backup-remove fd-report <before-date> <ftp server> <username> <password> [directory] [filename]
where:
<before-date>: Date of the last report you want included in your backup. For example, if you specify 2008-12-31, the backup includes reports up to this date. The format is YYYY-MM-DD: YYYY is a 4-digit number representing the year, MM is a 2-digit number from 1 to 12 representing the month, and DD is a 2-digit number from 1 to 31 representing the day of the month.
<ftp server>: IP address or hostname of the FTP server.
<username>: User name of the account that logs on to the FTP server.
<password>: Password of the account that logs on to the FTP server.
[directory]: Location on the FTP server where you want the tar file to be placed.
[filename]: Name for the tar file on the FTP server in which you want the reports to be placed. The default file name is FD-REPORT-<before-date>.tar.
Example
execute backup-remove fd-report 2008-07-30 <your_ftp_server> <your_ftp_username> <your_ftp_password> . myReports.tar
execute backup-remove fd-tcpdump
The execute backup-remove fd-tcpdump command allows you to export log files generated by tcpdump to an FTP site and then remove the files from the local disk. FortiDB compresses the files before it sends them to the specified FTP site.
For information on generating tcpdump files, see diagnose tcpdump start|stop on page 306.
Syntax
execute backup-remove fd-tcpdump <ftp server> <username> <password> [directory] [filename] where:
Keywords and variables:
<ftp server>
    IP address or hostname of the FTP server.
<username>
    Username of the FTP server account.
<password>
    FTP server account password.
[directory]
    Location on the FTP server where you want to save the tcpdump file. If you do not specify a directory, FortiDB uses the default directory.
[filename]
    Name of the file on the FTP server. If you do not specify a name, the file name is fdb-tcpdump.tgz.
Example
execute backup-remove fd-tcpdump <your_ftp_server> <your_ftp_username> <your_ftp_password>
execute date
The execute date command allows you to get or set the system date. If you do not specify a date, the command returns the current system date.
Syntax
execute date [<date_str>] where:
Variable:
<date_str>
    This variable has the form mm/dd/yyyy.
    - mm is the month and can be 01 to 12
    - dd is the day of the month and can be 01 to 31
    - yyyy is the year and can be 2001 to 2100
    Dates entered will be validated: mm and dd require 2 digits, and yyyy requires 4 digits.
Example
To set the date to 17 September 2013: execute date 09/17/2013
execute format disk
The execute format disk command allows you to format the hard disk on the FortiDB system.
Executing this command will erase all device settings/images, VPN & Update Manager databases, and log data on the FortiDB system's hard drive. FortiDB's IP address and routing information are preserved.
Syntax
execute format disk
When you run this command, FortiDB prompts you to confirm the request.
Warning: If you use this command without first running the backup all-settings command, you may not be able to view assessments or reports after you archive and restore your data. When you want to archive and then format the disk, make sure that you run the config system backup all-settings command before archiving.
execute generate certificate
The execute generate certificate command allows you to regenerate the certificate for FortiDB web administration.
Syntax
execute generate certificate keysize {keysize}
The variable {keysize} is the size of the subject's public key for the certificate. Valid values are 1024 or 2048. Of the two, use 2048: 1024-bit RSA keys have been deprecated by NIST since 2013, and 2048 bits is the minimum generally accepted today.
The FortiDB system needs to be rebooted after a new certificate is generated.
execute ping
The execute ping command allows you to send an ICMP echo request (ping) to test the network connection between the FortiDB system and another network device.
Syntax
execute ping {<ip> | <hostname>} where:
Variable:
<ip>
    IP address of the network device to contact.
<hostname>
    DNS-resolvable hostname of the network device to contact.
Example
To ping a host with the IP address 192.168.1.23: execute ping 192.168.1.23
execute raid rebuild
The execute raid rebuild command allows you to rebuild the hard disk raid when the raid is corrupted.
Syntax
execute raid rebuild
- Rebuilding the RAID erases all existing data on the second hard disk.
- If you only replace the second disk in an existing RAID, the newly inserted disk synchronizes with the RAID automatically and does not need a rebuild. If the second disk was previously part of a RAID volume, however, you usually need to rebuild it.
execute reboot
The execute reboot command allows you to restart the FortiDB system. It disconnects all sessions on the FortiDB system.
Syntax
execute reboot
execute reset
The execute reset command allows you to reset the FortiDB system to factory defaults. It disconnects all sessions and restarts FortiDB.
Syntax
execute reset {admin-password | all-settings | data} where:
Variable:
admin-password
    Reset the admin password to the default password.
all-settings
    Reset all settings.
data
    Reset the database.
Example
execute reset all-settings
execute restart
This FortiDB CLI command allows you to restart the application server under which both FortiDB-VA (Vulnerability Assessment) and FortiDB-DAM (DB Activity Monitoring) are running.
Syntax
execute restart appserver
execute restore all-settings
This FortiDB CLI command allows you to restore a previous backup of your local database, FortiDB system-configuration settings, archives, and reports.
Syntax
execute restore all-settings <ftp server> <filepath> <username> <password> [crptpasswd] where:
Variable:
<ftp server>
    IP address or hostname of the FTP server.
<filepath>
    Location of, and filename for, the settings file on the FTP server.
<username>
    User name of the account that logs on to the FTP server.
<password>
    Password of the account that logs on to the FTP server.
[crptpasswd]
    Optional password for protecting the settings file on the FTP server.
This operation will replace your current settings and necessitate a reboot.
Example
execute restore all-settings <your_ftp_server> ./fdb_allbackup.dat <your_ftp_username> <your_ftp_password> myCrptpasswd
See also
- config system backup all-setting
- show system backup all-settings
execute restore configurations
Use this command to restore FortiDB system configuration settings that you backed up to an FTP server.
This command replaces the existing configuration with the restored configuration, deletes all alert and audit data, and restarts FortiDB.
Syntax
execute restore configurations <ftp server> <filepath> <username> <password> [crptpasswd] where:
Variable:
<ftp server>
    IP address or hostname of the FTP server.
<filepath>
    Location of, and filename for, the configuration file on the FTP server.
<username>
    User name of the account that logs on to the FTP server.
<password>
    Password of the account that logs on to the FTP server.
[crptpasswd]
    Optional password for protecting the configuration file on the FTP server.
This operation replaces your current configuration and requires you to reboot FortiDB.
Example
execute restore configurations 172.30.144.210 ./fdb-configurations.dat dzhang 123456 myCrptpasswd
execute restore fd-archive
This FortiDB CLI command allows you to restore previously backed-up archives.
Syntax
execute restore fd-archive <ftp server> <filepath> <username> <password> where:
Variable:
<ftp server>
    IP address or hostname of the FTP server.
<filepath>
    Location of, and filename for, the settings file on the FTP server.
<username>
    User name of the account that logs on to the FTP server.
<password>
    Password of the account that logs on to the FTP server.
This operation will replace your current settings and necessitate a reboot.
Example
execute restore fd-archive <your_ftp_server> ./fdb_allbackup.dat <your_ftp_username> <your_ftp_password>
See also
- execute backup-remove fd-archive
execute shutdown
The execute shutdown command allows you to shut down the FortiDB system. This command will disconnect all sessions.
Syntax
execute shutdown
execute time
The execute time command allows you to get or set the system time.
Syntax
execute time [<time_str>] where:
Variable:
<time_str>
    This variable has the form hh:mm:ss.
    - hh is the hour and can be 00 to 23
    - mm is the minutes and can be 00 to 59
    - ss is the seconds and can be 00 to 59
    All parts of the time are required. Single digits are allowed for each of hh, mm, and ss.
    If you do not specify a time, the command returns the current system time.
Example
To set the system time to 15:31:03: execute time 15:31:03
execute top
The execute top command allows you to view the processes running on the FortiDB system.
Syntax
execute top
To exit the display, type q. Other interactive commands are available while running top. For help on them, type h.
The execute top command displays the following information:
15:28:03 up 2 days, 0 users, load average: 0.06, 0.04, 0.01
Tasks: 82 total, 2 running, 80 sleeping, 0 stopped, 0 zombie
CPU(s): 0.0% us, 0.0% sy, 0.0% ni, 100.0% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 2069772K total, 485764K used, 1584008K free, 40124K buffers
Swap: 2069764K total, 0K used, 2069764K free, 7275k cached

  PID USER  PR  NI  VIRT  RES  SHR S %CPU %MEM   TIME+  COMMAND
    1 root  18   0  3232 1012  720 S    0  0.0 0:07.12 init
    2 root  RT   0     0    0    0 S    0  0.0 0:00.00 migration/0
    3 root  34  19     0    0    0 S    0  0.0 0:00.00 ksoftirqd/0
    4 root  RT   0     0    0    0 S    0  0.0 0:00.00 migration/1
    5 root  39  19     0    0    0 S    0  0.0 0:00.00 ksoftirqd/1
    6 root  RT   0     0    0    0 S    0  0.0 0:00.00 migration/2
    7 root  33  19     0    0    0 S    0  0.0 0:00.00 ksoftirqd/2
    8 root  RT   0     0    0    0 S    0  0.0 0:00.00 migration/3
    9 root  34  19     0    0    0 S    0  0.0 0:00.00 ksoftirqd/3
   10 root  10  -5     0    0    0 S    0  0.0 0:00.00 events/0
   11 root  10  -5     0    0    0 S    0  0.0 0:00.00 events/1
   12 root  10  -5     0    0    0 S    0  0.0 0:00.00 events/2
   13 root  10  -5     0    0    0 S    0  0.0 0:00.00 events/3
   14 root  10  -5     0    0    0 S    0  0.0 0:00.00 khelper
   15 root  10  -5     0    0    0 S    0  0.0 0:00.00 kthread
   21 root  10  -5     0    0    0 S    0  0.0 0:00.00 kblockd/0
execute traceroute
The execute traceroute command allows you to test the connection between the FortiDB system and another network device, and display information about the network hops between the device and the FortiDB system.
Syntax
execute traceroute {<address_ipv4> | <host-name>} where:
Variable:
<address_ipv4>
    IP address of the network device.
<host-name>
    FQDN hostname of the network device.
Example
execute traceroute <your_IPaddress>
show
This topic contains the information about the show system commands that are available to the FortiDB user.
Only changes to the default configuration are displayed.
You can use the show command within a config shell to display the configuration of that shell, or you can use the show command with a full path to display the configuration of the specified shell. To display the configuration of all config shells, you can use the show command from the root prompt.
FortiDB provides the following show commands:
- show system admin setting
- show system backup all-settings
- show system dns
- show system global
- show system interface
- show system ntp
- show system route
show system admin setting
The show system admin setting command allows you to display the changes to the system-administration settings.
Syntax
show system admin setting
show system backup all-settings
The show system backup all-settings command allows you to display the changes to the system backup settings.
Syntax
show system backup all-settings
See also
- config system backup all-setting
show system dns
The show system dns command allows you to display the changes to the DNS server addresses.
Syntax
show system dns
Example
The following is an example of the result of the show system dns command:
FD-XXX # show system dns
config system dns
    set primary 65.39.139.53
    set secondary 65.39.139.63
end
show system global
The show system global command allows you to display the changes to the global settings.
Syntax
show system global
show system interface
The show system interface command allows you to display the changes to the FortiDB network interface settings.
Syntax
show system interface
Example
FD-XXX # show system interface
config system interface
    edit "port1"
        set ip 172.30.62.80 255.255.255.0
        set allowaccess ping https ssh telnet http
end
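The allowaccess line in the example above permits telnet and http alongside https and ssh. As an added example (not FortiDB's own code), the following Python parses the config / edit / set block format that show system interface prints and reports any interface that still allows those cleartext administration protocols; the sample output, the second interface port2, and the next keyword between edit blocks are constructed assumptions modelled on the example above.

```python
"""Audit FortiDB 'show system interface' output for cleartext admin access.

Added example, not FortiDB's own code. It parses the config / edit / set block
format shown in this section and reports interfaces whose allowaccess list
includes telnet or http, which carry administrator credentials and sessions in
cleartext. The sample output is constructed (port2 and the 'next' keyword
between edit blocks are assumptions, modelled on the example above).
"""
import re
from typing import Dict, List

# Admin protocols that expose credentials on the wire; https and ssh are the
# encrypted alternatives the same allowaccess line can carry.
CLEARTEXT_PROTOCOLS = {"telnet", "http"}

# Constructed sample, modelled on the show system interface example above.
SAMPLE_SHOW_OUTPUT = """\
FD-XXX # show system interface
config system interface
    edit "port1"
        set ip 172.30.62.80 255.255.255.0
        set allowaccess ping https ssh telnet http
    next
    edit "port2"
        set ip 10.0.0.5 255.255.255.0
        set allowaccess ping https ssh
    next
end
"""

_EDIT_RE = re.compile(r'^edit\s+"?([^"\s]+)"?$')


def parse_interfaces(show_output: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {interface: {setting: [values]}} from show system interface output.

    Lines outside an edit block (the prompt, 'config system interface') are
    ignored; both 'next' and 'end' close the current block.
    """
    interfaces: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in show_output.splitlines():
        line = raw.strip()
        match = _EDIT_RE.match(line)
        if match:
            current = match.group(1)
            interfaces[current] = {}
        elif line in ("next", "end"):
            current = None
        elif current is not None and line.startswith("set "):
            _, key, *values = line.split()
            interfaces[current][key] = values
    return interfaces


def cleartext_admin_access(show_output: str) -> Dict[str, List[str]]:
    """Map each interface to the cleartext admin protocols it allows; clean ones are omitted."""
    findings: Dict[str, List[str]] = {}
    for name, settings in parse_interfaces(show_output).items():
        exposed = sorted(set(settings.get("allowaccess", [])) & CLEARTEXT_PROTOCOLS)
        if exposed:
            findings[name] = exposed
    return findings


def hardened_allowaccess(show_output: str) -> Dict[str, str]:
    """For each flagged interface, the allowaccess value with the cleartext
    protocols removed and the original order kept, ready for a 'set allowaccess' line."""
    interfaces = parse_interfaces(show_output)
    return {
        name: " ".join(p for p in interfaces[name]["allowaccess"]
                       if p not in CLEARTEXT_PROTOCOLS)
        for name in cleartext_admin_access(show_output)
    }


if __name__ == "__main__":
    for name, protocols in cleartext_admin_access(SAMPLE_SHOW_OUTPUT).items():
        print(f"{name}: cleartext admin access via {', '.join(protocols)}")
        print(f"  suggested: set allowaccess {hardened_allowaccess(SAMPLE_SHOW_OUTPUT)[name]}")
```

The suggested value is applied with the same config system interface / edit / set allowaccess syntax that the show output displays.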
show system ntp
The show system ntp command allows you to display the changes to the automatic time setting that uses a network time protocol (NTP) server.
Syntax
show system ntp
Example
The following is an example result of show system ntp:
FD-XXX # show system ntp
config system ntp
    set server "132.246.168.147"
    set status enable
    set sync_interval 120
end
show system route
The show system route command allows you to display the changes to the static routing table entries.
Syntax
show system route
Example
The following is an example result of show system route:
FD-XXX # show system route
config system route
    edit 1
        set device "port1"
        set gateway 172.30.62.254
end
get
The get commands allow you to retrieve system setting and activity information. They include the following commands:
- get system target-database: Displays information about all monitored database targets and the associated audit policies.
- get system session: Displays all active session information.
- get system block-ip: Displays all blocked IP addresses. When traffic matches these IP addresses, FortiDB generates a TCP reset packet.
- get system block-session: Displays all blocked sessions. If traffic matches the blocked session characteristics, FortiDB generates a TCP reset packet.
- get system counter: Displays current system counter information.
- get system debug-filter <seq_num>: Displays debug-filter settings. <seq_num> is the number of the filter to display. See config system debug-filter on page 270.
Example
To retrieve the current system-administration settings:
get system admin setting <Enter>
http_port : 80
https_port : 443
idle_timeout : 2
set
The set command allows you to set specific properties within a settings category.
Example
To change a default value for a property within the system-administration settings category:
show system admin setting <Enter>
config system admin setting <Enter>
(setting)# set idle_timeout 2
end
show system admin setting <Enter>
config system admin setting
    set idle_timeout 2
end
diagnose
The diagnose command displays diagnostic information that helps you to troubleshoot problems.
FortiDB provides the following diagnose commands:
- diagnose counter memory
- diagnose counter misc
- diagnose counter packet
- diagnose counter parser
- diagnose counter session
- diagnose debug application control basic
- diagnose debug application sniffer packet
- diagnose debug application sniffer tcp-reassemble
- diagnose mapping debug
- diagnose mapping reset
- diagnose system export fd_log
- diagnose system raid list
- diagnose tcpdump start|stop
- diagnose tcpdump status
- diagnose network interface list
- diagnose network interface detail
diagnose counter memory
Allows you to show all memory-related counters.
Syntax
diagnose counter memory all
See also
- diagnose counter misc
- diagnose counter packet
- diagnose counter parser
- diagnose counter session
diagnose counter misc
Allows you to show miscellaneous counters.
Syntax
diagnose counter misc all
See also
- diagnose counter memory
- diagnose counter packet
- diagnose counter parser
- diagnose counter session
diagnose counter packet
Allows you to show all packet-related counters.
Syntax
diagnose counter packet {all | error | ethernet | ip | ip-reassemble | summary | tcp} where:
Keywords:
{all | error | ethernet | ip | ip-reassemble | summary | tcp}
    Specifies the type of packet counter to display.
See also
- diagnose counter memory
- diagnose counter misc
- diagnose counter parser
- diagnose counter session
diagnose counter parser
Allows you to show all SQL statement parser counters.
Syntax
diagnose counter parser all
See also
- diagnose counter memory
- diagnose counter misc
- diagnose counter packet
diagnose counter session
Allows you to show session and hash-table-related counters.
Syntax
diagnose counter session {all | error | summary | table-operate |tcp-reassemble} where:
Keywords:
{all | error | summary | table-operate | tcp-reassemble}
    Specifies the type of session or hash-table counter to display.
See also
- diagnose counter memory
- diagnose counter misc
- diagnose counter packet
diagnose debug application control basic
Allows you to enable basic debugging for the control thread.
Syntax
diagnose debug application control basic {enable | disable}
See also
- diagnose debug application housekeep basic
- diagnose debug application parser basic
- diagnose debug application sniffer basic
diagnose debug application housekeep basic
Allows you to enable basic debugging for the housekeep thread.
Syntax
diagnose debug application housekeep basic {enable | disable}
See also
- diagnose debug application control basic
- diagnose debug application parser basic
- diagnose debug application sniffer basic
diagnose debug application parser basic
Allows you to enable basic debugging for the parser thread.
Syntax
diagnose debug application parser basic {enable | disable}
See also
- diagnose debug application control basic
- diagnose debug application housekeep basic
- diagnose debug application parser packet
- diagnose debug application sniffer basic
diagnose debug application parser packet
Allows you to enable packet debugging for the parser thread.
Syntax
diagnose debug application parser packet {enable | disable}
See also
- diagnose debug application parser basic
- diagnose debug application sniffer malformed-packet
- diagnose debug application sniffer packet
diagnose debug application sniffer abnormal
Allows you to enable abnormal debugging for the sniffer thread.
Syntax
diagnose debug application sniffer abnormal {enable | disable}
See also
- diagnose debug application sniffer basic
- diagnose debug application sniffer block-ip
- diagnose debug application sniffer packet
- diagnose debug application sniffer tcp-reassemble
diagnose debug application sniffer basic
Allows you to enable basic debugging for the sniffer thread.
Syntax
diagnose debug application sniffer basic {enable | disable}
See also
- diagnose debug application sniffer abnormal
- diagnose debug application sniffer block-ip
- diagnose debug application sniffer packet
- diagnose debug application sniffer tcp-reassemble
diagnose debug application sniffer block-ip
Allows you to enable debugging for IP blocking activity in the sniffer thread.
Syntax
diagnose debug application sniffer block-ip {enable | disable}
See also
- diagnose debug application sniffer abnormal
- diagnose debug application sniffer basic
- diagnose debug application sniffer block-session
- diagnose debug application sniffer ip-reassemble
- diagnose debug application sniffer malformed-packet
- diagnose debug application sniffer packet
- diagnose debug application sniffer tcp-reassemble
diagnose debug application sniffer block-session
Allows you to enable debugging for session blocking activity in the sniffer thread.
Syntax
diagnose debug application sniffer block-session {enable | disable}
See also
- diagnose debug application sniffer ip-reassemble
- diagnose debug application sniffer malformed-packet
- diagnose debug application sniffer packet
- diagnose debug application sniffer tcp-reassemble
diagnose debug application sniffer ip-reassemble
Allows you to enable debugging for IP reassembling activity in the sniffer thread.
Syntax
diagnose debug application sniffer ip-reassemble {enable | disable}
See also
- diagnose debug application sniffer block-session
- diagnose debug application sniffer malformed-packet
- diagnose debug application sniffer packet
- diagnose debug application sniffer tcp-reassemble
diagnose debug application sniffer malformed-packet
Allows you to enable debugging for malformed packets in the sniffer thread.
Syntax
diagnose debug application sniffer malformed-packet {enable | disable}
See also
- diagnose debug application sniffer block-session
- diagnose debug application sniffer ip-reassemble
- diagnose debug application sniffer packet
- diagnose debug application sniffer tcp-reassemble
diagnose debug application sniffer packet
Allows you to enable packet debugging for the sniffer thread.
Syntax
diagnose debug application sniffer packet {enable | disable}
See also
- diagnose debug application sniffer tcp-reassemble
diagnose debug application sniffer tcp-reassemble
Allows you to enable debugging for TCP reassembling activity in the sniffer thread.
Syntax
diagnose debug application sniffer tcp-reassemble {enable | disable}
See also
- diagnose debug application sniffer packet
diagnose log show|tail|remove
Allows you to show or remove debug logs.
Syntax
diagnose log show|tail|remove fortidb-log|tomcat-log|localhost-log where:
Keywords:
show
    Show the specified log.
tail
    Print the tail of the specified log, and continue to output appended data as the file grows.
remove
    Remove the specified log.
fortidb-log
    Log of the FortiDB Application Server.
tomcat-log
    Initialization log from Tomcat.
localhost-log
    Localhost log from Tomcat.
Example
diagnose log tail fortidb-log
diagnose mapping debug
Syntax
diagnose mapping debug {enable | disable}
diagnose mapping reset
Syntax
diagnose mapping reset enable
diagnose mapping status
Syntax
diagnose mapping status {alert | all | audit | control}
See also
- diagnose mapping debug
- diagnose mapping reset
diagnose system coredump check
Use this command to view the results of the coredump task. FortiDB generates coredump files when the system fails.
Syntax
diagnose system coredump check
Example
diagnose system coredump check
This example illustrates the command output after a system failure, which provides a count of the available coredump files.
Coredump check result:
Flowd happened 4 times!
Monitord happened 0 times!
Cliproxyd happened 0 times!
See also
- diagnose system coredump export
diagnose system coredump export
Use this command to export FortiDB coredump files to a location on an FTP server.
After a system failure, FortiDB generates coredump files that contain the system's RAM at the time of the crash.
These files are useful for troubleshooting problems with the TCP/IP sniffer. Because they are a copy of memory, they may also contain credentials and monitored database traffic, so treat the files, and the FTP server you export them to, as sensitive.
Syntax
diagnose system coredump export <ftp server> <username> <password> [filepath] where:
Keywords and variables:
<ftp server>
    IP address or hostname of the FTP server.
<username>
    User name of the account that logs on to the FTP server.
<password>
    Password of the account that logs on to the FTP server.
[filepath]
    Location on the FTP server that FortiDB exports the coredump files to.
Example
This example exports the coredump files to the FTP server at 172.30.144.210.
diagnose system coredump export 172.30.144.210 dzhang 123456
The command generates output similar to the following message:
Packaging the coredump files...
Transferring the files...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 142M 0 0 100 142M 0 11.0M 0:00:12 0:00:12 --:--:-- 11.1M
Succeeded in uploading coredump files!
See also
- diagnose system coredump check
diagnose system export fd_log
Allows you to export debug log files to an FTP server.
Syntax
diagnose system export fd_log <ftp server> <username> <password> [directory] [filename] where:
Variables:
<ftp server>
    IP address or hostname of the FTP server.
<username>
    User name of the account that logs on to the FTP server.
<password>
    Password of the account that logs on to the FTP server.
[directory]
    Location on the FTP server where you want the diagnostic file to be placed.
[filename]
    Name of the zip file, containing several log files, that will be put on the FTP server. If you don't specify a filename, you will get a default file called fortidb.zip.
Example
diagnose system export fd_log <your_ftp_server> <your_ftp_username> <your_ftp_password> . myDiagnose.zip
diagnose system raid list
Allows you to check hard disk RAID status.
Syntax
diagnose system raid list
diagnose tcpdump start|stop
Allows you to use tcpdump to log packet traffic information for a target database and save it to the local disk.
Like the TCP/IP sniffer, tcpdump requires a connection to a mirror port on the switch that handles TCP/IP traffic for the target database. For more information, see Network requirements for monitoring using the TCP/IP sniffer on page 79.
You can export the tcpdump log files to an FTP server and remove them from the local disk. For more information, see execute backup fd-tcpdump on page 280 and execute backup-remove fd-tcpdump on page 282.
Syntax
diagnose tcpdump start|stop <port> <client IP> <server IP> [minutes] where:
Variables:
start|stop
    Specifies whether to start a new tcpdump log file or stop a current monitoring session.
<port>
    The FortiDB Ethernet port on which tcpdump intercepts and logs packet traffic. This port is connected to the mirror port on the switch that handles TCP/IP traffic for the database.
<client IP>
    The IP address of the database client. Enter * to specify any IP address.
<server IP>
    The IP address where the target database is located. Enter * to specify any IP address.
[minutes]
    Specifies the length of time tcpdump monitors packet traffic between the specified database and client, in minutes. Maximum value is 720.
    If you do not specify a duration, tcpdump monitors the specified packet traffic for 60 minutes or until you enter the corresponding diagnose tcpdump stop command.
Example
To monitor database traffic seen on port2 for 10 minutes: diagnose tcpdump start port2 <your_client_IPaddress> <your_database_server_IPaddress> 10
See also
- execute backup-remove fd-tcpdump
diagnose tcpdump status
Allows you to view the current status of the tcpdump packet analyzer.
Syntax
diagnose tcpdump status
Example
FD-1KC # diagnose tcpdump status
Tcpdump is not running.
See also
- execute backup-remove fd-tcpdump
diagnose network interface list
Allows you to view the status of Ethernet interfaces.
Syntax
diagnose network interface list
See also
- diagnose network interface detail
diagnose network interface detail
Allows you to view detailed information about Ethernet interfaces.
Syntax
diagnose network interface detail <port name> where:
Variable:
<port name>
    Ethernet interface name (for example, port1).
Example
diagnose network interface detail port1
See also
- diagnose network interface list
Copyright© 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
- 112 Importing targets
- 113 Managing target groups
- 114 Pre-defined target groups
- 114 Adding or modifying a target group
- 115 Auto-discovery
- 115 How to discover DB2 databases
- 115 How to discover Microsoft SQL Server
- 115 Running auto-discovery
- 117 Adding targets from auto-discovery
- 118 Vulnerability assessment (VA) policies
- 118 Types of VA policies
- 118 Updates to VA policies
- 118 Exporting and importing VA policies
- 119 VA policy version
- 119 VA policy groups
- 119 VA policy states
- 120 Keywords and user keywords for VA policies
- 120 Managing VA pre-defined policies
- 122 Importing pre-defined policies (appliance)
- 123 Importing pre-defined policies (software-only FortiDB)
- 124 OS-Level pre-defined policies
- 128 Setting an access control list (ACL) for minimally-privileged users
- 130 VA user-defined policies
- 131 Adding user-defined policies
- 133 Deleting user-defined policies
- 133 Exporting user-defined policies
- 134 Importing user-defined policies
- 134 VA policy groups
- 135 Adding VA policy groups
- 136 Modifying VA policy groups
- 137 Deleting VA policy groups
- 137 Penetration tests
- 137 Connection options for penetration tests
- 138 Files used for penetration tests
- 139 Configuring and running penetration test assessments
- 141 Data discovery policies and policy groups
- 142 Managing data discovery policies
- 143 Data discovery policy groups
- 144 Database Activity Monitoring (DAM) policies
- 144 Types of DAM policies
- 145 Managing DAM policies
- 146 Configuring policy information for a policy
- 147 Automatically generating alert policies
- 148 Data policies
- 149 Configuring a table policy
- 149 Configuring audit settings for a table policy
- 149 Configuring alert rules for a table policy
- 153 Table policy alert rules for different databases
- 154 Configuring a table and column policy
- 155 Configuring a session policy
- 155 Configuring audit settings for a session policy
- 155 Configuring alert rules for a session policy
- 158 Configuring a user policy
- 159 Configuring audit settings for a user policy
- 159 Configuring alert rules for a user policy
- 162 User policy alert rules for various databases
- 164 Configuring a database policy
- 164 Configuring a database query policy
- 166 Privilege policies
- 167 Oracle privilege policies
- 168 Microsoft SQL Server privilege policies
- 169 Sybase privilege policies
- 170 DB2 privilege policies
- 171 MySQL privilege policies
- 172 Metadata policies
- 173 Oracle metadata policies
- 173 Microsoft SQL Server metadata policies
- 174 Sybase metadata policies
- 174 DB2 metadata policies
- 175 MySQL metadata policies
- 176 PCI, SOX, and HIPAA alert policies
- 176 Configuring PCI, SOX and HIPAA policies
- 177 Selecting which tables FortiDB tracks for PCI, SOX and HIPAA reports (Object ...
- 178 Select users to audit for PCI and SOX reports (User Audit Options)
- 179 Alert and audit policy groups
- 179 Creating or modifying an alert or audit policy group
- 180 Adding policy groups to target database monitoring
- 180 Deleting a policy group
- 181 Vulnerability assessment
- 181 Adding or modifying assessments
- 182 Running assessments
- 182 Running an assessment immediately
- 182 Running an assessment at a specified date and time
- 182 Running scheduled assessments
- 183 Configuring assessment notifications
- 184 Notification OIDs for target-level assessments
- 185 Notification OIDs for Rule-Level Assessments
- 187 Selecting the type of report an assessment generates
- 187 Reviewing, deleting, and aborting assessment results
- 189 View VA global summary information
- 189 Assessment history
- 189 Assessments History tab
- 189 Scheduled Reports tab
- 189 Import or export assessment history
- 190 Viewing and exporting a privilege summary
- 191 DB-Type Distinctions
- 191 General differences
- 192 Filtering differences
- 192 Column and column value differences
- 193 Sensitive data discovery
- 193 Manage sensitive data discovery
- 193 Running sensitive data discovery
- 193 Viewing sensitive data discovery reports
- 194 Viewing VA and sensitive data discovery event logs
- 195 Database activity monitoring (DAM)
- 195 Managing target monitoring
- 197 Target monitoring configuration tabs and options
- 198 Configuring target database monitoring
- 199 Configuring monitoring using the TCP/IP sniffer (all database types)
- 201 Configuring Microsoft SQL Server monitoring
- 202 Configuring DB2 monitoring
- 202 Configuring Sybase monitoring
- 203 Configuring MySQL monitoring
- 204 Configuring Oracle monitoring
- 205 Adding alert and audit policies to monitoring
- 206 Adding policy groups to target monitoring
- 207 Sending alert notifications
- 208 FortiDB event to ArcSight data field mapping
- 209 Blocking invalid access while monitoring
- 210 Excluding policies from the Alert Policy settings (whitelist)
- 212 Displaying the history of issued audit commands
- 213 Oracle audit management
- 213 Statement options
- 213 Object options
- 213 Clearing audit settings
- 214 Audit management
- 214 Microsoft SQL Server audit management
- 214 Audited events
- 214 Audited filters
- 214 DB2 audit management
- 214 DB2 audit settings with syscat.auditpolicies
- 215 DB2 audit settings with syscat.audituse
- 215 Viewing alerts
- 217 Changing the status of and annotating alerts
- 217 Exporting the alert list as a report
- 218 Filtering and searching alerts
- 218 Exclude option
- 218 Configure criteria row
- 218 Multiple criteria rows
- 218 Alert details
- 220 Alert group
- 220 Add, edit, or delete an alert group
- 220 Pre-defined alert groups
- 220 Data filter for an alert group
- 221 Alerts summary
- 222 Alerts analysis
- 223 Viewing audit records (activity auditing results)
- 224 Filtering and searching the audit record list
- 225 Viewing audit record details
- 225 Audit group
- 225 Add, edit, or delete an audit group
- 226 Pre-defined audit groups
- 226 Data filter for an audit group
- 226 Activity profiling
- 227 Viewing status and summary information for activity profiling
- 227 Viewing and exporting activity profiling results
- 228 Source clients access list
- 228 Database tables access list
- 228 Exporting profiling results
- 229 SOX audit
- 230 Logs
- 230 Local monitoring log
- 230 Local audit trail
- 231 Viewing and managing the audit trail records
- 232 Examples of audit trail records
- 233 Reports
- 233 Vulnerability assessment (VA) reports
- 233 DAM reports
- 234 Report files that FortiDB saves to disk
- 234 Other reports you can export
- 234 Pre-defined VA reports
- 235 Assessment reports
- 235 Statistics tables
- 235 Vulnerabilities
- 235 Score report and trend report
- 236 Policy reports
- 236 Sensitive data discovery reports
- 236 User-defined VA reports
- 237 Managing user-defined reports
- 237 General tab
- 237 Columns tab
- 237 Grouping tab
- 237 Filtering tab
- 237 Export options
- 238 Viewing scheduled VA reports
- 238 Pre-defined DAM reports
- 239 User-defined DAM reports
- 239 Report management
- 240 Filtering report data
- 240 Data time range
- 240 Records limit
- 240 Custom data filters
- 241 Configuring data displays
- 241 Data table view
- 241 Adding analysis charts and statistics tables to reports
- 241 Schedule and notification
- 242 Scheduling reports
- 242 Email notification for scheduled reports
- 242 PCI, SOX, and HIPAA reports
- 245 General steps for generating PCI, SOX, and HIPAA reports
- 245 Report: Abnormal Termination of Database Activity
- 245 COBIT objectives
- 246 Setup requirements
- 246 Report columns
- 246 Report: Abnormal or Unauthorized Changes to Data
- 246 COBIT objectives
- 247 Setup requirements
- 247 Report columns
- 247 Report: Abnormal Use of Service Accounts
- 247 COBIT objectives
- 247 Setup requirements
- 248 Report columns
- 248 Report: End of Period Adjustments
- 248 COBIT objectives
- 248 Setup requirements
- 248 Report columns
- 249 Report: History of Privilege Changes
- 249 COBIT objectives
- 249 Setup requirements
- 249 Report columns
- 250 Report: Verification of Audit Settings
- 250 COBIT objectives
- 250 Setup requirements
- 250 Report columns
- 251 Activity Profiling Reports
- 253 Archiving audit data
- 253 Archiving example
- 254 Archiving strategy
- 254 Archiving data
- 257 Using the command line interface (CLI)
- 258 Connecting to the CLI
- 259 Command syntax
- 259 Specifying file names and locations in commands
- 259 Entering spaces in command strings
- 259 Entering quotation marks in strings
- 259 Entering a question mark (?) in a string
- 259 Special characters that are not permitted in commands
- 259 Specifying IP address formats in commands
- 260 Notation
- 262 Tips & tricks
- 262 Help
- 262 Completing commands automatically
- 262 Recalling commands
- 262 Editing commands
- 263 Breaking a long command
- 263 Abbreviating commands
- 264 Overview of commands
- 268 config
- 268 config system admin setting
- 268 Syntax
- 268 Example
- 269 config system backup all-setting
- 269 Syntax
- 270 Example
- 270 config system debug-filter
- 270 Syntax
- 271 config system dns
- 271 Syntax
- 271 Example
- 271 config system global
- 271 Syntax
- 272 Example
- 272 config system interface
- 272 Syntax
- 273 Example
- 273 config system mapping
- 273 Syntax
- 274 Examples
- 275 config system ntp
- 275 Syntax
- 275 config system raid
- 275 Syntax
- 276 Implementing RAID 5 on FortiDB 2000B
- 276 Implementing RAID on FortiDB 3000B
- 277 config system route
- 277 Syntax
- 278 execute
- 278 execute backup all-settings
- 279 Syntax
- 279 Example
- 279 execute backup configurations
- 279 Syntax
- 280 Example
- 280 execute backup fd-tcpdump
- 280 Syntax
- 281 Example
- 281 execute backup-remove fd-archive
- 281 Syntax
- 281 Example
- 282 execute backup-remove fd-report
- 282 Syntax
- 282 Example
- 282 execute backup-remove fd-tcpdump
- 283 Syntax
- 283 Example
- 283 execute date
- 283 Syntax
- 284 Example
- 284 execute format disk
- 284 Syntax
- 284 execute generate certificate
- 284 Syntax
- 285 execute ping
- 285 Syntax
- 285 Example
- 285 execute raid rebuild
- 285 Syntax
- 285 execute reboot
- 285 Syntax
- 285 execute reset
- 286 Syntax
- 286 Example
- 286 execute restart
- 286 Syntax
- 286 execute restore all-settings
- 286 Syntax
- 287 Example
- 287 execute restore configurations
- 287 Syntax
- 287 Example
- 288 execute restore fd-archive
- 288 Syntax
- 288 Example
- 288 execute shutdown
- 288 Syntax
- 288 execute time
- 289 Syntax
- 289 Example
- 289 execute top
- 289 Syntax
- 290 execute traceroute
- 290 Syntax
- 290 Example
- 291 show
- 291 show system admin setting
- 291 Syntax
- 291 show system backup all-settings
- 291 Syntax
- 292 show system dns
- 292 Syntax
- 292 Example
- 292 show system global
- 292 Syntax
- 292 show system interface
- 292 Syntax
- 292 Example
- 293 show system ntp
- 293 Syntax
- 293 Example
- 293 show system route
- 293 Syntax
- 293 Example
- 294 get
- 294 Example
- 295 set
- 295 Example
- 296 diagnose
- 297 diagnose counter memory
- 297 Syntax
- 297 diagnose counter misc
- 297 Syntax
- 297 diagnose counter packet
- 297 Syntax
- 298 diagnose counter parser
- 298 Syntax
- 298 diagnose counter session
- 298 Syntax
- 298 diagnose debug application control basic
- 298 Syntax
- 299 diagnose debug application housekeep basic
- 299 Syntax
- 299 diagnose debug application parser basic
- 299 Syntax
- 299 diagnose debug application parser packet
- 299 Syntax
- 300 diagnose debug application sniffer abnormal
- 300 Syntax
- 300 diagnose debug application sniffer basic
- 300 Syntax
- 300 diagnose debug application sniffer block-ip
- 300 Syntax
- 301 diagnose debug application sniffer block-session
- 301 Syntax
- 301 diagnose debug application sniffer ip-reassemble
- 301 Syntax
- 301 diagnose debug application sniffer malformed-packet
- 301 Syntax
- 302 diagnose debug application sniffer packet
- 302 Syntax
- 302 diagnose debug application sniffer tcp-reassemble
- 302 Syntax
- 302 diagnose log show|tail|remove
- 303 Syntax
- 303 Example
- 303 diagnose mapping debug
- 303 Syntax
- 303 diagnose mapping reset
- 303 Syntax
- 304 diagnose mapping status
- 304 Syntax
- 304 diagnose system coredump check
- 304 Syntax
- 304 Example
- 304 diagnose system coredump export
- 304 Syntax
- 305 Example
- 305 diagnose system export fd_log
- 305 Syntax
- 306 Example
- 306 diagnose system raid list
- 306 Syntax
- 306 diagnose tcpdump start|stop
- 306 Syntax
- 307 Example
- 307 diagnose tcpdump status
- 307 Syntax
- 307 Example
- 307 diagnose network interface list
- 308 Syntax
- 308 diagnose network interface detail
- 308 Syntax
- 308 Example