
DATABASE SECURITY AND COMPLIANCE

FortiDB Handbook

VERSION 5.1.11

FORTINET DOCUMENT LIBRARY

http://docs.fortinet.com

FORTINET VIDEO GUIDE

http://video.fortinet.com

FORTINET BLOG

https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

FORTIGATE COOKBOOK

http://cookbook.fortinet.com

FORTINET TRAINING SERVICES

http://www.fortinet.com/training

FORTIGUARD CENTER

http://www.fortiguard.com

FORTICAST

http://forticast.fortinet.com

CLI REFERENCE

http://cli.fortinet.com

END USER LICENSE AGREEMENT

http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK

Email: [email protected]

Friday, March 17, 2017

FortiDB 5.1.11 Handbook

1st Edition

TABLE OF CONTENTS

Introduction

What’s new

FortiDB tutorials

Tutorial: Generating a vulnerability assessment (VA) report

Tutorial: Monitoring a database table using the TCP/IP sniffer

Tutorial: Monitoring a database table using the native auditing feature

Tutorial: Monitoring changes to metadata

Tutorial: Generating PCI, SOX, and HIPAA compliance reports

Installation (software-only)

System requirements

Preparing to install

Configuring the FortiDB repository database

Configuring a PostgreSQL repository

Configuring an Oracle repository

Configuring a Microsoft SQL Server repository

UNIX/Linux installation

Windows installation

Confirming the installation

Starting or stopping FortiDB

Installing a new license

Managing disk space

Useful directories, files, and folders

Log files for troubleshooting

General logs

Tomcat logs

Upgrading FortiDB

How to set up your FortiDB

Registering your FortiDB

Planning the network topology for database activity monitoring (DAM)

Connecting to the web UI and CLI

Updating the firmware

Upgrading the firmware

Installing FortiDB firmware

Changing the “admin” account password

Setting the system time

Configuring the network settings

Configuring network settings using the web UI

Configuring network settings using the CLI

Backups

Administrators

Configuring permissions

Privileges by license type (software-only FortiDB)

Viewing and exporting an administrator report

FortiMonitor administrator

Advanced/optional system settings

System information and settings

Changing the FortiDB host name

Global configuration

Assessment properties

Notification properties

Reporting properties

User Profile/Security properties

Target properties

LDAP Server properties

Monitor properties

Connecting to target databases

Pre-configuration for monitoring target databases

Network requirements for monitoring using the TCP/IP sniffer

Oracle target database pre-configuration

Required privileges for monitoring or auditing Oracle databases

Configuring an Oracle database for PCI, SOX, and HIPAA policies

Enabling FortiDB to delete audit records

Oracle XML file agent installation and configuration (UNIX, Windows, AIX)

Monitoring encrypted Oracle traffic

Using the SYSLOG utility to collect audit data

MySQL target database pre-configuration

Required privileges for monitoring via SQL Trace

Sybase target database pre-configuration

Configuring the Sybase audit system and FortiDB database user

Configuring the Sybase Monitoring and Diagnostic (MDA) tables

DB2 target database pre-configuration

Users and privileges required by the DB2 agent

Configuring the DB2 database and installing the agent

Microsoft SQL Server target database pre-configuration

Database user account requirement

Privileges required by the FortiDB database user

Privileges for VA assessments, privilege summaries, and penetration tests

Privileges for monitoring data

Privileges for monitoring privileges

Privileges for monitoring metadata

Managing targets

Columns

Buttons and fields

Searching or filtering the target list

Adding (or modifying) a target connection

Configuring DB2 options

Configuring SSH connections to Oracle and DB2 databases

SSH environment requirements (software-only version)

Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX

Exporting target information

Importing targets

Managing target groups

Pre-defined target groups

Adding or modifying a target group

Auto-discovery

How to discover DB2 databases

How to discover Microsoft SQL Server

Running auto-discovery

Adding targets from auto-discovery

Vulnerability assessment (VA) policies

Types of VA policies

Updates to VA policies

Exporting and importing VA policies

VA policy version

VA policy groups

VA policy states

Keywords and user keywords for VA policies

Managing VA pre-defined policies

Importing pre-defined policies (appliance)

Importing pre-defined policies (software-only FortiDB)

OS-Level pre-defined policies

Setting an access control list (ACL) for minimally-privileged users

VA user-defined policies

Adding user-defined policies

Deleting user-defined policies

Exporting user-defined policies

Importing user-defined policies

VA policy groups

Adding VA policy groups

Modifying VA policy groups

Deleting VA policy groups

Penetration tests

Connection options for penetration tests

Files used for penetration tests

Configuring and running penetration test assessments

Data discovery policies and policy groups

Managing data discovery policies

Data discovery policy groups

Database Activity Monitoring (DAM) policies

Types of DAM policies

Managing DAM policies

Configuring policy information for a policy

Automatically generating alert policies

Data policies

Configuring a table policy

Configuring audit settings for a table policy

Configuring alert rules for a table policy

Table policy alert rules for different databases

Configuring a table and column policy

Configuring a session policy

Configuring audit settings for a session policy

Configuring alert rules for a session policy

Configuring a user policy

Configuring audit settings for a user policy

Configuring alert rules for a user policy

User policy alert rules for various databases

Configuring a database policy

Configuring a database query policy

Privilege policies

Oracle privilege policies

Microsoft SQL Server privilege policies

Sybase privilege policies

DB2 privilege policies

MySQL privilege policies

Metadata policies

Oracle metadata policies

Microsoft SQL Server metadata policies

Sybase metadata policies

DB2 metadata policies

MySQL metadata policies

PCI, SOX, and HIPAA alert policies

Configuring PCI, SOX and HIPAA policies

Selecting which tables FortiDB tracks for PCI, SOX and HIPAA reports (Object Audit Options)

Select users to audit for PCI and SOX reports (User Audit Options)

Alert and audit policy groups

Creating or modifying an alert or audit policy group

Adding policy groups to target database monitoring

Deleting a policy group

Vulnerability assessment

Adding or modifying assessments

Running assessments

Running an assessment immediately

Running an assessment at a specified date and time

Running scheduled assessments

Configuring assessment notifications

Notification OIDs for target-level assessments

Notification OIDs for Rule-Level Assessments

Selecting the type of report an assessment generates

Reviewing, deleting, and aborting assessment results

View VA global summary information

Assessment history

Assessments History tab

Scheduled Reports tab

Import or export assessment history

Viewing and exporting a privilege summary

DB-Type Distinctions

General differences

Filtering differences

Column and column value differences

Sensitive data discovery

Manage sensitive data discovery

Running sensitive data discovery

Viewing sensitive data discovery reports

Viewing VA and sensitive data discovery event logs

Database activity monitoring (DAM)

Managing target monitoring

Target monitoring configuration tabs and options

Configuring target database monitoring

Configuring monitoring using the TCP/IP sniffer (all database types)

Configuring Microsoft SQL Server monitoring

Configuring DB2 monitoring

Configuring Sybase monitoring

Configuring MySQL monitoring

Configuring Oracle monitoring

Adding alert and audit policies to monitoring

Adding policy groups to target monitoring

Sending alert notifications

FortiDB event to ArcSight data field mapping

Blocking invalid access while monitoring

Excluding policies from the Alert Policy settings (whitelist)

Displaying the history of issued audit commands

Oracle audit management

Statement options

Object options

Clearing audit settings

Audit management

Microsoft SQL Server audit management

Audited events

Audited filters

DB2 audit management

DB2 audit settings with syscat.auditpolicies

DB2 audit settings with syscat.audituse

Viewing alerts

Changing the status of and annotating alerts

Exporting the alert list as a report

Filtering and searching alerts

Exclude option

Configure criteria row

Multiple criteria rows

Alert details

Alert group

Add, edit, or delete an alert group

Pre-defined alert groups

Data filter for an alert group

Alerts summary

Alerts analysis

Viewing audit records (activity auditing results)

Filtering and searching the audit record list

Viewing audit record details

Audit group

Add, edit, or delete an audit group

Pre-defined audit groups

Data filter for an audit group

Activity profiling

Viewing status and summary information for activity profiling

Viewing and exporting activity profiling results

Source clients access list

Database tables access list

Exporting profiling results

SOX audit

Logs

Local monitoring log

Local audit trail

Viewing and managing the audit trail records

Examples of audit trail records

Reports

Vulnerability assessment (VA) reports

DAM reports

Report files that FortiDB saves to disk

Other reports you can export

Pre-defined VA reports

Assessment reports

Statistics tables

Vulnerabilities

Score report and trend report

Policy reports

Sensitive data discovery reports

User-defined VA reports

Managing user-defined reports

General tab

Columns tab

Grouping tab

Filtering tab

Export options

Viewing scheduled VA reports

Pre-defined DAM reports

User-defined DAM reports

Report management

Filtering report data

Data time range

Records limit

Custom data filters

Configuring data displays

Data table view

Adding analysis charts and statistics tables to reports

Schedule and notification

Scheduling reports

Email notification for scheduled reports

PCI, SOX, and HIPAA reports

General steps for generating PCI, SOX, and HIPAA reports

Report: Abnormal Termination of Database Activity

COBIT objectives

Setup requirements

Report columns

Report: Abnormal or Unauthorized Changes to Data

COBIT objectives

Setup requirements

Report columns

Report: Abnormal Use of Service Accounts

COBIT objectives

Setup requirements

Report columns

Report: End of Period Adjustments

COBIT objectives

Setup requirements

Report columns

Report: History of Privilege Changes

COBIT objectives

Setup requirements

Report columns

Report: Verification of Audit Settings

COBIT objectives

Setup requirements

Report columns

Activity Profiling Reports

Archiving audit data

Archiving example

Archiving strategy

Archiving data

Using the command line interface (CLI)

Connecting to the CLI

Command syntax

Specifying file names and locations in commands

Entering spaces in command strings

Entering quotation marks in strings

Entering a question mark (?) in a string

Special characters that are not permitted in commands

Specifying IP address formats in commands

Notation

Tips & tricks

Help

Completing commands automatically

Recalling commands

Editing commands

Breaking a long command

Abbreviating commands

Overview of commands

config

config system admin setting

Syntax

Example

config system backup all-setting

Syntax

Example

config system debug-filter

Syntax

config system dns

Syntax

Example

config system global

Syntax

Example

config system interface

Syntax

Example

config system mapping

Syntax

Examples

config system ntp

Syntax

config system raid

Syntax

Implementing RAID 5 on FortiDB 2000B

Implementing RAID on FortiDB 3000B

config system route

Syntax

execute

execute backup all-settings

Syntax

Example

execute backup configurations

Syntax

Example

execute backup fd-tcpdump

Syntax

Example

execute backup-remove fd-archive

Syntax

Example

execute backup-remove fd-report

Syntax

Example

execute backup-remove fd-tcpdump

Syntax

Example

execute date

Syntax

Example

execute format disk

Syntax

execute generate certificate

Syntax

execute ping

Syntax

Example

execute raid rebuild

Syntax

execute reboot

Syntax

execute reset

Syntax

Example

execute restart

Syntax

execute restore all-settings

Syntax

Example

execute restore configurations

Syntax

Example

execute restore fd-archive

Syntax

Example

execute shutdown

Syntax

execute time

Syntax

Example

execute top

Syntax

execute traceroute

Syntax

Example

show

show system admin setting

Syntax

show system backup all-settings

Syntax

show system dns

Syntax

Example

show system global

Syntax

show system interface

Syntax

Example

show system ntp

Syntax

Example

show system route

Syntax

Example

get

Example

set

Example

diagnose

diagnose counter memory

Syntax

diagnose counter misc

Syntax

diagnose counter packet

Syntax

diagnose counter parser

Syntax

diagnose counter session

Syntax

diagnose debug application control basic

Syntax

diagnose debug application housekeep basic

Syntax

diagnose debug application parser basic

Syntax

diagnose debug application parser packet

Syntax

diagnose debug application sniffer abnormal

Syntax

diagnose debug application sniffer basic

Syntax

diagnose debug application sniffer block-ip

Syntax

diagnose debug application sniffer block-session

Syntax

diagnose debug application sniffer ip-reassemble

Syntax

diagnose debug application sniffer malformed-packet

Syntax

diagnose debug application sniffer packet

Syntax

diagnose debug application sniffer tcp-reassemble

Syntax

diagnose log show|tail|remove

Syntax

Example

diagnose mapping debug

Syntax

diagnose mapping reset

Syntax

diagnose mapping status

Syntax

diagnose system coredump check

Syntax

Example

diagnose system coredump export

Syntax

Example

diagnose system export fd_log

Syntax

Example

diagnose system raid list

Syntax

diagnose tcpdump start|stop

Syntax

Example

diagnose tcpdump status

Syntax

Example

diagnose network interface list

Syntax

diagnose network interface detail

Syntax

Example

Introduction

Welcome, and thank you for selecting Fortinet products for your network.

FortiDB software is a comprehensive database security and compliance platform that helps large enterprises and cloud-based service providers protect their databases and applications from internal and external threats. Its flexible policy framework allows you to quickly and easily implement internal IT control frameworks for database activity monitoring, IT audit and regulatory compliance.

15 FortiDB 5.1.11 Upgrade Guide

Fortinet Technologies Inc.

What’s new

The following features are new or have changed since FortiDB 5.1. For upgrade information, see the release notes available with the firmware and Updating the firmware on page 49.

FortiDB 5.1.11

- Patch release only.

FortiDB 5.1.10

- Disk partitioning requirement — If upgrading from a version older than 5.1.8, you MUST repartition the hard disk to ensure FortiDB works properly.

- Support for "Flashback" in the Oracle XML agent — Two metadata DAM alert policies have been added in Oracle XML agent mode to cover FLASHBACK TABLE and FLASHBACK DATABASE.

- Updated Sybase IQ support for VA — Twelve (12) VA policies have been added for Sybase IQ.

- MongoDB VA SSL connection support — Support for SSL connections has been added to MongoDB VA.

- MongoDB VA YAML configuration file support — Support for YAML-format configuration files has been added to MongoDB VA.

FortiDB 5.1.9

- Fix for glibc vulnerability — This release fixes a bug in the glibc open source library (CVE-2015-7547, a stack-based buffer overflow in the getaddrinfo() resolver function) that left the product exposed to denial of service and potentially to remote code execution.

- Software support for FortiDB 1000B — FortiDB 5.1.9 and later software is not supported on the 1000B model.

- Software version support — This release is supported on hardware (appliance) versions of the product only. The glibc vulnerability (CVE-2015-7547) does not affect the software-only versions of the product.

FortiDB 5.1.8

- Vulnerability assessment (VA) for MongoDB and Oracle 12c — FortiDB now supports VA for MongoDB version 2.6 and Oracle 12c.

- DAM using the TCP/IP sniffer supports Microsoft SQL RPC variables and commands — FortiDB can now match DAM policies by parsing the values generated by remote procedure call (RPC) operations that client-side database tools (for example, SQL Studio) issue when you right-click in the tool, and by translating SQL commands beginning with 'rpc executesql' into standard SQL commands.

- Reconnect when a target is offline, with email notification — When a target is offline, FortiDB now makes up to 5 attempts to reconnect, and sends an email notification to an administrator if the connection still fails.

- Disk usage detection and reserve — FortiDB now reserves 1% of free disk space to help prevent system crashes.

FortiDB 5.1.7

- Oracle 12c support for DAM — For Oracle 12c, FortiDB now supports database activity monitoring (DAM) using both the TCP/IP packet sniffer and native, audit-based data collection.

- Support for Oracle syslog data collection — Oracle syslog data collection is now available when you use sniffer-based data collection.

For more information, see Using the SYSLOG utility to collect audit data on page 84.

- Fdbagent supports AIX and Linux 6 — For DAM, you can now use the Oracle XML file agent or DB2 agent to monitor databases installed on AIX 6 and Linux 6.

- Monitor synonyms — You can now monitor synonyms (an alternative name for a database object such as a table, view, sequence, or procedure) on Oracle databases.

- PostgreSQL support for DAM — DAM can now monitor PostgreSQL databases when you use sniffer-based data collection.

- Configuration backup via CLI — You can now back up your FortiDB configuration using CLI commands, without backing up audit and other data. For more information, see execute backup configurations on page 279.

- Security enhancements — A number of security enhancements have been added to address current threats and SSL-related issues.

- Support for Microsoft SQL RPC (remote procedure call) in native audit mode — FortiDB now supports RPC when it monitors a Microsoft SQL Server database using the native auditing feature.

- DB2 version 10.x support for both VA and DAM — DAM and VA now support newer versions of IBM DB2.

- Troubleshooting enhancements — FortiDB now provides more CLI commands that retrieve diagnostic data. For more information, see diagnose system coredump check on page 304 and diagnose system coredump export on page 304.

FortiDB 5.1.6

- HIPAA compliance reports — In addition to SOX and PCI reports, FortiDB now has pre-defined HIPAA (Health Insurance Portability and Accountability Act) reports to help customers meet regulatory requirements. See PCI, SOX, and HIPAA reports on page 242.

- SQL string detection in alert policies — You can now specify a SQL string to detect in a Table and Column DAM alert policy. This is useful for detecting attacks that use SQL injection. See Configuring a table and column policy on page 154.

- Support for encrypted Oracle traffic for database activity monitoring (DAM) — FortiDB can now monitor encrypted Oracle traffic in sniffer mode. See Monitoring encrypted Oracle traffic on page 83.

- Exclude policies from vulnerability assessment (VA) scans — You can now exclude policies from VA scans of specific targets. This lets you scan databases with different policy sets without creating a new assessment for each case. See Adding or modifying assessments on page 181.

- Sybase IQ support for VA — FortiDB now supports Sybase IQ for VA. (Penetration test and DAM are not supported.) See Adding (or modifying) a target connection on page 107.

- Performance enhancement — FortiDB now has an internal alert policy pre-filter that speeds up alert data processing.

FortiDB 5.1.5

- Tomcat upgrade — Tomcat (one of FortiDB’s internal components) has been upgraded to eliminate vulnerabilities found in the older version.

- Mitigation of the Bash vulnerability (CVE-2014-6271, "Shellshock") — FortiDB used Bash to provide shell access in its debug builds. It has been replaced to eliminate the CVE-2014-6271 vulnerability.

FortiDB 5.1.4

- Support for SQL Server 2014 VA — You can now scan the latest Microsoft SQL Server platform for vulnerabilities.

- TCP/IP sniffer optimized for better performance and stability — Throughput and performance of the sniffer-based data collection method have been improved.

- Enhanced diagnose mode — FortiDB has a new command set that allows you to troubleshoot more efficiently. See Using the command line interface (CLI) on page 257.

- Security enhancements — Enhanced protection against cross-frame scripting (XFS), and cache control to prevent the browser from storing page data.

FortiDB 5.1.3

- Internal message queuing mechanism enhancement — The internal message queuing mechanism was upgraded. This improves the stability of data collection in high transaction volume environments.

- Support for online context in help — FortiDB now supports online context in Help. This allows more comprehensive searches and more up-to-date information for end users.

- Support for partitions larger than 2TB in FortiDB 3000D — The larger partition size enables more efficient audit data storage on 3000D appliances. For information on adjusting the RAID level for the FortiDB 3000D and other models, see config system raid on page 275.

- Email notification enhancement — This enhancement alleviates the problems associated with configuring reports in the notification section of the Monitor setup.

FortiDB 5.1.2

- No design changes. Bug fixes only.

FortiDB 5.1.1

- Support for FortiDB-1000D appliance — FortiDB-1000D is a stronger, faster platform supporting up to 30 databases that replaces the FortiDB-1000C.

- tcpdump — FortiDB now includes tcpdump, a packet analyzer that you access using the command-line interface (CLI). tcpdump gives FortiDB deployments that use the TCP/IP sniffer a reliable way to collect traffic data for troubleshooting purposes.

FortiDB tutorials

Use the FortiDB tutorials to quickly create a basic, working assessment and monitoring configuration for your environment and familiarize yourself with the web UI.

For initial installation instructions (for the software-only version) and initial product configuration, see Installation (software-only) on page 36 and How to set up your FortiDB on page 48.

See also

- Tutorial: Generating a vulnerability assessment (VA) report

- Tutorial: Monitoring a database table using the TCP/IP sniffer

- Tutorial: Monitoring a database table using the native auditing feature

- Tutorial: Monitoring changes to metadata

- Tutorial: Generating PCI, SOX, and HIPAA compliance reports

Tutorial: Generating a vulnerability assessment (VA) report

The following example FortiDB configuration provides step-by-step instructions for creating a vulnerability assessment (VA) report for an Oracle target database.

To complete this example, the database user that FortiDB uses to connect to the Oracle target database requires the following privileges:

- CREATE SESSION

- SELECT_CATALOG_ROLE

- SELECT ON:

  - SYS.AUDIT$

  - SYS.REGISTRY$HISTORY

  - SYS.USER$

  - SYS.LINK$

  - SYSTEM.SQLPLUS_PRODUCT_PROFILE

For requirements for other types of target databases, see Privileges for VA assessments, privilege summaries, and penetration tests on page 95.
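The privilege list above, turned into an added SQL example that is not from the handbook: it provisions a dedicated, least-privilege Oracle account for FortiDB to scan with, grants exactly the privileges listed, and then queries the data dictionary so you can confirm the account holds nothing more. The account name FORTIDB_VA, the password, and the USERS/TEMP tablespace names are assumptions; run it as SYS AS SYSDBA, because the grants on SYS-owned base tables must come from SYS.

```sql
-- Added example (not FortiDB's own script): provision a least-privilege
-- Oracle account for FortiDB vulnerability assessment.
-- Assumptions: account name FORTIDB_VA, the password shown, and the
-- USERS/TEMP tablespaces. Run as SYS AS SYSDBA.

CREATE USER fortidb_va IDENTIFIED BY "Replace-This-Pa55word!"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 0 ON users;           -- the scanner only reads; give it no room to write

-- Exactly the privileges the tutorial lists, and nothing else.
GRANT CREATE SESSION        TO fortidb_va;
GRANT SELECT_CATALOG_ROLE   TO fortidb_va;
GRANT SELECT ON sys.audit$                     TO fortidb_va;
GRANT SELECT ON sys.registry$history           TO fortidb_va;
GRANT SELECT ON sys.user$                      TO fortidb_va;
GRANT SELECT ON sys.link$                      TO fortidb_va;
GRANT SELECT ON system.sqlplus_product_profile TO fortidb_va;

-- Verification: everything the account holds, in one list. Compare it with
-- the tutorial's list before handing the credentials to FortiDB; any extra
-- row (for example, DBA or SELECT ANY TABLE) means the account is over-privileged.
SELECT 'SYSTEM PRIVILEGE' AS kind, privilege AS name
  FROM dba_sys_privs  WHERE grantee = 'FORTIDB_VA'
UNION ALL
SELECT 'ROLE', granted_role
  FROM dba_role_privs WHERE grantee = 'FORTIDB_VA'
UNION ALL
SELECT 'OBJECT PRIVILEGE', owner || '.' || table_name || ' (' || privilege || ')'
  FROM dba_tab_privs  WHERE grantee = 'FORTIDB_VA'
ORDER BY kind, name;
```

The verification query returns one row per grant made above, seven in total; if the target already had an account for FortiDB, run only the query and compare. Note that SYS.USER$ holds password hashes and SYS.LINK$ holds database-link credentials, so although this account can change nothing, its password is worth protecting like an administrator's: use a long unique password, let the account's profile lock it after repeated failed logins, and audit its sessions.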

Use the following steps to complete this tutorial:

- Create a FortiDB administrator

- Create a target

- Create a target group

- Run a vulnerability assessment of the target group

- View the assessment results as a report

Create a FortiDB administrator

The FortiDB admin account is required for administrative tasks related to vulnerability assessment (VA) (for example, making backups and creating new accounts). For day-to-day VA tasks, however, Fortinet recommends that you create additional administrators with only the roles they need, so that duties are separated and the admin account is used as little as possible.

1. Log in to FortiDB using the following credentials:

User Name: admin

Password: fortidb1!$

This is the default admin password. If you have already changed it, as recommended in Changing the “admin” account password, use the current password instead.

2. In the navigation menu (on the left side of the web UI), click Administration to expand it, and then click Administrators.

3. On the Administrators page, click Add.

4. On the General tab, enter information in the fields marked with an asterisk (*). For this example, for User Name, enter vauser. For Password, enter fdb!23.

5. On the Roles tab, in the Available Roles list, select the following roles, and then move them to the Assigned Roles list:

- Target Manager

- Operations Manager

- Report Manager

6. Click Save.

7. To log out the admin user, click the Logout icon at the top-right of the screen.

Create a target

A target specifies a database for FortiDB to assess.

1. Log in to FortiDB as vauser with the password fdb!23.

Because vauser cannot view or create other users, Administration is not displayed in the navigation menu.

2. In the navigation menu, go to Target Database Server > Targets.

3. On the Targets page, click Add.

4. On the General tab, enter the following information. For this example, the target is an Oracle database:

Name: vatarget

Type: Oracle

DB Host Name/IP: The IP address or host name of the machine where the database is located (for example, test_machine or 172.30.12.112)

Port: The number of the port the database listens on; the default Oracle listener port is 1521

DB Name: The name of the database (for example, orcl)

User Name: The database user name (the account that holds the privileges listed above)

Password: The password for the database user

5. To verify that the connection parameters are correct, click Test Connection. The message “Success” is displayed at the top of the page.

6. Click Save. The vatarget item is displayed in the list of targets.

Create a target group

You configure FortiDB to assess target groups, not individual targets. A target group can consist of one or more targets.

1. In the navigation menu, click Target Database Server > Target Groups.

2. On the Target Groups page, click Add.

3. On the Targets page, for Group Name, enter a name for your group. For this example, enter mygroup.

4. To filter the list of targets, select the following values:

Column: Name

Operator: Contains

Value: All or part of the name of the target (for example, vatarget or targ)

5. Click Search.

6. Ensure that only the target you created (vatarget) is displayed in the list, and then, to the right of the Group Name field, click Save Group.

7. To verify that the target group you created is in the list of target groups, click Target Database Server > Target Groups.

Run a vulnerability assessment of the target group

1. In the left-side menu, go to Vulnerability Assessment > Assessments.

2. On the Assessments page, click Add.

3. For Assessment Name, enter a name for your new assessment. For this example, enter myscan.

4. To add a target group to your assessment, on the Assessment page, click the Targets tab.

5. In the Available Target Groups list , select mygroup (the target group that you just created), and then select to move mygroup to the

Assigned Target Groups list.

6. To add FortiDB policies to your assessment, click the Policies tab.

FortiDB 5.1.11 Upgrade Guide

Fortinet Technologies Inc.

21

Tutorial: Generating a vulnerability assessment (VA) report FortiDB tutorials

7. In the Available Policy Groups list, select Oracle Policy Group, and then click > (right arrow) to move Oracle Policy Group to the Assigned Policy Groups list.

When you select a policy group in the Available Policy Groups or Assigned Policy Groups list, the group’s policies are displayed in the Active Policies list.

Although you can select items in the Active Policies list, you cannot use this list to select policies to execute.

8. Click Save.

On the Assessments page, the myscan assessment is displayed.

9. To run your newly created assessment, select the check box for the myscan item, and then click Run.

In this example, you run the assessment manually and view the results in the web UI. However, FortiDB also allows you to schedule assessments and configure email and SNMP-trap notifications of assessment results.

(See Running an assessment at a specified date and time on page 182 and Sending alert notifications on page 207.)

After approximately a minute, a stop date and time is displayed in the Last Run Time column of the myscan item.

View the assessment results as a report

FortiDB provides several pre-defined reports that can help you analyze your assessments. This example uses the Target Summary Failed Report to view the assessment results. This report summarizes failed policies by number and type.

1. In the navigation menu, go to Report > Pre-Defined VA Reports.

2. On the Pre-Defined Reports page, click Target Summary Failed Report.

3. On the Vulnerability Assessment Target Summary Failed Report page, select the following values:

Assessment Name: myscan
Assessment Time: A date and time when FortiDB ran myscan
Target: The target group associated with myscan (for this example, vatarget)

On the Target Information tab, the parameters of the selected assessment are displayed.

4. Click the Preview Report tab.

After FortiDB compiles it, the report is displayed.

5. To view your report in another format, at the bottom of the page, for Export as, select one of the following formats, and then click Export:

- PDF (.pdf)
- Excel (.xls)
- Tab (.txt) (tab-delimited)
- CSV (.csv) (comma-separated values)

See also

- Administrators
- Connecting to target databases
- Adding or modifying a target group
- Vulnerability assessment (VA) policies
- Adding or modifying assessments
- Reports

Tutorial: Monitoring a database table using the TCP/IP sniffer

You can configure FortiDB to use a TCP/IP packet sniffer to monitor specific tables in a database and generate alerts based on policies you specify. For example, you can configure FortiDB to generate alerts when it detects security violations or suspicious database users. You can then use the alert information to generate a report.

Database activity monitoring (DAM) using the TCP/IP sniffer is only available with the FortiDB appliance. DAM does not work for the software version of FortiDB.

This example configures FortiDB to monitor an Oracle database. Before you start the tutorial, ensure that the database has the required configuration. For details, see Oracle target database pre-configuration on page 80.

The TCP/IP sniffer for DAM requires the following network environment and connections:

- The database server and clients use the TCP/IP protocol and all database activity takes place on the LAN.
- The network switch that FortiDB and the database server are connected to supports the port mirroring feature.
- One of the FortiDB ethernet ports is connected to the switch’s mirror port (also known as SPAN port). This port allows FortiDB to receive copies of all network traffic that is associated with the database.

Create a target

A target specifies a database for FortiDB to monitor.

1. Log in to FortiDB using the following credentials (the default values):

User Name: admin
Password: fortidb1!$

All DAM tasks require the user to log in as admin.


2. In the navigation menu, go to Target Database Server > Targets.

3. On the Targets page, click Add.

4. On the General tab, enter the following information. For this example, the target is an Oracle database:

Name: damtarget
Type: Oracle
DB Host Name/IP: The IP address or name of the machine where the database is located (for example, test_machine or 172.30.12.112)
Port: The number of the port the database uses; the default port is 1521
DB Name: The name of the database (for example, orcl)
User Name: The database user name
Password: The password for the database user
DB Activity Monitoring: Select Allow.

5. To verify that the connection parameters are correct, click Test Connection.

The message “Success” is displayed at the top of the page.

6. Click Save.

The damtarget item is displayed in the list of targets.

Configure an alert policy for a database table

1. In the navigation menu, click DB Activity Monitoring > Monitoring Management.

Your target database is listed on the Target Monitoring Management page.

2. Click damtarget (the name of the target you created).

3. On the General tab, use the following values to complete the Audit Configuration settings:

Collection Method: TCP/IP Sniffer
Version: The database version (9, 10g, 11g, 12c)
Sniffer on Port: The FortiDB appliance port that is connected to the switch's mirror port
Enable Activity Auditing: Selected
Log All: Selected
Enable Activity Profiling: Selected

When you create a target monitoring configuration, selecting Enable Activity Auditing, Log All, or Enable Activity Profiling is optional.

4. Click Save.


5. Click the Alert Policies tab.

6. At the bottom-left of the page, for Data Policies, select Table, and then click Add.

7. On the Target Monitor:<target name> page, configure a table policy using the following values:

Policy Name: Enter a policy name or use the default name
Description: Enter an optional description
Enable: Selected
Create new policy group for policy check box: Selected
Severity: Informational (the default) or other value

When you create a table policy, selecting Enable or the Create new policy group for policy check box is optional.

8. Beside Audit Settings, click the triangle icon to view the settings, and then select Browse Object by Target.

9. For Schema, select a schema to use (for example, SCOTT).

10. In the Tables list, select a table to monitor (for example, EMP).

To select multiple tables, click a table, and then Shift-click another table in the list. All tables between the two tables are selected.

11. Under Audit Actions, select Read, Write, or both.

12. Click > (right arrow) to move the selected tables and their Audit Action settings to the Selected Objects table.

13. Move any other tables you want to monitor to the Selected Objects table.

14. Beside Alert Rule, click the triangle icon to view the settings.

15. Select Issue alert if ANY of the enabled rules are triggered.

16. Select Security Violation (selected by default).

17. Select Suspicious Database Users, and then click the triangle icon beside it to view additional settings.

18. Select one or more user names, and then click > (right arrow) to move them to the Selected users list.

19. Select Alert any successful access if the database matches a selected entry.

20. Select Save.

On the Alert Policies tab, the new policy is listed. The green up-arrow in the Status column indicates that the policy is enabled.

Confirm the policy group was created and start monitoring

1. Click the Alert Policy Groups tab.


2. In Selected Policy Groups, confirm that FortiDB created a policy group based on the alert policy that you created.

3. In Selected Policy Groups, select the new policy group, and then confirm that the alert policy that you created is displayed in the Selected Policy Group contents list.

4. To start monitoring the database, click the General tab, and then click Start Monitoring.

Monitor Status displays Starting and then Running.

View alerts generated by the policy and export them as a report

1. Using a database client-side application, execute one or more SQL statements that generate alerts.

2. To view alerts, click DB Activity Monitoring > Security Alerts.

3. In the Security Alerts list, click an item to display its details under Alert Details (below the list).

To hide the alert details, beside Alert Details, click the triangle icon.

4. To create a customized report, click Report > User-Defined DAM Reports, and then select Add.

5. On the General tab, for Name, enter a name for the report. Optionally, for Description, enter a short description for the report.

6. Click the Table View tab.

7. In the Available Columns list, select columns to include in the report, and then click >> (right arrows) to add the selected columns to the Columns in Report list.

8. Click Save.

9. On the User-Defined Alert Reports page, in the list of reports, select the report you just created, and then click Run.

10. After FortiDB has run the report, beside the report name, click [+] (plus sign).

A list of items with names created from the report name and run times is displayed.

11. Click a run report item to view the report.

12. To export the report, click one of the following file format icons:

- PDF
- TXT (tab-delimited)
- XLS (Excel)
- CSV (comma-separated values)

Your browser prompts you to download a file of the specified format.

View activity auditing and profiling

1. To view activity auditing, go to DB Activity Monitoring > Activity Auditing.

Database activity events for the specified dates are displayed.

2. Click an event to display its details under Activity Event Details (below the list).

3. To check activity profiling, click DB Activity Monitoring > Activity Profiling.


The Target DB Activity Profiling page lists the profiling status and summary information for the targets that FortiDB is monitoring.

4. To view details, click the name of the target.

See also

- Connecting to target databases
- Configuring monitoring using the TCP/IP sniffer (all database types)
- Data policies
- Viewing alerts
- User-defined DAM reports
- Viewing audit records (activity auditing results)
- Activity profiling

Tutorial: Monitoring a database table using the native auditing feature

You can configure FortiDB to use your database’s auditing features to monitor specific database tables and generate alerts based on policies you specify. For example, you can configure FortiDB to generate alerts when it detects security violations or suspicious database users. You can then use the alert information to generate a report.

This example configures FortiDB to monitor an Oracle database. Before you start the tutorial, ensure that the database has the required configuration. For details, see Oracle target database pre-configuration on page 80.

FortiDB can use several different methods to collect information from the monitoring process. The value of your database’s audit_trail parameter determines which collection method you use. For this example, because the value of audit_trail is db, extended, the collection method is DB, EXTENDED.

For a description of other collection methods, see Configuring Oracle monitoring on page 204.

Create a target

A target specifies a database for FortiDB to monitor.

1. Log in to FortiDB using the following credentials (the default values):

User Name: admin
Password: fortidb1!$

All DAM tasks require the user to log in as admin.

2. In the navigation menu, go to Target Database Server > Targets.

3. On the Targets page, click Add.

4. On the General tab, enter the following information. For this example, the target is an Oracle database:

Name: dam2target
Type: Oracle
DB Host Name/IP: The IP address or name of the machine where the database is located (for example, test_machine or 172.30.12.112)
Port: The number of the port the database uses; the default port is 1521
DB Name: The name of the database (for example, orcl)
User Name: The database user name
Password: The password for the database user
DB Activity Monitoring: Select Allow.

5. To verify that the connection parameters are correct, click Test Connection.

The message “Success” is displayed at the top of the page.

6. Click Save.

The dam2target item is displayed in the list of targets.

Configure an alert policy for a database table

1. In the navigation menu, click DB Activity Monitoring > Monitoring Management.

Your target database is listed on the Target Monitoring Management page.

2. Click dam2target (the name of the target you created).

3. On the General tab, confirm that the following default Audit Configuration values are selected:

Collection Method: DB, EXTENDED
Polling Frequency: 60 (default value)

4. To test the collection method, click Test.

The message "Success" is displayed at the top of the page.

5. Click the Alert Policies tab.

6. At the bottom-left of the page, for Data Policies, select Table, and then click Add.

7. On the Target Monitor:<target name> page, configure a table policy using the following values:

Policy Name: Enter a policy name or use the default name
Description: Enter an optional description
Enable: Selected
Create new policy group for policy check box: Selected
Severity: Informational (the default) or other value

When you create a table policy, selecting Enable or the Create new policy group for policy check box is optional.

8. Beside Audit Settings, click the triangle icon to view the settings, and then select Browse Object by Target (the default value).

9. For Schema, select a schema to use (for example, SCOTT).

10. In the Tables list, select a table to monitor (for example, EMP).

To select multiple tables, click a table, and then Shift-click another table in the list. All tables between the two tables are selected.

11. Under Audit Actions, select Read, Write, or both.

12. Click > (right arrow) to move the selected tables and their Audit Action settings to the Selected Objects table.

13. Move any other tables you want to monitor to the Selected Objects table.

14. Select Issue alert if ANY of the enabled rules are triggered.

15. Select Security Violation (selected by default).

16. Select Suspicious Database Users, and then click the triangle icon beside it to view additional settings.

17. Select one or more user names, and then click > (right arrow) to move them to the Selected users list.

18. Select Alert any successful access if the database matches a selected entry.

19. Select Save.

On the Alert Policies tab, the new policy is listed. The green up-arrow in the Status column indicates that the policy is enabled.

Confirm the policy group was created and start monitoring

1. Click the Alert Policy Groups tab.

2. In Selected Policy Groups, confirm that FortiDB created a policy group based on the alert policy that you created.

3. In Selected Policy Groups, select the new policy group, and then confirm that the alert policy that you created is displayed in the Selected Policy Group contents list.

4. To start monitoring the database, click the General tab, and then click Start Monitoring.

Monitor Status displays Starting and then Running.

View alerts generated by the policy and export them as a report

1. Using a database client-side application, execute several SQL statements that generate alerts.

2. To view alerts, click DB Activity Monitoring > Security Alerts.


3. In the Security Alerts list, click an item to display its details under Alert Details (below the list).

To hide the alert details, beside Alert Details, click the triangle icon.

4. To create a customized report, click Report > User-Defined DAM Reports, and then select Add.

5. On the General tab, for Name, enter a name for the report. Optionally, for Description, enter a short description for the report.

6. Click the Table View tab.

7. In the Available Columns list, select columns to include in the report, and then click >> (right arrows) to add the selected columns to the Columns in Report list.

8. Click Save.

9. On the User-Defined Alert Reports page, in the list of reports, select the report you just created, and then click Run.

10. After FortiDB has run the report, beside the report name, click [+] (plus sign).

A list of items with names created from the report name and run times is displayed.

11. Click a run report item to view the report.

12. To export the report, click one of the following file format icons:

- PDF
- TXT (tab-delimited)
- XLS (Excel)
- CSV (comma-separated values)

Your browser prompts you to download a file of the specified format.

See also

- Connecting to target databases
- Data policies
- Viewing alerts
- User-defined DAM reports

Tutorial: Monitoring changes to metadata

You can configure FortiDB to use your database’s auditing features to monitor for metadata changes and generate alerts based on the policies you specify. For example, you can configure FortiDB to generate alerts when database tables or columns are created, deleted, or modified. You can then use the alert information to generate a report.

This example configures FortiDB to monitor an Oracle database. Before you start the tutorial, ensure that the database has the required configuration. For details, see Oracle target database pre-configuration on page 80.

FortiDB can use several different methods to collect information from the monitoring process. The value of your database’s audit_trail parameter determines which collection method you use. For this example, because the value of audit_trail is db, extended, the collection method is DB, EXTENDED.

For a description of other collection methods, see Configuring Oracle monitoring on page 204.

Create a target

A target specifies a database for FortiDB to monitor.

1. Log in to FortiDB using the following credentials (the default values):

User Name: admin
Password: fortidb1!$

All DAM tasks require the user to log in as admin.

2. In the navigation menu, go to Target Database Server > Targets.

3. On the Targets page, click Add.

4. On the General tab, enter the following information. For this example, the target is an Oracle database:

Name: dam3target
Type: Oracle
DB Host Name/IP: The IP address or name of the machine where the database is located (for example, test_machine or 172.30.12.112)
Port: The number of the port the database uses; the default port is 1521
DB Name: The name of the database (for example, orcl)
User Name: The database user name
Password: The password for the database user
DB Activity Monitoring: Select Allow.

5. To verify that the connection parameters are correct, click Test Connection.

The message “Success” is displayed at the top of the page.

6. Click Save.

The dam3target item is displayed in the list of targets.

Configure an alert policy for metadata

1. In the navigation menu, click DB Activity Monitoring > Monitoring Management.

Your target database is listed on the Target Monitoring Management page.

2. Click dam3target (the name of the target you created).

3. On the General tab, confirm that the following default Audit Configuration values are selected:

Collection Method: DB, EXTENDED
Polling Frequency: 60

4. To test the collection method, click Test.

The message "Success" is displayed at the top of the page.

5. Click the Alert Policies tab.

6. Locate the policy item Tables, which has a Type value of the metadata policy icon, and then select it by selecting its check box.

7. Click Enable.

Under Status, a green icon with an arrow is displayed.

Start monitoring

1. To start monitoring the database, click the General tab, and then click Start Monitoring.

Monitor Status displays Starting and then Running.

2. If the message "NEED_RECONFIGURE" is displayed, click the Alert Policies tab, and then click the Reconfigure* button.

View alerts generated by the policy and export them as a report

1. Using a database client-side application, execute several SQL statements that generate alerts.

For example, execute the following SQL statements:

create table table1 (column1 int, column2 char);
drop table table1;

2. To view alerts, click DB Activity Monitoring > Security Alerts.

3. In the Security Alerts list, click an item to display its details under Alert Details (below the list).

To hide the alert details, beside Alert Details, click the triangle icon.

4. To change the alert status from "Unacknowledged" to "Acknowledged", do the following:

a. Select the check box(es) of the alerts to change, and then select "Acknowledged" in the Status dropdown list.

b. Click Apply.

The color of the status icon changes.

5. To create a customized report, click Report > User-Defined DAM Reports, and then select Add.

6. On the General tab, for Name, enter a name for the report. Optionally, for Description, enter a short description for the report.

7. Click the Table View tab.

8. In the Available Columns list, select columns to include in the report, and then click >> (right arrows) to add the selected columns to the Columns in Report list.

9. Click Save.


10. On the User-Defined Alert Reports page, in the list of reports, select the report you just created, and then click Run.

11. After FortiDB has run the report, beside the report name, click [+] (plus sign).

A list of items with names created from the report name and run times is displayed.

12. Click a run report item to view the report.

13. To export the report, click one of the following file format icons:

- PDF
- TXT (tab-delimited)
- XLS (Excel)
- CSV (comma-separated values)

Your browser prompts you to download a file of the specified format.

See also

- Connecting to target databases
- Metadata policies
- Viewing alerts
- User-defined DAM reports

Tutorial: Generating PCI, SOX, and HIPAA compliance reports

You can configure FortiDB to monitor a database and generate alerts based on the following regulatory compliance standards:

- Sarbanes-Oxley Act (SOX)
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability & Accountability Act (HIPAA)

This example configures a Microsoft SQL Server database. Before you start the tutorial, ensure that the database has the required configuration. For more information, see Microsoft SQL Server target database preconfiguration on page 94.

Create a target

A target specifies a database for FortiDB to monitor.

1. Log in to FortiDB using the following credentials (the default values):

User Name: admin
Password: fortidb1!$

2. In the navigation menu, go to Target Database Server > Targets.

3. On the Targets page, click Add.


4. On the General tab, enter the following information. For this example, the target is a Microsoft SQL Server database:

Name: dam_pci_sox
Type: Microsoft SQL Server
DB Host Name/IP: The IP address or name of the machine where the database is located (for example, test_machine or 172.30.12.112)
Port: The number of the port the database uses; the default port is 1433
Connect At: Server Level (default)
DB Name: The name of the database. Because this target connects at the server level, the database name is master and you cannot change it.
User Name: The database user name
Password: The password for the database user
DB Activity Monitoring: Select Allow.

5. To verify that the connection parameters are correct, click Test Connection.

The message “Success” is displayed at the top of the page.

6. Click Save.

The dam_pci_sox item is displayed in the list of targets.

Add the PCI, SOX, and HIPAA policy groups to the target

1. In the navigation menu, click DB Activity Monitoring > Monitoring Management.

2. Click dam_pci_sox (the name of the target you created).

3. On the General tab, confirm that the following default Audit Configuration values are selected:

Collection Method: SQL Trace
Trace Folder: Enter the full path of the existing trace folder (for example, C:\SQLTrace)
Polling Frequency: 60 (default)

4. To test the collection method, click Test.

The message "Success" is displayed at the top of the page.

5. Click the Alert Policy Groups tab.

6. Select PCI Policies and click >> (right arrows) to move the item to the Selected Policy Groups list.

7. Select Sox Policies and click >> (right arrows) to move the item to the Selected Policy Groups list.

8. Select HIPAA Policies and click >> (right arrows) to move the item to the Selected Policy Groups list.


9. Click Save.

Start monitoring

To start monitoring the database, click the General tab, and then click Start Monitoring.

Monitor Status displays Starting and then Running.

Configure and export PCI and SOX reports

1. Using a database client-side application, execute several SQL statements that generate data.

For example, to generate data that is captured in a History of Privilege Changes report, execute SQL statements that change privileges.

2. To create a PCI compliance report, click Report > PCI Reports.

3. For this example, select PCI - Successful/Unsuccessful Database Logins.

4. On the Generate Audit PCI Report page, configure the report using the following values:

Export as: PDF (default)
W/P Reference: Enter the work paper reference value, if required. This value is a tracking mechanism customers can use to identify and place controls around reports.
Date Range: Enter start and end dates for the report (click the calendar icons to select dates using the date picking tool)

5. Confirm that the target database is displayed in the Targets list.

If there is no data, the database name does not appear in the box.

6. In the bottom-right corner of the page, select Export.

Your browser downloads the report file.

7. Repeat the compliance report steps to generate the following report types:

- Sox Report: History of Privilege Changes
- HIPAA Report: Privilege Changes

See also

- Connecting to target databases
- PCI, SOX, and HIPAA alert policies
- PCI, SOX, and HIPAA reports

Installation (software-only)

The software-only version of FortiDB allows you to install FortiDB on hardware that you provide.

FortiDB software runs as a web application and uses Tomcat as the application server. You can install it on either Windows or UNIX (Solaris, AIX, Linux) platforms.

FortiDB uses one of the following repositories for its internal data:

- Apache Derby
- PostgreSQL
- Oracle
- Microsoft SQL Server

The Apache Derby database is included with the FortiDB software. No manual setup is required.

Because the software-only version of FortiDB cannot monitor databases using the TCP/IP sniffer, the software-only version does not support the activity auditing and profiling features.

System requirements

To ensure both security and performance, install FortiDB on a dedicated computer that does not run any other memory or processor-intensive applications. Start with a clean installation of the operating system that has a minimum number of services running.

For a list of currently supported hardware and software, see the Supported Hardware section of the Release Notes for your version of FortiDB.

Requirement: Disk space
Details: 300 MB of free disk space (minimum). Additional space is required for the repository database, log files, reports and archives.

Requirement: Memory
Details: A minimum of 2048 MB of system memory, 1024 MB of which are dedicated to the FortiDB application

Requirement: Processor
Details: Windows and Linux: Intel-based platforms configured with one or more P4 (or higher) processors. Solaris: SPARC-based platform configured with one or more processors.

These are minimum disk space and memory requirements. For optimal performance, consult with a FortiDB representative for recommendations that are best suited to your individual situation.


Preparing to install

Before you install FortiDB, ensure you have the following information:

Prerequisite: User account for FortiDB installation
Details: Windows: An Administrator-level account. Linux or Solaris: A non-root user account.

Prerequisite: Location for FortiDB
Details: You can install FortiDB in any directory. Do not choose a path with a name that contains one or more spaces. For example, because there is a space between Program and Files, do not use C:\Program Files\FortiDB.
Notes: If you choose a location where a previous version of FortiDB exists, the installation process upgrades the current installation.

Prerequisite: DB type for your repository database
Details: Derby, Microsoft SQL Server, Oracle, or PostgreSQL
Notes: The FortiDB installation process installs the compatible Derby database with the required configuration. For Microsoft SQL Server, Oracle, and PostgreSQL, configure your repository database before you install FortiDB. See Configuring the FortiDB repository database on page 38.

Prerequisite: Name of host machine for repository database
Details: The hostname or IP address for the machine where the repository database resides

Prerequisite: Port number for repository database
Details: An available port number above 1024

Prerequisite: Database name/SID for repository database
Details: The name (or SID) of the repository database

Prerequisite: Username for repository database user
Details: The account name of the repository database user

Prerequisite: Password for repository database user account
Details: The password for the repository database user

Prerequisite: Application Server HTTP Port Number
Details: An available port number above 1024

Prerequisite: Application Server HTTPS Port Number
Details: An available port number above 1024

Prerequisite: Application Server Shutdown Port Number
Details: An available port number above 1024

Configuring the FortiDB repository database

When you use Derby for the FortiDB repository database, no configuration is required. For all other database types, follow the configuration instructions in this section.

For all repository types except Derby, verify that your character-encoding setting is UTF-8.

Do not use the FortiDB application to monitor or audit its own repository database.

To ensure best performance, do not install FortiDB and its repository database on the same computer. You cannot install the Derby repository that is included with FortiDB software on the same computer as FortiDB.

See also

- Configuring a PostgreSQL repository
- Configuring an Oracle repository
- Configuring a Microsoft SQL Server repository

Configuring a PostgreSQL repository

When you use a PostgreSQL 8.x repository, FortiDB requires a language pack for its archive feature.


1. Create a database to use for the FortiDB repository (for example, “fortidb”) with UTF-8 encoding. Make a note of the following information, which is required for FortiDB installation:
- Database name
- User name
- Password

2. To create the language pack “plpgsql”, execute the following command:

createlang -h 127.0.0.1 -d <database_name> -U <database_user> plpgsql

where:
- <database_name> is the name of the database
- <database_user> is the name of the database user

3. To verify that the language pack is installed properly, execute the following command:

psql -h 127.0.0.1 -d <database_name> -U <database_user> -c "select * from pg_language"

where:
- <database_name> is the name of the database
- <database_user> is the name of the database user

The row plpgsql is displayed in the pg_language table.

Configuring an Oracle repository

1. Create a tablespace for FortiDB with the following values:

Block Size (B): Minimum 16K
Total SGA size: Minimum 500MB
Total PGA size: Minimum 100MB
Segment Space Management: AUTO (Automatic)
Extent Management: LOCAL

2. Create a user for FortiDB that has the following privileges:
- CREATE SESSION
- CREATE TABLE
- CREATE SEQUENCE
- UNLIMITED QUOTA for the FortiDB tablespace

3. Make any changes to your configuration that can reduce the risk of competition for input/output resources (I/O contention).

For example, put your database and log files on separate disks.

4. Create a datafile for the FortiDB tablespace. For example:


File Name: FORTIDB.DBF
File Directory: C:\oracle\product\10.2.0\oradata\orcl\
Tablespace: FORTIDB
File Size: 500M
AUTOEXTEND: ON (automatically extends the datafile when it is full)

Here is an example of the parameters in init.ora (for Oracle 10g):

*.db_name='fortidb'

*.db_block_size=8192

*.sga_target=584M

*.pga_aggregate_target=194M

*.db_create_file_dest='/home/oracle/product/10.2.0/db_1/oradata/fdb'

*.db_recovery_file_dest='/home/oracle/product/10.2.0/db_1/flash_recovery_area'

*.db_recovery_file_dest_size=2G

*.undo_management='AUTO'

*.undo_tablespace='UNDOTBS1'

*.audit_file_dest='/home/oracle/product/10.2.0/db_1/admin/fdb/adump'

*.user_dump_dest='/home/oracle/product/10.2.0/db_1/admin/fdb/udump'

*.core_dump_dest='/home/oracle/product/10.2.0/db_1/admin/fdb/cdump'

*.background_dump_dest='/home/oracle/product/10.2.0/db_1/admin/fdb/bdump'

*.compatible='10.2.0.3.0'

*.control_files='/home/oracle/product/10.2.0/db_1/oradata/fdb/control01.ctl'

*.db_file_multiblock_read_count=16

*.job_queue_processes=10

*.open_cursors=300

*.processes=150

Configuring a Microsoft SQL Server repository

This procedure illustrates how to configure a repository using Microsoft SQL Server 2008 Management Studio.

The user ID and schema name must have the same name as the FortiDB repository.

Create a SQL database

1. Log in as sa.

2. Right-click Databases.

3. Click New Database.

4. For the database name, enter fortidb.

5. Configure the database using the following values:

Initial data-file size: 300 MB (minimum)
Initial log-file size: 20 MB (minimum)
Collation value: A value that supports case-sensitivity. The characters “CS” in a collation value indicate that it is case-sensitive. For example, the collation value SQL_Latin1_General_CP1_CS_AS is for U.S. English systems and is case-sensitive.

6. Click OK.

Create a SQL login

1. Go to Security.

2. Right-click Logins.

3. Click New Login.

4. For Login name, enter fortidb.

5. Select SQL Server authentication, and then enter and confirm a password.

6. Clear Enforce password expiration.

7. For Default database, select fortidb.

8. On the User Mapping page, for Users mapped to this login, select fortidb.

In the User column for the fortidb list item, fortidb is displayed.

9. Select the fortidb item in the list of users, and then, for Database role membership for: fortidb, select db_owner.

10. Click OK.

Create the fortidb schema

Ensure that the schema uses the same name as the login name that you created in the previous step.

1. Log in using the user (fortidb) and password.

2. Go to Databases > fortidb > Security.

3. Right-click Schemas, and then select New Schema.

4. For both Schema name and Schema owner, enter fortidb.

5. Click OK.

6. Go to Databases > fortidb > Security > Users.

7. Right-click the fortidb user, and then click Properties.

8. For Default schema field, enter fortidb.

9. Click OK.


Verify that the login is mapped to the correct schema and user

1. Log in as sa.

2. Go to Security > Logins.

3. Right-click fortidb, and then select Properties.

4. On the User Mapping page, verify that “fortidb” is both the user and default schema value for the fortidb item.

UNIX/Linux installation

You install FortiDB software on UNIX and Linux using a console user interface, or command-line interface (CLI).

You can use a non-root user account to install FortiDB on the following operating systems:
- Solaris
- AIX
- Linux installations that use an Oracle repository database

To install FortiDB on UNIX/Linux, the following hardware and operating system are required:
- Solaris with SPARC-based platform
- 64-bit Linux system with Intel-based platform, and 2.6 kernel

For detailed platform requirements, see the release notes for your version of FortiDB.

Obtain one of the following FortiDB installer files:

Solaris: fdb-install-{version}-solaris-sparc.bin
Linux (without RPM Package Manager): fdb-install-{version}-linux-x64.bin
Unix: fdb-install-{version}-unix.bin

Execute the supplied installer file using the following command:

sh <installer file>

For Linux installations that use RPM Package Manager, do the following:
- Obtain the FortiDB installer file fdb-install-{version}-linux-x64.rpm
- Execute the installer file using the following command: rpm -ivh <installer file>

To install FortiDB on other UNIX systems like AIX, install the Java Runtime Environment version 1.6 or higher first, and then update the FortiDB startup script. For details, refer to the release notes for your version of FortiDB or contact Fortinet.


See also:
- Confirming the installation


Windows installation

For detailed information on Windows installation requirements, see the release notes for your version of FortiDB.

To install FortiDB on Windows, you use the graphical user interface (GUI) and an Administrator account.

Obtain one of the following FortiDB installer files:

Windows 64-bit: fdb-install-{version}-windows-x64.exe
Windows 32-bit: fdb-install-{version}-windows-x86.exe

Log in as a user with administrator privileges, run the installer, and then follow the instructions provided by the installer.

Use the Add/Remove Programs control panel to uninstall FortiDB.

See also:
- Confirming the installation

Confirming the installation

To test whether your installation was successful, enter the following URL in your browser:

http://<fortidb_ip>:<port_int>/fortidb

where:
- <fortidb_ip> is the FortiDB host name or IP address
- <port_int> is the port number on which the application server listens

If your installation is successful, the login page is displayed.

The default administrator user name is admin and the default password is fortidb1!$.

After you log in successfully, go to Administration > Administrators to change the password for the admin account. For more information on changing passwords, see Changing the “admin” account password on page 53.

Starting or stopping FortiDB

In some situations, it is necessary to start or stop FortiDB manually. For example, when you update or replace your FortiDB license file, or reboot UNIX.


When FortiDB stops, it saves state information in the internal database. When you log in again, it retrieves this information and reopens the databases that were open at the time of the shutdown. Since state information is periodically saved during your session, FortiDB can restore most of the state, even if it goes down due to a power failure or similar problem.

To manually start FortiDB on Windows

Do one of the following:
- Execute the <FortiDB install directory>\bin\start.bat batch file.
- Click Start > Programs > FortiDB > Start FortiDB.

To manually start FortiDB on UNIX

Use the <FortiDB install directory>/bin/start script.

To manually stop FortiDB on Windows

Do one of the following:
- Execute the <FortiDB install directory>\bin\stop.bat batch file.
- Click Start > Programs > FortiDB > Stop FortiDB.

To manually stop FortiDB on UNIX

Use the <FortiDB install directory>/bin/stop script.

Installing a new license

FortiDB requires a license key in order to operate and ships with a temporary one. In some cases, a notice warning you that your license is about to expire is displayed about two weeks before your license expires. If this happens, contact your Fortinet sales representative to extend the license.

To install a new license

For information on starting and stopping FortiDB, see Starting or stopping FortiDB on page 43.

1. Stop FortiDB.

2. In <FortiDB install directory>/conf, replace license.properties with the new license file.

3. Restart FortiDB.

Managing disk space

FortiDB log, archive, and report files all consume disk space. To help conserve disk space, you can back up, delete, and restore these files, as required.


See also:
- Useful directories, files, and folders
- Log files for troubleshooting


Useful directories, files, and folders

The folders that the FortiDB installation directory contains include the following:

FortiDB directories

Directory: Contents
<FortiDB install directory>/bin: Utility files, including the files that allow you to manually start and stop FortiDB
<FortiDB install directory>/conf: Your license file, encryption-key files, installation-properties file, and report logo files
<FortiDB install directory>/data/archives/VA: Vulnerability assessment archive files
<FortiDB install directory>/data/reports: Report files
<FortiDB install directory>/doc: Administration, Quick Start, and Installation Guides
<FortiDB install directory>/etc/conf/pentest: Files related to penetration tests
<FortiDB install directory>/etc/snmp: SNMP-trap dictionary file for FortiDB
<FortiDB install directory>/logs: Error and other log files
<FortiDB install directory>/tomcat/logs: Log files for the Tomcat application server
<FortiDB install directory>/uninstall: Uninstall executable file

The files that the FortiDB installation directory contains include the following:

FortiDB files and folders

File or folder name: Description
<FortiDB install directory>/conf/license.properties: Specifies the length of, and number of target databases allowed during, the FortiDB license period


<FortiDB install directory>/conf/.keyFile: Needed for the encryption of passwords and assessment archives
<FortiDB install directory>/conf/.keystore: Needed for target-database connections involving SSH
<FortiDB install directory>/conf/reportlogos: Contains images for report logos
<FortiDB install directory>/etc: Contains:
- Pentest dictionary and db-type-specific files
- XML files with samples of information that can be imported from a target database
- FortiDB-specific MIB file for SNMP notifications
<FortiDB install directory>/etc/templates: server.xml (for internal FortiDB use only)

See also:
- Managing disk space
- Log files for troubleshooting

Log files for troubleshooting

FortiDB produces the following log files that are useful for troubleshooting and can help Fortinet Technical Support to assist you:

General logs: <FortiDB install directory>/logs/*.log
Tomcat logs: <FortiDB install directory>/tomcat/logs/*.log

You can troubleshoot installation problems by reviewing information in Tomcat log files that are located in the following directories:

<FortiDB install directory>/logs

<FortiDB install directory>/tomcat/logs

<FortiDB install directory>/tomcat/webapps/fortidb/WEB-INF/logs

See also:
- Useful directories, files, and folders


Upgrading FortiDB

For supported upgrade versions, see the release notes for your version of FortiDB.

To upgrade from an earlier version of FortiDB

1. Back up your repository database.

This step is optional, but recommended.

2. Shut down your existing FortiDB process or service.

For detailed steps, see Starting or stopping FortiDB on page 43.

3. Execute the FortiDB installer file.

For detailed information, see UNIX/Linux installation on page 42 or Windows installation on page 43.

4. Specify the directory that contains your existing FortiDB installation as the destination directory.

5. To complete the upgrade, follow the remaining steps provided for an initial installation.


How to set up your FortiDB


The basic setup instructions include information on planning network connections for FortiDB, connecting to the web UI or command line interface, and ensuring you have the latest version of the firmware (for appliance versions).

After the initial setup is complete, for example configurations for assessing and monitoring databases, see FortiDB tutorials on page 19.

See also:
- Planning the network topology for database activity monitoring (DAM)
- Connecting to the web UI and CLI
- Updating the firmware
- Changing the “admin” account password
- Setting the system time
- Configuring the network settings

Registering your FortiDB

Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site: https://support.fortinet.com

Many Fortinet customer services such as firmware updates, technical support, and FortiGuard services require product registration.

For more information, see the Fortinet Knowledge Base article Registration Frequently Asked Questions.

Planning the network topology for database activity monitoring (DAM)

Database activity monitoring (DAM) using the TCP/IP sniffer (also known as packet capture or network analyzer) is available for the appliance version of FortiDB only. It provides functions like policy-based activity auditing, activity profiling, and security alerts.

To use DAM with the TCP/IP sniffer, connect one or more of your FortiDB appliance's ports to the SPAN port of the switch that is connected to your database server. This configuration allows the appliance to monitor all traffic passing to and from the server.

See also:
- Tutorial: Monitoring a database table using the TCP/IP sniffer


Connecting to the web UI and CLI

The default IP address and subnet of port1 is 192.168.1.99/255.255.255.0. To connect to the appliance's web UI on port1, for example, go to https://192.168.1.99/.

To connect to the appliance's CLI, connect your computer’s serial communications (COM) port to the FortiDB appliance’s console port. Use terminal emulation software to connect with the appliance using the following configuration:

Serial line to connect to: COM1 (or, if your computer has multiple serial ports, the name of the connected serial port)
Speed (baud): 9600
Data bits: 8
Stop bits: 1
Parity: None
Flow control: None

The default administrator account name and password is admin and fortidb1!$.

See also:
- Changing the “admin” account password

Updating the firmware

Your new FortiDB appliance ships with the latest operating system (firmware). However, if Fortinet has released a new version since it shipped your appliance, install the new firmware before you continue the installation. Fortinet periodically releases FortiDB firmware updates with enhancements and to address issues.

Before you can download firmware updates for your FortiDB appliance, you must first register it with Fortinet Technical Support. For details, go to https://support.fortinet.com/ or contact Fortinet Technical Support.

FortiDB firmware is available for download at: https://support.fortinet.com

New firmware can also introduce new features which you must configure for the first time.

For late-breaking information specific to the firmware release version, see the release notes for the release.

When you update the firmware image, FortiDB keeps existing data and configuration. However, Fortinet recommends that you back up all FortiDB data and configuration settings before you upgrade. The backup operation safeguards data and configuration settings in case power is lost during the upgrade. For information on backup and restore procedures, see Backups on page 59.


See also:
- Upgrading the firmware
- Installing FortiDB firmware

Upgrading the firmware

When installing firmware, FortiDB keeps existing data and configuration.

If you want to reset all device settings and configuration and delete log data on the hard drive, use the execute format disk CLI command. For details, see execute format disk on page 284.

To upgrade your firmware using the web UI

1. Download the firmware image file to your management computer.

For FortiDB appliances with a valid technical support contract, you can download firmware images from the Fortinet Technical Support web site, https://support.fortinet.com.

2. Log in as admin.

3. Go to System > System Information.

4. Under System Information, in the Firmware Version information, click Update.

5. Do one of the following to select the firmware image file:
- Enter the path and file name of the file.
- Click Choose File to navigate to and select the file.

6. Click Update.

After your browser uploads the firmware image file, FortiDB upgrades to the new firmware version, and then restarts. This process takes a few minutes.

To upgrade your firmware using the CLI

When you upgrade the firmware using the CLI, FortiDB requires a TFTP or FTP server that it can connect to.

1. Start the FTP or TFTP server.

2. Copy the new firmware image file to the FTP or TFTP server.

3. Log in to the CLI as admin.

4. Verify that FortiDB can connect to the FTP or TFTP server.

For example, if the IP address of the TFTP server is 192.168.1.168, enter the following command: execute ping 192.168.1.168

5. Enter the following command to copy the firmware image from the FTP or TFTP server to FortiDB:

execute restore image ftp <filename> <ftp_ip>
execute restore image tftp <filename> <tftp_ip>

where:


- <filename> is the name and location of the firmware image file
- <ftp_ip> or <tftp_ip> is the IP address of the FTP or TFTP server

For example, if the firmware image file name is image.out and the IP address of the FTP or TFTP server is 192.168.1.168, enter:

execute restore image tftp image.out 192.168.1.168

FortiDB responds with the following message:

This operation will replace the current firmware version!

Do you want to continue? (y/n)

6. Type y.

FortiDB downloads the firmware image file, upgrades to the new firmware version, and then restarts. This process takes a few minutes.

7. Reconnect to the CLI.

8. To confirm that the new firmware image is successfully installed, enter: get system status

See also:
- Updating the firmware
- Installing FortiDB firmware

Installing FortiDB firmware

You can use the boot loader menu to install a specific firmware image and reset FortiDB to default settings. Use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware version.

This procedure reverts the FortiDB system to its factory default configuration.

Installing a specific firmware image requires you to connect to the CLI using the FortiDB console port and an RJ-45 to DB-9 or null-modem cable. A TFTP server that you can connect to from the FortiDB interface and that is on the same subnet as the internal interface is also required.

To install firmware using boot loader menu

1. Connect to the FortiDB CLI through your console port.

2. To get and copy your current network settings for reference, execute the following command: show

The process of installing a new image resets your network settings to the factory defaults. To access the web-based manager, re-configure network settings.

3. Verify that the TFTP server is running.

4. Copy the new firmware image file to the TFTP server.


5. Verify that the internal interface is connected to the same network as the TFTP server. To test the connection, enter the following command: execute ping <tftp_ip_address>

6. Enter the following command to restart FortiDB: execute reboot

The FortiDB system responds with the following message:

This operation will reboot the system !

Do you want to continue? (y/n)

7. Type y to display the boot loader menu.

As the FortiDB system starts, a series of system startup messages is displayed. When one of the following messages appears:

Press any key to display configuration menu.......

Immediately press any key to interrupt the system startup.

You have only 3 seconds to press any key. After 3 seconds, FortiDB reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, one of the following messages appears:

[G]: Get firmware image from TFTP server.

[F]: Format boot device.

[B]: Boot with backup firmware and set as default

[C]: Configuration and information

[Q]: Quit menu and continue to boot with default firmware.

[H]: Display this list of options.

Enter G,F,B,C,Q,or H:

8. Type G to get the new firmware image from the TFTP server.

The following message appears:

Enter TFTP server address [192.168.1.168]:

9. Type the address of the TFTP server and press Enter.

The following message appears:

Enter Local Address [192.168.1.188]:

10. Type an IP address that FortiDB can use to connect to the TFTP server.

The IP address can be any IP address that is valid for the network the interface is connected to. Verify that you do not enter the IP address of another device on this network.

The following message appears:

Enter firmware image file name [image.out]:

11. Enter the firmware image file name (and location) and press Enter.


The TFTP server uploads the firmware image file to the FortiDB unit. Some unit models may display the following message:

Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]

12. Type D.

FortiDB installs the new firmware image and restarts. The installation can take a few minutes to complete. If the installation is successful, the FortiDB CLI prompt is displayed.

13. Configure your network settings. For details, refer to Configuring network settings using the CLI on page 57.

See also:
- Updating the firmware
- Upgrading the firmware

Changing the “admin” account password

1. Log in to the FortiDB web UI.

2. Select the Change Password link at the top of any page.

3. Enter your current password and new password, and then confirm your new password.

When you create a password, use the following rules:

Mandatory Length: By default, no mandatory length is set. For information on setting the minimum length, see User Profile/Security properties on page 74.
Mandatory contents:
- At least one number
- At least one special character from the following set: !@#$%^&*()_+|~-=\`{}[]:";'<>?,./
Prohibited contents:
- Spaces
- User name
- User name reversed

For example, wru2rxy? is a valid password.

4. Click OK.
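As an added example (not FortiDB's own code), the following Python function applies the password rules in the table above to a candidate password and user name; it assumes the user-name checks are case-insensitive substring matches and takes the minimum length as a parameter, since none is set by default.

```python
"""Password rule check for FortiDB administrator accounts.

Added example (not FortiDB's own code). It applies the rules listed in the
password table above: mandatory contents (at least one number and one special
character from the documented set) and prohibited contents (spaces, the user
name, the user name reversed). Assumptions: the user-name checks are
case-insensitive substring matches, and the minimum length defaults to 0
because no mandatory length is set by default.
"""
import string

# The special-character set exactly as listed in the password rules table.
SPECIAL_CHARACTERS = frozenset('!@#$%^&*()_+|~-=\\`{}[]:";\'<>?,./')


def check_password(password: str, username: str, min_length: int = 0) -> list:
    """Return the list of rule violations; an empty list means the password passes.

    Each violation is a short string naming the rule that failed, so a caller
    can report every problem at once instead of only the first one found.
    """
    problems = []

    if len(password) < min_length:
        problems.append(f"shorter than the mandatory length of {min_length}")

    # "At least one number": plain ASCII digits only.
    if not any(ch in string.digits for ch in password):
        problems.append("no number")

    if not any(ch in SPECIAL_CHARACTERS for ch in password):
        problems.append("no special character")

    if " " in password:
        problems.append("contains a space")

    # Assumption: user-name matching is case-insensitive and catches the name
    # anywhere inside the password, not only as the whole password.
    lowered = password.lower()
    user = username.lower()
    if user and user in lowered:
        problems.append("contains the user name")
    # A palindromic user name would otherwise be reported twice.
    if user and user[::-1] != user and user[::-1] in lowered:
        problems.append("contains the user name reversed")

    return problems


def is_acceptable(password: str, username: str, min_length: int = 0) -> bool:
    """True when the password violates none of the documented rules."""
    return not check_password(password, username, min_length)


if __name__ == "__main__":
    # wru2rxy? is the manual's own example of a valid password.
    for candidate in ("wru2rxy?", "admin1!", "nimda9#", "wru2 rxy?", "wru2rxy"):
        print(f"{candidate!r}: {check_password(candidate, 'admin') or 'ok'}")
```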

See also:
- Administrators


Setting the system time

Setting the system time ensures correct report time ranges, scheduling, and logging.

To set the system time using the web UI

1. In the left-side navigation menu, click System > System Information.

2. In the System Time information, click Change.

The Time Settings page is displayed.

3. Use the following options to change the time settings:

Refresh: Updates the display with the current FortiDB system date and time.
Time Zone: Select the FortiDB unit's time zone. Select Automatically adjust clock for daylight saving changes to automatically switch the clock between daylight saving time and standard time. Note: Changes to the time zone setting do not take effect until after you reboot FortiDB.
Set Time: Sets the FortiDB system date and time using the values you specify for Year, Month, Day, Hour, Minute and Second.
Synchronize with NTP Server: Configures FortiDB to automatically update its system date and time using an NTP server. For Server, enter the IP address or domain name of an NTP server. To find an NTP server that you can use, go to http://www.ntp.org. For Sync Interval, specify how often the FortiDB unit synchronizes its time with the NTP server, in minutes. For example, to synchronize its time once a day, enter 1440.

4. Select OK.

To set the system time using the CLI

1. To set the time zone, execute the following command:

config system global
set daylightsavetime {enable | disable}
set timezone <timezone_number>
end

where:
- {enable | disable} specifies whether FortiDB automatically switches to daylight saving time
- <timezone_number> is a number that specifies the time zone (enter ? to list time zones and their numbers)

For example, to turn on daylight saving time and choose the Eastern time zone for US & Canada:

config system global
set daylightsavetime enable
set timezone 12
end

2. To set a Network Time Protocol (NTP) server, execute the following command:

config system ntp
set server <server_ip>
set status {enable | disable}
set sync_interval <minutes>
end

where:
- <server_ip> is the IP address or fully qualified domain name of the NTP server
- {enable | disable} specifies whether the server is enabled
- <minutes> is a value in minutes that specifies how often the FortiDB system synchronizes its time with the NTP server

For example:

config system ntp
set server 172.30.62.81
set status enable
set sync_interval 120
end

For information on manually setting the time using the CLI, see execute time on page 288.

See also:
- System information and settings

Configuring the network settings

You can configure the FortiDB unit to operate in your network using either the web UI Network Configuration page or the CLI. These basic network settings include interfaces, DNS settings and static routes.

You can use either of the following formats to specify IP address/network mask pairs:
- Dotted-decimal (for example, 192.168.1.1/255.255.255.0)
- Bit representation (for example, 192.168.1.1/24)


See also:
- Configuring network settings using the CLI

Configuring network settings using the web UI

To configure the network interfaces using the web UI

1. Go to System > Network Setting.

On the Network Configuration page, the Interfaces tab displays the current configuration of the network interfaces:

Interface: The name of the network interface on the FortiDB unit.
Device IP/Netmask: The IP address and network mask configured for the interface.
Access: A list of the administrative access methods available on the interface.
Status: A green arrow indicates that the network interface is up; select the edit button to disable the port. A red arrow indicates that the interface is down; select the edit button to enable the port.
Modify: Select the edit button to change the interface settings.

2. For the interface you want to configure, in the Modify column, click the edit icon.

3. Configure the following options:

Enable check box: Specifies whether the interface is enabled or disabled.
Interface Name: Cannot be changed.
Device IP/Netmask: Enter an IP address and network mask (for example, 192.168.10.3/255.255.255.0).
Access: Select the methods of administrative access that are available on this interface.
- HTTP allows HTTP connections to the FortiDB. HTTP connections are not secure and can be intercepted by a third party.
- HTTPS allows secure HTTPS connections to the FortiDB.
- PING allows FortiDB to respond to ICMP pings, which are useful for testing connectivity.
- SSH allows SSH connections to the FortiDB CLI.
- TELNET allows Telnet connections to the FortiDB CLI. Telnet connections are not secure, and can be intercepted by a third party.


4. Select the Save button to save the interface settings.

To configure DNS using the web UI

You can configure primary and secondary DNS servers to provide the name resolution required by FortiDB features.

1. Go to System > Network Setting, and then click the DNS tab.

2. Enter an IP address for a primary and secondary DNS server.

3. To save and apply the DNS settings, click the Apply button.

To configure static routes using the web UI

To forward packets from FortiDB to the default gateway through a specified interface, you add a default static route entry.

For example, to allow FortiDB to access the Internet from your private subnet, add a static route with a destination address of 0.0.0.0/0.0.0.0 and specify the gateway address to forward the packets to.

1. Go to System > Router.

The Static Route page displays the current static routes configuration:

Destination IP/Netmask: The destination IP address and netmask of packets that FortiDB sends.
Gateway: The IP address of the router to which FortiDB forwards packets.
Interface: The name of the FortiDB interface through which intercepted packets are received and sent.
Modify: Click the edit icon to change the route settings. Click the delete icon to delete the route.

2. Click Add, and then configure the following options:

Destination IP/Netmask: Enter the destination IP address and netmask of packets that FortiDB intercepts. Enter 0.0.0.0/0.0.0.0 to specify any and all destinations.
Gateway: Enter the IP address of the next-hop router that FortiDB routes traffic to.
Interface: Select the FortiDB network interface for incoming and outgoing packet traffic.

3. Click Save.

Configuring network settings using the CLI

For details about each command, see Overview of commands on page 264.

1. To set the IP address and netmask of a network interface, execute the following command:


    config system interface
        edit {port1 | port2 | port3 | port4}
            set ip <ip_address> <netmask>
            set allowaccess {http https ping ssh telnet}
        end

where:

- {port1 | port2 | port3 | port4} is the network interface
- <ip_address> is the interface IP address
- <netmask> is the interface netmask
- {http https ping ssh telnet} specifies the types of administrative access that are permitted

For example:

    config system interface
        edit port1
            set ip 192.168.100.159 255.255.255.0
            set allowaccess ping https ssh
        end

2. To set the DNS servers, execute the following command. The secondary DNS server is optional:

    config system dns
        set primary <dns_server_ip>
        set secondary <dns_server_ip>
    end

where <dns_server_ip> is the IP address of the primary or secondary DNS server.

For example:

    config system dns
        set primary 65.39.139.52
        set secondary 65.39.139.62
    end

3. To create a static route, execute the following command:

    config system route
        edit <seq_num>
            set device <port>
            set gateway <gateway_ip>
        end

where:

- <seq_num> is an unused routing sequence number (numbering starts at 1)
- <port> is the port for this route
- <gateway_ip> is the default gateway IP address for the network

For example:

    config system route
        edit 1
            set device port1
            set gateway 172.30.62.254
        end
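The following Python script is an added example, not FortiDB code: it parses configuration text in the CLI form shown above (a constructed sample is embedded), reports interfaces whose allowaccess setting includes the Telnet or HTTP access types that the handbook describes as unencrypted, and checks that each static route names a configured port and a valid gateway address.

```python
import ipaddress
import re

# Constructed sample in the CLI syntax shown above; the telnet entry on
# port1 is deliberate so that the audit has something to report.
SAMPLE_CONFIG = """
config system interface
    edit port1
        set ip 192.168.100.159 255.255.255.0
        set allowaccess ping https ssh telnet
    end
    edit port2
        set ip 10.0.0.5 255.255.255.0
        set allowaccess ssh
    end
config system route
    edit 1
        set device port1
        set gateway 172.30.62.254
    end
"""

# Access types the handbook describes as unencrypted and interceptable.
INSECURE_ACCESS = {"telnet", "http"}


def parse_config(text):
    """Parse 'config system <table> / edit <name> / set <key> <values> / end'
    blocks into {table: {entry: {key: [values]}}}."""
    tables = {}
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"config system (\w+)$", line)
        if m:
            table = tables.setdefault(m.group(1), {})
            entry = None
            continue
        m = re.match(r"edit (\S+)$", line)
        if m and table is not None:
            entry = table.setdefault(m.group(1), {})
            continue
        m = re.match(r"set (\w+) (.+)$", line)
        if m and entry is not None:
            entry[m.group(1)] = m.group(2).split()
            continue
        if line == "end":
            entry = None  # closes the current edit block
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return tables


def audit_interfaces(tables):
    """Return [(port, [insecure types])] for interfaces that allow
    telnet or http administrative access."""
    findings = []
    for port, settings in sorted(tables.get("interface", {}).items()):
        bad = sorted(set(settings.get("allowaccess", [])) & INSECURE_ACCESS)
        if bad:
            findings.append((port, bad))
    return findings


def validate_routes(tables):
    """Return [(seq, device, gateway)] after checking that each route's
    device is a configured port and its gateway is a valid IPv4 address."""
    interfaces = tables.get("interface", {})
    routes = []
    for seq, settings in sorted(tables.get("route", {}).items(),
                                key=lambda kv: int(kv[0])):
        device = settings.get("device", [""])[0]
        gateway = settings.get("gateway", [""])[0]
        if device not in interfaces:
            raise ValueError(f"route {seq}: {device!r} is not a configured interface")
        ipaddress.IPv4Address(gateway)  # raises AddressValueError if malformed
        routes.append((int(seq), device, gateway))
    return routes


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for port, bad in audit_interfaces(cfg):
        print(f"{port}: insecure administrative access enabled: {', '.join(bad)}")
    for seq, device, gw in validate_routes(cfg):
        print(f"static route {seq}: next hop {gw} via {device}")
```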


Backups

A configuration backup file allows you to reset FortiDB to its default configuration, if required.

When you update the firmware image, FortiDB keeps existing data and configuration. However, Fortinet recommends that you back up all FortiDB data and configuration settings before you upgrade. The backup operation safeguards data and configuration settings in case power is lost during the upgrade.

You should also back up the configuration before you use the execute format disk CLI command, which resets all device settings and configuration and deletes log data on the hard drive.

Always back up the configuration before installing firmware or when you reset FortiDB to factory defaults.

To back up your configuration settings using the CLI

Backing up data and the current configuration using the CLI requires an FTP server.

1. Log into the CLI.

For more information, see Connecting to the web UI and CLI on page 49.

2. Enter the following command to back up your local database, system-configuration settings, archives and reports:

    execute backup all-settings <ftp server> <filepath> <username> <password> [cryptpasswd]

For details on this command, see execute backup all-settings on page 278.

3. After successfully backing up your configuration files from the CLI, proceed with upgrading FortiDB firmware.

To restore your configuration settings using the CLI

The following steps restore your FortiDB configuration settings using the CLI.

1. Log into the CLI.

2. Enter the following command to copy the backup configuration settings to restore the file on the FortiDB unit:

    execute restore all-settings <ftp server> <filepath> <username> <password> [cryptpasswd]

This operation replaces your current settings and requires you to reboot FortiDB. For details about backup and restore using the CLI, see execute backup all-settings on page 278 and execute restore all-settings on page 286.

Use the show shell command to verify your settings are restored, or log into the web-based manager.


Administrators

The Administrators page allows you to add, delete, enable and disable FortiDB administration users. You can display administrators by role using the View By Role dropdown list.

<selection check box>: Selects an administrator to modify or delete. Select the column heading to select all administrators.

<status>: (enabled icon) indicates an enabled administrator. An administrator who has the Security Administrator role can enable an account at any time. (disabled icon) indicates a disabled administrator. An administrator who has the Security Administrator role can disable an account at any time. (locked icon) indicates a locked administrator account. FortiDB locks out an account after unsuccessful login attempts.

User Name: The FortiDB user name for the administrator.

First Name: The user's first name.

Last Name: The user's last name.

Email Address: The user's email address.

To add or modify an administrator

When you add FortiDB administrators, you assign them one or more roles. The built-in FortiDB roles determine which FortiDB operations the administrator can perform.

1. Go to Administration > Administrators.

2. Do one of the following:

- To create an administrator, click Add.
- To edit the settings for an existing administrator, click the appropriate user name.

3. On the General tab, for User Authentication Type, select one of the following options:

Normal: Specifies an administrator that FortiDB authenticates using the password in the administrator settings.

LDAP: Specifies an administrator that FortiDB authenticates by connecting to the LDAP server specified in Global Configuration.

4. Complete or edit the remaining General tab settings as required. Settings marked with an asterisk (*) are mandatory.

5. If you are creating a new user and do not want the administrator to be able to log in after you save its settings, select Set user status as "disabled" immediately.


To disable an existing user, on the Administrators page, select the check box to the left of the administrator, and then click Disable.

6. Click the Roles tab, and then, in the Available Roles list, select one or more items. Click >> (right arrows) to add the selected items to the Assigned Roles list. To unassign roles, select the role in the Assigned Roles list and click << (left arrows).

For a description of the roles, see Configuring permissions on page 61.

7. Click the Targets tab, and then do one of the following:

- Select Manage All Targets.
- Select Manage Limited Targets, select one or more of the items in the Available Targets list, and then click >> (right arrows) to add the selected items to the Assigned Targets list. To unassign targets, select the target in the Assigned Targets list and click << (left arrows).

The targets that an administrator can manage also depend on its role. For example, to edit any target, an administrator requires the Target Manager role.

8. Click Save.

See also

- Configuring permissions
- Privileges by license type (software-only FortiDB)
- Viewing and exporting an administrator report

Configuring permissions

The FortiDB roles allow you to assign privileges to administrators. For information on assigning roles to administrators, see To add or modify an administrator on page 60.

If you are using the software-only version of FortiDB, the privileges that are available depend on the FortiDB license. For more information, see Privileges by license type (software-only FortiDB) on page 63.


Administrator privileges by role

Operations Manager:
- Review target-database connection information
- Review target group connection information
- View pre-defined policies and user-defined policies
- View DAM Policies (Data, Metadata, Privilege, PCI, SOX, and HIPAA policies)
- Create, modify, delete, and run assessments
- Start/Stop monitoring
- View DAM Alerts
- Read results of FortiDB-shipped reports
- Read results of Custom reports
- Perform penetration tests
- View the Privilege Summary

Policy Manager:
- Import/export and enable/disable pre-defined policies for VA
- Import/export and enable/disable Metadata, Privilege, PCI, SOX, and HIPAA policies for DAM
- Import/export and enable/disable user-defined policies for VA and Data Policies for DAM
- Add policy groups for VA and DAM
- Create, modify and delete user-defined policies for VA and Data Policies for DAM

Report Manager:
- Review target-database connection information
- Review target group connection information
- Review Assessment settings
- Read results of FortiDB-shipped reports
- Generate DAM PCI, SOX, and HIPAA compliance reports
- Read results of Custom reports
- View the Privilege Summary

Security Administrator:
- Create, modify, delete, and enable/disable FortiDB users
- Configure and modify user-role assignments
- View the Entitlement report


System Administrator:
- Import/export and enable/disable pre-defined policies
- Import/export and enable/disable user-defined policies
- Archive and restore assessment results
- Change system properties
- Enable/View Audit trail

Target Manager:
- Create, modify, delete, and import/export connections to target databases
- Create, modify, and delete target groups
- Perform Auto Discovery of target databases
- Review Assessment settings
- Review the Privilege Summary

See also

- Administrators
- Privileges by license type (software-only FortiDB)
- Viewing and exporting an administrator report

Privileges by license type (software-only FortiDB)

For the software-only version of FortiDB, the type of license that you use determines which privileges are available.

Privileges by license type

VA Only:
- Policy Manager: View/Modify VA policies
- Operations Manager: Create, modify, delete, and run assessments
- Report Manager: Generate VA reports
- Target Manager: All privileges for this role enabled
- System Administrator: All privileges for this role enabled
- Security Administrator: All privileges for this role enabled


DAM Only:
- Policy Manager: View/Modify DAM policies
- Operations Manager: Start/stop monitoring, view DAM Alerts, view/edit DAM Alert Groups
- Report Manager: Generate DAM reports
- Target Manager: All privileges for this role enabled
- System Administrator: All privileges for this role enabled
- Security Administrator: All privileges for this role enabled

VA and DAM:
- All privileges for the different roles enabled

See also

- Administrators
- Configuring permissions
- Viewing and exporting an administrator report

Viewing and exporting an administrator report

The Entitlement Report tab displays all FortiDB administrators, their account status, and their roles.

To sort the entitlement report, click any column header. The header is used as your sort key. For example, to sort by status value, click Status. The sorted result is preserved when you export a report.

To export the entitlement report as a PDF, Excel, comma-delimited, or tab-delimited file, for Export as, select a format and then click Export.

Entitlement Report tab

Status: (enabled icon) indicates an enabled administrator; (disabled icon) indicates a disabled administrator; (locked icon) indicates a locked administrator.

Username: Displays the user name from the Administrator tab.

First Name: Displays the first name from the Administrator tab.


Last Name: Displays the last name from the Administrator tab.

Other: Displays other information specified for the administrator.

System Administrator role: (assigned icon) indicates that the user is assigned the role; (not assigned icon) indicates that the user is not assigned the role.

Security Administrator role: (assigned icon) indicates that the user is assigned the Security Administrator role; (not assigned icon) indicates that the user is not assigned the Security Administrator role.

Target Manager role: (assigned icon) indicates that the user is assigned the role; (not assigned icon) indicates that the user is not assigned the role.

Policy Manager role: (assigned icon) indicates the user has the Policy Manager role; (not assigned icon) indicates the user does not have the Policy Manager role.

Operations Manager role: (assigned icon) indicates the user has the Operations Manager role; (not assigned icon) indicates the user does not have the Operations Manager role.

Report Manager role: (assigned icon) indicates the user has the Report Manager role; (not assigned icon) indicates the user does not have the Report Manager role.

See also

- Administrators
- Configuring permissions
- Privileges by license type (software-only FortiDB)


FortiMonitor administrator

You can configure FortiDB to collect audit and alert data for FortiMonitor and transmit it via SSH File Transfer Protocol (SFTP).

To enable FortiMonitor integration with FortiDB, create a FortiDB administrator with the name fortisiem.

Ensure that the fortisiem administrator password and the FortiMonitor password that the FortiDB FTP server uses are the same.

By default, FortiMonitor uses the password fortidb1!$ for the FortiDB FTP server.

Because FortiDB ignores any settings for this administrator other than the name and password, you can enter any value for the other mandatory administrator settings.

For information on additional FortiMonitor settings for FortiDB, see config system mapping on page 273.


Advanced/optional system settings

System information and settings

The System Information page displays basic information and settings for the FortiDB appliance, including the setting that allows you to view and change the FortiDB host name.

The Global Configuration page allows you to change general assessment and monitoring settings. For example, you can specify settings that are used for any assessment that FortiDB performs.

See also

- System information and settings
- Changing the FortiDB host name
- Global configuration

System information and settings

The System Information page displays basic information and settings for the FortiDB appliance. FortiDB administrators have access profiles that permit read and write access for maintenance tasks and for changing the FortiDB firmware.

Host Name: The host name of FortiDB. For details on changing the name, see Changing the FortiDB host name on page 68.

Firmware Version: The version of the firmware installed on the FortiDB unit. Click Update to upload a new version of the firmware. For details on updating the firmware, see Updating the firmware on page 49.

Serial Number: The serial number of the FortiDB unit. The serial number is specific to the FortiDB unit and does not change with firmware upgrades. Use this number to register your FortiDB appliance with Fortinet.

System Time: The current time according to the FortiDB internal clock. Click Change to change the time. For details on changing the time, see Setting the system time on page 54.

Uptime: The time in days, hours, and minutes since the FortiDB was last started or rebooted.

Hard Disk RAID: The RAID information. Check your hardware specification for RAID support. For RAID creation and information, see config system raid on page 275.


Changing the FortiDB host name

1. In the navigation menu, go to System > System Information.

2. Under System Information, in the Host Name information, click Change.

The Edit Host Name dialog box is displayed.

3. In the Host Name field, enter the new host name.

4. Click OK.

The new host name is displayed in the Host Name field.

See also

- System information and settings

Global configuration

The Global Configuration page allows you to change FortiDB system property values using the following tabs. To make changes to the global properties, log in as an administrator who is assigned the System Administrator role.

All: Displays properties as read-only. Select a tab to add or change property values.

Assessment: Properties related to assessment.

Notification: Properties related to Email, SNMP and Syslog.

Reporting: Properties related to report generation.

User profile/Security: Properties related to user profile and security.

Target: Properties for additional JDBC settings for each database type.

LDAP Server: Properties related to the LDAP server for user authentication.

Monitor: A property that specifies the number of records that each SOX Audit File contains.

To restore the default values of global properties, on the appropriate tab, select one or more items using their checkbox, and then click Restore Default(s).


You cannot restore default values for the properties on the LDAP and Monitor tabs.

See also

- Assessment properties
- Notification properties
- Reporting properties
- User Profile/Security properties
- Target properties
- LDAP Server properties
- Monitor properties

Assessment properties

Enable Localhost Auto Discovery (default: false)
Enables FortiDB to run auto discovery on the machine where the FortiDB application resides. Valid values are true or false.

Number of Concurrent Assessments (default: 5)
Total number of assessments which can run simultaneously. The optimum value of this parameter depends on your environment, but tuning this parameter affects assessment performance and CPU usage by FortiDB.
Note: Assuming that each assessment has at least one target database, the value of Number of Concurrent Assessments can never exceed the Number of Concurrent Target Assessments value.


Number of Concurrent Target Assessments (default: 20)
Total number of target databases that can be assessed simultaneously during assessments. The optimum value of Number of Concurrent Target Assessments depends on your environment, but tuning this parameter affects assessment performance and CPU usage by FortiDB.
Note: Assuming that each assessment has at least one target database, the value of Number of Concurrent Assessments can never exceed the Number of Concurrent Target Assessments value.

SSH Key File (appliance version)
For Oracle OSVA and DB2 databases only, the file that contains the private key used for all SSH connections. Click Browse to select your SSH key file, and then click Save. You can upload an RSA or DSA private key file type. If you upload a key file and a key file already exists in the appliance, FortiDB replaces the old key with the new key. Uploaded key files are renamed id_rsa or id_dsa, depending on the type of key that was uploaded.
Warning: If you click Restore Default(s) and then the Save button, FortiDB deletes your key file. Please keep a copy of the file in a safe place.

MSSQL Server Level Exclusions (default: model,tempdb,pubs,msdb,Northwind)
A comma-separated list of databases that FortiDB does not scan when it performs a Server Level scan of a Microsoft SQL database.

Sybase Server Level Exclusions (default: model, tempdb, pubs2, pubs3, jpubs, sybsyntax, sybsecurity, sybsystemdb, sybsystemprocs)
A comma-separated list of databases that FortiDB does not scan when it performs a Server Level scan of a Sybase database.


Enable Pen Test (default: false)
When set to true, the penetration test (pentest) capability is enabled. When set to false, the pentest capability is disabled. For more information on penetration tests, see Penetration tests on page 137.

Enable Pen Test For All Users in Database (software-only version) (default: true)
Specifies whether FortiDB uses the user names in <dbtype>user.txt. For more information on the file, see Files used for penetration tests on page 138.

Pen Test Method (default: 3 (hybrid))
Specifies the method that FortiDB uses to connect to databases to perform penetration tests (pentests).
Caution: If the penetration test login attempts are unsuccessful, the database may prevent any users, including valid users, from logging in.
Valid values are:
- 1 - FortiDB logs in to your target databases to perform pentests (login method).
- 2 - FortiDB uses the hash-based method. A 'hash' is the value obtained after encrypting a clear-text string.
- 3 - FortiDB attempts the best available method. FortiDB uses the hash-based method if it is available.
For more information on these methods, see Connection options for penetration tests on page 137.


Pen Test Password Dictionary
Specifies either the default password dictionary or a file that contains the passwords to check when the penetration test uses the Dictionary policy. Click Choose File to select your dictionary file, and then click the Save button to complete your selection. FortiDB does not display the name of the uploaded file.
To restore the default dictionary, select the Pen Test Password Dictionary item, click Restore Default(s), and then click Save. Your dictionary file is deleted.
Note: When you restore the default dictionary by checking the checkbox, selecting Restore Default(s) and then Save, FortiDB deletes your dictionary file.
For more information on the password dictionary file, see Files used for penetration tests on page 138.

See also

- Auto-discovery
- Adding or modifying assessments
- Configuring SSH connections to Oracle and DB2 databases
- Adding (or modifying) a target connection
- Penetration tests

Notification properties

Email Server Host Name (default: <no value>)
The SMTP email server hostname or IP address. If no value is specified, FortiDB does not send email notifications.

Email Server Port (default: 25)
The server port number associated with Email Server Host Name.


Email Server User Name (default: -)
The user name associated with Email Server Host Name. The user name and password are required if the email server requires authentication to send email.

Email Server Password (default: -)
The password associated with Email Server Host Name. The user name and password are required if the email server requires authentication to send email.

SNMP Community String (default: public)
The SNMP community name.

SNMP Receiver Host (default: -)
The SNMP receiver host name. If no value is specified, FortiDB cannot send SNMP-trap notifications.

SNMP Receiver Port (default: 162)
The SNMP receiver port number.

Syslog Receiver Host (default: -)
The Syslog receiver host name or IP address. If no value is specified, FortiDB cannot send Syslog notifications.

Syslog Receiver Port (default: 514)
The Syslog receiver port number.

ArcSight Syslog Receiver Host (default: partner.arcsight.com)
The ArcSight Syslog receiver host name or IP address.

ArcSight Syslog Receiver Port (default: 514)
The ArcSight Syslog receiver port number.

From Address (default: -)
The email address FortiDB uses in the 'From' field in email notification.

See also

- Sending alert notifications


Reporting properties

Company Name (default: Fortinet)
The company name to display on VA reports.

Company Logo (default: -)
An image file that is included in the layout of generated reports. Click Choose File to select the image file, and then click Save. FortiDB places the image file that you select in <FortiDB-install directory>/conf/reportlogo.

DAM Report Encoding (default: UTF-8)
The character encoding that FortiDB uses when it generates DAM reports.

See also

- Reports

User Profile/Security properties

Idle Account Expiration (default: -1)
The number of days an administrator account can be inactive before FortiDB locks the account. When the value is -1 (the default), FortiDB does not lock administrator accounts because of inactivity. This expiry mechanism does not apply to the admin account. An administrator that is assigned the Security Administrator role can unlock an expired account.


Max Number of Failed Login Attempts (default: -1)
The number of login attempts FortiDB allows before it locks an administrator account. When the value is -1 (the default), FortiDB allows an unlimited number of login attempts. This limitation does not apply to the admin account.

Days Until Password Expiration (default: -1)
The number of days that a password remains valid. After the password expires, administrators are required to change their password. FortiDB displays messages to warn administrators that their password is going to expire. When the value is -1 (the default), passwords do not expire.

Minimum Password Length (default: -1)
The minimum length of an administrator password. When the value is -1 (the default), passwords can be any length. To be valid, passwords are required to have the minimum number of characters and satisfy all other rules for passwords. For more information, see Changing the “admin” account password on page 53.

Enable Local Audit Trail (default: false)
When the value is true, the FortiDB local audit trail is enabled. When the value is false, the local audit trail is disabled. For more information on the local audit trail, see Local audit trail on page 230.
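As an added example (not FortiDB's implementation), the Python code below applies the rules stated in these property descriptions to constructed administrator records: -1 turns a rule off, the admin account is exempt from the failed-login limit and from idle-account locking, and an expired password is reported separately. Counting consecutive failures, and locking on the first failure beyond the limit, are assumptions, since the text does not say how attempts are counted.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class SecurityProperties:
    """User Profile/Security tab values; -1 switches a rule off, as on the page."""
    idle_account_expiration_days: int = -1
    max_failed_login_attempts: int = -1
    days_until_password_expiration: int = -1


@dataclass
class AdminAccount:
    username: str
    last_login: date
    consecutive_failed_logins: int  # assumption: the limit counts consecutive failures
    password_set_on: date


def account_status(acct, props, today):
    """Return 'locked', 'password-expired' or 'ok' for one account.

    The built-in admin account is exempt from both the failed-login limit and
    idle-account locking; -1 disables the corresponding rule. Treating the
    limit as the number of failures tolerated (the next failure locks) is an
    assumption."""
    if acct.username != "admin":
        if (props.max_failed_login_attempts != -1
                and acct.consecutive_failed_logins > props.max_failed_login_attempts):
            return "locked"
        idle_days = (today - acct.last_login).days
        if (props.idle_account_expiration_days != -1
                and idle_days > props.idle_account_expiration_days):
            return "locked"
    password_age = (today - acct.password_set_on).days
    if (props.days_until_password_expiration != -1
            and password_age > props.days_until_password_expiration):
        return "password-expired"
    return "ok"


def review_accounts(accounts, props, today):
    """Map each user name to its status under the given properties."""
    return {a.username: account_status(a, props, today) for a in accounts}


# Constructed sample accounts and evaluation date.
TODAY = date(2017, 3, 17)
SAMPLE_ACCOUNTS = [
    AdminAccount("admin", date(2017, 1, 1), 10, date(2016, 12, 1)),   # exempt
    AdminAccount("alice", date(2016, 11, 1), 0, date(2017, 1, 15)),   # idle 136 days
    AdminAccount("bob", date(2017, 3, 15), 6, date(2017, 1, 15)),     # 6 failures
    AdminAccount("carol", date(2017, 3, 10), 2, date(2016, 6, 1)),    # old password
    AdminAccount("dave", date(2017, 3, 16), 1, date(2017, 2, 1)),
]
# Constructed hardened values; the shipped defaults are all -1.
HARDENED = SecurityProperties(idle_account_expiration_days=90,
                              max_failed_login_attempts=5,
                              days_until_password_expiration=180)

if __name__ == "__main__":
    for user, status in review_accounts(SAMPLE_ACCOUNTS, HARDENED, TODAY).items():
        print(f"{user}: {status}")
```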

See also

- Administrators
- Local audit trail

Target properties

FortiDB uses JDBC to connect to target databases. You can configure the JDBC settings for a target using the Target page General tab. (For more information, see Adding (or modifying) a target connection on page 107.)


If you do not specify JDBC settings on the General tab, FortiDB uses the values of the following properties:

Additional Oracle JDBC Settings
A list of one or more key-value pairs to use for Oracle database connections. Use a semicolon to separate list entries.

Additional SQL Server JDBC Settings
A list of one or more key-value pairs to use for Microsoft SQL database connections. Use a semicolon to separate list entries.
If you use NTLM version 2 authentication, in the list, enter useNTLMv2=true.
In some cases, for Microsoft SQL server, ForceEncryption is set to No. To force the server to use SSL encryption, in the list, enter SSL=require.

Additional Sybase JDBC Settings
Enter one or more additional key-value pairs to use for Sybase database connections. Use a semicolon to separate list entries.
To use a Sybase Encrypted Password connection (in Sybase server, set net password encryption reqd to 1 or 2), enter:

    ENCRYPT_PASSWORD=true;RETRY_WITH_NO_ENCRYPTION=true;JCE_PROVIDER_CLASS=org.bouncycastle.jce.provider.BouncyCastleProvider

To support an SSL-encrypted connection to the Sybase database, enter the following:

    SYBSOCKET_FACTORY=com.fortinet.fortidb.target.internal.connection.SybaseSSL

Note: Database activity monitoring (DAM) using the TCP/IP sniffer is not available when FortiDB connects to Sybase using SSL.

Additional DB2 JDBC Settings
A list of one or more key-value pairs for DB2 database connections. Use a semicolon to separate list entries.

Additional MySQL JDBC Settings
A list of one or more additional key-value pairs for MySQL database connections. Use a semicolon to separate list entries.
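An added Python example, not FortiDB's own code, that parses the semicolon-separated key-value lists described above and applies the fallback rule from the text: a target's General-tab settings are used when present, otherwise the global property for that database type. The global strings are the ones given above; the target records and the monitoring parameter are constructed for illustration.

```python
# Global Configuration values for the Target tab. The SQL Server and Sybase
# strings are the ones the handbook gives; the others are left empty here.
GLOBAL_JDBC_SETTINGS = {
    "sqlserver": "useNTLMv2=true;SSL=require",
    "sybase": ("ENCRYPT_PASSWORD=true;RETRY_WITH_NO_ENCRYPTION=true;"
               "JCE_PROVIDER_CLASS=org.bouncycastle.jce.provider.BouncyCastleProvider"),
    "oracle": "",
    "db2": "",
    "mysql": "",
}

SYBASE_SSL_FACTORY = "com.fortinet.fortidb.target.internal.connection.SybaseSSL"


def parse_jdbc_settings(text):
    """Split 'key=value;key=value' into a dict; blank entries are ignored."""
    settings = {}
    for entry in (text or "").split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" not in entry:
            raise ValueError(f"JDBC setting without '=': {entry!r}")
        key, value = entry.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def effective_settings(db_type, target_settings):
    """Values on the target's General tab win; the global property is used
    only when the target specifies nothing (the rule stated above)."""
    if target_settings and target_settings.strip():
        return parse_jdbc_settings(target_settings)
    return parse_jdbc_settings(GLOBAL_JDBC_SETTINGS.get(db_type, ""))


def review_target(db_type, target_settings, monitoring="native"):
    """Return (effective settings, notes) for one target connection.
    'monitoring' is a constructed parameter: "native" or "sniffer"."""
    s = effective_settings(db_type, target_settings)
    notes = []
    if db_type == "sqlserver" and s.get("SSL", "").lower() != "require":
        notes.append("SSL=require not set; connection may be unencrypted "
                     "when the server's ForceEncryption is No")
    if db_type == "sybase":
        if s.get("ENCRYPT_PASSWORD", "").lower() != "true":
            notes.append("ENCRYPT_PASSWORD=true not set; password encryption not requested")
        if s.get("SYBSOCKET_FACTORY") == SYBASE_SSL_FACTORY and monitoring == "sniffer":
            notes.append("TCP/IP sniffer DAM is not available over a Sybase SSL connection")
    return s, notes


if __name__ == "__main__":
    # Constructed targets: (name, db type, General-tab settings, monitoring method)
    targets = [
        ("mssql-prod", "sqlserver", "", "native"),
        ("mssql-legacy", "sqlserver", "useNTLMv2=true", "native"),
        ("syb-ssl", "sybase", "SYBSOCKET_FACTORY=" + SYBASE_SSL_FACTORY, "sniffer"),
    ]
    for name, db_type, own, monitoring in targets:
        settings, notes = review_target(db_type, own, monitoring)
        print(name, settings, notes)
```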

See also

- Adding (or modifying) a target connection


LDAP Server properties

The LDAP Server properties specify the server that authenticates FortiDB administrators when User Authentication Type is LDAP. Click Test Connection to test the LDAP server configuration.

Server Name/IP (default: -)
LDAP server name or IP address.

Port (default: 389)
LDAP server port.

Common Name Identifier
Name of the user identifier in the LDAP user path. For example, if the path to the user is cn=username,ou=dept,dc=com, enter cn. If the user path is un=username,ou=dept,dc=com, enter un.

Distinguished Name
Distinguished name of the LDAP user, which identifies its unique path. For example, if the path to the user is cn=username,ou=dept,dc=com, enter ou=dept,dc=com.

Bind Type (default: Simple)
LDAP authentication type. Valid values are none or Simple.

Use Secure Connection(SSL) (default: False)
Use SSL for a secure connection. Valid values are True or False.
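Added example (not FortiDB code): building the user DN that the Common Name Identifier and Distinguished Name properties describe (cn=username,ou=dept,dc=com) with the RFC 4514 escaping that keeps a login name containing commas or equals signs from changing the DN's structure. The helper ldap_server_url and the host name in the main block are assumptions for illustration.

```python
# Characters that RFC 4514 requires to be backslash-escaped inside an RDN value.
_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value):
    """Escape a user-supplied value for use as an RDN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' only
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space only
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def user_dn(common_name_identifier, username, distinguished_name):
    """Combine the two properties with the login name into the user's DN,
    for example cn=username,ou=dept,dc=com."""
    if not common_name_identifier or not distinguished_name:
        raise ValueError("Common Name Identifier and Distinguished Name are required")
    return f"{common_name_identifier}={escape_rdn_value(username)},{distinguished_name}"


def ldap_server_url(server, port, use_ssl):
    """URL form of Server Name/IP, Port and Use Secure Connection(SSL)
    (a constructed helper; FortiDB does not expose such a URL)."""
    scheme = "ldaps" if use_ssl else "ldap"
    return f"{scheme}://{server}:{int(port)}"


if __name__ == "__main__":
    print(user_dn("cn", "alice", "ou=dept,dc=com"))
    print(user_dn("cn", "alice,ou=admins", "ou=dept,dc=com"))  # separators escaped
    print(ldap_server_url("ldap.example.test", 389, False))    # constructed host
```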

See also

- Administrators

Monitor properties

Records contained by single Compliance Audit File (default: 400000)
The number of records that each Compliance Audit File contains. Enter a value between 100,000 and 400,000.


See also

- SOX audit


Connecting to target databases

Pre-configuration for monitoring target databases

To allow FortiDB to assess and monitor your databases, you first pre-configure the target database, and then configure the connection between FortiDB and the database. FortiDB can also look for databases on the network automatically.

See also

- Pre-configuration for monitoring target databases
- Privileges required by the FortiDB database user
- Adding (or modifying) a target connection
- Managing target groups
- Auto-discovery

Pre-configuration for monitoring target databases

The pre-configuration that is required for target databases is determined by the type of database and the method that FortiDB uses for monitoring.

See also

- Network requirements for monitoring using the TCP/IP sniffer
- Oracle target database pre-configuration
- Microsoft SQL Server target database pre-configuration
- Sybase target database pre-configuration
- DB2 target database pre-configuration
- MySQL target database pre-configuration

Network requirements for monitoring using the TCP/IP sniffer

For more information about the TCP/IP sniffer, see Tutorial: Monitoring a database table using the TCP/IP sniffer on page 23.

- Your target database and its clients connect via TCP/IP protocols.
- Both FortiDB and the target databases are connected to the same switch. FortiDB is connected to the switch's mirroring (SPAN) port. For example:
  - port1 on FortiDB and the machines of FortiDB administrators are connected to a LAN, which is also the LAN that the target databases use for management connections.
  - port2 on FortiDB is connected to the switch's mirror port, where it receives copies of all network traffic associated with the target databases.

See also

- Configuring monitoring using the TCP/IP sniffer (all database types)


Oracle target database pre-configuration

Required privileges for monitoring or auditing Oracle databases

To prepare for database monitoring, ensure the FortiDB database user has the following privileges:

Policy type: Data

Required privileges for the DB, EXTENDED and XML File Agent collection methods:
- CREATE SESSION
- SELECT_CATALOG_ROLE
- DELETE_CATALOG_ROLE
- AUDIT ANY
- AUDIT SYSTEM
- SELECT on SYS.AUD$
- SELECT on the monitored tables, or SELECT ANY TABLE

Required privileges for the TCP/IP Sniffer collection method (needed to browse the database when defining a data policy):
- CREATE SESSION
- SELECT_CATALOG_ROLE
- SELECT on the monitored tables, or SELECT ANY TABLE

Policy type: Privilege

Required privileges:
- CREATE SESSION
- SELECT_CATALOG_ROLE
- DELETE_CATALOG_ROLE
- AUDIT SYSTEM

Policy type: Metadata

Required privileges:
- CREATE SESSION
- SELECT_CATALOG_ROLE

For activity auditing:
- CREATE SESSION
- AUDIT SYSTEM
- SELECT_CATALOG_ROLE

To grant privileges to your database user, use a GRANT statement. For example:

GRANT SELECT_CATALOG_ROLE TO username
GRANT DELETE_CATALOG_ROLE TO username

See also

- Configuring an Oracle database for PCI, SOX, and HIPAA policies
- Enabling FortiDB to delete audit records
- Oracle XML file agent installation and configuration (UNIX, Windows, AIX)
- Adding (or modifying) a target connection
- Configuring Oracle monitoring

Configuring an Oracle database for PCI, SOX, and HIPAA policies

Regulatory compliance policies capture all types of activities and store the data in FortiDB's repository. In some cases, this information does not appear in alerts as expected. To avoid this problem, you can execute "create trigger" commands. The logon trigger below records each session's client program and host as the session's client identifier (through dbms_session.set_identifier), so that this information is available to the policies.

1. On your Oracle target database, add a file that contains the following script:

CREATE OR REPLACE TRIGGER FORTIDB_get_application
AFTER LOGON ON DATABASE
WHEN (user != 'SYS')
DECLARE
  l_program  VARCHAR2(50);
  l_computer VARCHAR2(50);
BEGIN
  -- v$session exposes the client host name in the MACHINE column
  SELECT substr(program, 1, 43), substr(machine, 1, 20)
    INTO l_program, l_computer
    FROM v$session
   WHERE audsid = sys_context('USERENV', 'SESSIONID');
  dbms_session.set_identifier(l_program || ':' || l_computer);
EXCEPTION
  -- never block a logon because the trigger failed
  WHEN OTHERS THEN ROLLBACK;
END;
/

2. Log into your Oracle instance as sys as sysdba.

3. Execute the file.

See also

- PCI, SOX, and HIPAA alert policies

Enabling FortiDB to delete audit records

To delete audit records from the SYS.AUD$ table, the FortiDB database user requires DELETE privileges on the SYS.AUD$ table.

Because SYS.AUD$ contains all audit records, when FortiDB deletes audit records, it deletes all audit records, not only the audit records generated for FortiDB monitoring. Therefore, grant this privilege to the FortiDB user only if you understand the implications.

Use the following statement to grant the FortiDB user delete privileges on the SYS.AUD$ table:

grant delete on SYS.AUD$ to <username>

For more information on deleting audit records, see Oracle audit management on page 213.

See also

- Adding (or modifying) a target connection


Oracle XML file agent installation and configuration (UNIX, Windows, AIX)

You can use FortiDB's Oracle XML file agent to monitor multiple Oracle databases. When it is active, the agent periodically transmits Oracle's audit log data to FortiDB for further processing.

To configure and run the Oracle XML file agent

1. Obtain login credentials for a user that has read and write access for the Oracle database audit log directories that you want to monitor.

Using the SQL*Plus utility, run show parameters audit_file_dest to view the location of the Oracle database audit directory.

If Oracle is installed on Windows, ensure that the user is a member of the Administrators group. You can remove the user from this group after installation is complete.

2. Ensure that Java Virtual Machine (JVM) 1.6 or greater is installed, the JAVA_HOME environment variable is correctly configured, and that the bin directory is first on the execution path.

3. Complete the Oracle target database pre-configuration. See Oracle target database pre-configuration on page 80.

4. Configure a target that connects to the Oracle database. See Adding (or modifying) a target connection on page 107.

5. As the user with the credentials specified earlier, log in to the machine where the Oracle database is located, and then unpack a copy of the FortiDB Oracle XML file agent installer into a directory.

6. Copy the agent.properties.sample file from the agent's doc directory to the agent's conf directory, and then change the file name to agent.properties.

7. Open the agent.properties file in a text editor and edit the following values:

Parameter: agentType
Description: Enter ORA_XML.
Required: Yes

Parameter: brokerAddress
Description: Enter the IP address or resolvable host name for FortiDB.
Required: Yes

Parameter: brokerPort
Description: Enter the port FortiDB uses to listen for transmissions from the agent. The default value is 9116.
Required: No

Parameter: agentDBAddress
Description: Enter the IP address of the target database. Use the same value that is specified by the target configuration (General tab).
Required: Yes

Parameter: agentDBPort
Description: Enter the listening port on the target database. Use the same value that is specified by the target configuration (General tab).
Required: Yes

Parameter: pollingInterval
Description: Enter a positive integer that specifies the polling interval in milliseconds. For the Oracle XML file agent, the default value is 60000 (60 seconds).
Required: No

Parameter: removeAuditFile
Description: Not used for Oracle databases.
Required: No

8. If Oracle is installed on Windows, do the following:

a. In the agent's bin directory, execute the following command:

fdbagent install

b. In the Windows Services Control Panel, configure the FortiDB Database Monitoring Agent to run using the same login credentials that you used to unpack the FortiDB agent installation file.

9. To start the FortiDB agent, do one of the following:

- For Windows, Linux, or Solaris, in the agent's bin directory, execute the following command:

$ fdbagent start

  To stop the agent, execute the following command:

$ fdbagent stop

- For other platforms (for example, AIX), in the agent's bin directory, execute the following command:

$ nohup ./fdbagentapp &

10. Configure target monitoring for the database where the agent is installed. For detailed instructions, see Configuring Oracle monitoring on page 204.

Monitoring encrypted Oracle traffic

FortiDB can monitor encrypted Oracle database activity using its TCP/IP sniffer.

To make the database’s SSL configuration compatible with FortiDB DAM, ensure that Advanced Security is enabled and generate the security credentials using Oracle Wallet Manager.

In addition, ensure the cipher suite RSA_3DES_EDE_CBC_SHA and one or more of the following cipher suites are enabled in the SSL configuration for the Oracle client:

- AES_256_CBC_SHA
- AES_128_CBC_SHA
- RSA_DES_CBC_SHA
- RSA_RC4_128_SHA
- RSA_RC4_128_MD5

When you configure monitoring using the TCP/IP sniffer, you upload to FortiDB the self-signed certificate that you exported from the Oracle server wallet manager and imported into the wallet manager on the Oracle client machine. Depending on your SSL configuration, the certificate information is stored in PKCS #12 or X.509 format.

See Configuring monitoring using the TCP/IP sniffer (all database types) on page 199.

Using the SYSLOG utility to collect audit data

If required, you can configure the Oracle auditing feature to use the SYSLOG utility to write audit records to the system audit log.

In SQL*Plus, you can use the show parameter audit command to view the current audit option values.

To enable SYSLOG data collection, set the audit options in the following table to the specified values:

Parameter: audit_file_dest
Value: Specify the operating system directory into which the audit trail is written.

Parameter: audit_sys_operations
Value: TRUE

Parameter: audit_syslog_level
Value: LOCAL1.DEBUG

Parameter: audit_trail
Value: OS
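With the settings above, Oracle's audit records arrive on the syslog host as lines of KEY:[length] 'value' fields, and a defender will usually want to read them independently of FortiDB. The following Python is an added example, not part of the handbook: the sample lines are constructed to that layout (an assumption about Oracle's OS audit trail format; compare with your own log before relying on the field names), and the script parses them using the length prefixes and flags failed or unexpected SYSDBA connections and failed logons.

```python
"""Parse Oracle audit records delivered through syslog and flag risky logons.

Added example, not part of the FortiDB handbook. With audit_trail=OS,
audit_sys_operations=TRUE and audit_syslog_level=LOCAL1.DEBUG, Oracle writes
each record as a sequence of KEY:[n] 'value' fields, where n is the length of
the value. The lines below are constructed to that layout (an assumption;
compare with your own audit log before relying on the field names)."""
import re
from typing import Dict, Iterable, List

# Constructed sample lines as a syslog daemon might store them.
SAMPLE_LINES = [
    # SYSDBA connect by the oracle OS user: expected, produces no finding.
    "Mar 17 10:15:02 dbhost Oracle Audit[4021]: LENGTH : '227' ACTION :[7] 'CONNECT' "
    "DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' "
    "CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[10] '1234567890'",
    # SYSDBA connect attempted by another OS user; STATUS carries the ORA error code.
    "Mar 17 10:16:44 dbhost Oracle Audit[4033]: LENGTH : '229' ACTION :[7] 'CONNECT' "
    "DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'jsmith' "
    "CLIENT TERMINAL:[5] 'pts/4' STATUS:[4] '1031' DBID:[10] '1234567890'",
    # Standard audit record for a failed logon (ACTION 100 = LOGON,
    # RETURNCODE 1017 = invalid username/password). The user name contains a
    # quote; the length prefix is what lets us read it correctly.
    "Mar 17 10:17:09 dbhost Oracle Audit[4040]: LENGTH: \"230\" SESSIONID:[7] \"4294967\" "
    "ENTRYID:[1] \"1\" STATEMENT:[1] \"1\" USERID:[7] \"O'BRIEN\" USERHOST:[6] \"dbhost\" "
    "TERMINAL:[5] \"pts/1\" ACTION:[3] \"100\" RETURNCODE:[4] \"1017\" "
    "OS$USERID:[6] \"jsmith\" DBID:[10] \"1234567890\"",
]

# KEY:[n] followed by the opening quote of the value. Keys may contain spaces
# and '$' (CLIENT USER, OS$USERID); SYS records quote with ' and standard
# records with ".
FIELD_RE = re.compile(r"""([A-Z][A-Z$ ]*?)\s*:\s*\[(\d+)\]\s*['"]""")

PRIVILEGED = ("SYSDBA", "SYSOPER")
LOGON_ACTION = "100"


def parse_audit_record(line: str) -> Dict[str, str]:
    """Return the fields of one record as a dict keyed by field name."""
    fields: Dict[str, str] = {}
    pos = 0
    while True:
        match = FIELD_RE.search(line, pos)
        if match is None:
            break
        key, length = match.group(1).strip(), int(match.group(2))
        start = match.end()
        # Read exactly `length` characters instead of scanning for the closing
        # quote, so a quote inside the value cannot truncate it.
        fields[key] = line[start:start + length]
        pos = start + length + 1  # step past the closing quote
    return fields


def review_records(lines: Iterable[str], allowed_os_users: Iterable[str]) -> List[Dict[str, str]]:
    """Return the records worth alerting on, each with an added 'reason' field.

    allowed_os_users: OS accounts expected to connect AS SYSDBA / AS SYSOPER.
    """
    allowed = set(allowed_os_users)
    findings: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_audit_record(line)
        reason = None
        if rec.get("ACTION") == "CONNECT" and rec.get("PRIVILEGE") in PRIVILEGED:
            if rec.get("STATUS") != "0":
                reason = "failed privileged connect"
            elif rec.get("CLIENT USER") not in allowed:
                reason = "privileged connect by unexpected OS user"
        elif rec.get("ACTION") == LOGON_ACTION and rec.get("RETURNCODE") != "0":
            reason = "failed logon"
        if reason is not None:
            findings.append({**rec, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in review_records(SAMPLE_LINES, allowed_os_users=["oracle"]):
        who = finding.get("CLIENT USER") or finding.get("USERID")
        where = finding.get("CLIENT TERMINAL") or finding.get("TERMINAL")
        print(f"{finding['reason']}: {who} from {where}")
```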

MySQL target database pre-configuration

To set the MySQL general log table

1. To add the required parameters to the server configuration file, go to the %MYSQL_HOME directory, open my.cnf (for UNIX) or my.ini (for Windows) in a text editor, and then add the following parameters under [mysqld]:

[mysqld]
general_log=1
log_output=TABLE

2. Restart the MySQL database.

3. To change the definition of the mysql.general_log table, use the following commands to change the storage engine to MyISAM:

mysql> SET GLOBAL general_log = 'OFF';
mysql> ALTER TABLE mysql.general_log ENGINE = MyISAM;
mysql> SET GLOBAL general_log = 'ON';

4. To view the definition of the mysql.general_log table, use the following SQL command:

mysql> show create table mysql.general_log;

The structure of the log table is displayed. For example:

+-------------+------------------------------------------------------------------+
| Table       | Create Table                                                     |
+-------------+------------------------------------------------------------------+
| general_log | CREATE TABLE `general_log` (
  `event_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  `user_host` mediumtext NOT NULL,
  `thread_id` int(11) NOT NULL,
  `server_id` int(11) NOT NULL,
  `command_type` varchar(64) NOT NULL,
  `argument` mediumtext NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='General log' |
+-------------+------------------------------------------------------------------+

5. To verify that the database is logging data, use the following command:

mysql> select * from mysql.general_log;

Logging data is displayed. For example:

+---------------------+------------------------------------+-----------+-----------+--------------+----------------------------------+
| event_time          | user_host                          | thread_id | server_id | command_type | argument                         |
+---------------------+------------------------------------+-----------+-----------+--------------+----------------------------------+
| 2009-07-29 16:44:23 | root[root] @ localhost [127.0.0.1] |         1 |         0 | Connect      | root@localhost on mysql          |
| 2009-07-29 16:44:23 | root[root] @ localhost [127.0.0.1] |         1 |         0 | Query        | select @@version_comment limit 1 |
| 2009-07-29 16:44:37 | root[root] @ localhost [127.0.0.1] |         1 |         0 | Query        | show create table general_log    |
| 2009-07-29 16:45:19 | root[root] @ localhost [127.0.0.1] |         1 |         0 | Query        | set global general_log='OFF'     |
| 2009-07-29 16:46:18 | root[root] @ localhost [127.0.0.1] |         1 |         0 | Query        | select * from mysql.general_log  |
+---------------------+------------------------------------+-----------+-----------+--------------+----------------------------------+
5 rows in set (0.00 sec)

See also

- Configuring MySQL monitoring

Required privileges for monitoring via SQL Trace

The following privileges are required when you monitor a Microsoft SQL Server database using the SQL Trace collection method and privilege and metadata policies.

Policy type: Privileges

Required privileges:
- SELECT on: sys.columns, sys.database_role_members, sys.database_permissions, sysobjects, sys.database_principals, sys.sql_logins
- EXECUTE on: sp_helpsrvrolemember

Policy type: Metadata

Required privileges:
- SELECT on: information_schema.columns, sysindexes, sysobjects, information_schema.routines, sys.objects, sys.sql_modules, information_schema.views

See also

- Adding (or modifying) a target connection
- Configuring Microsoft SQL Server monitoring

Sybase target database pre-configuration

FortiDB's database activity monitoring (DAM) features require you to pre-configure a Sybase target database, but not a Sybase IQ database.

For Sybase IQ databases, FortiDB supports vulnerability assessment only, and not DAM. Therefore, Sybase IQ targets do not require pre-configuration.

Configuring the Sybase audit system and FortiDB database user

To create the sybsecurity database

Execute the following commands. The physname parameter specifies the Sybase data path (in this example, C:\sybase\data\):

disk init name = "auditdev", physname = "C:\sybase\data\sybaud.dat", size = 5120
go
disk init name = "auditlog", physname = "C:\sybase\data\sybaudlog.dat", size = 1024
go
create database sybsecurity on auditdev log on auditlog
go

To install the installsecurity script

The installsecurity SQL script contains all required stored procedures and audit tables.

1. Go to the scripts directory. For example, $SYBASE/ASE-15_0/scripts.

2. Execute the following command:

isql -Usa -P<password> < instsecu

3. Restart the database.

To grant the mon_role role to the FortiDB database user

To grant the mon_role role to the FortiDB database user, use the following script:

grant role mon_role to <username>

The mon_role role is applied the next time the user logs in. If you are currently logged in with that account, log out and log in again to allow the new privileges to take effect.

See also

- Configuring the Sybase Monitoring and Diagnostic (MDA) tables
- Adding (or modifying) a target connection
- Configuring Sybase monitoring

Configuring the Sybase Monitoring and Diagnostic (MDA) tables

To set the size of tempdb for MDA

For best results, ensure the temporary database (tempdb) has more than 100MB of free space.

1. Connect to the master database as the sa user.

2. Check the size of tempdb.

For example, execute the following command:

sp_helpdb
go

name            db_size   owner  dbid   created       status
--------------  --------  -----  -----  ------------  ---------------------------------------------------------------------
master          13.0 MB   sa     1      Dec 07, 2007  mixed log and data
model           4.0 MB    sa     3      Dec 07, 2007  mixed log and data
sybmgmtdb       75.0 MB   sa     4      Dec 07, 2007  select into/bulkcopy/pllsort, trunc log on chkpt, mixed log and data
sybsystemdb     3.0 MB    sa     31513  Dec 07, 2007  mixed log and data
sybsystemprocs  120.0 MB  sa     31514  Dec 07, 2007  trunc log on chkpt, mixed log and data
tempdb          4.0 MB    sa     2      Nov 11, 2008  select into/bulkcopy/pllsort, trunc log on chkpt, mixed log and data
text_db         5.5 MB    sa     5      Dec 07, 2007  trunc log on chkpt, mixed log and data

3. Allocate an appropriate amount of disk space to tempdb.

For example, to allocate 500 MB, which is 256000 pages, execute the following command:

disk init name = "tempdb_data01", physname = "/export/home/sybase/data/tempdb_data01.dat", size = 256000
go

4. Allocate disk space on the new device to tempdb.

For example, execute the following command:

alter database tempdb on tempdb_data01 = 500
go

Extending database by 256000 pages (500.0 megabytes) on disk tempdb_data01

To configure the login trigger for session policies

Login triggers execute a specified stored procedure every time a user logs in.

1. Drop any existing FortiDB_audit table.

For example, to drop the table FortiDB_audit, use the following command:

drop table master.dbo.FortiDB_audit
go

2. Create a table to store login information in.

For example, to create the table FortiDB_audit in the master database, use the following command:

create table master.dbo.FortiDB_audit
(
  spid smallint,
  kpid int,
  suid int,
  loginname varchar(30),
  dbusername varchar(30),
  dbid smallint,
  dbname varchar(30),
  program_name varchar(30) null,
  hostprocess varchar(30) null,
  ipaddr varchar(64) null,
  loggedindatetime datetime
)
go

3. Create a procedure for the login trigger.

For example, to create the procedure login_proc, use the following script:

use master
go
drop procedure login_proc
go
create procedure login_proc as
begin
  insert into master.dbo.FortiDB_audit
  select
    S.spid,
    S.kpid,
    S.suid,
    suser_name(),
    user_name(),
    S.dbid,
    db_name(),
    S.program_name,
    S.hostprocess,
    S.ipaddr,
    S.loggedindatetime
  from master.dbo.sysprocesses S
  where S.spid = @@spid
end
go

4. Create the login trigger.

For example, use the following command:

sp_logintrigger 'master.dbo.login_proc'
go

Global login trigger updated.

If sp_logintrigger is not installed, recreate the master database procedures.

For example, for UNIX, execute the following script:

isql -Usa -P<password> -i$SYBASE/ASE-15_0/scripts/installmaster

For Windows, execute the following script:

isql -Usa -P<password> -i$SYBASE/ASE-15_0/scripts/installmstr

If you need to drop the global trigger, execute:

sp_logintrigger 'drop'
go

5. Grant permission to execute login_proc to public.

For example:

grant execute on dbo.login_proc to public
go

To set the MDA parameters

1. Configure MDA parameters.

For example, for Linux, use the following commands (for Windows, enter "go" for each execution):

sp_configure "enable cis", 1
sp_addserver loopback, null, @@servername   -- not required for 15.0.2 or later
set cis_rpc_handling on                     -- not required for 15.0.2 or later
exec loopback...sp_who                      -- note: 3 dots
sp_configure "errorlog pipe active", 1
sp_configure "deadlock pipe active", 1
sp_configure "wait event timing", 1
sp_configure "process wait events", 1
sp_configure "object lockwait timing", 1
go

For the monSysStatement table:

sp_configure "statement statistics active", 1
sp_configure "statement pipe max messages", 30000
sp_configure "per object statistics active", 1
sp_configure "statement pipe active", 1
go

For the monSysSQLText table:

sp_configure "max SQL text monitored", 8192
sp_configure "SQL batch capture", 1
sp_configure "sql text pipe max messages", 30000
sp_configure "sql text pipe active", 1
go

Additional parameter values to set:

sp_configure "max memory", 256000
sp_configure "event buffers per engine", 2000
sp_configure "plan text pipe max messages", 100
sp_configure "errorlog pipe max messages", 30000
sp_configure "deadlock pipe max messages", 100
go

2. Restart the database.

3. To configure the monitoring table to collect data, use the following command:

sp_configure "enable monitoring", 1
go

To connect to the Sybase database and clear the MDA buffer

Clear the MDA buffer only after the FortiDB database user has made an initial connection to the database.

1. Connect to the Sybase database that you have configured for monitoring by FortiDB. See Adding (or modifying) a target connection on page 107.

2. To clear the MDA buffer, use the following commands:

select top 1 * from dbo.monSysSQLText
go
select top 1 * from dbo.monSysStatement
go

See also

- Configuring the Sybase audit system and FortiDB database user
- Adding (or modifying) a target connection
- Configuring Sybase monitoring

DB2 target database pre-configuration

Users and privileges required by the DB2 agent

The FortiDB DB2 agent periodically sends a request to the DB2 database to transmit its audit data to a file system location that belongs to the agent's temporary directory. The agent then transmits the audit files to the FortiDB repository. You can also configure the agent to remove the audit data from the DB2 database.

To perform these tasks, the FortiDB DB2 agent requires read and write access to the audit data files. To give the agent this access, you configure it to run using the login credentials of the database instance owner (which are the credentials used to run the DB2 server).

In addition, to install the agent on Windows, the database user that runs the DB2 agent is required to be a member of the DB2ADMNS user group. You can remove the user from this group after installation is complete.

Required DB2 user: DB2 instance owner
Purpose: DB2 instance owner
Required privileges: Default DB2 instance owner privileges

Required DB2 user: FortiDB DB2 database user
Purpose: Connects FortiDB to the DB2 target database
Required privileges:
- Security administration authority (SECADM), which is required to configure and manage database auditing
- For databases installed on Windows: DB2 instance owner, and membership in the DB2ADMNS or DB2USERS user group

Required DB2 user: DB2 user for installing and running the agent
Purpose: Runs the DB2 agent
Required privileges:
- DB2 instance owner
- For installing on Windows, membership in the DB2ADMNS user group

See also

- Configuring the DB2 database and installing the agent
- Adding (or modifying) a target connection
- Configuring DB2 monitoring

Configuring the DB2 database and installing the agent

To configure the DB2 target database to work with the DB2 agent

1. If the database already has an audit configuration, to reset the instance level audit, use the following command:

db2audit configure reset

2. To start the audit facility administrator tool, use the following command:

db2audit start

3. To configure the audit facility to audit for failed logins, use the following command:

db2audit configure scope context status failure

4. To set the size of the audit buffer, use the following command:

db2 update dbm cfg using AUDIT_BUF_SZ 10000

The default audit buffer is 0 (no setting).

5. To grant security administration authority (SECADM) to the user FortiDB uses to connect to the database, use the following command:

db2=> GRANT SECADM ON DATABASE TO USER <user name>

where <user name> is the user name specified by the target configuration (General tab).

For Windows, the FortiDB connection user needs to belong to the DB2ADMNS or DB2USERS group. For UNIX, AIX, or Linux, the FortiDB connection user does not need to be an instance owner.

By default, the db2admin user does not have the SECADM authority.

To configure and run the DB2 agent

1. Ensure that Java Virtual Machine (JVM) 1.6 or greater is installed, the JAVA_HOME environment variable is correctly configured, and that the bin directory is first on the execution path.

2. Obtain a copy of the FortiDB agent installer. For information on obtaining the installer, contact Fortinet technical support.

3. Ensure that the DB2 target database has the required configuration. See To configure the DB2 target database to work with the DB2 agent on page 92.

4. As the database user that runs the agent, log in to the machine where the DB2 database is located, and then unpack a copy of the FortiDB agent installer to a directory.

For information on the permissions this user requires, see Users and privileges required by the DB2 agent on page 91.

5. Copy the agent.properties.sample file from <agent install directory>/doc to <agent install directory>/conf, and then change the file name to agent.properties.

6. Using a text editor, set the properties in agent.properties to the following values:

Parameter: agentType
Description: Enter DB2.
Required: Yes

Parameter: brokerAddress
Description: Enter the IP address or resolvable host name for FortiDB.
Required: Yes

Parameter: brokerPort
Description: Enter the port FortiDB uses to listen for transmissions from the agent. The default value is 9116.
Required: No

Parameter: agentDBAddress
Description: Enter the IP address of the target database. Use the same value that is specified by the target configuration (General tab).
Required: Yes

Parameter: agentDBPort
Description: Enter the listening port on the target database. Use the same value that is specified by the target configuration (General tab).
Required: Yes

Parameter: pollingInterval
Description: Enter a positive integer that specifies the polling interval in milliseconds.
Required: No

Parameter: removeAuditFile
Description: Enter true or false. To remove DB2 audit file outputs after the agent sends them to FortiDB, enter true (the default value).
Required: No

7. To install the DB2 agent, go to <agent install directory>/bin, and then execute the following command:

DB2AgentSetup

8. If DB2 is installed on Windows, do the following:

a. In <agent install directory>/bin, execute the following command:

fdbagent install

b. In the Windows Services Control Panel (for example, in Start > Control Panel > Administrative Tools), configure the FortiDB Database Monitoring Agent to run using the same login credentials that you used to unpack the FortiDB agent installation file.

9. To start the FortiDB agent, do one of the following:

- For Windows, Linux, or Solaris, in <agent install directory>/bin, execute the following command:

$ fdbagent start

  To stop the agent, execute the following command:

$ fdbagent stop

- For other platforms (for example, AIX), in <agent install directory>/bin, execute the following command:

$ nohup ./fdbagentapp &

10. To confirm that the audit data path and audit archive path are correct, execute the following command:

db2audit describe

The audit settings are displayed. For example:

DB2 AUDIT SETTINGS:

Audit active: "TRUE"
Log audit events: "FAILURE"
Log checking events: "FAILURE"
Log object maintenance events: "FAILURE"
Log security maintenance events: "FAILURE"
Log system administrator events: "FAILURE"
Log validate events: "FAILURE"
Log context events: "FAILURE"
Return SQLCA on audit error: "FALSE "
Audit Data Path: "C:\DB2\fdbagent\bin\..\tmp\db2audit\flush\"
Audit Archive Path: "C:\DB2\fdbagent\bin\..\tmp\db2audit\archive\"

AUD0000I Operation succeeded.

11. Configure target monitoring for the database where the agent is installed. For detailed instructions, see Configuring DB2 monitoring on page 202.
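Both the Oracle XML file agent and the DB2 agent are configured through the same agent.properties keys, and a mistake there (a missing address, a non-numeric port, removeAuditFile on an Oracle agent) only shows up as an agent that silently sends nothing. The following Python script is an added example, not Fortinet's code: it checks an agent.properties file against the two parameter tables above and reports the settings the agent would run with after the documented defaults are applied. The sample files, host names and addresses are constructed placeholders.

```python
"""Check a FortiDB agent.properties file against the parameter tables for the
Oracle XML file agent and the DB2 agent. Added example, not Fortinet's code:
the rules below encode only what the tables state (required keys, agentType
values, the 9116 broker default, positive pollingInter­val, removeAuditFile
semantics), and the sample files are constructed with placeholder hosts."""
from typing import Dict, List

# Constructed sample: a valid Oracle XML file agent configuration.
ORACLE_SAMPLE = """\
# FortiDB Oracle XML file agent (constructed example)
agentType=ORA_XML
brokerAddress=fortidb.example.internal
agentDBAddress=10.0.0.25
agentDBPort=1521
pollingInterval=60000
"""

# Constructed sample: a DB2 agent configuration with two mistakes.
DB2_SAMPLE = """\
agentType=DB2
brokerAddress=fortidb.example.internal
brokerPort=9116
agentDBAddress=10.0.0.30
agentDBPort=50000
removeAuditFile=maybe
pollingInterval=-5
"""

REQUIRED = ("agentType", "brokerAddress", "agentDBAddress", "agentDBPort")
AGENT_TYPES = ("ORA_XML", "DB2")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value (or key:value) per line;
    blank lines and lines starting with '#' or '!' are ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def _is_port(value: str) -> bool:
    return value.isdigit() and 1 <= int(value) <= 65535


def validate_agent_properties(text: str) -> List[str]:
    """Return a list of problems; an empty list means the file passes."""
    props = parse_properties(text)
    issues: List[str] = []
    for key in REQUIRED:
        if not props.get(key):
            issues.append(f"{key}: required but missing or empty")
    agent_type = props.get("agentType")
    if agent_type and agent_type not in AGENT_TYPES:
        issues.append(f"agentType: expected one of {AGENT_TYPES}, got {agent_type!r}")
    for key in ("brokerPort", "agentDBPort"):
        if key in props and not _is_port(props[key]):
            issues.append(f"{key}: must be a TCP port number, got {props[key]!r}")
    interval = props.get("pollingInterval")
    if interval is not None and not (interval.isdigit() and int(interval) > 0):
        issues.append(f"pollingInterval: must be a positive integer of milliseconds, got {interval!r}")
    remove = props.get("removeAuditFile")
    if remove is not None:
        if agent_type == "ORA_XML":
            issues.append("removeAuditFile: not used by the Oracle XML file agent; remove it")
        elif remove.lower() not in ("true", "false"):
            issues.append(f"removeAuditFile: must be true or false, got {remove!r}")
    return issues


def effective_settings(text: str) -> Dict[str, str]:
    """The settings the agent would run with after the documented defaults:
    brokerPort 9116, pollingInterval 60000 for the Oracle XML agent, and
    removeAuditFile true for the DB2 agent."""
    props = parse_properties(text)
    effective = {"brokerPort": "9116"}
    if props.get("agentType") == "ORA_XML":
        effective["pollingInterval"] = "60000"
    elif props.get("agentType") == "DB2":
        effective["removeAuditFile"] = "true"
    effective.update(props)
    return effective


if __name__ == "__main__":
    for name, text in (("oracle", ORACLE_SAMPLE), ("db2", DB2_SAMPLE)):
        problems = validate_agent_properties(text)
        print(name, "OK" if not problems else "; ".join(problems))
```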

See also

- Users and privileges required by the DB2 agent

Microsoft SQL Server target database pre-configuration

Database user account requirement

To monitor a Microsoft SQL Server database, FortiDB requires a database user that is a member of the sysadmin server role.

Use the following query to add a database user that is a member of sysadmin:

sp_addsrvrolemember 'username', 'sysadmin'

See also

- Adding (or modifying) a target connection

Privileges required by the FortiDB database user

When you configure a target that allows FortiDB to connect to a target database, you specify a database user.

This user requires specific privileges to allow it to perform assessments or monitor database activity.

To grant privileges to the FortiDB user, use the GRANT statement. For example:

GRANT SELECT_CATALOG_ROLE TO <username>
GRANT SELECT ON dbo.syscolumns TO <username>
GRANT SELECT ON SYSIBM.SYSCOLAUTH TO <username>
GRANT ROLE SSO_ROLE TO <username>

For Microsoft SQL Server, use the following command to add a login as a member of sysadmin:

sp_addsrvrolemember '<user name>', 'sysadmin'

See also

- Privileges for VA assessments, privilege summaries, and penetration tests
- Privileges for monitoring data
- Privileges for monitoring privileges
- Privileges for monitoring metadata
- Adding (or modifying) a target connection

Privileges for VA assessments, privilege summaries, and penetration tests

The FortiDB database user for a target database requires the following privileges to run assessments and related tasks:

DB2

Task: Run VA Assessment (except penetration test)
Required privileges:
- CREATE TABLE
- SELECT on the following SYSIBM tables: SYSCOLAUTH, SYSDBAUTH, SYSINDEXAUTH, SYSPLANAUTH, SYSSCHEMAAUTH, SYSTABAUTH, SYSTBSPACEAUTH

Task: View a Privilege Summary
Required privileges:
- SELECT on the following SYSCAT tables: COLAUTH, DBAUTH, INDEXAUTH, PACKAGEAUTH, SCHEMAAUTH, TABAUTH, TBSPACEAUTH
- SELECT on the following SYSIBM tables: SYSCOLAUTH, SYSDBAUTH, SYSINDEXAUTH, SYSPLANAUTH, SYSSCHEMAAUTH, SYSTABAUTH, SYSSYSTABLESPACES, SYSTBSPACEAUTH, SYSUSERAUTH

Task: Run Penetration Test
Required privileges:
- SELECT on the following SYSCAT tables: COLAUTH, DBAUTH, INDEXAUTH, PACKAGEAUTH, SCHEMAAUTH, TABAUTH, TBSPACEAUTH
- SELECT on the following SYSIBM tables: SYSCOLAUTH, SYSDBAUTH, SYSINDEXAUTH, SYSPLANAUTH, SYSSCHEMAAUTH, SYSTABAUTH, SYSTBSPACEAUTH, SYSUSERAUTH

Microsoft SQL Server 2000

Task: Run VA assessment (except penetration test)
Required privileges:
- SELECT on: MASTER.DBO.SPT_VALUES, MASTER.DBO.SYSALTFILES, MASTER.DBO.SYSDATABASES, MASTER.DBO.SYSLOGINS, MASTER.DBO.SYSXLOGINS, SYSCOLUMNS, SYSMEMBERS, SYSOBJECTS, SYSPROTECTS, SYSUSERS
- EXECUTE on: MASTER.DBO.XP_CMDSHELL, MASTER.DBO.XP_INSTANCE_REGENUMVALUES, MASTER.DBO.XP_INSTANCE_REGREAD, MASTER.DBO.XP_LOGINCONFIG, MASTER.DBO.XP_LOGININFO, MASTER.DBO.XP_REGENUMVALUES, MASTER.DBO.XP_REGREAD

The database user requires the MS-SQL sysadmin role to use the following policies in assessments:
- DVA MSSQL 01.01 password field empty
- DVA MSSQL 01.02 password is the same as login name

Task: View a Privilege Summary
Required privileges:
- SELECT on MASTER.DBO.SYSDATABASES (for MS-SQL 2000 server-level connections)
- For each individual MS-SQL 2000 database you want to connect to, SELECT on: SYSMEMBERS, SYSOBJECTS, SYSPROTECTS, SYSUSERS

Task: Run Penetration Test
Required privileges:
- SELECT on MASTER.DBO.SYSDATABASES (for MS-SQL 2000 server-level connections)
- SELECT on MASTER.DBO.SYSXLOGINS
- SELECT on: SYS.DATABASE_ROLE_MEMBERS, SYSMEMBERS, SYSOBJECTS, SYSPROTECTS, SYSUSERS (for each individual MS-SQL 2000 database you want to connect to)

Microsoft SQL Server 2005 or 2008

98 FortiDB 5.1.11 Upgrade Guide

Fortinet Technologies Inc.

Connecting to target databases Privileges required by the FortiDB database user

Task: Run VA Assessment (except penetration test); View Privileges Summary

Required privileges:

SELECT on:
- MASTER.DBO.SPT_VALUES
- MASTER.DBO.SYSALTFILES
- MASTER.DBO.SYSDATABASES
- MASTER.DBO.SYSLOGINS
- MASTER.DBO.SYSXLOGINS
- SYS.COLUMNS
- SYS.MEMBERS
- SYS.OBJECTS
- SYS.PROTECTS
- SYS.USERS

EXECUTE on:
- MASTER.DBO.XP_CMDSHELL
- MASTER.DBO.XP_INSTANCE_REGENUMVALUES
- MASTER.DBO.XP_INSTANCE_REGREAD
- MASTER.DBO.XP_LOGINCONFIG
- MASTER.DBO.XP_LOGININFO
- MASTER.DBO.XP_REGENUMVALUES
- MASTER.DBO.XP_REGREAD

The database user requires the MS-SQL sysadmin role to use the following policies in assessments:
- DVA MSSQL 01.01 password field empty
- DVA MSSQL 01.02 password is the same as login name
- DVA MSSQL 05.36 List database logins that are part of the local Administrators group
- DVA MSSQL 05.37 Verify SQL Server not run as local System Administrator
- DVA MSSQL 05.42 Default Microsoft SQL Listener Port Report

SELECT on:
- MASTER.SYS.DATABASES (for Microsoft SQL 2005 Server server-level connections)

For each individual Microsoft SQL 2005 Server database that you want to connect to, SELECT on:
- SYS.DATABASE_PERMISSIONS
- SYS.DATABASE_PRINCIPALS
- SYS.DATABASE_ROLE_MEMBERS
- SYS.OBJECTS


Task: Run Penetration Test

Required privileges:

SELECT on:
- MASTER.SYS.DATABASES (for Microsoft SQL 2005 Server server-level connections)
- SYS.DATABASE_PERMISSIONS
- SYS.DATABASE_PRINCIPALS
- SYS.DATABASE_ROLE_MEMBERS
- SYS.OBJECTS
- SYS.SQL_LOGINS
(for each individual Microsoft SQL 2005 Server database that you want to connect to)

Oracle

Task: Run VA Assessment (except penetration test)

Required privileges:
- CREATE SESSION
- SELECT_CATALOG_ROLE
- SELECT on:
  - SYS.AUDIT$
  - SYS.LINK$
  - SYS.REGISTRY$HISTORY (Oracle 10g only)
  - SYS.USER$
  - SYSTEM.SQLPLUS_PRODUCT_PROFILE

Task: View Privilege Summary

Required privileges:

SELECT on:
- ALL_USERS
- DBA_COL_PRIVS
- DBA_ROLE_PRIVS
- DBA_ROLES
- DBA_SYS_PRIVS
- DBA_TAB_PRIVS

Task: Run Penetration Test

Required privileges:

SELECT on:
- ALL_USERS
- DBA_COL_PRIVS
- DBA_ROLE_PRIVS
- DBA_ROLES
- DBA_SYS_PRIVS
- DBA_TAB_PRIVS
- SYS.USER$

Sybase and Sybase IQ


Task: Run VA Assessment (except for penetration test)

Required privileges:

SSO_ROLE

If the Sybase server is using SybSecurity:
- On the MASTER database, add the FortiDB user to the database and grant it SELECT permission on the following tables:
  - SYSSRVROLES
  - SYSLOGINROLES
  - SYSSECMECHS
  - SYSDATABASES (AUDFLAGS column)
  - SYSLOGINS (AUDFLAGS column)
- On any user-defined databases, add the FortiDB user to the database and grant it SELECT permission on the following table:
  - SYSUSERS

If the Sybase server is not using SybSecurity, grant the database user SELECT permission on the following tables:
- SYSSRVROLES
- SYSLOGINROLES
- SYSSECMECHS
- SYSDATABASES (AUDFLAGS column)

Task: View a Privilege Summary

Required privileges:

For each individual database you want to connect to, grant SELECT on:
- MASTER.DBO.SYSDATABASES (for server-level connections)
- SYSOBJECTS
- SYSPROTECTS
- SYSUSERS

Task: Run Penetration Test

Required privileges:

Grant SELECT on:
- MASTER.DBO.SYSDATABASES (for server-level connections)
- SYSOBJECTS, SYSPROTECTS, and SYSUSERS (for each individual database that you want to connect to)

MySQL

Task: Run a VA Assessment (including penetration test)

Required privileges:

SELECT on:
- mysql.user
- mysql.db
- mysql.columns_priv
- mysql.tables_priv


Task: View a Privilege Summary

Required privileges:

SELECT on:
- INFORMATION_SCHEMA.*
- mysql.user

SHOW DATABASES

See also
- Adding or modifying assessments
- Viewing and exporting a privilege summary
- Penetration tests

Privileges for monitoring data

To monitor data, the FortiDB user for your target database requires the following privileges:

RDBMS Type: Oracle

Required Privilege(s):

For DB, EXTENDED and XML File Agent collection methods:
- CREATE SESSION
- SELECT_CATALOG_ROLE
- DELETE_CATALOG_ROLE
- AUDIT ANY
- AUDIT SYSTEM
- SELECT SYS.AUD$
- SELECT on the monitored tables or SELECT ANY TABLE

For the TCP/IP Sniffer collection method (to support browsing the database to define data policy):
- CREATE SESSION
- SELECT_CATALOG_ROLE
- SELECT on the monitored tables or SELECT ANY TABLE

RDBMS Type: Microsoft SQL Server

Required Privilege(s): Member of sysadmin

RDBMS Type: Sybase

Required Privilege(s):

For the MDA collection method:
- No privilege is required for the MDA table

For the TCP/IP Sniffer collection method (to support browsing the database to define data policy):
- User who can browse database objects


RDBMS Type: DB2

Required Privilege(s):

For the DB2 Agent collection method:
- SECADM privilege

For the TCP/IP Sniffer collection method (to support browsing the database to define data policy):
- User who can browse database objects
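As an added example that is not part of the FortiDB handbook, the following Oracle script provisions a dedicated FortiDB monitoring account with the DB, EXTENDED and XML File Agent privilege set listed above, grants SELECT on the monitored tables instead of SELECT ANY TABLE, and then queries the data dictionary to confirm nothing broader was granted. The account name FORTIDB_MON, the HR schema and its EMPLOYEES and SALARIES tables are placeholders, not names from the handbook.

```sql
-- Added example, not part of the FortiDB handbook. Placeholders:
-- FORTIDB_MON (monitoring account), HR.EMPLOYEES and HR.SALARIES
-- (the tables a data policy will monitor). Run as a DBA.

-- 1. A dedicated account with no storage quota: it only reads.
CREATE USER fortidb_mon IDENTIFIED BY "<replace-with-strong-password>"
  DEFAULT TABLESPACE users
  QUOTA 0 ON users;

-- 2. The handbook's privilege set for the DB / EXTENDED / XML File Agent
--    collection methods.
GRANT CREATE SESSION      TO fortidb_mon;
GRANT SELECT_CATALOG_ROLE TO fortidb_mon;
GRANT DELETE_CATALOG_ROLE TO fortidb_mon;  -- carries DELETE on SYS.AUD$
GRANT AUDIT ANY           TO fortidb_mon;
GRANT AUDIT SYSTEM        TO fortidb_mon;
GRANT SELECT ON sys.aud$  TO fortidb_mon;

-- 3. Scope table access to the monitored tables. SELECT ANY TABLE would
--    also satisfy the handbook, but it exposes every schema on the instance.
GRANT SELECT ON hr.employees TO fortidb_mon;
GRANT SELECT ON hr.salaries  TO fortidb_mon;

-- 4. Verification: list everything the account holds. Any row other than
--    the grants above (for example SELECT ANY TABLE or the DBA role)
--    means the account was over-provisioned.
SELECT 'SYSPRIV' AS kind, privilege AS granted
  FROM dba_sys_privs
 WHERE grantee = 'FORTIDB_MON'
UNION ALL
SELECT 'ROLE', granted_role
  FROM dba_role_privs
 WHERE grantee = 'FORTIDB_MON'
UNION ALL
SELECT 'OBJPRIV', owner || '.' || table_name || ' (' || privilege || ')'
  FROM dba_tab_privs
 WHERE grantee = 'FORTIDB_MON'
 ORDER BY 1, 2;
```

Rerun the verification query after any later change to the account; an unexpected SELECT ANY TABLE or DBA row is the usual sign that someone widened the grant to get past a failed Test Connection.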

See also
- Data policies
- Configuring target database monitoring

Privileges for monitoring privileges

To monitor privileges, the FortiDB user for your target database requires the following privileges:

RDBMS Type: Oracle

Required Privilege(s):
- CREATE SESSION
- SELECT_CATALOG_ROLE
- DELETE_CATALOG_ROLE
- AUDIT SYSTEM

RDBMS Type: Microsoft SQL Server

Required Privilege(s):

For the SQL Trace collection method:

SELECT on:
- sys.columns
- sys.database_role_members
- sys.database_permissions
- sysobjects
- sys.database_principals
- sys.sql_logins

EXECUTE on:
- sp_helpsrvrolemember

For the TCP/IP Sniffer and Net Agent collection methods:
- No privilege is required

RDBMS Type: Sybase

Required Privilege(s): No privilege is required for the MDA table or TCP/IP Sniffer

RDBMS Type: DB2

Required Privilege(s):
- SECADM privilege for DB2 Agent
- No privilege is required for TCP/IP Sniffer


See also
- Privilege policies
- Configuring target database monitoring

Privileges for monitoring metadata

To monitor metadata, FortiDB target database users need the following privileges:

RDBMS Type: Oracle

Required Privilege(s):
- CREATE SESSION
- SELECT_CATALOG_ROLE

For use with auditing:
- CREATE SESSION
- AUDIT SYSTEM
- SELECT_CATALOG_ROLE

RDBMS Type: Microsoft SQL Server

Required Privilege(s):

For the SQL Trace collection method:

SELECT on:
- information_schema.columns
- sysindexes
- sysobjects
- information_schema.routines
- sys.objects
- sys.sql_modules
- information_schema.views

For the TCP/IP Sniffer and Net Agent collection methods:
- No privilege is required

RDBMS Type: Sybase

Required Privilege(s): No privilege is required for the MDA table or TCP/IP Sniffer

RDBMS Type: DB2 UDB

Required Privilege(s):
- SECADM privilege for DB2 Agent
- No privilege is required for TCP/IP Sniffer

See also
- Metadata policies
- Configuring target database monitoring


Managing targets

To assess and monitor your databases using FortiDB, you first create connections to them. The completed configuration is called a target. Use the Targets page to organize your targets.

Columns

The Target page displays the following columns:

Status (Connection status): An icon indicates whether the information for the target database is complete or not complete.

Name: User-defined target connection name. Click it to display the target configuration settings (General tab).

DB Name: The name of the target database.

DB Host Name/IP: Database host name or IP address of the computer where the target database is located.

Port: Port number to use for the connection.

DB Type: One of the following types of databases: ORACLE, MSSQL, DB2, SYBASE, or MYSQL.

Action: Click the Edit icon to modify the target (same as clicking the DB Name).

Buttons and fields

The Target page displays the following buttons and fields:

View dropdown: Filters the list of targets by database type.

Search / New Group: Search the list of targets and, optionally, create a new target group using the search results.

Add: Create a target.

Delete: Delete one or more selected targets.

Import: Import targets using an XML-format file.


Export selected to XML: Export the selected targets as an XML-format file.

Export all to XML: Export all targets as an XML-format file.

Export all to PDF: Export the target list as a PDF file.

See also
- Searching or filtering the target list
- Adding (or modifying) a target connection
- Exporting target information

Searching or filtering the target list

You can search the list of targets or create a filtered list of targets that you can place in a named group.

1. Do one of the following:
- Click Target Database Server > Targets, and then click Search/New Group.
- Click Target Database Server > Target Groups, and then click Add.

2. For Column, Operator, and Value, select and enter values that specify the targets that you want in the list.

To add additional filtering criteria, click + (plus sign) and complete the settings for the new row.

Click - (minus sign) to delete a row.

The value you enter for Value is case-sensitive.

You cannot use the same Column value in multiple rows. For example, you cannot create a row for Location = 'London' and a row for Location = 'New York'.

For example:

Attribute: Location; Operator: Contains; Value: nd; Return Possibilities: all databases in London
Attribute: Database Type; Operator: Equals; Value: DB2; Return Possibilities: all DB2 databases

3. Click Search to apply the criteria.

4. Continue working with the filtered list, as required.

For example, click the name of a target to edit its properties. To use the list to create a target group, enter a name and click Save Group.

See also
- Managing targets
- Adding (or modifying) a target connection


Adding (or modifying) a target connection

1. Go to Target Database Server > Targets.

2. Do one of the following:
- To create a target, click Add.
- To modify a target, click the name of a target database.

3. On the General tab, complete the following settings:

Name: Do not use spaces in the name.

Type: If you select Oracle, complete the settings on the SSH tab. If you select DB2, on the DB2 Options tab, do one of the following:
- Select SSH, and then complete the settings on the SSH tab. For more information on SSH tab settings, see Configuring SSH connections to Oracle and DB2 databases on page 109.
- Select an option other than SSH. For more information on these settings, see Configuring DB2 options on page 108.

DB Host Name/IP: Enter the DB host name or IP address of the computer where the target database is located.

Port: Enter the number of the port the database uses; the default port is 1521.

Connect At: Displayed for Microsoft SQL Server or Sybase only. Select Database Level or Server Level. Select Server Level to exclude the databases specified by the MSSQL Server Level Exclusions or Sybase Server Level Exclusions global properties.


Additional JDBC Settings: By default, the target uses the additional JDBC settings values that you set in the Target global properties. For more information on these properties, see Target properties on page 75. To use different values, enter one or more key-value pairs separated by a semicolon.

For Microsoft SQL Server or Sybase databases only, you can also do the following:
- Microsoft SQL Server — To support an SSL-encrypted connection, in SQL Server, set ForceEncryption to Yes. Then, for Additional JDBC Settings, enter SSL=require. (To connect without encryption, in SQL Server, set ForceEncryption to No.) If you use NTLM version 2 authentication, enter useNTLMv2=true.
- Sybase — To support an SSL-encrypted connection, enter SYBSOCKET_FACTORY=com.fortinet.fortidb.target.internal.connection.SybaseSSLSQL

Note: Database activity monitoring (DAM) using the TCP/IP sniffer is not available when FortiDB connects to Sybase using SSL.

DB Activity Monitoring: Select to monitor this database.

4. (Optional) Enter information on the Classification and Contact Info tabs.

You can use this information to filter the list of targets when you search the list of targets or create target groups.

5. To test your connection, select Test Connection.

6. Click Save.

See also
- Managing targets
- Configuring DB2 options
- Configuring SSH connections to Oracle and DB2 databases
- SSH environment requirements (software-only version)
- Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX
- Auto-discovery

Configuring DB2 options

When you configure a connection to a DB2 database, on the DB2 Options tab, for Retrieval Method, select one of the following options. After you have completed the required settings, click Test Connection to verify them:


SSH: Select to configure FortiDB to connect to the database using Secure Shell (SSH), and then complete the settings on the SSH tab. For more information on the SSH tab, see Configuring SSH connections to Oracle and DB2 databases on page 109.

DB2 Level Command: Select to configure FortiDB to connect to the database using the output from DB2 commands. Then, complete the following settings:
- db2level Output — Enter the output of the db2level command (show DB2 service level command).
- dbm cfg Output — Enter the output of the db2 get dbm cfg command (get database manager configuration command).

Use SQL query for connection: Select to configure FortiDB to use a SQL query to connect to the DB2 server. To use this option, ensure that the FortiDB database user is granted EXECUTE permission on the stored procedure.

Configuring SSH connections to Oracle and DB2 databases

You can configure FortiDB to connect to Oracle and DB2 target databases using Secure Shell (SSH).

If you are using the software-only version of FortiDB and connecting using SSH, additional configuration is required. For more information on these requirements, see SSH environment requirements (software-only version) on page 110.

To configure an SSH connection

1. On the Target page, click the SSH tab.

2. Specify a port number. The default port is 22.

3. For Access Method, select one of the following values:

Password: Select to connect using the name of the database user and a password, and then enter the user information.

Implicit Key Pair: Select to connect using the name of the database user and the SSH key file specified by the SSH Key File global property, and then enter the user name.


Explicit Key Pair (software-only version): Select to connect using a private key and passphrase (if you provided one when you generated the key), and then complete the following settings:
- User Name — Enter the FortiDB SSH user.
- Key Path — Enter the directory on your SSH client computer where the private key is located. Then, in the specified directory, create the directory ./ssh and copy the private key to it.
- Pass Phrase — Enter an optional passphrase. You enter a passphrase when you generate a private key.

4. If you want to use the operating system vulnerability assessment (OSVA) feature and the target is an Oracle database running on Solaris or AIX, select Enable OSVA, and then complete the required settings. For more information on these settings, see Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX on page 111.

5. To test the connection, click Test SSH Connection.

SSH environment requirements (software-only version)

When you use the software-only version of FortiDB, the following SSH environment is required to allow FortiDB to connect to target databases using an SSH connection.

In addition, for some Oracle databases, additional configuration is required to use the operating system vulnerability assessment (OSVA) feature.

If you need help setting up a working SSH environment, contact your System Administrator.

The target configuration SSH tab provides two Access Method options: Implicit Key Pair (the key pair is specified by the SSH Key File global property) and Explicit Key Pair (the key pair information is specified on the SSH tab). For more information on the SSH tab, see Configuring SSH connections to Oracle and DB2 databases on page 109.

Public Key handling: For either the Explicit Key Pair or Implicit Key Pair methods, use secure copy (SCP) to copy the public key that you generate on the SSH client to your SSH server. Then, append the key to the authorized_keys file located in the .ssh directory within the home directory of the FortiDB SSH user.

Private Key handling: For either the Explicit Key Pair or Implicit Key Pair methods, generate id_dsa or id_rsa private keys and copy them to the .ssh directory under the user's home directory on the SSH client machine. In a Windows environment, the private key resides in the /.ssh directory under the user's home directory. The exact directory depends on the OS version. For example, C:\Documents and Settings\All Users.

SSH Client Location: The SSH client runs on your FortiDB machine.


SSH Server Location: The SSH server runs on your target database machine.

User account for SSH User: To configure an SSH connection, a user account on your target database machine is required.

DB2 Target Specific Instructions: In some cases, additional configuration is required for the FortiDB OS user that you created on a DB2 target database machine. For example, if the user is db2inst3 and you use the bash shell, add the following entry to your .bashrc file (the fi must be on its own line, otherwise the shell treats it as an argument to the sourced script):

    if [ -f /home/db2inst3/sqllib/db2profile ]; then
        . /home/db2inst3/sqllib/db2profile
    fi

Operating system vulnerability assessment (OSVA) with Oracle targets: If the target is an Oracle database on Solaris, to use the FortiDB operating system vulnerability assessment (OSVA) feature, specify the Home Directory, Owner, and owner's Group of your target database. For more information on these settings, see Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX on page 111.

Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX

If the target is an Oracle database running on Solaris or AIX, additional configuration is required to use the FortiDB operating system vulnerability assessment (OSVA) feature. For information on other SSH settings, see Configuring SSH connections to Oracle and DB2 databases on page 109.

To enable operating system vulnerability assessment (OSVA)

1. On your target computer, ensure that the opatch command path is included in the $PATH environment variable.

2. On the SSH tab, select Enable OSVA, and then complete the following settings. If you do not have this information, contact your Oracle administrator:

Operating System: Select Solaris or AIX.

Home Directory: Enter the Oracle home directory ($ORACLE_HOME).

Owner: Enter the name of the Oracle owner.

Group: Enter the name of the Oracle user group. In most cases, it is dba or oinstall.

3. Click Save.


Exporting target information

You can use the Targets page to export all targets or targets you select. You can also use the page to import targets using an XML-format file.

When you export target information in PDF format, the file contains only parts of the target information and you cannot use it to import targets.

To export information for all targets as an XML or PDF file

1. On the Targets page, for View, select All.

2. Do one of the following:
- Click Export all to XML.
- Click Export all to PDF.

To export one or more selected targets as an XML file

1. On the Targets page, do one of the following:
- For View, select a target group.
- Click Search/New Group and use the filters to search for targets. For information on using the filter options, see Searching or filtering the target list on page 106.

2. Do one of the following:
- Select the checkbox beside one or more target names, and then click Export selected to XML.
- Select the checkbox in the column heading to select all list items.
- Click Export all to XML.

See also
- Managing targets
- Importing targets

Importing targets

You can use the Targets page to import target information in XML format. For example, you can import targets that you exported from another FortiDB appliance.

When you export target information in PDF format, the file contains only parts of the target information and you cannot use it to import targets.

To view an example of a file that you can import, export an existing target. The software-only version of FortiDB provides example files in the following directory:

<FortiDB install directory>/etc/import-target

Before you import a target, do the following:


- Ensure that the target name is unique. If you import a target with the same name as an existing target, FortiDB overwrites the existing target information with the information in the imported file.
- Ensure that the file provides values for all required elements. If an imported XML file does not have all the required values, FortiDB displays it in the list of targets with an incomplete status icon.
- Do not change any encrypted values. For passwords, use clear text. FortiDB encrypts this text during the importing process.
- Do not change the value of <databaseType>.

To import a target

1. In the navigation menu, go to Target Database Server > Targets.

2. Click Import.

The Target Import page is displayed.

FortiDB imports target information based on the value of Name. If the Name value already exists in the target list, FortiDB overwrites the existing target with the imported data.

3. Click Choose file, and then navigate to the file and select it.

4. Select Import.

The following information is displayed:

Name: The value of the <name> element.

Results: Indicates the status of the imported target: New, Updated, or Failed.

Complete: Indicates whether one or more required elements are missing a value.

Message: Indicates the reason why Failed is displayed in the Results column.

5. Click the Continue button to complete the import.

See also
- Managing targets
- Exporting target information

Managing target groups

The Target Database Server > Target Groups page displays all pre-defined and user-defined target groups. Use it to complete the following tasks:


- To add a target group, select Add. For more information, see Adding or modifying a target group on page 114.
- To modify a target group, click its name.
- To delete a user-defined target group, select it, and then click Delete. You can select more than one target group for deletion.

You can modify or delete a pre-defined target group. However, you cannot revert a target group to its original content or restore a target group you deleted.

See also
- Pre-defined target groups
- Adding or modifying a target group

Pre-defined target groups

FortiDB provides the following pre-defined target groups:
- DB2 Database Group
- MySQL Database Group
- Oracle Database Group
- Microsoft SQL Server Database Group
- Sybase Database Group
- Sybase IQ Database Group
- MongoDB Database Group

See also
- Managing target groups
- Adding or modifying a target group

Adding or modifying a target group

1. On the navigation menu, go to Target Database Server > Targets.

2. Do one of the following:
- To create a target group, click Add.
- To modify a target group, click the name of the group.

3. On the Targets page, complete the required settings. For Group Name, enter or edit the name that is displayed in the list of target groups. For Description, enter a description, for example, your filtering or grouping criteria. To cancel the target group creation process, click Cancel.


4. Use the filtering options to display the targets you want in the group in the list of targets. For information on filtering the list, see Searching or filtering the target list on page 106.

5. Click Save Group. The new group is displayed in the Target Groups page.

See also
- Managing target groups
- Pre-defined target groups

Auto-discovery

Auto-discovery

Auto-discovery facilitates the creation of target-database connections by searching your network for potential target databases.

Auto-discovery scans for potential target databases according to your specified IP address range, database-type specification, and port numbers.

See also
- How to discover DB2 databases
- How to discover Microsoft SQL Server
- Running auto-discovery
- Adding targets from auto-discovery

How to discover DB2 databases

When attempting to discover DB2 target databases:
- The FortiDB appliance must be able to connect to TCP port 523. If the connection fails, examine firewall policies, router rules, and other causes.
- The DB2 Administration Server (DAS) must be running.

How to discover Microsoft SQL Server

When attempting to discover Microsoft SQL Server target databases, in order to display the correct database version, verify that:
- Your SQL Server instance is running.
- Your SQL Server Browser service is running.

Running auto-discovery

This topic describes how to perform auto-discovery.


To run auto-discovery, the FortiDB Administrator (the admin user that ships with FortiDB) or an administrator with the Target Manager role is required.

1. Go to Target Database Server > Auto Discovery in the left-side menu.

2. To discover a single database, enter the IP address in the From field and leave the To field blank. To discover multiple databases, enter a range of IP addresses by using both the From field and the To field.

3. Select the Add button. The discovered IP address(es) should be added to the list of IP addresses. To delete an IP address (or address range) already on the list, select the check box on the left of the IP address or range and select the Remove button.

4. Specify the database types to attempt discovery for and their respective port ranges to discover from the list.

a. Select or clear the check box(es) on the left of the list.

b. Add or edit the port ranges in the To and From fields.

5. Select one or more IP address rows and then select the Begin Discovery button. One of the following status messages will be displayed at the top of the screen.

Running...: This status appears on the right side of the view header next to "Status". The "processing" icon appears next to the page title. The Discovery Result page will display.

No databases found: No database was found at the specified IP address.

Idle: Has one of these meanings:
- User cancelled the auto-discovery process before completion.
- This is the status after Running...
- This is the status after No databases found

To stop running auto-discovery before the process is complete, select Abort.

6. The Auto Discovery Results page is displayed. One icon indicates that a database was discovered; a second icon indicates that the database was added to the targets list.


Adding targets from auto-discovery

This topic describes how to add target-database configurations to the Targets page from the Auto Discovery Results.

1. Run auto-discovery.

2. Mark the check box(es) next to the targets you want to add to your list of target databases.

3. Select the Add to Targets button at the bottom.

4. Go to the Targets page, where you should see that the auto-discovered target databases have been added to the Targets list.


Vulnerability assessment (VA) policies

Vulnerability assessment (VA) policies are best-practice business rules that FortiDB uses to assess databases.

FortiDB has hundreds of pre-defined policies that address industry and governmental compliance requirements, as well as security best practices.

See also
- Types of VA policies
- Managing VA pre-defined policies
- VA user-defined policies
- VA policy groups

Types of VA policies

You can use the following two types of policies for database vulnerability assessments:
- Pre-defined policies — Fortinet adaptation of best practice database security policy. In addition to numerous database vulnerability policies, Fortinet also provides policies that help you perform OS-level assessments, such as making sure that your OS version is appropriate for the version of your target database.
- User-defined policies — Customer or third-party adaptation of an industry or company-specific security policy. You create these types of policies using conventional or procedural SQL.

You can use the policy groups that ship with FortiDB or create your own.

See also
- Managing VA pre-defined policies
- VA user-defined policies

Updates to VA policies

Fortinet updates its policies several times a year with an XML file containing new or enhanced policies. Fortinet recommends that you import this list to keep your policies current. You can download the latest policies from FortiGuard Center. For more information, see Managing VA pre-defined policies on page 120.

Exporting and importing VA policies

If you want to move FortiDB policies to another computer, you can export the source from the FortiDB repository as XML files and then import them into the target FortiDB repository.

Before you import policies, verify that the XML file contains the correct elements.

FortiDB does not validate Database Type, Severity, and Classification when it imports policies. To view a sample of correct content, export one or more policies.


See also
- Exporting user-defined policies
- Importing user-defined policies

VA policy version

The policy version tracks the following information:
- Pre-defined policies you imported and used for assessments. The policy version number is incremented when you import pre-defined policy updates.
- User-defined policies you updated. When you use the Modify User Defined Policy page to update a user-defined policy, FortiDB does not change the policy version number. To update the policy version number, export your user-defined policy, change the policy version number, and then import the policy. You cannot import a user-defined policy that has a policy version number that is equal to or lower than the original policy version number.

When you restore data from an old archive (prior to FortiDB version 3.2.1), the data has the latest version of policies at the time you restored.

See also
- Exporting user-defined policies
- Importing user-defined policies

VA policy groups

You add policies to assessments using policy groups. A policy group must contain at least one policy.

FortiDB has the following pre-configured policy groups:
- DB2 Policy Group
- MySQL Policy Group
- Oracle Policy Group
- Pen Test Policy Group
- SQL Server Policy Group
- Sybase Policy Group
- Sybase IQ Policy Group

See also
- VA policy groups

VA policy states

A FortiDB policy can have one of the following states:


State (each state is shown in the list with its own icon): Description

Enabled: FortiDB is currently using this policy when it runs assessments.

Disabled: FortiDB is currently not using this policy when it runs assessments.

Modified and Enabled: The policy has been modified and FortiDB is currently using it when it runs assessments.

Modified and Disabled: The policy has been modified but FortiDB is not currently using it when it runs assessments.

New and Enabled: The policy is new and FortiDB is currently using it when it runs assessments.

New and Disabled: The policy is new but FortiDB is not currently using it when it runs assessments.

See also

• Managing VA pre-defined policies

Keywords and user keywords for VA policies

Keywords are read-only, pre-defined policy keywords.

User Keywords are keywords specified by you. You can use keywords to help you create policy groups.

See also

• Adding user-defined policies

Managing VA pre-defined policies

Use the Pre-Defined Policies tab to manage pre-defined policies. To view only certain policies, you can use the View dropdown list at the top of the page. You can also import additional policies or updates to existing policies.

The pre-defined policies list has the following columns:


Columns and descriptions

Status: One of Enabled, Disabled, New and Enabled, New and Disabled, Modified and Enabled, or Modified and Disabled, each shown with its icon.

Name: Pre-defined policy name.

DB Type: Oracle, Sybase, DB2, Microsoft SQL Server, MySQL, or SYBASEIQ.

Severity: User-defined severity level. There are 5 levels of severity:
• Informational (default)
• Cautionary
• Minor
• Major
• Critical

Classification: Unclassified, Configuration, Password, Privilege, Database server, Host System.

On this tab you can do the following:

• To view policies in a specific policy group only, for View, select the name of the group.
• Click Search/New Group to create a new policy group.
• To enable or disable a policy, select the policy in the list and then click Enable or Disable.
• Click Import to import new or updated policies into the FortiDB repository.
• Click Export to export all policies in the current list as an XML file.

To export pre-defined policies

1. In the navigation menu, go to Policy > VA Policies.

2. On the Pre-Defined Policies tab, for View, select All or a policy group you want to export.

The state of the checkboxes next to the individual policies does not affect which policies FortiDB exports. FortiDB always exports all items in the current list.

3. Click Export.

Your browser downloads the XML file.


See also

• Importing pre-defined policies (appliance)
• Importing pre-defined policies (software-only FortiDB)
• OS-Level pre-defined policies

Importing pre-defined policies (appliance)

To keep your policy sets current and effective, you can use the Fortinet Distribution Network (FDN) to import the new and updated policies that FortiDB periodically offers its customers.

1. In the navigation menu, go to Policy > VA Policies.

Alternatively, go to Policy > VA Policy Groups, and then click the name of a policy group.

2. Click Import.

The Pre-Defined Policy Update page is displayed.

3. Do one of the following:

• To automatically disable any new or modified policies you import, select Disable new and modified rules after import.
• To automatically enable any new or modified policies you import, clear Disable new and modified rules after import.

4. Do one of the following:

• To use icons that identify whether a policy is new or modified with the imported policies, select Identify new and modified rules with icons.
• To use icons that do not indicate whether a policy is new or modified with the imported policies, clear Identify new and modified rules with icons.

Fortinet recommends that you select Identify new and modified rules with icons.

5. Select Import Updates from FortiGuard Center.

FortiDB connects to FortiGuard Center and downloads any updates. Then, a message like “Updated 12 policies of 544 found in file” is displayed.

The downloaded update file contains all policies. However, FortiDB only updates modified policies. For example, in the sample message, the downloaded update file contains a total of 544 policies, only 12 of which needed to be updated in your system. The other 532 policies in the update file are identical to those already in your system.

Appliance users can also import policy updates by using the Select XML file to be uploaded field: click Browse, select the XML file to upload, and then click Import.


See also

• Managing VA pre-defined policies
• Importing pre-defined policies (software-only FortiDB)

Importing pre-defined policies (software-only FortiDB)

You can import pre-defined policies by uploading XML files that contain them.

Before performing this task, you may need to download one or more XML files from a designated FortiDB web or FTP site.

This task includes importing those new and updated policies that FortiDB periodically offers its customers in order to keep their policy sets current and effective.

1. In the navigation menu, go to Policy > VA Policies.

Alternatively, go to Policy > VA Policy Groups, and then click the name of a policy group.

2. Click Import.

The Pre-Defined Policy Update page is displayed.

3. For Select XML file to be uploaded, click Choose File, and then navigate to and select the update file.

4. Do one of the following:

• To automatically disable any new or modified policies you import, select Disable new and modified rules after import.
• To automatically enable any new or modified policies you import, clear Disable new and modified rules after import.

5. Do one of the following:

• To use icons that identify whether a policy is new or modified with the imported policies, select Identify new and modified rules with icons.
• To use icons that do not indicate whether a policy is new or modified with the imported policies, clear Identify new and modified rules with icons.

Fortinet recommends that you select Identify new and modified rules with icons.

6. Select Import.

The policies are added to the list on the VA Policies page.

See also

• Managing VA pre-defined policies
• Importing pre-defined policies (appliance)


OS-Level pre-defined policies

The FortiDB OS-Level pre-defined policies gather and evaluate information about the target database's operating system (OS). They use SSH and a client-side script that contains OS commands.

To assess Oracle target computers using OS-Level pre-defined policies, see Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX on page 111.

The OS-Level pre-defined policies require the following permissions:

Guarded item, purpose, and required permissions

OSVA ORCL 01.01 Oracle Critical Patches (opatch)

Purpose: Returns the opatch version and the applied critical patch numbers.

Required permissions:
• Oracle 9i, 10g, 11g, 12c: the SSH user needs execute permission on opatch, and the SSH user's PATH variable should include the location of opatch.
• Oracle 10g, 11g, 12c: the SSH user needs read, write, and execute permissions on opatch and on $ORACLE_HOME/cfgtoollogs/opatch/lsinv.

OSVA ORCL 01.02 Oracle Owner-Login Check

Purpose: Alerts if the Oracle owner, which is specified on the FortiDB Database Connection GUI, is not in /etc/passwd.

Required permissions: The SSH user needs read permission on /etc/passwd with the cat and grep commands.

OSVA ORCL 01.03 Oracle DBA-Group Check

Purpose: Alerts if dba is not in the /etc/group file.

Required permissions: The SSH user needs read permission on /etc/group with the cat and grep commands.

OSVA ORCL 01.04 Oracle DBA-Group-Member List

Purpose: Returns a list of members of the dba group from /etc/passwd and /etc/group.

Required permissions: The SSH user needs read permission on /etc/passwd and /etc/group with the cat and grep commands.

OSVA ORCL 01.05 Oracle Process-Owner Check

Purpose: Alerts if the Oracle process is being run by a non-Oracle user such as root or bin.

Required permissions: The SSH user needs execute permission on the ps and grep commands.

OSVA ORCL 01.06 Oracle Excessive Directory & File Permissions Check

Purpose: Alerts if the "other" permissions on the Oracle Home directory (and its contents) specified on the Create/Modify Database Connection screen include both read and write (and not execute).

Required permissions: The SSH user needs "other" read and execute permissions on the $ORACLE_HOME directory. For example setup instructions, see Using Minimally-Privileged User with an ACL.

OSVA ORCL 01.07 Oracle Correct Directory/File Owner & Group Check

Purpose: Alerts if files and directories under the Oracle Home directory specified on the Create/Modify Database Connection screen do not have the correct owner and group. Exempt from this check are:
• $ORACLE_HOME/bin/oracle
• $ORACLE_HOME/bin/oradism
• $ORACLE_HOME/bin/dbsnmp

Required permissions: The SSH user needs "other" read and execute permissions on the $ORACLE_HOME directory. For example setup instructions, see Using Minimally-Privileged User with an ACL.

OSVA ORCL 01.08 Oracle setuid/setgid File Check

Purpose: Alerts if setuid or setgid permissions are assigned to files and directories under the Oracle Home directory specified on the Create/Modify Database Connection screen. Exempt from this check are:
• $ORACLE_HOME/bin/oracle
• $ORACLE_HOME/bin/oradism
• $ORACLE_HOME/bin/dbsnmp

Required permissions: The SSH user needs "other" read and execute permissions on the $ORACLE_HOME directory. For example setup instructions, see Using Minimally-Privileged User with an ACL.

OSVA ORCL 01.09 Oracle Database-Configuration-Change Check

Purpose: Checks whether these database configuration files changed between the previous and current assessments:
• init.ora
• spfile.ora

Required permissions:
• The SSH user needs execute permission on ls for the $ORACLE_HOME/dbs/ directory.
• The SSH user needs read permission on the $ORACLE_HOME/dbs/ directory.

OSVA ORCL 01.10 Oracle Network-Configuration-Change Check

Purpose: Checks whether these network configuration files changed between the previous and current assessments:
• listener.ora
• tnsnames.ora
• sqlnet.ora

Required permissions:
• The SSH user needs execute permission for ls on the $ORACLE_HOME/network/admin/ directory.
• The SSH user needs read permission on the $ORACLE_HOME/network/admin/ directory.

OSVA ORCL 01.11 Oracle Installed-Operating-System Info

Purpose: Returns the OS name and version.

Required permissions:
• The SSH user needs execute permission for cat on the /etc/release file.
• The SSH user needs read permission on the /etc/release file.

OSVA ORCL 01.12 Oracle External-Procedure Processes Running Check

Purpose: Alerts if an external-procedure process is running on the target server.

Required permissions: The SSH user needs execute permission for ps and grep.

OSVA ORCL 01.13 Oracle EXTPROC

Purpose: Alerts if any EXTPROC settings are listed in listener.ora. For example: (SID_NAME = PLSExtProc)

Required permissions:
• The SSH user needs execute permission for cat on the listener.ora file.
• The SSH user needs read permission on the listener.ora file.

OSVA ORCL 01.14 Oracle Missing-Listener-Password Check

Purpose: Alerts if a PASSWORD setting is missing in listener.ora.

Required permissions:
• The SSH user needs execute permission for cat on the listener.ora file.
• The SSH user needs read permission on the listener.ora file.

OSVA ORCL 01.15 Oracle Missing-Listener-ADMIN_RESTRICTIONS Check

Purpose: Alerts if an ADMIN_RESTRICTIONS setting is missing in listener.ora.

Required permissions:
• The SSH user needs execute permission for cat on the listener.ora file.
• The SSH user needs read permission on the listener.ora file.

OSVA ORCL 01.16 Oracle Default-Listener Check

Purpose: Alerts if the default LISTENER is set in listener.ora.

Required permissions:
• The SSH user needs execute permission for cat on the listener.ora file.
• The SSH user needs read permission on the listener.ora file.

OSVA ORCL 01.17 Oracle Default-Port (1521) Check

Purpose: Alerts if the default PORT is set in listener.ora.

Required permissions:
• The SSH user needs execute permission for cat on the listener.ora file.
• The SSH user needs read permission on the listener.ora file.

OSVA ORCL 01.18 Oracle Advanced-Listener-Security Settings Check

Purpose: Alerts if any Oracle Advanced Security settings are missing in sqlnet.ora. For example, the presence of the following would not cause an alert:

SQLNET.ENCRYPTION_SERVER = Requested

Required permissions:
• The SSH user needs execute permission for grep on the sqlnet.ora file.
• The SSH user needs read permission on the sqlnet.ora file.

OSVA ORCL 01.19 Oracle Configured Listener List

Purpose: Displays all listener names.

Required permissions:
• The SSH user needs execute permission for cat on the listener.ora file.
• The SSH user needs read permission on the listener.ora file.

OSVA ORCL 01.20 Oracle Unencrypted Listener Password Check

Purpose: Alerts if the password in listener.ora is unencrypted. Encrypted passwords should be 16 characters long and consist only of uppercase letters from A to F or numbers. For example, the following is an acceptably encrypted password and would not generate an alert:

PASSWORDS_LISTENER = F56401ADBA6810DS

Required permissions:
• The SSH user needs execute permission for cat on the listener.ora file.
• The SSH user needs read permission on the listener.ora file.

Use your known_hosts file to give access to certain hosts only.
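The listener.ora and sqlnet.ora conditions in the table above (OSVA ORCL 01.13 to 01.20), reimplemented as an offline check in Python. This is an added example, not FortiDB's own script; the two listener configurations and the sqlnet.ora fragments are constructed, and the set of parameters treated as Oracle Advanced Security settings is an assumption.

```python
"""Offline check of listener.ora / sqlnet.ora text for the conditions the
OSVA ORCL 01.13 to 01.20 policies look for. Added example, not FortiDB code:
FortiDB runs these checks over SSH with cat/grep on the target host."""
import re

# Constructed sample: a listener configuration that trips most checks.
LISTENER_WEAK = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
    )
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /oracle/db1)
      (PROGRAM = extproc)
    )
  )
PASSWORDS_LISTENER = (oracle)
"""

# Constructed sample: a listener configuration that satisfies every check.
LISTENER_HARDENED = """\
LSNR_PROD =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1526))
  )
PASSWORDS_LSNR_PROD = (F56401ADBA681000)
ADMIN_RESTRICTIONS_LSNR_PROD = ON
"""

SQLNET_WEAK = "SQLNET.AUTHENTICATION_SERVICES = (NTS)\n"
SQLNET_HARDENED = "SQLNET.ENCRYPTION_SERVER = Requested\n"

# Encrypted listener password as the handbook states the rule: 16 characters,
# each a digit or an uppercase letter A to F.
ENCRYPTED_PW = re.compile(r"[0-9A-F]{16}")

# Assumption: these parameter prefixes are what "Oracle Advanced Security
# settings" means for the sqlnet.ora check (01.18).
ADVANCED_SECURITY_PREFIXES = ("SQLNET.ENCRYPTION_", "SQLNET.CRYPTO_CHECKSUM_")


def parse_ora(text):
    """Split a *.ora file into top-level NAME = VALUE entries.

    A top-level entry starts at column 0; continuation lines are indented.
    Blank and comment lines are dropped. Returns {NAME: value_text}.
    """
    entries, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = re.match(r"([A-Za-z][\w.]*)\s*=\s*(.*)$", line)
        if m:
            name = m.group(1).upper()
            entries[name] = m.group(2)
        elif name is not None:
            entries[name] += "\n" + line
    return entries


def audit_listener(text):
    """Return the 01.13 to 01.20 findings for one listener.ora text."""
    entries = parse_ora(text)
    # 01.19: a listener definition is any top-level entry carrying an ADDRESS.
    listeners = [n for n, v in entries.items() if "(ADDRESS" in v.upper()]
    f = {"listeners": listeners}
    # 01.13: EXTPROC configured via SID_NAME = PLSExtProc or PROGRAM = extproc.
    f["extproc"] = any(
        re.search(r"SID_NAME\s*=\s*PLSEXTPROC|PROGRAM\s*=\s*EXTPROC", v.upper())
        for v in entries.values())
    # 01.16 / 01.17: default listener name and default port 1521.
    f["default_listener"] = "LISTENER" in listeners
    f["default_port"] = any(
        re.search(r"\(PORT\s*=\s*1521\)", entries[n]) for n in listeners)
    # 01.14 / 01.15 / 01.20, evaluated per listener name.
    f["missing_password"], f["missing_admin_restrictions"] = [], []
    f["unencrypted_password"] = []
    for lsnr in listeners:
        pw = entries.get("PASSWORDS_" + lsnr)
        if pw is None:
            f["missing_password"].append(lsnr)
        elif not all(ENCRYPTED_PW.fullmatch(t) for t in re.findall(r"\w+", pw)):
            f["unencrypted_password"].append(lsnr)
        if "ADMIN_RESTRICTIONS_" + lsnr not in entries:
            f["missing_admin_restrictions"].append(lsnr)
    return f


def audit_sqlnet(text):
    """01.18: alert when no Advanced Security parameter is present at all."""
    keys = parse_ora(text)
    return not any(k.startswith(ADVANCED_SECURITY_PREFIXES) for k in keys)
```

Note that the handbook's printed sample value for an "acceptably encrypted" password contains a letter outside A to F, so confirm the rule against output from your own listener before relying on the strict pattern.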

See also

• Setting an access control list (ACL) for minimally-privileged users

Setting an access control list (ACL) for minimally-privileged users

To provide more secure access to target databases, create an access control list (ACL): for example, an ACL that enables a minimum-permission user to perform, via SSH, the OS-level operations used by the FortiDB OS-level pre-defined policies.

In general, you create a user, belonging to the nobody group, on your target database machine. Then, use an ACL to give that user only the specific permissions necessary to execute the OS-level pre-defined policies that you are interested in.

The following examples grant the SSH user read and execute permissions on the $ORACLE_HOME directory, which is required by some operating system vulnerability assessment (OSVA) pre-defined policies.

Example one: Set ACL on an Oracle 10g target server for OSVA ORCL 01.01

1. Assume the SSH user is fortidb.

$ setfacl -m user:fortidb:rwx,mask:rwx $ORACLE_HOME/cfgtoollogs/opatch/lsinv

2. To confirm permissions:

$ getfacl $ORACLE_HOME/cfgtoollogs/opatch/lsinv


This command returns something like the following response:

# file: /export/home/ora1020/product/10.2.0/Db_1/cfgtoollogs/opatch/lsinv
# owner: ora1020
# group: oinstall
user::rwx
user:fortidb:rwx        #effective:rwx   <--- Please check it
group::r-x              #effective:r-x
mask:rwx
other:r-x

Example two: Set ACL on an Oracle 9, 10g, 11g, or 12c target server for OSVA ORCL 01.06, 01.07, and 01.08

This example describes how to set an ACL on an Oracle target server for OSVA ORCL 01.06, 01.07, and 01.08.

1. In order to find the directories within $ORACLE_HOME for which the required permissions do not exist, execute the following, as the Oracle owner (see o_owner), on your target-database machine:

$ find $ORACLE_HOME \( -type d \) -a \( ! -perm -o+rx \) -ls | awk '{print $3,$11}'

which might return something like:

drwx------ /oracle/db1/Apache/Apache/conf/ssl.key
drwxr-x--- /oracle/db1/.patch_storage

2. Using the File Access Control List program, grant the appropriate permissions to sshuser:

$ setfacl -m user:sshuser:r-x,mask:r-x /oracle/db1/Apache/Apache/conf/ssl.key

$ setfacl -m user:sshuser:r-x,mask:r-x /oracle/db1/.patch_storage

3. (Optionally) confirm that correct permissions were granted with:

$ getfacl /oracle/db1/Apache/Apache/conf/ssl.key

$ getfacl /oracle/db1/.patch_storage

which would return something like:

# file: /export/home/ora1020/product/10.2.0/Db_1/.patch_storage
# owner: ora1020
# group: oinstall
user::rwx
user:mitagaki:rwx       #effective:r--
group::r--              #effective:r--
mask:r--
other:---

4. (Optionally) you can revoke permissions with:

$ setfacl -d user:sshuser:r-x,mask:r-x /oracle/db1/Apache/Apache/conf/ssl.key

$ setfacl -d user:sshuser:r-x,mask:r-x /oracle/db1/.patch_storage

If you cannot give read (r) and execute (x) permission to the directory, FortiDB VA produces a "Permission denied" error in the report, which you can ignore.


See also

• OS-Level pre-defined policies

VA user-defined policies

On the Policies page, you can manage user-defined policies in the User-Defined Policies tab. Use the View list at the top of the page to filter the list. You can also import additional policies or updates to existing policies.

Columns and descriptions

Status: One of Enabled, Disabled, New and Enabled, New and Disabled, Modified and Enabled, or Modified and Disabled, each shown with its icon.

Name: User-defined policy name.

DB Type: Oracle, Sybase, DB2, Microsoft SQL Server, MySQL, or SYBASEIQ.

Severity: User-defined severity level. There are 5 levels of severity:
• Informational (default)
• Cautionary
• Minor
• Major
• Critical

Classification: Unclassified, Configuration, Password, Privilege, Database server, Host System.

The tab provides the following controls:

• The View dropdown enables you to limit the policies that you view to only those within a certain policy group.
• A button (shown as an icon) enables you to create a new policy group.
• The Add button enables you to create your own user-defined policy.
• The Delete button enables you to delete the policies for which a check box has been checked.
• The Enable button enables you to activate the policies for which a check box has been checked.
• The Disable button enables you to deactivate the policies for which a check box has been checked.
• The Import button enables you to import new or updated policies into the FortiDB repository.
• The Export button enables you to export all policies on the screen as an XML file.


See also

• Adding user-defined policies
• Deleting user-defined policies
• Exporting user-defined policies
• Importing user-defined policies

Adding user-defined policies

1. Go to Policy > VA Policies in the left-side menu.

2. Select the User-Defined Policies tab.

3. Select the Add button.

4. Fill in the appropriate fields. Some of the fields to note are:

Field name and description

ID: Enter a unique designator that can include any character, including alphanumerics, special characters, and white spaces.

SQL query: Enter the query that will be used when this user-defined policy is applied during an assessment.

Result Column Name(s): Entries in this field are the column names referred to in the SQL query field. Multiple entries are delimited by semicolons. The names can either be actual column names in your query, like empno in 'SELECT empno FROM scott.emp', or aliases like enumber in 'SELECT empno AS "  enumber" FROM scott.emp'. Leading or trailing spaces in the alias expression must also be specified in this field for the column's values to appear in your report. For example, if there are two leading spaces in "  enumber", include both spaces in the Result Column Name(s) value. You can use the '*' column wild card in your queries; however, you must separately specify the name of each column for which you want report results. If, for example, you use 'SELECT * FROM scott.emp' against an Oracle target database, you must enter "empno;ename;job;mgr;hiredate;sal;comm;deptno" in this field in order to get a report on all columns in scott.emp. Note: Do not put spaces before or after the semicolons unless your aliased column names also have leading or trailing spaces, respectively.

Result Column Label(s): Entries in this field are the column names that you would like to see in your reports. Multiple entries are delimited by semicolons. Note: If you don't populate this field, your report's column headers will be the entries used for the Result Column Name(s) field.

Keywords: Entries in this field can be used when using a filter to create policy groups.

5. Select the Save button.

Here is an Oracle example, which assumes you have access to the SCOTT schema:

a. Create a policy with these entries:

• ID: unique designator
• Database type: Oracle
• SQL query: SELECT empno, ename from scott.emp
• Result Column Name(s): empno;ename
• Result Column Label(s): Employee Number;Employee Name
• Severity: Informational
• Classification: Unclassified

b. Select Save to save myOracleUDP1.

c. Create a policy group, myUDPGroup, containing the new policy.

d. Create an assessment that runs against an Oracle target group and that uses myUDPGroup.

e. Run a Detailed (Pre-Defined) Report against your assessment. You should see several rows of Scan Results like this in the Informational Vulnerabilities section:

• Employee Number: 7369 Employee Name: SMITH

Here is another, slightly different, Oracle example, which uses column-name aliasing and, again, assumes you have access to the SCOTT schema:

a. Create a policy with these entries:

• ID: can be any value
• Name: myOracleUDP2
• Database type: Oracle
• SQL query: SELECT empno as "EmpID", ename as "Worker" from scott.emp
• Result Column Name(s): EmpID;Worker
• Result Column Label(s): Employee Number;Employee Name
• Severity: Informational
• Classification: Unclassified

b. Select Save to save myOracleUDP2.

c. Create a policy group, myUDPGroup, containing the new policy.

d. Create an assessment that runs against an Oracle target group and that uses myUDPGroup.

e. Run a Detailed (Pre-Defined) Report against your assessment. You should see several rows of Scan Results like this in the Informational Vulnerabilities section:

• Employee Number: 7369 Employee Name: SMITH


See also

• VA user-defined policies
• Deleting user-defined policies
• Exporting user-defined policies
• Importing user-defined policies

Deleting user-defined policies

This topic describes how to delete user-defined policies.

1. Go to Policy > VA Policies in the left-side menu.

2. Select the User-Defined Policies tab.

3. Mark the check box(es) corresponding to the user-defined policy you want to delete.

4. Select the Delete button.

See also

• VA user-defined policies
• Adding user-defined policies
• Exporting user-defined policies
• Importing user-defined policies

Exporting user-defined policies

This topic describes how to export user-defined policies.

1. Go to Policy > VA Policies in the left-side menu.

2. Select the User-Defined Policies tab.

3. In the View dropdown list, select All or a policy group you want to export.

The checkboxes next to the individual policies have no effect when exporting. FortiDB exports all policies in the list regardless of whether the checkbox for an item is selected.

4. Select the Export button.

5. Save the XML file.

See also

• VA user-defined policies
• Adding user-defined policies
• Deleting user-defined policies
• Importing user-defined policies


Importing user-defined policies

This topic describes how to import user-defined policies.

1. Go to Policy > VA Policies in the left-side menu.

2. Select the User-Defined Policies tab.

3. Select the Import button.

4. Enter the path to the XML file you want to import, or select the Browse button and select the XML file you want to import.

To successfully import your policies, you must increase the value of the version attribute (for example, you must change version="3" to version="4"), which can be found in the <VaPolicy> element.

5. Select or clear the Deactivate new and modified rules after import check box.

• If you select this, the new and modified rules are deactivated after import.
• If you clear this, the new and modified rules are activated after import.

6. Select or clear the Identify new and modified rules with icons check box.

• If you select this, you can identify new and modified rules with icons.
• If you clear this, you cannot identify new and modified rules with icons.

7. Select the Import button.
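The version-attribute rule in step 4, together with the earlier note (under Exporting and importing VA policies) that FortiDB does not validate Database Type, Severity, or Classification on import, as an added Python pre-import check. This is not FortiDB code: the sample export and every element name except <VaPolicy> and its version attribute are assumptions, so take the real names from a file you exported yourself.

```python
"""Pre-import check and version bump for an exported FortiDB user-defined
policy XML file. Added example, not FortiDB code.

FortiDB does not validate Database Type, Severity or Classification on
import, and a user-defined policy imports only when its version attribute
is higher than the copy already in the repository, so this script checks
those values and increments <VaPolicy version="..">. Assumption: the child
element names below are placeholders; take the real ones from a policy you
exported from your own FortiDB.
"""
import xml.etree.ElementTree as ET

# Allowed values as listed on the Pre-Defined / User-Defined Policies pages.
DB_TYPES = {"Oracle", "Sybase", "DB2", "Microsoft SQL Server", "MySQL", "SYBASEIQ"}
SEVERITIES = {"Informational", "Cautionary", "Minor", "Major", "Critical"}
CLASSIFICATIONS = {"Unclassified", "Configuration", "Password", "Privilege",
                   "Database server", "Host System"}

# Constructed sample export; element names other than VaPolicy are assumed.
SAMPLE_XML = """\
<VaPolicies>
  <VaPolicy version="3">
    <Id>myOracleUDP1</Id>
    <Name>myOracleUDP1</Name>
    <DatabaseType>Oracle</DatabaseType>
    <Severity>Informational</Severity>
    <Classification>Unclassified</Classification>
    <SqlQuery>SELECT empno, ename FROM scott.emp</SqlQuery>
    <ResultColumnNames>empno;ename</ResultColumnNames>
  </VaPolicy>
  <VaPolicy version="2">
    <Id>badPolicy</Id>
    <Name>badPolicy</Name>
    <DatabaseType>MSSQL</DatabaseType>
    <Severity>High</Severity>
    <Classification>Unclassified</Classification>
    <SqlQuery>SELECT name FROM sys.databases</SqlQuery>
  </VaPolicy>
</VaPolicies>
"""


def validate_policy(policy):
    """Return the problems found in one <VaPolicy> element (empty list = ok)."""
    problems = []
    for tag, allowed in (("DatabaseType", DB_TYPES), ("Severity", SEVERITIES),
                         ("Classification", CLASSIFICATIONS)):
        value = policy.findtext(tag)
        if value is None:
            problems.append(f"missing <{tag}>")
        elif value not in allowed:
            problems.append(f"<{tag}> value {value!r} is not one of {sorted(allowed)}")
    for tag in ("Id", "Name", "SqlQuery"):
        if not (policy.findtext(tag) or "").strip():
            problems.append(f"missing or empty <{tag}>")
    if not policy.get("version", "").isdigit():
        problems.append("version attribute missing or not an integer")
    return problems


def bump_versions(xml_text, repo_versions):
    """Validate every policy and raise each valid one's version above the
    repository copy.

    repo_versions maps policy Id to the version already in the target FortiDB
    (absent = new policy). Returns (new_xml_text, {Id: [problems]}).
    """
    root = ET.fromstring(xml_text)
    report = {}
    for policy in root.iter("VaPolicy"):
        pid = policy.findtext("Id") or "<no id>"
        report[pid] = validate_policy(policy)
        if report[pid]:
            continue  # leave an invalid policy untouched; fix it before importing
        in_file = int(policy.get("version"))
        in_repo = repo_versions.get(pid, 0)
        # The import is rejected unless the file version exceeds the repository's.
        policy.set("version", str(max(in_file, in_repo) + 1))
    return ET.tostring(root, encoding="unicode"), report


if __name__ == "__main__":
    new_xml, report = bump_versions(SAMPLE_XML, {"myOracleUDP1": 3})
    for pid, problems in report.items():
        print(pid, "OK" if not problems else problems)
    print(new_xml)
```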

See also

• VA user-defined policies
• Adding user-defined policies
• Deleting user-defined policies
• Exporting user-defined policies

VA policy groups

The Policy Groups page displays all policy groups with group names and descriptions.

Use the Policy Groups page to perform the following tasks:

• Add a new policy group by selecting Add. See Adding VA policy groups on page 135.
• Modify a policy group by selecting the group name. See Modifying VA policy groups on page 136.
• Delete policy groups by selecting the group check box, and then clicking Delete.

The following pre-defined policy groups are available:

Group: Policies included

DB2 Policy Group: DB2 policies

MySQL Policy Group: MySQL policies

Oracle Policy Group: Oracle policies

SQL Server Policy Group: SQL Server policies

Sybase Policy Group: Sybase policies

Pen Test Policy Group: Penetration tests on page 137

CIS Policy Group: CIS benchmark policies

Sybase IQ Policy Group: Sybase IQ policies

See also

• Adding VA policy groups
• Modifying VA policy groups
• Deleting VA policy groups

Adding VA policy groups

This topic describes the task of creating groups for predefined or user-defined policies by using filtering criteria.

1. Go to Policy > VA Policy Groups in the left-side menu.

2. Select the Add button.

3. On the subsequent Policies page, choose either the Pre-Defined Policies tab or the User-Defined Policies tab and then fill in the text boxes:

a. Use the Policy Type dropdown in order to create a group consisting of just pre-defined policies, user-defined policies, or both (All).

b. Use the Group Name text box to enter a name that will show up in the saved policy-group list. Use the optional Description text box to describe your filtering/grouping criteria.

c. To create a filtering condition, enter a Column on which you would like to filter, an Operator that associates the Column with a Value, and a Value that the Column must match.

d. You can add or subtract, respectively, filtering criteria rows by selecting the + (plus) or - (minus) buttons.

You cannot use the same Column in multiple rows. For example, you cannot establish criteria that include all the policies with a Severity of Minor and all the policies with a Severity of Major.

In order to cancel creating a new policy-group filter and go back to the main Policies page, select the icon.

Here are some examples of filtering criteria:

• Attribute Severity, Operator Equals, Value Minor: returns all policies with a Severity of Minor.
• Attribute Database Type, Operator Equals, Value DB2: returns all policies associated with DB2 databases.

4. To test your filtering criteria, select the Apply button.

5. To save the group you created, select the icon.

In order to modify an existing group, select the Name of the group on the Policy Groups page.
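The filtering rules above (criteria rows combined, no Column in two rows, and a group that must contain at least one policy), as an added Python example that is not FortiDB code; the policy records are constructed and Equals is the only operator modelled, since it is the one the examples use.

```python
"""Policy-group filter as the Adding VA policy groups steps describe it:
criteria rows (Column, Operator, Value) are combined, one Column may appear
in only one row, and a saved group must contain at least one policy.
Added example, not FortiDB code; the policy records below are constructed."""

# Constructed policy list with the columns the Policies pages show.
POLICIES = [
    {"Name": "Oracle default SYS password", "Database Type": "Oracle",
     "Severity": "Critical", "Classification": "Password",
     "Policy Type": "Pre-Defined"},
    {"Name": "DB2 PUBLIC catalog privileges", "Database Type": "DB2",
     "Severity": "Minor", "Classification": "Privilege",
     "Policy Type": "Pre-Defined"},
    {"Name": "DB2 instance configuration", "Database Type": "DB2",
     "Severity": "Major", "Classification": "Configuration",
     "Policy Type": "Pre-Defined"},
    {"Name": "myOracleUDP1", "Database Type": "Oracle",
     "Severity": "Informational", "Classification": "Unclassified",
     "Policy Type": "User"},
]

# Equals is the operator the handbook's filtering examples use.
OPERATORS = {"Equals": lambda actual, wanted: actual == wanted}


def build_group(policies, criteria, policy_type="All"):
    """Return the names of the policies a group built from `criteria` holds.

    criteria: list of (Column, Operator, Value) rows. Raises ValueError in the
    two cases the page rejects: a Column used twice, or an empty group.
    """
    columns = [column for column, _, _ in criteria]
    repeated = sorted({c for c in columns if columns.count(c) > 1})
    if repeated:
        raise ValueError(f"Column used in more than one row: {repeated}")
    members = []
    for policy in policies:
        if policy_type != "All" and policy["Policy Type"] != policy_type:
            continue
        # Rows are ANDed: every row must hold for the policy to be included.
        if all(OPERATORS[op](policy[column], value)
               for column, op, value in criteria):
            members.append(policy["Name"])
    if not members:
        raise ValueError("a policy group must contain at least one policy")
    return members


def minor_and_major_db2(policies):
    """Severity Minor *or* Major cannot be one group (same Column twice), so
    build one group per severity and combine the results."""
    names = set()
    for severity in ("Minor", "Major"):
        names.update(build_group(policies,
                                 [("Database Type", "Equals", "DB2"),
                                  ("Severity", "Equals", severity)]))
    return sorted(names)
```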

See also

• VA policy groups
• Modifying VA policy groups
• Deleting VA policy groups

Modifying VA policy groups

This topic describes how to modify an existing policy group.

1. Go to Policy > VA Policy Groups from the left-side menu.

2. In the Policy Groups page, click the name of a policy group that you want to modify.

3. Modify the policy name or description if necessary.

4. Select the Policy Type from the dropdown list (All, Pre-Defined, or User).

5. To create a filtering condition, enter a Column on which you would like to filter, an Operator that associates the Column with a Value, and a Value that the Column must match.

6. You can add or subtract, respectively, filtering criteria rows by selecting the + (plus) or - (minus) buttons.

You cannot use the same Column in multiple rows. For example, you cannot establish criteria that include all the policies with a Severity of Minor and all the policies with a Severity of Major.

In order to cancel modifying the policy-group filter and go back to the main Policies page, select the icon.

7. To test your filtering criteria, select the Apply button.

8. Click to save.


See also

• VA policy groups
• Adding VA policy groups
• Deleting VA policy groups

Deleting VA policy groups

This topic describes how to delete a policy group.

1. Go to Policy > VA Policy Groups in the left-side menu.

2. Check the check box(es) corresponding to the policy group(s) you want to delete.

3. Click the Delete button.

See also

• VA policy groups
• Adding VA policy groups
• Modifying VA policy groups

Penetration tests

A penetration test (or pentest) examines your target databases for weak passwords.

Like any other type of assessment, you can run pen tests either immediately or schedule them for a convenient time.

FortiDB does not support penetration tests for Sybase IQ target databases.

See also

• Connection options for penetration tests
• Files used for penetration tests
• Configuring and running penetration test assessments

Connection options for penetration tests

For penetration tests, FortiDB uses one of the following options to connect to target databases:

• Login — The login connection method is available for all target database types.
• Hash-based — A 'hash' is the value that is the result of encrypting a clear-text string. The hash-based method is a safer, offline approach, but it is available for Oracle and Microsoft SQL target databases only. If you use the hash-based method for Sybase or DB2 targets, FortiDB cannot apply any of the pentest policies, the assessment result is essentially empty, and no error is reported.
• Hybrid — FortiDB uses the hash-based method if it is available (that is, when the database is Oracle or Microsoft SQL). Otherwise, it uses the login method.


If the penetration test login attempts are unsuccessful, the database may prevent any users, including valid users, from logging in.

See also

- Configuring and running penetration test assessments

Files used for penetration tests

Penetration test policies use username and password information stored in a set of text files to assess databases.

For the Dictionary pen test policy, FortiDB allows you to select a password dictionary text file to use instead of the default dictionary.

In addition, if you are using the software version of FortiDB, you can customize the other pentest policy text files.

The custom files allow you to specify the usernames and passwords to use in the test instead of testing all database usernames. These files are <dbtype>default.txt and <dbtype>user.txt, where <dbtype> specifies the type of database using one of the following strings:

- ora for Oracle
- sql for MS-SQL
- db2 for DB2
- syb for Sybase
- mysql for MySQL

If you are using either the appliance or software version of FortiDB, you can use the Assessment properties to select an alternative password dictionary file. However, appliance version users cannot access or change the default dictionary.txt, <dbtype>default.txt and <dbtype>user.txt files.

Policy name: Default Password
File: <dbtype>default.txt
Content evaluated: All the username-password pairs in the file. The values in <dbtype>default.txt represent system accounts that ship with an RDBMS and their default passwords. For example, for Oracle, SYS, SYSTEM, and SCOTT, and for Microsoft SQL, SA.

Policy name: Dictionary
File: <dbtype>user.txt, dictionary.txt
Content evaluated: The pairing of each username in the <dbtype>user.txt file with every password in the dictionary.txt file.
Note: When FortiDB executes the pentest Dictionary policy, it automatically adds the domain name to the password list.

Policy name: Number Following Username
File: <dbtype>user.txt
Content evaluated: The pairing of usernames in the file with a password created by adding one or more numbers to the end of the username.

Policy name: Same as Username
File: <dbtype>user.txt
Content evaluated: The pairing of usernames in the file with a password that is the same as the username.

Policy name: Username Following Number
File: <dbtype>user.txt
Content evaluated: The pairing of usernames in the file with a password created by adding one or more numbers to the beginning of the username.

Policy name: Username Reversed
File: <dbtype>user.txt
Content evaluated: The pairing of usernames in the file with a password created by spelling the username backwards.

See also

- Configuring and running penetration test assessments

Configuring and running penetration test assessments

To configure and run penetration testing against target databases

1. Ensure that the FortiDB database user specified in the target configuration for the database you want to test has the required privileges.

For more information, see Privileges for VA assessments, privilege summaries, and penetration tests on page 95.

2. In the navigation menu, go to Administration > Global Configuration, and then click the Assessment tab.

3. Complete the following settings:

Enable Pen Test: Select True.

Enable Pen Test For All Users in Database (software-only version): When set to false, all pentest policies except Default Password test the database using the usernames in <dbtype>user.txt only. When set to true, the policies test using all database usernames. For information on creating the <dbtype>user.txt file, see step 5. For more information on the file, see Files used for penetration tests on page 138.

Pen Test Method: Specify the method that FortiDB uses to connect to databases for penetration tests using one of the following values:
- 1 - Login method
- 2 - Hash-based method (available for Oracle or Microsoft SQL databases only)
- 3 - Hybrid method (FortiDB uses the hash-based method when it is available)
For more information on these settings, see Connection options for penetration tests on page 137.

Pen Test Password Dictionary: Specify the file that contains the passwords that the Dictionary policy checks. If you do not select a file, the policy uses the default dictionary. The Browse button allows you to select a dictionary file. Click Save to complete your selection. FortiDB does not display the name of the uploaded file. To restore the default dictionary, select the Pen Test Password Dictionary item, click Restore Default(s), and then click Save. Your dictionary file is deleted. For software-only versions of FortiDB, for information on creating the dictionary.txt file, see step 5. For more information on the password dictionary file, see Files used for penetration tests on page 138.

4. To make your pentest settings take effect, restart FortiDB.

5. For software version users:
- If you set Enable Pen Test For All Users in Database to false, copy the <dbtype>user.txt file from <FortiDB installation directory>/etc/conf/pentest to <FortiDB installation directory>/conf/pentest, where <dbtype> is the string that specifies the type of database to assess. Replace the system account and password values in the file with the values that you want the pentest policies to use (except the Default Password policy).
- For the oradefault.txt file, ensure that the system account and password values are in uppercase.
- If you want the Default Password policy to use a custom list of system accounts with default passwords instead of the default list, copy the <dbtype>default.txt file from <FortiDB installation directory>/etc/conf/pentest to <FortiDB installation directory>/conf/pentest, where <dbtype> is the string that specifies the type of database to assess. Replace the usernames and password values in the file with the values that you want the Default Password policy to use.
- For the orauser.txt file, ensure that the usernames and passwords are in uppercase.
- If you did not use the Pen Test Password Dictionary property to select a password dictionary file and want the Dictionary policy to use a custom dictionary, copy the dictionary.txt file from <FortiDB installation directory>/etc/conf/pentest to <FortiDB installation directory>/conf/pentest. Replace the password values in the file with the values that you want the Dictionary policy to use.

For more information on the files, see Files used for penetration tests on page 138.

6. Go to Policy > VA Policy Groups, and then click Pen Test Policy Group.

7. To enable or disable pentest policies, select the checkbox for one or more policies, and then click Enable or Disable.

8. Optionally, to edit a policy, click the policy name, edit the settings, and then click Save.

9. Assign the Pen Test Policy Group to a new or existing assessment.

For detailed instructions, see Adding or modifying assessments on page 181.

10. Run the assessment.

For detailed instructions, see Running assessments on page 182.

11. Evaluate the results of your assessment.

"Failed" means your passwords are weak and may not protect you from malicious login attempts.

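The username-based checks that the pentest policies perform (Same as Username, Number Following Username, Username Following Number, Username Reversed, Dictionary with the domain name added, and the Default Password list) are simple enough to model, and a model is useful as a pre-check: a DBA can confirm that a password about to be set would not come back as "Failed" in the next assessment. The following Python script is an added example, not FortiDB code. The password dictionary and the default-credential list are constructed placeholders that stand in for dictionary.txt and <dbtype>default.txt, whose formats the handbook does not specify.

```python
import re

# Constructed sample inputs, not FortiDB's shipped files.
DICTIONARY = {"welcome", "password", "oracle", "changeme"}
# Placeholder default credentials of the kind <dbtype>default.txt holds;
# the password values here are deliberately fake.
DEFAULT_CREDENTIALS = {
    ("SYS", "EXAMPLE_DEFAULT"),
    ("SYSTEM", "EXAMPLE_DEFAULT"),
    ("SCOTT", "EXAMPLE_DEFAULT"),
}


def pattern_failures(username, password, dictionary=DICTIONARY, domain=None):
    """Names of the pentest policies (as the handbook describes them) whose check
    the (username, password) pair would fail. `domain` mirrors the handbook note
    that the Dictionary policy adds the domain name to the password list."""
    failed = []
    words = set(dictionary) | ({domain} if domain else set())
    if password in words:
        failed.append("Dictionary")
    if username:                       # the username-derived checks need a name
        u = re.escape(username)
        if password == username:
            failed.append("Same as Username")
        if re.fullmatch(u + r"\d+", password):       # username then 1+ digits
            failed.append("Number Following Username")
        if re.fullmatch(r"\d+" + u, password):       # 1+ digits then username
            failed.append("Username Following Number")
        if password == username[::-1]:
            failed.append("Username Reversed")
    return failed


def default_password_failure(username, password, defaults=DEFAULT_CREDENTIALS):
    """True if the pair is one of the shipped default system-account credentials
    (the Default Password policy). The comparison is exact; the handbook says the
    Oracle files must hold uppercase values."""
    return (username, password) in defaults


def audit_accounts(accounts, **kwargs):
    """accounts: iterable of (username, password). Returns {username: [policies]}
    for every account that would fail at least one policy."""
    report = {}
    for user, pw in accounts:
        failed = ["Default Password"] if default_password_failure(user, pw) else []
        failed += pattern_failures(user, pw, **kwargs)
        if failed:
            report[user] = failed
    return report
```

Calling `audit_accounts` over a list of proposed credentials returns only the accounts that would be reported, with the policy names as the reason, which is the same information the assessment result gives after the fact.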
See also

- Connection options for penetration tests
- Files used for penetration tests

Data discovery policies and policy groups

The FortiDB sensitive data discovery feature uses the data discovery policies to search a target database for sensitive information located in tables and columns. You use data discovery policy groups to add these policies to the sensitive data discovery configuration for a target database.

For information on running sensitive data discovery, see Sensitive data discovery on page 193.


Managing data discovery policies

Go to Policy > Data Discovery Policies to perform data discovery policy tasks such as adding or enabling a policy.

To edit a policy, click its name.

To create a policy, click Add.

The Data Discovery Policies and Edit Alert Policy pages display the following columns and settings.

Status (policy list only): An icon shows whether the policy is enabled or disabled. To enable or disable policies, select the checkbox for one or more policies, and then click Enable or Disable.

Policy Name: The policy name.

Policy Type: Either BUILT_IN or USER_DEFINED. You cannot delete built-in policies.

Match Rule: Specifies the type of data FortiDB searches for:
- TEXT: simple text
- CREDIT_CARD: 16-digit number
- EMAIL: email address
- SSN: 9-digit Social Security number (SSN)
FortiDB applies this criterion after any specified Column Name Pattern and Data Pattern criteria.

Column Name Pattern: Specifies the pattern FortiDB searches for in table column names. Can be a specific value or a regular expression. If left blank, FortiDB does not search table column names.

Data Pattern: Specifies the pattern FortiDB searches for in the first 40 rows of the database. Can be a specific value or a regular expression. If left blank or the value is .+ (a period followed by a plus sign), FortiDB does not search the sample set of rows.

(checkbox) (edit policy only): Specifies whether search results include matches for either the Column Name Pattern or the Data Pattern, or only matches for both patterns. If checked, a match on either pattern produces a result; otherwise both patterns must match.

Description (edit policy only): A description of the policy.

To export a policy as an XML format file, select the checkbox for one or more policies, and then click Export.

Your web browser downloads the file.

To import a policy, click Import, use the file selection option to navigate to and select an XML format file, and then click Import.
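To make the interaction of Match Rule, Column Name Pattern, Data Pattern, the either/both checkbox and the 40-row sample concrete, here is an added Python model of how a data discovery policy is evaluated against a table; it is not FortiDB code. The regular expressions used for CREDIT_CARD, EMAIL and SSN, the case-insensitive column-name match, and the behaviour when neither pattern is set are assumptions of this model, and the table is constructed sample data.

```python
import re
from dataclasses import dataclass

SAMPLE_ROWS = 40  # the handbook: the Data Pattern is checked against the first 40 rows

# Assumed regular expressions for the Match Rule types; the handbook names the
# types but does not publish FortiDB's own patterns.
MATCH_RULES = {
    "TEXT": None,                                   # no constraint beyond the patterns
    "CREDIT_CARD": re.compile(r"\d{16}"),           # 16-digit number
    "EMAIL": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    "SSN": re.compile(r"\d{9}"),                    # 9-digit number
}


@dataclass
class DiscoveryPolicy:
    name: str
    match_rule: str = "TEXT"
    column_name_pattern: str = ""   # blank: column names are not searched
    data_pattern: str = ""          # blank or ".+": the sample rows are not searched
    match_either: bool = False      # the checkbox: either pattern suffices, else both must match


def _column_hit(policy, column):
    if not policy.column_name_pattern:
        return None                 # criterion not evaluated
    return re.search(policy.column_name_pattern, column, re.IGNORECASE) is not None


def _data_hit(policy, values):
    if policy.data_pattern in ("", ".+"):
        return None                 # criterion not evaluated
    rx = re.compile(policy.data_pattern)
    return any(rx.search(str(v)) for v in values[:SAMPLE_ROWS] if v is not None)


def _rule_hit(policy, values):
    rx = MATCH_RULES[policy.match_rule]
    if rx is None:
        return True
    return any(rx.fullmatch(str(v).strip()) for v in values[:SAMPLE_ROWS] if v is not None)


def discover(policy, table):
    """table maps column name -> list of cell values in storage order.
    Returns the columns the policy flags. The Match Rule is applied after the
    Column Name / Data Pattern criteria, as the handbook describes; when neither
    pattern is set, the Match Rule alone decides (an assumption of this model)."""
    flagged = []
    for column, values in table.items():
        results = [r for r in (_column_hit(policy, column), _data_hit(policy, values)) if r is not None]
        patterns_ok = (any(results) if policy.match_either else all(results)) if results else True
        if patterns_ok and _rule_hit(policy, values):
            flagged.append(column)
    return flagged


# Constructed sample table, not real data.
TABLE = {
    "cust_email": ["ann@example.com", "bob@example.org", None],
    "card_no": ["4111111111111111", "5500000000000004", "4111111111111111"],
    "tax_id": ["123456789", "987654321", "000000000"],
    "notes": ["routine", "CONFIDENTIAL: merger", "routine"],
    "late_pan": ["n/a"] * 50 + ["4111111111111111"],   # match only past the 40-row sample
}

POLICIES = [
    DiscoveryPolicy("cards", "CREDIT_CARD", column_name_pattern=r"card|pan", match_either=True),
    DiscoveryPolicy("emails", "EMAIL", column_name_pattern="mail", data_pattern="@"),
    DiscoveryPolicy("ssn by name", "SSN", column_name_pattern=r"ssn|tax_id"),
    DiscoveryPolicy("confidential text", "TEXT", data_pattern=r"(?i)confidential"),
]


def run_all(policies=POLICIES, table=TABLE):
    return {p.name: discover(p, table) for p in policies}
```

The `late_pan` column shows the practical consequence of the 40-row sample: a column whose sensitive values start beyond the sampled rows is not found by the Data Pattern or Match Rule alone, so a Column Name Pattern is what catches such columns.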

Data discovery policy groups

You add data discovery policy groups to a target’s Sensitive Data Discovery configuration to specify the types of data FortiDB searches for.

Go to Policy > Data Discovery Policy Groups to manage data discovery policy groups.

Click a group name to edit the group, or click Add to add a new group.

To delete a group, select the check box for one or more groups, and then click Delete.

See also

- Sensitive data discovery


Database Activity Monitoring (DAM) policies


Database activity monitoring policies specify the database activities that can generate security alerts or audit records.

See also

- Types of DAM policies
- Managing DAM policies

Types of DAM policies

There are two types of DAM policies:

- Alert — Policies that generate an alert when database activity violates a policy rule.
- Audit — Policies that generate an audit record when FortiDB detects the database activity specified in the policy rules. FortiDB uses these policies only when it monitors target databases with the TCP/IP sniffer.

The following sub-types are available for both alert and audit policies:

- Metadata Policies — Pre-defined policies that generate alerts or audit logs when FortiDB detects metadata activity.
- Privilege Policies — Pre-defined policies that generate alerts or audit logs when FortiDB detects privilege activity.
- Sys Operations Policy — Pre-defined policy that generates alerts or audit logs when FortiDB detects SYS user operations.
- Data Policy — Policies that you create to generate alerts or audit logs when FortiDB detects data manipulation activity.

The following table describes the differences between the two types of DAM policy.

Used For
- Alert Policy: Generates an alert if an activity violates a policy rule
- Audit Policy: Logs the specified activity

Available With
- Alert Policy: All DAM collection methods
- Audit Policy: TCP/IP sniffer collection method only

Types of Data Policies
- Alert Policy: Table; Table and Column; Session; User; Database Query Policy
- Audit Policy: Database; Table; Table and Column; Session; User

Data Policy Configuration Options
- Alert Policy: "Read and Write" audit actions for Table, Table and Column; "Alert Rule" for violations; "SQL query" for "Database Query Policy"
- Audit Policy: "Select/Insert/Update/Delete/Truncate" audit actions for Table; "Select/Insert/Update/Delete" audit actions for Database, Table and Column; no "Alert Rule" settings

PCI, SOX, and HIPAA Policies
- Alert Policy: Yes
- Audit Policy: No

Severity Attribute
- Alert Policy: Yes
- Audit Policy: No

See also

- Managing DAM policies
- Data policies
- Privilege policies
- Metadata policies
- PCI, SOX, and HIPAA alert policies
- Alert and audit policy groups

Managing DAM policies

The DAM Alert Policy and DAM Audit Policy pages display all policies with status, policy name, and supported databases information.

Use these pages to perform the following tasks:

- Use the Data Policies list at the bottom of the page to create a new policy (see Data policies on page 148).
- Modify the pre-defined policies by clicking the policy name (see Privilege policies on page 166, Metadata policies on page 172, and PCI, SOX, and HIPAA alert policies on page 176).
- Delete user-defined policies by selecting the policy's check box, then clicking Delete.
- Filter the view by selecting an option from the View list.
- Navigate to the group modification page by clicking the Edit button.
- Open the search and new group page by clicking the Search / New Group button.

The following table describes each icon in the policy table list.

Type: An icon indicates the policy type.
- Data Policy:
  - Table Policy monitors/audits suspicious reads and writes on specific tables
  - Table and Column Policy monitors/audits suspicious reads and writes on specific table columns
  - Session Policy monitors/audits suspicious session behavior
  - User Policy monitors/audits suspicious reads and writes by specific users
  - Database Policy (for Auditing) audits reads and writes on specific databases
  - Database Query Policy (for Alert) queries a database data value at intervals that you specify
- Separate icons indicate a privilege policy, a metadata policy, and a PCI, SOX, and HIPAA policy.

Status: An icon indicates whether the policy has a problem, is disabled, or is enabled.

Policy Name: User-defined policy name, or pre-defined name.

Severity: User-configurable severity level (not available for audit policies). There are 5 levels of severity:
- Informational (default)
- Cautionary
- Minor
- Major
- Critical

Supported Databases: All, a specific database type, or a fixed setting for each database.

Configuring policy information for a policy

When you add or edit a policy, complete the following settings under Policy Info:

- Policy Name — Enter a unique name for the policy; a name that duplicates an existing policy name is not allowed.
- Description — Enter a description if necessary.
- Enable — Select to enable the policy.
- Create new policy group for policy — FortiDB automatically creates a policy group and adds it to the monitoring configuration for the target database. (This option is available for the target-based configuration: Data Access Monitoring > Monitors > click on the target name > Alert/Audit Policies tab > Data Policies dropdown.)
- Severity — For alert policies only. Specifies a severity.
- Supported Database — For data policies, select the type of target database the policy is used with. PCI, SOX, and HIPAA policies are supported on all database types. Privilege and metadata policies are restricted to specific database types.

You cannot change the value of Supported Database if FortiDB is currently using the policy to monitor a target database. Use the target monitoring settings (DB Activity Monitoring > Monitoring Management) to stop monitoring, change the value of Supported Database, and then re-start monitoring.

See also

- Types of DAM policies
- Data policies
- Privilege policies
- Metadata policies
- PCI, SOX, and HIPAA alert policies
- Alert and audit policy groups

Automatically generating alert policies

You can use the Start Generate Alert Policies option to automatically create table, session, and user policies for Oracle and Microsoft SQL Server target databases. The policies work with all the collection methods that are available for these database types.

When you activate the option, FortiDB starts to track target database activity. When you stop the option, FortiDB analyzes the information it has gathered. It considers the activity it observed during the monitoring period to be normal activity and generates policies that are appropriate for the target.

The Start Generate Alert Policies option creates a DAM Alert policy group that has the same name as the target database. You can manage and modify these policies and policy groups the same way you manage other user-defined policies.

The names of the user and session policies in the group use the following format:

<target name>_<username>_<policy type>, where <policy type> is UserDataPolicy or SessionPolicy.

The table policies use the following format:

<target name>_<username>_TableDataPolicy_<monitored objects>, where <monitored objects> is either inclusive or exclusive. If the policy name contains inclusive, the policy monitors the objects that are specified under Audit Settings. For exclusive, the policy monitors all objects except those specified under Audit Settings.


Because it monitors all users and tables, the generation process can affect the performance of the monitored database.

To automatically generate data policies

1. Go to DB Activity Monitoring > Monitoring Management, and then click a target name.

2. On the General tab, click Start Generate Alert Policies.

3. After FortiDB has monitored the target for an appropriate length of time, click Stop Generate Alert Policies.

4. To view the generated policies, go to Policy > DAM Alert Policy Groups.

See also

- Managing DAM policies
- Data policies
- Alert and audit policy groups

Data policies

FortiDB uses data policies to monitor or audit reads and writes on specific database objects. It also uses them to monitor database access that takes place via your application server, location, or OS user.

To configure a data policy

1. Do one of the following:
- To configure a policy that is available to add to multiple target monitoring configurations, go to Policy > DAM Alert Policies or Policy > DAM Audit Policies.
- To configure a policy for a specific target, go to DB Activity Monitoring > Monitoring Management, and then click a target name. Then, click the Alert Policies or Audit Policies tab.

2. In the Data Policies list, select a type of data policy.

3. Click Add, and complete the policy settings:
- For detailed information about the Policy Info settings, see Managing DAM policies on page 145.
- For information on Audit Settings, see the topic for the appropriate data policy type. For example, for a table policy, see Configuring audit settings for a table policy on page 149.
- For information on Alert Rule settings, see the topic for the appropriate data policy type. For example, for a table policy, see Configuring alert rules for a table policy on page 149.

4. Click Save to save the policy configuration.

See also

- Managing DAM policies
- Data policies
- Automatically generating alert policies
- Privilege policies
- Metadata policies
- PCI, SOX, and HIPAA alert policies
- Alert and audit policy groups

Configuring a table policy

For basic policy configuration information, see Data policies on page 148.

See also

- Configuring audit settings for a table policy
- Configuring alert rules for a table policy
- Table policy alert rules for different databases

Configuring audit settings for a table policy

1. Click the triangle icon of the Audit Settings section to expand it.

2. Select one of the following options:
- Manually Select Object: You enter the specific object name.
- Browse Object by Target: You select an object from the dropdown list (default).

3. If you are configuring the policy using Policy > DAM Alert/Audit Policies and selecting an object by browsing, for Target, select a target.

4. Do one of the following:
- For policies for Oracle and DB2 databases, for Schema, enter a schema name or select a name from the list.
- For policies for Microsoft SQL Server and Sybase databases, for Database, enter a database name or select a name from the list. Then, for Schema, enter a schema name or select a name from the list.

5. In the Tables list, select one or more tables.

For Oracle databases, you can also select a synonym.

6. Under Audit Actions, do one of the following:
- For an alert policy, select Read (Select), Write (Insert/Update/Delete), or both.
- For an audit policy, select one or more of the following options: Select, Insert, Update, Delete, Truncate.

7. Click > (right arrow) to move your selection to the Selected Objects table.

If you want to remove the objects from the Selected Objects list, select the object you want to remove and then click < (left arrow). To remove all objects, click << (double left arrow).

See also

- Configuring alert rules for a table policy
- Table policy alert rules for different databases

Configuring alert rules for a table policy

1. Click the triangle icon of the Alert Rules section to expand it.


2. In the Combination Rule field, select one from the dropdown list:

- Issue alert if ANY of the enabled rules are triggered: If you select this, each rule generates alerts individually.
- Issue alert if ALL of the enabled rules are triggered: If you select this, an alert is generated only when all the selected rules are triggered together.

3. Mark the check box of each rule you want to use from the following:

Security Violation: Alert any failed attempt to access the selected object without proper permission.

Suspicious OS User: Alert any successful access to the selected object by certain OS users. You can specify one or more OS usernames by typing the specific name or using a regular expression.
1. Click Add.
2. Select an operator from the dropdown list.
3. Enter an OS username depending on the operator you selected.
- To generate alerts for the OS user(s) you specified in the list, check the "Alert any successful access if the OS user is specified in the list" check box.
- To generate alerts for the OS user(s) you did not specify in the list, check the "Alert any successful access if the OS user is not specified in the list" check box.

Suspicious Location: Alert any successful access to the selected object from certain locations. You can specify one or more locations by typing the specific location or using a regular expression.
1. Click Add.
2. Select an operator from the dropdown list.
3. Enter a location name depending on the operator you selected.
4. Repeat steps 1 to 3 if necessary.
- To generate alerts for any successful access from locations you specified in the list, check the "Alert any successful access from locations in the list" check box.
- To generate alerts for any successful access from locations not in the list, check the "Alert any successful access from locations not in the list" check box.


Suspicious Database Users: Alert any successful access to the selected object by certain database users. You can specify one or more users as follows:
1. Select one or more users from the Users list.
2. Click the right arrow to move the selections to the Selected Users list.
Note: If you want to remove users from the Selected Users list, select the users you want to remove and click the left arrow.
- To generate alerts for the database user(s) you specified in the list, check the "Alert any successful access if the database user is in the list" check box.
- To generate alerts for the database user(s) you did not specify in the list, check the "Alert any successful access if the database user is not in the list" check box.

Suspicious Login Names: Alert any successful access to the selected object by certain login users. You can specify one or more users as follows:
1. Select one or more users from the Users list.
2. Click the right arrow to move the selections to the Selected Users list.
Note: If you want to remove users from the Selected Users list, select the users you want to remove and click the left arrow.
- To generate alerts for the login user(s) you specified in the list, check the "Alert any successful access if the login user is in the list" check box.
- To generate alerts for the login user(s) you did not specify in the list, check the "Alert any successful access if the login user is not in the list" check box.

Suspicious Client Application (Client Id): Alert any successful access to the selected object by certain client applications. You can specify one or more client applications by typing the specific client application or using a regular expression.
1. Click Add.
2. Select an operator from the dropdown list.
3. Enter a client application depending on the operator you selected.
4. Repeat steps 1 to 3 if necessary.
- To generate alerts for the client application you specified in the list, check the "Alert any successful access if the client application is in the list" check box.
- To generate alerts for the client application you did not specify in the list, check the "Alert any successful access if the client application is not in the list" check box.


Excessive Access Violation: Alert excessive access to the selected object within the specified time slot. You can specify the maximum number of accesses allowed within a certain time period.
1. Enter the number of accesses allowed.
2. Enter the number of hours, days, minutes, or seconds after selecting one from the dropdown list.
Tracking Strategy: Tracking rule selection for the time violation.
- The threshold you set for the time violation can be incremented by OS User, Location, Client Application, or Database User separately, depending on your selection. If you do not select any rule, any access to the selected audit settings is counted.

Time Range Violation: Alert any access to the selected object within a certain time range. You can specify one or more time ranges.
1. Click Add.
2. Enter hour and minute values in "Received from" and "To" for the time range, in 24-hour format.
3. Repeat the above if necessary.
- To generate alerts for access within the time range, select "Alert any access if the timestamp is between time range".
- To generate alerts for access outside the time range, select "Alert any access if the timestamp is not between time range".

Suspicious Client IP (only for Collection Method "TCP/IP Sniffer"): Alert any successful access to the selected object by certain client IPs. This rule only has effect for monitoring with Collection Method "TCP/IP Sniffer". You can specify one or more IP addresses, IP address ranges, or subnets.
1. Click Add.
2. Enter Start/End IP addresses, or IP/Netmask. For example, "192.168.1.1" - "192.168.1.254" for an IP range, or "192.168.2.0/255.255.255.0" for a subnet.
3. Repeat the above if necessary.
- To generate alerts for clients whose IP is in the specified IP range or subnet, select "Alert any successful access if the client's IP is in the list".
- To generate alerts for clients whose IP is not in the specified IP range or subnet, select "Alert any successful access if the client's IP is not in the list".

4. Select Save.
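The rule semantics described above (the in-list/not-in-list toggles, the 24-hour time range, the IP range and IP/netmask notations, the excessive-access count with a tracking strategy, and the ANY/ALL combination rule) can be modelled in a few lines, which is useful for reasoning about what a table policy will and will not fire on before it is assigned to a monitored target. The following Python module is an added example, not FortiDB code. The event records are constructed, the wrap-around handling for a time range that crosses midnight is an assumption, and OS user entries are treated as regular expressions matched against the whole name, which is one of the operators the rule dialog allows but not the only one.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta, time


def ip_in_list(ip, entries):
    """True if ip falls inside any entry, written the way the rule's Add dialog
    takes them: "start-end" for an IP range, "address/netmask" for a subnet."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo <= addr <= hi:
                return True
        elif addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def time_between(t, start, end):
    """Is clock time t inside the 24-hour "HH:MM" range [start, end]? A range that
    crosses midnight (22:00 to 06:00) wraps; that is an assumption of this model."""
    s, e = time.fromisoformat(start), time.fromisoformat(end)
    return s <= t <= e if s <= e else (t >= s or t <= e)


class SuspiciousClientIP:
    def __init__(self, entries, alert_if_in_list=True):
        self.entries, self.alert_if_in_list = entries, alert_if_in_list
    def check(self, ev):
        return ip_in_list(ev["client_ip"], self.entries) == self.alert_if_in_list


class SuspiciousOSUser:
    """Entries are regular expressions matched against the whole OS user name."""
    def __init__(self, patterns, alert_if_in_list=True):
        self.patterns, self.alert_if_in_list = patterns, alert_if_in_list
    def check(self, ev):
        hit = any(re.fullmatch(p, ev["os_user"]) for p in self.patterns)
        return hit == self.alert_if_in_list


class TimeRangeViolation:
    def __init__(self, ranges, alert_if_between=True):
        self.ranges, self.alert_if_between = ranges, alert_if_between
    def check(self, ev):
        inside = any(time_between(ev["ts"].time(), a, b) for a, b in self.ranges)
        return inside == self.alert_if_between


class ExcessiveAccessViolation:
    """Fires when more than max_accesses accesses fall inside a sliding window.
    track_by is the tracking strategy: an event field counted separately per
    value (os_user, location, client_app, db_user), or None to count every access
    together. Events must be fed in timestamp order."""
    def __init__(self, max_accesses, window, track_by=None):
        self.max, self.window, self.track_by = max_accesses, window, track_by
        self.history = defaultdict(deque)
    def check(self, ev):
        q = self.history[ev[self.track_by] if self.track_by else "*"]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > self.window:   # drop accesses older than the window
            q.popleft()
        return len(q) > self.max


def evaluate(rules, events, combination="ANY"):
    """Return [(event index, [names of triggered rules])] for events that alert.
    Every rule sees every event so that the stateful rule keeps counting."""
    alerts = []
    for i, ev in enumerate(events):
        triggered = [type(r).__name__ for r in rules if r.check(ev)]
        fires = bool(triggered) if combination == "ANY" else len(triggered) == len(rules)
        if fires:
            alerts.append((i, triggered))
    return alerts


def build_rules():   # fresh instances each call, because the excessive-access rule keeps state
    return [
        SuspiciousClientIP(["192.168.1.1-192.168.1.254", "192.168.2.0/255.255.255.0"]),
        SuspiciousOSUser([r"root", r"admin.*"]),
        TimeRangeViolation([("22:00", "06:00")]),
        ExcessiveAccessViolation(3, timedelta(minutes=1), track_by="os_user"),
    ]


def _ev(hms, os_user, client_ip):   # constructed sample events, not real FortiDB records
    return {"ts": datetime.fromisoformat(f"2017-03-17 {hms}"), "os_user": os_user, "client_ip": client_ip}


EVENTS = [
    _ev("09:00:00", "batch", "10.0.0.7"),
    _ev("09:00:10", "batch", "10.0.0.7"),
    _ev("09:00:20", "batch", "10.0.0.7"),
    _ev("09:00:30", "batch", "10.0.0.7"),          # fourth access inside one minute
    _ev("09:05:00", "appsvc", "10.0.0.5"),         # nothing suspicious
    _ev("10:00:00", "administrator", "10.0.0.9"),  # OS user matches admin.*
    _ev("23:15:00", "jdoe", "192.168.1.50"),       # out of hours, from the listed range
    _ev("23:30:00", "jdoe", "192.168.2.77"),       # out of hours, from the listed subnet
]


def run_demo(combination="ANY"):
    return evaluate(build_rules(), EVENTS, combination)
```

With the ANY combination rule `run_demo()` reports the fourth batch access, the administrator access and both out-of-hours accesses; with ALL it reports nothing, because no single event trips every enabled rule, which is the behaviour to keep in mind when choosing the combination rule for a policy with several rules enabled.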


See also

- Table policy alert rules for different databases

Table policy alert rules for different databases

The alert rules that are available for a table policy are determined by the database type.

Oracle:
- Security Violation
- Suspicious OS User
- Suspicious Location
- Suspicious Database Users (Login Name)
- Suspicious Client Application (Client Id)
- Excessive Access Violation
- Time Range Violation
- Suspicious Client IP (only for "TCP/IP Sniffer")

Microsoft SQL Server:
- Security Violation
- Suspicious OS User
- Suspicious Location
- Suspicious Database Users
- Suspicious Login Names
- Suspicious Client Application
- Excessive Access Violation
- Time Range Violation
- Suspicious Client IP (only for "TCP/IP Sniffer")

DB2:
- Security Violation
- Suspicious OS User
- Suspicious Location
- Suspicious Database Users
- Excessive Access Violation
- Time Range Violation
- Suspicious Client IP (only for "TCP/IP Sniffer")

Sybase:
- Security Violation
- Suspicious OS User
- Suspicious Location
- Suspicious Login Names
- Excessive Access Violation
- Time Range Violation
- Suspicious Client IP (only for "TCP/IP Sniffer")

MySQL:
- Security Violation
- Suspicious Location
- Suspicious Login Names
- Excessive Access Violation
- Time Range Violation

See also

- Configuring alert rules for a table policy

Configuring a table and column policy

For basic policy configuration information, see Data policies on page 148.

For information on setting rules for alert policies, see Configuring alert rules for a table policy on page 149.

To configure audit settings for a table and column policy

1. Click the triangle icon of the Audit Settings section to expand it.

2. Select one of the following options: l l

Manually Select Object: You enter the object parameters.

Browse Object by Target: You can select an object from the dropdown list (default).

3. If you are configuring the policy using Policy > DAM Alert/Audit Policies and selecting an object by browsing, for Target, select a target.

4. Do one of the following: l l

For policies for Oracle and DB2 databases, for

Schema, enter a schema name or select a name from the list.

For policies for Microsoft SQL Server and Sybase databases, for Database, enter a database name or select a name from the list. Then, for Schema, enter a schema name or select a name from the list.

5. In the Tables list, select a table.

For Oracle databases, you can also select a synonym.

6. In the Column list, select one or more columns for the table you selected.

7. If you are configuring an alert policy, for MatchSQL, enter a SQL string that generates alerts when FortiDB detects it.

8. Under Audit Actions, do one of the following: l l

For an alert policy, select the

Read (Select), Write (Insert/Update/Delete), or both.

For an audit policy, select one or more of the following options: Select, Insert, Update, Delete, Truncate.

9. Click > (right arrow) to move your selection to the Selected Objects table.

If you want to remove the objects from the Selected Objects list, select the object you want to remove and then click < (left arrow). To remove all objects, click << (double left arrow).


10. Repeat steps 5 through 9 to add more columns to the Selected Objects table, if required.

Configuring a session policy

For basic policy configuration information, see Data policies on page 148.

See also
  - Configuring audit settings for a session policy
  - Configuring alert rules for a session policy

Configuring audit settings for a session policy

1. Click the triangle icon at Audit Settings to expand it.

2. Select the Any User or Specify Users radio button.

3. For Specify Users, type a username in the Enter user box, or open the Browse by target dropdown list, select one or more users from the Users selection box, and click the right arrow to move the selection to the Selected Users table. To remove a user from the Selected Users list, select the user and click the left arrow.

See also
  - Configuring alert rules for a session policy

Configuring alert rules for a session policy

1. Click the triangle icon at Alert Rules to expand it.

2. In the Combination Rule field, select one option from the dropdown list:
   - Issue alert if ANY of the enabled rules are triggered
   - Issue alert if ALL of the enabled rules are triggered

3. Select the check box of each rule you want to enable:

Login/Logout Activity
   Generate alerts for login/logout activity. Select "Alert Login Failure" to alert on failed logins only, or "Alert All Login/logout Activity" to alert on every login and logout.


Suspicious Login Time
   The time of login is outside the specified normal hours. You specify the hours as numbers:
   1. In the From and To fields, enter the start and end of a time range you want to treat as suspicious login time.
   2. If necessary, click + to add another time range, or - to remove one.
   - To generate alerts for logins inside the listed ranges, select "Alert if login time is within one of the time ranges in the list".
   - To generate alerts for logins outside the listed ranges, select "Alert if login time is NOT within one of the time ranges in the list".

Extremely Long Session
   Generate alerts when a session lasts abnormally long. Specify the threshold as the number of hours allowed for a session.

Excessive Read Activities
   Generate alerts when the number of logical page reads in a session is abnormally high. Specify the threshold as the number of page reads allowed for a session.

High Read Ratio
   Generate alerts when the number of logical reads per minute is abnormally high. Specify the threshold as the number of page reads allowed per minute.

Suspicious OS User
   Alert on any successful access to the selected object by certain OS users.
   Note: For Microsoft SQL Server, this rule applies only to Windows authentication; a session that uses SQL Server authentication carries no OS user name.
   You can specify one or more OS usernames by typing the specific name or using a regular expression.
   1. Click Add.
   2. Select an operator from the dropdown list.
   3. Enter the OS username that the operator applies to.
   4. Repeat steps 1 to 3 as required.
   - To generate alerts for the OS users in the list, select "Alert any successful access if the OS user is specified in the list".
   - To generate alerts for OS users not in the list, select "Alert any successful access if the OS user is not specified in the list".


Suspicious Location
   Alert on any successful access to the selected object from certain locations. You can specify one or more locations by typing the specific location or using a regular expression.
   1. Click Add.
   2. Select an operator from the dropdown list.
   3. Enter the location name that the operator applies to.
   4. Repeat steps 1 to 3 as required.
   - To generate alerts for the locations in the list, select "Alert any successful access from locations in the list".
   - To generate alerts for locations not in the list, select "Alert any successful access from locations not in the list".

Suspicious Client Application
   Alert on any successful access to the selected object by certain client applications. You can specify one or more client applications by typing the specific client application or using a regular expression.
   1. Click Add.
   2. Select an operator from the dropdown list.
   3. Enter the client application that the operator applies to.
   4. Repeat steps 1 to 3 as required.
   - To generate alerts for the client applications in the list, select "Alert any successful access if the client application is in the list".
   - To generate alerts for client applications not in the list, select "Alert any successful access if the client application is not in the list".


Excessive Access Violation
   Alert on excessive access to the selected object within the specified time slot. You specify the maximum number of accesses allowed within a time period.
   1. Enter the number of accesses allowed.
   2. Select hours, days, minutes, or seconds from the dropdown list, and then enter the number of those units.
   Tracking Strategy: selects how accesses are counted against the threshold. Counts can be kept separately per OS User, Location, Client Application, or Database User, depending on your selection. If you select no tracking rule, every access to the objects in the audit settings is counted in one total.

Suspicious Client IP (only for Collection Method "TCP/IP Sniffer")
   Alert on any successful access to the selected object from certain client IP addresses. This rule only has effect when monitoring with the Collection Method "TCP/IP Sniffer". You can specify one or more IP addresses, IP address ranges, or subnets.
   1. Click Add.
   2. Enter a Start/End IP address pair or an IP/Netmask. For example, enter "192.168.1.1" - "192.168.1.254" for an IP range, or "192.168.2.0/255.255.255.0" for a subnet.
   3. Repeat the above as required.
   - To generate alerts for clients whose IP is in the listed ranges or subnets, select "Alert any successful access if the client's IP is in the list".
   - To generate alerts for clients whose IP is not in the listed ranges or subnets, select "Alert any successful access if the client's IP is not in the list".
   The address the sniffer sees is the source address of the packets that reach the database. Connections that arrive through a proxy, load balancer, or NAT gateway carry that intermediary's address, so a "not in the list" rule built from trusted subnets cannot distinguish clients sitting behind such a device.

4. Click Save.
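The session rules above can be checked mechanically. The following Python is an added example written for this page; it is not FortiDB's own code or configuration. It evaluates the Login/Logout Activity, Suspicious Login Time, Extremely Long Session, Excessive Read Activities and High Read Ratio rules against a few constructed session records and applies the ANY/ALL Combination Rule; the same time-range check is what the Time Range Violation rule of table and user policies needs for an access timestamp. The record layout, the "HH:MM-HH:MM" range strings, inclusive range ends, treating a range that ends before it starts as one that wraps past midnight, the threshold values and the sample sessions are all assumptions of the example.

```python
"""Added example (not FortiDB code): evaluates the session alert rules against
constructed session records. Record layout, 'HH:MM-HH:MM' ranges, inclusive
range ends and the threshold values are assumptions of this example."""
from datetime import datetime, time


def parse_ranges(specs):
    """'HH:MM-HH:MM' strings -> list of (start, end) times. A range whose end
    is earlier than its start (e.g. '22:00-06:00') wraps past midnight."""
    ranges = []
    for spec in specs:
        start, end = (time.fromisoformat(s.strip()) for s in spec.split("-"))
        ranges.append((start, end))
    return ranges


def in_time_ranges(t, ranges):
    """True when wall-clock time t lies inside any range (ends inclusive)."""
    for start, end in ranges:
        if start <= end and start <= t <= end:
            return True
        if start > end and (t >= start or t <= end):  # wraps midnight
            return True
    return False


def time_in_ranges(hhmm, specs):
    """Same check on an 'HH:MM' string, as a Time Range Violation rule would
    apply it to the timestamp of an access."""
    return in_time_ranges(time.fromisoformat(hhmm), parse_ranges(specs))


def evaluate_session(session, rules, now, combination="ANY"):
    """Apply the enabled rules to one session record.

    session: dict with login (datetime), logout (datetime, or None for a
             session still open at `now`), failed (bool), page_reads (int).
    rules:   dict of rule name -> settings; only enabled rules are present.
    Returns (alert, triggered): triggered lists the rule names that fired."""
    triggered = []
    end = session["logout"] or now
    # Sessions shorter than a minute count as one minute so the ratio is defined.
    minutes = max((end - session["login"]).total_seconds() / 60.0, 1.0)

    if "Login/Logout Activity" in rules:
        failures_only = rules["Login/Logout Activity"].get("failures_only", True)
        if session["failed"] or not failures_only:
            triggered.append("Login/Logout Activity")

    if "Suspicious Login Time" in rules:
        cfg = rules["Suspicious Login Time"]
        inside = time_in_ranges(session["login"].strftime("%H:%M"), cfg["ranges"])
        if inside == (cfg["alert_if"] == "within"):
            triggered.append("Suspicious Login Time")

    if "Extremely Long Session" in rules:
        if minutes / 60.0 > rules["Extremely Long Session"]["max_hours"]:
            triggered.append("Extremely Long Session")

    if "Excessive Read Activities" in rules:
        if session["page_reads"] > rules["Excessive Read Activities"]["max_page_reads"]:
            triggered.append("Excessive Read Activities")

    if "High Read Ratio" in rules:
        if session["page_reads"] / minutes > rules["High Read Ratio"]["max_reads_per_minute"]:
            triggered.append("High Read Ratio")

    alert = len(triggered) == len(rules) if combination == "ALL" else bool(triggered)
    return alert, triggered


# Rule settings as they would be entered under Alert Rules (assumed values).
RULES = {
    "Login/Logout Activity": {"failures_only": True},
    "Suspicious Login Time": {"ranges": ["08:00-18:00"], "alert_if": "not_within"},
    "Extremely Long Session": {"max_hours": 8},
    "Excessive Read Activities": {"max_page_reads": 500_000},
    "High Read Ratio": {"max_reads_per_minute": 10_000},
}

NOW = datetime(2017, 3, 17, 9, 0)

# Constructed session records, not real audit data.
SESSIONS = {
    "office_hours": {"login": datetime(2017, 3, 16, 9, 5), "logout": datetime(2017, 3, 16, 17, 0),
                     "failed": False, "page_reads": 120_000},
    "night_dump": {"login": datetime(2017, 3, 16, 23, 30), "logout": datetime(2017, 3, 16, 23, 45),
                   "failed": False, "page_reads": 900_000},
    "left_open": {"login": datetime(2017, 3, 16, 10, 0), "logout": None, "failed": False, "page_reads": 1_000},
    "bad_password": {"login": datetime(2017, 3, 17, 8, 30), "logout": None, "failed": True, "page_reads": 0},
}


def report(sessions=SESSIONS, rules=RULES, now=NOW, combination="ANY"):
    """Evaluate every session; returns {name: (alert, triggered)}."""
    return {name: evaluate_session(s, rules, now, combination) for name, s in sessions.items()}


if __name__ == "__main__":
    for name, (alert, fired) in report().items():
        print(f"{name:13s} alert={alert!s:5s} {', '.join(fired)}")
```

Under ANY, the short night session fires three rules at once (login outside hours, reads over the limit, and a read rate sixty times the threshold), the session left open overnight fires only Extremely Long Session, and the failed login fires only Login/Logout Activity. Under ALL, none of the four sessions alerts, because no single session trips every enabled rule; that is the practical difference between the two Combination Rule settings.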

See also
  - Configuring alert rules for a session policy

Configuring a user policy

For basic policy configuration information, see Data policies on page 148.


See also
  - Configuring audit settings for a user policy
  - Configuring alert rules for a user policy
  - User policy alert rules for various databases

Configuring audit settings for a user policy

1. Click the triangle icon of the Audit Settings section to expand it.

2. Select the Any User or Specify Users radio button.

3. For Specify Users, type the account name in the Enter user box, or open the Browse by target dropdown list to browse the users available on the target.

4. For an alert policy, in the Audit Actions field, select Read (Select), Write (Insert/Update/Delete), or both.

5. For an audit policy, in the Audit Actions field, select one or more of Select, Insert, Update, Delete, and Truncate.

6. Click the right arrow to move the selection to the Selected Users table. To remove a user from the Selected Users list, select the user and then click the left arrow.

7. For an alert policy, configure the alert rules.

See also
  - Data policies
  - Configuring alert rules for a user policy
  - User policy alert rules for various databases

Configuring alert rules for a user policy

1. Click the triangle icon of the Alert Rules section to expand it.

2. In the Combination Rule field, select one option from the dropdown list:

   Issue alert if ANY of the enabled rules are triggered
      Each enabled rule generates alerts on its own.

   Issue alert if ALL of the enabled rules are triggered
      An alert is generated only when every enabled rule is triggered.

3. Select the check box of each rule you want to enable:


Security Violation
   Alert on any failed attempt to access the selected object without proper permission.

Suspicious OS User
   Alert on any successful access to the selected object by certain OS users. You can specify one or more OS usernames by typing the specific name or using a regular expression.
   1. Click Add.
   2. Select an operator from the dropdown list.
   3. Enter the OS username that the operator applies to.
   - To generate alerts for the OS users in the list, select "Alert any successful access if the OS user is specified in the list".
   - To generate alerts for OS users not in the list, select "Alert any successful access if the OS user is not specified in the list".

Suspicious Object Access
   Alert on any successful access to the selected object(s). Objects can be selected in either of two ways:
   - Manually Select Object
   - Browse Object by Target (default)
   You can specify one or more objects as follows:
   1. Select a target from the Target dropdown list.
   2. Select a schema from the dropdown list.
   3. Select one or more tables from the Tables list.
   4. In the Audit Actions field, select Read (Select), Write (Insert/Update/Delete), or both.
   5. Click the right arrow to move the selection to the Selected Objects list.
   Note: To remove objects from the Selected Objects list, select them and click the left arrow.
   - To generate alerts for the objects in the list, select "Issue alert if the accessed object is specified in the list".
   - To generate alerts for objects not in the list, select "Issue alert if the accessed object is not specified in the list".


Suspicious Location
   Alert on any successful access to the selected object from certain locations. You can specify one or more locations by typing the specific location or using a regular expression.
   1. Click Add.
   2. Select an operator from the dropdown list.
   3. Enter the location name that the operator applies to.
   4. Repeat steps 1 to 3 as required.
   - To generate alerts for the locations in the list, select "Alert any successful access from locations in the list".
   - To generate alerts for locations not in the list, select "Alert any successful access from locations not in the list".

Suspicious Client Application (Client Id)
   Alert on any successful access to the selected object by certain client applications. You can specify one or more client applications by typing the specific client application or using a regular expression.
   1. Click Add.
   2. Select an operator from the dropdown list.
   3. Enter the client ID that the operator applies to.
   4. Repeat steps 1 to 3 as required.
   - To generate alerts for the client applications in the list, select "Alert any successful access if the client application is in the list".
   - To generate alerts for client applications not in the list, select "Alert any successful access if the client application is not in the list".
   Both the client application name and the OS user name are reported by the client driver and can be set to any value by whoever controls the client, so a match on a trusted value is weak evidence on its own. Alerting on values that are not in an allow list is the more reliable use of these two rules.

Excessive Access Violation
   Alert on excessive access to the selected object within the specified time slot. You specify the maximum number of accesses allowed within a time period.
   1. Enter the number of accesses allowed.
   2. Select hours, days, minutes, or seconds from the dropdown list, and then enter the number of those units.
   Tracking Strategy: selects how accesses are counted against the threshold. Counts can be kept separately per OS User, Location, Client Application, or Database User, depending on your selection. If you select no tracking rule, every access to the objects in the audit settings is counted in one total.


Time Range Violation
   Alert on any access to the selected object within certain time ranges. You can specify one or more time ranges.
   1. Click Add.
   2. Enter hour and minute values, in 24-hour format, in "Received from" and "To" for the time range.
   3. Repeat the above as required.
   - To generate alerts for accesses inside the time ranges, select "Alert any access if the timestamp is between time range".
   - To generate alerts for accesses outside the time ranges, select "Alert any access if the timestamp is not between time range".

Suspicious Client IP (only for Collection Method "TCP/IP Sniffer")
   Alert on any successful access to the selected object from certain client IP addresses. This rule only has effect when monitoring with the Collection Method "TCP/IP Sniffer". You can specify one or more IP addresses, IP address ranges, or subnets.
   1. Click Add.
   2. Enter a Start/End IP address pair or an IP/Netmask. For example, enter "192.168.1.1" - "192.168.1.254" for an IP range, or "192.168.2.0/255.255.255.0" for a subnet.
   3. Repeat the above step as required.
   - To generate alerts for clients whose IP is in the listed ranges or subnets, select "Alert any successful access if the client's IP is in the list".
   - To generate alerts for clients whose IP is not in the listed ranges or subnets, select "Alert any successful access if the client's IP is not in the list".

4. Click Save.
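The list-based rules above (Security Violation, Suspicious OS User, Suspicious Location, Suspicious Client Application, Suspicious Client IP and Excessive Access Violation with its Tracking Strategy) are the same ones the session policy section describes, and the following Python evaluates them over a handful of constructed access events. It is an added example written for this page, not FortiDB's own code. The rule names, the "in the list / not in the list" switch, the two IP formats and the tracking keys follow the handbook; the operator names ("equals", "starts with", "regex"), the event layout, the idea that only successful accesses count toward the excessive-access threshold, and the sample events are assumptions of the example.

```python
"""Added example (not FortiDB code): evaluates the list-based user policy
alert rules over constructed access events. Operator names, the event layout
and the sample data are assumptions of this example."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_matcher(entries):
    """entries: (operator, value) rows as added to a rule's list. Assumed
    operators: 'equals', 'starts with', 'regex' (searched, not anchored)."""
    def match(value):
        for op, pattern in entries:
            if op == "equals" and value == pattern:
                return True
            if op == "starts with" and value.startswith(pattern):
                return True
            if op == "regex" and re.search(pattern, value):
                return True
        return False
    return match


def list_rule(field, entries, alert_if="in"):
    """Suspicious OS User / Location / Client Application: alert on a successful
    access whose field is in the list ('in') or outside it ('not in')."""
    match = make_matcher(entries)
    return lambda ev: ev["success"] and match(ev[field]) == (alert_if == "in")


def client_ip_rule(specs, alert_if="in"):
    """Suspicious Client IP: specs are 'start-end' ranges or 'address/netmask'
    subnets, the two formats the handbook shows."""
    ranges, nets = [], []
    for spec in specs:
        if "-" in spec:
            lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-"))
            ranges.append((lo, hi))
        else:
            nets.append(ipaddress.ip_network(spec.strip(), strict=False))

    def rule(ev):
        ip = ipaddress.ip_address(ev["client_ip"])
        hit = any(ip in n for n in nets) or any(lo <= ip <= hi for lo, hi in ranges)
        return ev["success"] and hit == (alert_if == "in")
    return rule


def security_violation(ev):
    """Security Violation: a failed attempt to use the object without permission."""
    return not ev["success"] and ev.get("error") == "permission denied"


class ExcessiveAccess:
    """Excessive Access Violation: more than `max_accesses` successful accesses
    within `window`, counted per Tracking Strategy key (any of os_user,
    location, client_app, db_user); with no key, all accesses share one count."""

    def __init__(self, max_accesses, window, tracking=()):
        self.max, self.window, self.tracking = max_accesses, window, tuple(tracking)
        self.history = defaultdict(deque)

    def __call__(self, ev):
        if not ev["success"]:
            return False
        q = self.history[tuple(ev[f] for f in self.tracking)]
        q.append(ev["ts"])
        while q[0] < ev["ts"] - self.window:  # drop accesses that left the window
            q.popleft()
        return len(q) > self.max


def evaluate(events, rules, combination="ANY"):
    """[(event id, fired rule names)] for alerting events. ANY: at least one
    enabled rule fired; ALL: every enabled rule fired on the same event."""
    alerts = []
    for ev in events:
        fired = [name for name, rule in rules.items() if rule(ev)]
        if fired and (combination == "ANY" or len(fired) == len(rules)):
            alerts.append((ev["id"], fired))
    return alerts


def build_rules():
    """A fresh rule set per run, because ExcessiveAccess keeps state."""
    return {
        "Security Violation": security_violation,
        "Suspicious OS User": list_rule("os_user", [("starts with", "svc_")], "not in"),
        "Suspicious Location": list_rule("location", [("regex", r"\.corp\.example$")], "not in"),
        "Suspicious Client Application": list_rule("client_app", [("regex", r"(?i)sqlplus|toad")], "in"),
        "Suspicious Client IP": client_ip_rule(["192.168.1.1-192.168.1.254", "192.168.2.0/255.255.255.0"], "not in"),
        "Excessive Access Violation": ExcessiveAccess(5, timedelta(minutes=1), tracking=("os_user",)),
    }


T0 = datetime(2017, 3, 17, 2, 0)


def _event(i, **overrides):
    """One constructed access event; the defaults describe the expected batch job."""
    ev = {"id": i, "ts": T0 + timedelta(seconds=10 * i), "success": True,
          "os_user": "svc_report", "location": "app-01.corp.example",
          "client_app": "ReportRunner", "db_user": "REPORTS", "client_ip": "192.168.1.20"}
    ev.update(overrides)
    return ev


# Constructed events, not real audit records.
EVENTS = [
    _event(1),
    _event(2, os_user="jdoe", location="laptop-jdoe", client_app="sqlplus", client_ip="10.9.8.7"),
    _event(3, os_user="jdoe", success=False, error="permission denied"),
    _event(4, client_app="Toad for Oracle"),
] + [_event(10 + n, os_user="svc_etl", db_user="APP") for n in range(6)]


def alerts_for_sample(combination="ANY"):
    return evaluate(EVENTS, build_rules(), combination)
```

Event 2, an interactive sqlplus session from an unlisted host and address, fires four rules at once, the denied access fires only Security Violation, and the sixth access by svc_etl inside one minute fires Excessive Access Violation because the Tracking Strategy counts per OS user; with no tracking key the earlier accesses by svc_report would have been added to the same count. Under ALL no event alerts, since none trips all six rules.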

See also
  - User policy alert rules for various databases

User policy alert rules for various databases

The alert rules that are available for user policies are determined by the type of database.


Database / Available Alert Rules

Oracle
  - Security Violation
  - Suspicious OS User
  - Suspicious Object Access
  - Suspicious Location
  - Suspicious Client Application (Client Id)
  - Excessive Access Violation
  - Time Range Violation
  - Suspicious Client IP (only for "TCP/IP Sniffer")

Microsoft SQL Server
  - Security Violation
  - Suspicious OS User
  - Suspicious Object Access
  - Suspicious Location
  - Suspicious Client Application
  - Excessive Access Violation
  - Time Range Violation
  - Suspicious Client IP (only for "TCP/IP Sniffer")

DB2
  - Security Violation
  - Suspicious OS User
  - Suspicious Object Access
  - Suspicious Location
  - Excessive Access Violation
  - Time Range Violation
  - Suspicious Client IP (only for "TCP/IP Sniffer")

Sybase
  - Security Violation
  - Suspicious OS User
  - Suspicious Object Access
  - Suspicious Location
  - Excessive Access Violation
  - Time Range Violation
  - Suspicious Client IP (only for "TCP/IP Sniffer")

MySQL
  - Security Violation
  - Suspicious Object Access
  - Suspicious Location
  - Excessive Access Violation

See also
  - Configuring alert rules for a user policy


Configuring a database policy

Database policies generate audit records only. You do not configure them to generate alerts.

To configure a database policy

1. Do one of the following:
   - To configure a policy that is available to add to multiple target monitoring configurations, go to Policy > DAM Audit Policies.
   - To configure a policy for a specific target, go to DB Activity Monitoring > Monitoring Management, click a target name, and then click the Audit Policies tab.

2. In the Data Policies list, select Database, and then click Add.

3. Complete the Policy Info settings. For detailed information about the settings, see Managing DAM policies on page 145.

4. To expand Audit Settings, click the triangle icon beside the section name.

5. Do one of the following:
   - Select Manually Select Object, and then enter the specific database or schema name.
   - Select Browse Object by Target to select a specific database or schema name from the list.

6. If you are configuring the policy using Policy > DAM Audit Policies and selecting an object by browsing, for Target, select a target. Then, select one or more items from the Database or Schema list. Enter text in the Search field to filter the list of databases and schemas.

7. For Audit Actions, select one or more of the following values: Select, Insert, Update, Delete.

8. Click > (right arrow) to move the selected items to the Selected Objects table. To remove an item, select it and then click < (left arrow). Click << (double left arrow) to remove all items.

9. Click Save. The new policy is displayed in the list of policies.

See also
  - Data policies

Configuring a database query policy

A database query policy is an alert policy that queries the target database with SQL you supply and saves the result as an alert. Database query policies do not generate audit records.

For example, for Microsoft SQL Server databases, a database query policy whose SQL Query value is select @@version returns the following result in the alert:


Microsoft SQL Server 2012 - 11.0.2100.60 (Intel X86) Feb 10 2012 19:13:17 Copyright (c) Microsoft Corporation Express Edition on Windows NT 6.0 <X86> (Build 6002: Service Pack 2) (Hypervisor)

FortiDB runs the database query policy according to a schedule you specify.

To configure a database query policy and add it to a target monitoring configuration

1. Do one of the following:
   - Go to Policy > DAM Alert Policies.
   - Go to DB Activity Monitoring > Monitoring Management, click a target name, and then click the Alert Policies tab.

2. In the Data Policies list, select Database Query, and then click Add.

3. Complete the Policy Info settings. For detailed information about the settings, see Managing DAM policies on page 145.

4. Complete the following settings, which are specific to database query policies:

   SQL query
      Enter the query text. The query runs on the target with the privileges of the account FortiDB uses to connect to it, so keep it read-only.

   Return Records Count Limit
      Enter the maximum number of returned records that FortiDB includes in the alert this policy generates. For example, if you enter 5, the alert details show the first 5 rows of the query result. The default value is 1.

   Targets
      Select the target database to query.

5. If you are creating the policy using the monitoring configuration for a specific target, you can ensure the policy is added to the configuration by selecting Create new policy group for policy.

6. To test whether the SQL query is valid, click Test. If it is valid, the message "Success" is displayed.

7. Click Save. The policy you created is displayed in the data policy list.

8. Go to DB Activity Monitoring > Monitoring Management, and then click a target name.

9. On the Alert Policy Groups tab, ensure that a group that includes the database query policy you created is selected. For example, the policy is included if the Data Policies policy group is selected. For more information on adding policies, see Adding policy groups to target database monitoring on page 180.

10. Click the Query Schedule tab, select Enable Schedule for Database Query Policy, and then use the following settings to specify a schedule:


   Schedule type
      Specify Run Once or Recurring.

   Starts at
      Specify a start date and time for the policy.

   Recurrence pattern
      Specify the interval at which FortiDB runs the policy. For example, select Weekly, and then select a day of the week. Displayed only when Recurring is selected.

   Ends by
      Specify No end date, or select a date. Displayed only when Recurring is selected.

11. Click Save.

Privilege policies

The target database monitoring and auditing features use privilege policies to monitor or track changes to privilege settings in selected databases.

You cannot create privilege policies, but you can modify some settings of the pre-defined privilege policies.

To view the predefined privilege policies, on the DAM Security Alert Policies or DAM Activity Auditing Policies page, from the View list, select Privilege Policies.

To configure a privilege policy

1. Do one of the following:
   - To configure a policy that is available to add to multiple target monitoring configurations, go to Policy > DAM Alert Policies or Policy > DAM Audit Policies.
   - To configure a policy for a specific target, go to DB Activity Monitoring > Monitoring Management, click a target name, and then click the Alert Policies or Audit Policies tab.

2. To identify privilege policies, do one of the following:
   - If you are using the DAM Security Alert Policies or DAM Activity Auditing Policies page, from the View list, select Privilege Policies. The View menu filters policies using the pre-defined Privilege Policies group, which includes privilege policies for all database types. To view privilege policies for a specific database type, modify the filter of the Privilege Policies group or create a new policy group. For details about modifying a policy group, see Alert and audit policy groups on page 179.
   - If you are using the target monitoring configuration, under Type, look for the privilege policy icon.

3. Click the name of the policy you want to configure.

4. On the Edit Audit Policy page, under Policy Info, enter an optional description, and then select Enable.

5. If you are configuring an alert policy, for Severity, select one of the following options:


   - Informational (default, lowest severity level)
   - Cautionary
   - Minor
   - Major
   - Critical (highest severity level)

6. Click Save.

See also
  - Oracle privilege policies
  - Microsoft SQL Server privilege policies
  - Sybase privilege policies
  - DB2 privilege policies
  - MySQL privilege policies

Oracle privilege policies

FortiDB provides the following privilege policies:

Column Privileges
   Contents: column-level privilege grants.
   This policy generates alerts when column privileges are modified. For example, user SCOTT can grant UPDATE on a single column of one of his tables to another user without letting that user update the other columns of the same table. (Oracle accepts a column list only for INSERT, UPDATE and REFERENCES grants; read access to a subset of columns is restricted through a view instead.)

Profiles
   Contents: resources (I/O, etc.) assigned to users.
   This policy generates alerts when profiles are modified. Changes to any profile setting could have wide-reaching effects; Oracle profiles also carry password-policy limits such as the failed-login count and password lifetime.

Role Privileges
   Contents: roles granted to users and to other roles.
   This policy generates alerts when role privileges are modified. It also records which roles have been assigned to other roles. A change to a user's roles is a change to that user's access privileges, so role changes should be closely monitored to ensure data security.


Roles
   Contents: database roles.
   This policy generates alerts when roles are modified. It contains information about all existing roles in the database.

System Privileges
   Contents: all granted system privileges.
   This policy generates alerts when system privileges are created, deleted, or modified. It contains all system privileges granted to any user or role. System privileges are powerful and should be granted with great caution; monitoring system-privilege changes should be mandatory.

Table Privileges
   Contents: all granted schema-object privileges.
   This policy generates alerts when table privileges are modified. It lists all granted privileges on schema objects, including tables, views, sequences, procedures, functions, and packages.

User Privileges
   Contents: database users.
   This policy generates alerts when user privileges are modified. It contains information about the users in the database. Although this view has no privilege information, it lists the users to whom privileges may be assigned or changed.
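What an Oracle privilege policy alert amounts to can be shown as the difference between two snapshots of the data dictionary. The following Python is an added example written for this page, not FortiDB code: it assumes that each policy above corresponds to one dictionary view (DBA_COL_PRIVS, DBA_TAB_PRIVS, DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_USERS), compares constructed before/after row sets for those views, and ranks each change with the handbook's severity levels. The view mapping, the row layouts, the snapshots and the ranking rules are all assumptions of the example.

```python
"""Added example (not FortiDB code): privilege changes found by diffing two
catalog snapshots. View mapping, row layouts, snapshots and severity ranking
are assumptions of this example."""
from collections import namedtuple

Change = namedtuple("Change", "policy kind row severity")

# Oracle policy -> data-dictionary view assumed to hold its contents.
POLICY_VIEWS = {
    "Column Privileges": "DBA_COL_PRIVS",   # (grantee, owner, table, column, privilege)
    "Table Privileges": "DBA_TAB_PRIVS",    # (grantee, owner, table, privilege)
    "System Privileges": "DBA_SYS_PRIVS",   # (grantee, privilege, admin_option)
    "Role Privileges": "DBA_ROLE_PRIVS",    # (grantee, granted_role, admin_option)
    "User Privileges": "DBA_USERS",         # (username, account_status)
}

# Roles whose grant a reviewer would treat as critical (assumed list).
POWERFUL_ROLES = {"DBA", "IMP_FULL_DATABASE", "EXP_FULL_DATABASE"}


def severity_for(policy, row):
    """Rank a change with the handbook's levels: every system-privilege change
    and any grant of a powerful role is Critical, a role granted WITH ADMIN
    OPTION is Major, everything else Minor."""
    if policy == "System Privileges":
        return "Critical"
    if policy == "Role Privileges":
        grantee, role, admin_option = row
        if role in POWERFUL_ROLES:
            return "Critical"
        if admin_option == "YES":
            return "Major"
    return "Minor"


def diff_snapshots(before, after):
    """Rows only in `after` are grants or new objects ('added'); rows only in
    `before` are revokes or drops ('removed'). Output order: policy, then row."""
    changes = []
    for policy, view in POLICY_VIEWS.items():
        old, new = before.get(view, set()), after.get(view, set())
        for row in sorted(new - old):
            changes.append(Change(policy, "added", row, severity_for(policy, row)))
        for row in sorted(old - new):
            changes.append(Change(policy, "removed", row, severity_for(policy, row)))
    return changes


def summarize(changes):
    """{(policy, severity): count}, the shape an alert digest needs."""
    counts = {}
    for c in changes:
        counts[(c.policy, c.severity)] = counts.get((c.policy, c.severity), 0) + 1
    return counts


# Constructed snapshots (not read from a database). Between them: SCOTT grants
# UPDATE on EMP.SAL to HR_APP, HR_APP's SELECT on EMP is revoked, HR_APP gets
# CREATE ANY TABLE and the DBA role with admin option, and TMP_ADMIN is created.
BEFORE = {
    "DBA_COL_PRIVS": set(),
    "DBA_TAB_PRIVS": {("HR_APP", "SCOTT", "EMP", "SELECT")},
    "DBA_SYS_PRIVS": {("SCOTT", "CREATE SESSION", "NO"), ("HR_APP", "CREATE SESSION", "NO")},
    "DBA_ROLE_PRIVS": {("SCOTT", "CONNECT", "NO"), ("HR_APP", "CONNECT", "NO")},
    "DBA_USERS": {("SCOTT", "OPEN"), ("HR_APP", "OPEN")},
}
AFTER = {
    "DBA_COL_PRIVS": {("HR_APP", "SCOTT", "EMP", "SAL", "UPDATE")},
    "DBA_TAB_PRIVS": set(),
    "DBA_SYS_PRIVS": BEFORE["DBA_SYS_PRIVS"] | {("HR_APP", "CREATE ANY TABLE", "NO")},
    "DBA_ROLE_PRIVS": BEFORE["DBA_ROLE_PRIVS"] | {("HR_APP", "DBA", "YES")},
    "DBA_USERS": BEFORE["DBA_USERS"] | {("TMP_ADMIN", "OPEN")},
}

if __name__ == "__main__":
    for c in diff_snapshots(BEFORE, AFTER):
        print(f"[{c.severity:8s}] {c.policy}: {c.kind} {c.row}")
```

The diff yields one change per policy: the column grant and the revoked table grant rank Minor, the new CREATE ANY TABLE system privilege and the DBA role grant rank Critical, and the new account shows up under User Privileges even though, as the table says, that view holds no privilege information of its own. A revoke is reported with the same severity as the grant it undoes, which is deliberate: silently removing a privilege is as worth a look as adding one.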

See also
  - Privilege policies

Microsoft SQL Server privilege policies

The following privilege policies are available for Microsoft SQL Server databases:

Column Privileges
   Privileges involved: column-level privileges.
   This policy generates alerts when the column privileges are modified.


Member Privileges
   Privileges involved: role- and group-membership assignments.
   This policy generates alerts when memberships are modified.

Object Privileges
   Privileges involved: column-, table- and other object-level privileges.
   This policy generates alerts when object privileges are modified.

Roles
   Privileges involved: all objects that are accessible by the current user.
   This policy generates alerts when roles are modified. It contains information about all existing roles in the database.

Server Roles
   Privileges involved: default server roles assigned to users.
   This policy generates alerts when server roles are modified.

User Privileges
   Privileges involved: valid database users and the groups to which they belong.
   This policy generates alerts when user privileges are modified.

See also
  - Privilege policies

Sybase privilege policies

The following privilege policies are available for Sybase databases:

Column Privileges
   Privileges involved: column-level privileges.
   This policy generates alerts when the column privileges are modified.

Member Privileges
   Privileges involved: role- and group-membership assignments.
   This policy generates alerts when membership privileges are modified.

Object Privileges
   Privileges involved: column-, table- and other object-level privileges.
   This policy generates alerts when object privileges are modified.

Procedures
   Privileges involved: procedure privileges.
   This policy generates alerts when procedures are modified.

Roles
   Privileges involved: all roles at the server level.
   This policy generates alerts when server-level roles are modified.

Roles and Groups
   Privileges involved: all roles and groups. A group is a user group at the database level.
   This policy generates alerts when roles and groups are modified.


System Privileges
   Privileges involved: all granted system privileges.
   This policy generates alerts when system privileges are modified.

User Privileges
   Privileges involved: valid database users and the groups to which they belong.
   This policy generates alerts when user privileges are modified.

See also
  - Privilege policies

DB2 privilege policies

The following privilege policies are available for DB2 databases:

Column Privileges
   Contents: column privileges.

Database Privileges
   Contents: database system privileges.

Index Privileges
   Contents: index privileges. This view holds the CONTROL privilege on an index, which is the right to DROP the index. The creator of an index automatically has this CONTROL privilege.

Package Privileges
   Contents: package privileges. A package is a database object that groups related procedures, functions, associated cursors, and variables.
   CONTROL: the ability to rebind, drop, and execute the package, and to extend these package privileges to others. Only SYSADM and DBADM authorities can grant the CONTROL privilege.
   BIND: the privilege to rebind an existing package.
   EXECUTE: the privilege to execute a package.

Schema Privileges
   Contents: objects within a schema: tables, views, indexes, packages, data types, functions, triggers, procedures, and aliases.
   CREATEIN: the privilege to create objects within the schema.
   ALTERIN: the privilege to alter objects within the schema.
   DROPIN: the privilege to drop objects within the schema.


Table and View Privileges
   Contents: table and view privileges.
   CONTROL: the privilege to DROP the table or view and to GRANT table or view privileges to others.
   ALTER: the privilege to add columns and comments, add a primary key or unique constraint, create triggers, and create or drop check constraints.
   DELETE: the privilege to delete rows.
   INDEX: the privilege to CREATE INDEX.
   INSERT: the privilege to INSERT rows.
   REFERENCES: the privilege to CREATE or DROP a foreign key.
   SELECT: the privilege to retrieve data.
   UPDATE: the privilege to change existing entries.

Tablespace Privileges
   Contents: tablespace privileges. A SYSADM or SYSCTRL authority can create a tablespace and grant the USE privilege on it to others.

See also
  - Privilege policies

MySQL privilege policies

The following privilege policies are available for MySQL databases:

Column Privileges
   Privileges involved: column-level privileges.
   This policy generates alerts when the column privileges are modified.

Object Privileges
   Privileges involved: column-, table- and other object-level privileges.
   This policy generates alerts when object privileges are modified.

Procedures
   Privileges involved: procedure privileges.
   This policy generates alerts when procedures are modified.


See also
  - Privilege policies


Metadata policies

The target database monitoring and auditing features use metadata policies to monitor or track changes to metadata in selected databases.

You cannot create metadata policies, but you can modify some settings of the pre-defined metadata policies.

To view the predefined metadata policies, on the DAM Security Alert Policies or DAM Activity Auditing Policies page, from the View list, select Metadata Policies.

To configure a metadata policy

1. Do one of the following:
   • To configure a policy that is available to add to multiple target monitoring configurations, go to Policy > DAM Alert Policies or Policy > DAM Audit Policies.
   • To configure a policy for a specific target, go to DB Activity Monitoring > Monitoring Management, and then click a target name. Then, click the Alert Policies or Audit Policies tab.

2. To identify metadata policies, do one of the following:
   • If you are using the DAM Security Alert Policies or DAM Activity Auditing Policies page, from the View list, select Metadata Policies.
     The View menu filters policies using the pre-defined Metadata Policies group, which includes metadata policies for all database types. To view metadata policies for a specific database type, modify the filter of the Metadata Policies group or create a new policy group. For details about modifying a policy group, see Alert and audit policy groups on page 179.
   • If you are using the target monitoring configuration, under Type, look for the metadata policy icon.

3. Click the name of the policy you want to configure.

4. On the Edit Audit Policy (or Edit Alert Policy) page, under Policy Info, enter an optional description, and then select Enable.

5. If you are configuring an alert policy, for Severity, select one of the following options:
   • Informational (default, lowest severity level)
   • Cautionary
   • Minor
   • Major
   • Critical (highest severity level)

6. Click Save.
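The MySQL privilege policies above and the metadata policies described here alert on the same kind of event: a change to catalog state. The following added example (not FortiDB code, and not a description of how FortiDB implements its policies) shows that detection as a diff between two catalog snapshots, producing one finding per added, dropped or redefined object. The snapshot rows, their MySQL-style naming, and the severity assigned to each object kind are this example's own assumptions.

```python
"""Added example (not FortiDB code): alert on metadata and privilege changes
by diffing two catalog snapshots.

The rows below are constructed and shaped after MySQL's information_schema
and mysql.*_priv tables; the per-kind severities are this example's choice.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass

# Example severities per object kind (assumption; FortiDB's own default for
# every pre-defined policy is Informational). Triggers, procedures and events
# run code; privilege rows widen who can reach the data.
SEVERITY = {
    "table": "Minor", "column": "Minor", "index": "Minor", "view": "Minor",
    "trigger": "Major", "procedure": "Major", "event": "Major",
    "column_priv": "Critical", "table_priv": "Critical", "proc_priv": "Critical",
}


@dataclass(frozen=True)
class Finding:
    kind: str
    name: str
    change: str      # "added", "dropped" or "modified"
    severity: str
    detail: str


def fingerprint(attrs: dict) -> str:
    """Order-independent SHA-256 of one object's definition."""
    canon = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def index_snapshot(rows: list[dict]) -> dict[tuple[str, str], dict]:
    """Key each catalog row by (kind, qualified name); the rest is its definition."""
    idx: dict[tuple[str, str], dict] = {}
    for row in rows:
        key = (row["kind"], row["name"])
        if key in idx:
            raise ValueError(f"duplicate catalog entry {key}")
        idx[key] = {k: v for k, v in row.items() if k not in ("kind", "name")}
    return idx


def diff_snapshots(baseline: list[dict], current: list[dict]) -> list[Finding]:
    """Return one Finding per object that was added, dropped or redefined."""
    before, after = index_snapshot(baseline), index_snapshot(current)
    findings: list[Finding] = []
    for key in sorted(set(before) | set(after)):
        kind, name = key
        sev = SEVERITY.get(kind, "Informational")
        if key not in after:
            findings.append(Finding(kind, name, "dropped", sev,
                                    json.dumps(before[key], sort_keys=True)))
        elif key not in before:
            findings.append(Finding(kind, name, "added", sev,
                                    json.dumps(after[key], sort_keys=True)))
        elif fingerprint(before[key]) != fingerprint(after[key]):
            changed = sorted(k for k in set(before[key]) | set(after[key])
                             if before[key].get(k) != after[key].get(k))
            findings.append(Finding(kind, name, "modified", sev,
                                    "changed: " + ", ".join(changed)))
    return findings


# Constructed snapshots, not real catalog output.
BASELINE_SNAPSHOT = [
    {"kind": "table", "name": "app.customers", "engine": "InnoDB"},
    {"kind": "column", "name": "app.customers.card_number", "type": "varchar(19)", "nullable": "NO"},
    {"kind": "index", "name": "app.customers.idx_email", "columns": ["email"], "unique": True},
    {"kind": "table_priv", "name": "'report'@'%' ON app.customers", "privs": ["Select"]},
]
CURRENT_SNAPSHOT = [
    {"kind": "table", "name": "app.customers", "engine": "InnoDB"},
    # column widened: the schema now accepts data it previously rejected
    {"kind": "column", "name": "app.customers.card_number", "type": "varchar(64)", "nullable": "NO"},
    # idx_email has been dropped
    # a new trigger copies every inserted row to another schema
    {"kind": "trigger", "name": "app.customers_ai", "event": "INSERT", "timing": "AFTER",
     "body": "INSERT INTO scratch.copy SELECT NEW.*"},
    {"kind": "table_priv", "name": "'report'@'%' ON app.customers", "privs": ["Select"]},
    # a new column-level grant on the sensitive column
    {"kind": "column_priv", "name": "'etl'@'10.%' ON app.customers.card_number",
     "privs": ["Select", "Update"]},
]


def run_example() -> list[Finding]:
    """Diff the constructed snapshots: four findings, two of them Major or worse."""
    return diff_snapshots(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT)


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f.severity}] {f.kind} {f.name}: {f.change} {f.detail}")
```

Taking the baseline from a known-good state, storing its fingerprints outside the monitored database, and alerting on trigger, routine and grant changes (not only on table and column changes) is what turns a drift report into a security control: a trigger or procedure added by an attacker runs with the privileges of whoever later touches the table.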


See also

• Oracle metadata policies
• Microsoft SQL Server metadata policies
• Sybase metadata policies
• DB2 metadata policies
• MySQL metadata policies

Oracle metadata policies

The following metadata policies are available for Oracle databases:

Policy Name | Contents | Description
Packages | packages | This policy generates alerts when database packages are modified.
Synonyms | synonyms | This policy generates alerts when database synonyms are modified.
Tables | tables, columns and indexes | This policy generates alerts when tables, columns, or indexes are modified.
Tablespaces | tablespaces | This policy generates alerts when tablespaces are modified.
Triggers | triggers | This policy generates alerts when triggers are modified.
Views | views | This policy generates alerts when views are modified.

See also

• Metadata policies

Microsoft SQL Server metadata policies

The following metadata policies are available for Microsoft SQL Server databases:

Policy Name | Contents | Description
Routines | routines | This policy generates alerts when routines (stored procedures and functions) are modified.
Tables | tables, columns and indexes | This policy generates alerts when tables, columns, or indexes are modified.
Triggers | triggers | This policy generates alerts when triggers are modified.
Views | views | This policy generates alerts when views are modified.

See also

• Metadata policies

Sybase metadata policies

The following metadata policies are available for Sybase databases:

Policy Name | Contents | Description
Indexes | indexes | This policy generates alerts when indexes are modified.
Stored Procedures | stored procedures | This policy generates alerts when stored procedures are modified.
Tables | tables, columns and indexes | This policy generates alerts when tables, columns, or indexes are modified.
Triggers | triggers | This policy generates alerts when triggers are modified.
Views | views | This policy generates alerts when views are modified.

See also

• Metadata policies

DB2 metadata policies

The following metadata policies are available for DB2 databases:

Policy Name | Contents | Description
Aliases | aliases | This policy generates alerts when aliases are modified.
Indexes | indexes | This policy generates alerts when indexes are modified.
Packages | packages | This policy generates alerts when database packages are modified.
Tables | tables | This policy generates alerts when tables and columns are modified.
Tablespaces | tablespaces | This policy generates alerts when tablespaces are modified.
Triggers | triggers | This policy generates alerts when triggers are modified.
Views | views | This policy generates alerts when views are modified.

See also

• Metadata policies

MySQL metadata policies

The following metadata policies are available for MySQL databases:

Policy Name | Contents | Description
Events | events | This policy generates alerts when events are modified.
Indexes | indexes | This policy generates alerts when indexes are modified.
Stored Procedures | stored procedures | This policy generates alerts when stored procedures are modified.
Tables | tables | This policy generates alerts when tables and columns are modified.
Triggers | triggers | This policy generates alerts when triggers are modified.
Views | views | This policy generates alerts when views are modified.

See also

• Metadata policies


PCI, SOX, and HIPAA alert policies

Regulatory compliance policies record all types of database activities and store the data in the FortiDB repository.

You can use these policies to generate the following compliance reports:

• Sarbanes-Oxley (SOX)
• Payment Card Industry Data Security Standard (PCI DSS)
• Health Insurance Portability and Accountability Act (HIPAA)

You cannot create these types of policies, but you can change the configuration of the pre-defined compliance policies.

For details about compliance reports, see PCI, SOX, and HIPAA reports on page 242.

To view regulatory compliance policies:

1. Go to Policy > DAM Alert Policies.

2. Select the policy type from the View dropdown. For example, select PCI Policies.

For Oracle databases, if the Security Alerts page does not display alerts generated by regulatory compliance policies as expected, you can run a script that fixes the problem. See Configuring an Oracle database for PCI, SOX, and HIPAA policies on page 81.

See also

• Configuring PCI, SOX and HIPAA policies
• Selecting which tables FortiDB tracks for PCI, SOX and HIPAA reports (Object Audit Options)
• Select users to audit for PCI and SOX reports (User Audit Options)

Configuring PCI, SOX and HIPAA policies

Some regulatory compliance reports require you to set either Object Audit Options or User Audit Options for the corresponding policy group item.

1. Go to Policy > DAM Alert Policies.

2. For View, select PCI Policies, Sox Policies, or HIPAA Policies.

3. Click the policy name.
   The Edit Alert Policy page for the policy is displayed.

4. Enter the following information if necessary.
   a. Enter a description.
   b. Select Enable to enable the policy.

5. Select one of the following severity options from the dropdown list:
   • Informational (default, lowest severity level)
   • Cautionary
   • Minor
   • Major
   • Critical (highest severity level)

6. For generating reports, set Object Audit Options or User Audit Options, if required. See Selecting which tables FortiDB tracks for PCI, SOX and HIPAA reports (Object Audit Options) on page 177 and Select users to audit for PCI and SOX reports (User Audit Options) on page 178.

See also

• Selecting which tables FortiDB tracks for PCI, SOX and HIPAA reports (Object Audit Options)
• Select users to audit for PCI and SOX reports (User Audit Options)
• PCI, SOX, and HIPAA reports

Selecting which tables FortiDB tracks for PCI, SOX and HIPAA reports (Object Audit Options)

Some regulatory compliance reports require you to select the tables on which FortiDB tracks data changes. The reports display the activity in the tables you specify.

You select the objects to audit for the following regulatory compliance reports using the corresponding PCI, SOX or HIPAA policy:

• Abnormal or Unauthorized Changes to Data
• Abnormal Use of Service Accounts
• Abnormal Termination of Database Activity
• End of Period Adjustments
• PCI - Invalid Operation
• PCI - Access to Credit Card Tables
• HIPAA Privilege Changes
• HIPAA Access to EPHI data
• HIPAA User Privileges on EPHI data

To configure the Object Audit Options settings for a policy

1. Go to the editing page for the policy. (See Configuring PCI, SOX and HIPAA policies on page 176.)

2. Under Object Audit Settings, in the Select Objects to Audit section, select one of the following. The remaining steps assume the default setting.
   • Manually Select Object: You enter the specific object name.
   • Browse Object by Target: You select an object from the dropdown lists (default).

3. In the Target field, select a target from the dropdown list.

4. For Oracle and DB2, in the Schema field, select a schema from the dropdown list. For Microsoft SQL Server and Sybase, select a database from the dropdown list in the Database field, and then select a schema in the Schema field.

5. From the Tables selection box, select one or more tables.
   For Oracle databases, you can also select a synonym.

6. In the Audit Actions field, select the Read (Select) check box, the Write (Insert/Update/Delete) check box, or both.

7. Click the right arrow to move the selection to the Selected Objects table.
   To remove objects from the Selected Objects table, select the objects you want to remove, then click the left arrow.

8. Click Save.

9. Optionally, configure the User Audit Options for the following policies: Sox Abnormal or Unauthorized Changes to Data, Sox Abnormal Termination of Database Activity, Sox Abnormal Use of Service Accounts, and the PCI policies that provide User Audit Options. For details about setting the User Audit Options, see Select users to audit for PCI and SOX reports (User Audit Options) on page 178.

See also

• Configuring PCI, SOX and HIPAA policies
• PCI, SOX, and HIPAA reports

Select users to audit for PCI and SOX reports (User Audit Options)

This action is required for the following policies to generate the corresponding reports: Abnormal Use of Service Accounts, Abnormal Termination of Database Activity, Sox Abnormal or Unauthorized Changes to Data, and PCI - Privileged User Action.

1. To edit the policy, in the list of SOX or PCI policies, click its name. For example, click Sox Abnormal or Unauthorized Changes to Data.

2. In the User Audit Options section, select a target from the Browse by target dropdown list, or enter a username in the Enter user field.

3. Click the right arrow to move the selection to the Selected Users table.
   To remove users from the Selected Users table, select the user you want to remove, then click the left arrow.

4. Click Save.

See also

• Configuring PCI, SOX and HIPAA policies
• PCI, SOX, and HIPAA reports


Alert and audit policy groups

FortiDB provides pages that display all DAM alert and audit policy groups with descriptions and allow you to perform the following tasks:

• Add a new policy group by selecting Add.
• Click the group name to modify the policy group, including selecting which target databases FortiDB monitors using the policies in the group.
• Delete user-defined policy groups by selecting the group and clicking Delete.

Because you use filtering criteria to specify which policies are members of a group, any time you create a new policy that matches the filtering criteria, FortiDB automatically adds it to the corresponding policy group.

See also

• Creating or modifying an alert or audit policy group
• Adding policy groups to target database monitoring
• Deleting a policy group

Creating or modifying an alert or audit policy group

1. Do one of the following:
   • Go to Policy > DAM Alert Policy Groups
   • Go to Policy > DAM Audit Policy Groups

2. Do one of the following:
   • To add a new group, click Add. Then, for Group Name, enter a name for the policy group.
     You can click Cancel to cancel creating a new policy-group filter and go back to the main policies page.
   • To modify a group, click its name.

3. Optionally, for Description, add or edit text that describes your grouping criteria or other helpful information.

4. On the Filters tab, use the following settings to create or edit your filtering criteria:

Setting | Description
Operator (And/Or) | The logical connector between this row and the previous one. The values And and Or are not available for the first row.
Column | Specify a column to use for filtering.
Operator | Specify a comparison operator.
Value | Enter a value or select one from the list of available values. If you are using a list, click > (right arrow) to add selected items to the right-hand list.
- (minus) and + (plus) | Click to add or remove rows that define criteria.

For example:


Column | Operator | Value | Returns
Database Type | Equals | DB2 | All policies associated with DB2 databases
Policy Type | Equals | Metadata Policies | Metadata policies associated with DB2 databases (when combined with the first row)

5. To apply your filtering criteria, click Search.

6. To save the configuration, select Save Group.

7. To associate the policy group to a target database:

a. Select the

Targets tab.

b. In the box on the left, select targets to associate with the policy group, and then click the right arrow to move the selection to the box on the right.

8. Click Save.

See also

• Adding policy groups to target database monitoring

Adding policy groups to target database monitoring

You use the DAM Alert Policy Groups and DAM Audit Policy Groups pages to add alert or audit policy groups to the monitoring configuration for one or more target databases.

Go to Policy > DAM Alert Policy Groups or Policy > DAM Audit Policy Groups, click a group name, and then use the Targets tab to select targets.

Alternatively, you can use the target database monitoring configuration to add policies to an individual target. For information, see Adding alert and audit policies to monitoring on page 205 and Adding policy groups to target monitoring on page 206.

Deleting a policy group

You can delete user-defined policy groups but not pre-defined policy groups.

1. Do one of the following:
   • Go to Policy > DAM Alert Policy Groups
   • Go to Policy > DAM Audit Policy Groups

2. Select the check box for one or more user-defined policy groups.

3. Click Delete.


Vulnerability assessment


Adding or modifying assessments

You configure and run vulnerability assessments (VAs) from the Assessments page. This assessment management page allows you to create a database group, add policy groups and a schedule, and run the scan.

See also

• Adding or modifying assessments
• View VA global summary information
• Assessment history
• Viewing and exporting a privilege summary
• Sensitive data discovery
• Viewing VA and sensitive data discovery event logs

Adding or modifying assessments

This topic describes the task of adding (or modifying) FortiDB assessments. For a successful assessment, you must:

• Create, or use an existing, target group which contains at least one valid target database
• Create, or use an existing, policy group which contains at least one working policy

FortiDB does not perform an automatic session timeout after a certain period of time has elapsed. For example, if you leave assessment results on your screen while at lunch, unauthorized individuals could see this information. Therefore, you should log out or close your browser if you expect to leave your computer unattended.

Items marked with an asterisk (*) on data-entry forms are mandatory.

1. Go to Vulnerability Assessment > Assessments.

2. Do one of the following:
   • To add an assessment, click Add.
   • To modify an assessment, click its name.

3. On the General tab, enter the requested items: an Assessment Name so that you can reuse it later and (optionally) a Description of your assessment. Then configure your assessment using the tabs on the web page.

4. In the Targets tab, specify which target groups you want to assess.
   Select one or more target groups from the Available Target Groups list on the left and click >> (right arrows) to add them to the Assigned Target Groups list.
   You can remove a target group from the Assigned Target Groups list on the right by clicking << (left arrows).

5. In the Policies tab, specify which policy groups you want to assess with.


   a. Select one or more policy groups from the Available Policy Groups list on the left and add them to the Assigned Policy Groups list by clicking the right-arrow button. (To remove a policy group from the Assigned Policy Groups list, click the left-arrow button.)
   b. To see the policies associated with a policy group, select the group in either the Available Policy Groups list or the Assigned Policy Groups list. The list of policies is displayed in the Active Policies list.

6. Optionally, to specify policies to exclude from assessments by target:
   a. Click Vulnerability Assessment > Assessments Exempted Policies.
   b. Double-click the name of the target to view the list of policies you can exempt from assessments for that target.
   c. In the Available Exempted Policies list, select the policy to exclude, and then click >> (double arrows) to add it to the Selected Exempted Policies list.
   d. Click Save.
   An exempted policy is not checked against that target, so its findings never appear in the assessment results. Review exemptions periodically so that a temporary exception does not become a permanent blind spot.

See also

• Running assessments
• Configuring assessment notifications
• Selecting the type of report an assessment generates
• Reviewing, deleting, and aborting assessment results

Running assessments

The Scheduling tab of the Assessment page provides the following options:

• Run once: Enables you to specify the time and date for a single assessment run
• Recurring: Enables you to schedule a series of assessments

Running an assessment immediately

1. Go to Vulnerability Assessment > Assessments.

2. Click the name of an assessment.

3. Click Run.

Running an assessment at a specified date and time

1. Select the Run once radio button.

2. In the Starts at field group, specify a starting date directly, use the default, or alternatively, select the calendar icon, and then select a date.

3. Select the Enable Schedule check box if you want to activate your schedule. (By default, your assessment schedule is disabled so that you can configure it without activating it.)

4. Select the Save button to save your schedule.

Running scheduled assessments

1. Select the Recurring radio button.


2. In the Starts at field group, specify a starting date directly, use the default, or alternatively, select the calendar icon, and then select a date.

3. Select one of the radio buttons in the Recurrence pattern field group:
   • Hourly: specify the hourly interval in the Every __ hours field.
   • Daily: specify the daily interval in the Every __ days field.
   • Weekly: specify the day(s) of the week on which you want your weekly assessments to run.
   • Monthly: specify which day(s) during which month(s) you want your assessment to run. The Day radio button and adjacent dropdown list allow you to specify the numeric day on which your assessment runs in each specified month. Alternatively, you may specify the day in each month, such as the 'first Monday', using the two provided dropdown lists.

   a. In the Starts at field group, specify a starting time or use the default.
   b. In the Recurrence pattern field group, select the Hourly, Daily, Weekly, or Monthly radio button.
   c. In the Ends by field group, you can leave the default No end date radio button selected, or select the End by radio button and then specify the date on which you want your schedule to end by clicking the calendar icon.

4. Select the Enable Schedule check box if you want to activate your schedule. (By default, your assessment schedule is disabled so that you can configure it without activating it.)

5. In the Administrative Domains section, you can select the users to whom this scheduled task applies.
   Remember that users may only manage specific targets, so this section provides a way to perform assessments on particular targets. If one or more of the selected users manages all targets, then assessments will be performed on all applicable targets for this VA scan.

6. Select the Save button to save your schedule.

See also

• Adding or modifying assessments
• Viewing VA and sensitive data discovery event logs

Configuring assessment notifications

This topic describes the task of configuring how, and to whom, assessment notifications are sent. You can choose email and/or SNMP-trap notifications of the issues an assessment discovers.

1. In the Desired Notification format(s) section of the Notifications tab, select the Target Level (default) and/or the Rule Level check box(es).
   • Target-level notifications contain a target-database-level summary of issues discovered during the assessment.
   • Rule-level notifications contain detail for every discovered issue.

2. Select the Enable Email and/or the Enable SNMP Trap check box(es) to enable email and/or SNMP notifications, respectively, of assessment-discovered issues.
   a. For email notifications, you must designate one or more email receivers. Select one or more of the entries in the Available Receivers list box and add them to the Selected Receivers list on the right by clicking the right-arrow button.
      • When the email receiver cannot be reached, it is your email server's responsibility to retry sending the email.
      • To remove receiver(s), select them in the Selected Receivers list and click the left-arrow button.
      • To see the details associated with any receiver, select the name of a receiver in either the Available Receivers or Selected Receivers list; the details appear in the Receiver Details list on the right.
   b. For SNMP notifications, set the Notification properties in the System Configuration component of the FortiDB application.
      The non-appliance version of FortiDB ships with MIB files in the $FortiDB_HOME/etc/snmp directory.

3. (Optional) If you want to attach reports to the e-mail notification, go to the Reports tab and select the Attach reports to selected e-mail receivers check box, and make sure to select one or more report(s) and format(s). The Enable Report Generation to Disk option does not need to be selected to use this capability.

See also

• Adding or modifying assessments
• Notification OIDs for target-level assessments
• Notification OIDs for Rule-Level Assessments

Notification OIDs for target-level assessments

FortiDB uses the following object identifiers (OIDs) for target-level assessment notifications:

OID | Meaning
SNMPv2-SMI::enterprises.12356 | Fortinet enterprise ID
SNMPv2-SMI::enterprises.12356.104 | FortiDB product ID
SNMPv2-SMI::enterprises.12356.104.0.6 | VA Alert Trap/Notification
SNMPv2-SMI::enterprises.12356.104.0.105 | Assessment Time
SNMPv2-SMI::enterprises.12356.104.0.107 | Target Name
SNMPv2-SMI::enterprises.12356.104.0.123 | Assessment Name
SNMPv2-SMI::enterprises.12356.104.0.124 | FortiDB host name
SNMPv2-SMI::enterprises.12356.104.0.125 | Policy count
SNMPv2-SMI::enterprises.12356.104.0.126 | Total Failed Count
SNMPv2-SMI::enterprises.12356.104.0.127 | Critical failure count
SNMPv2-SMI::enterprises.12356.104.0.128 | Major failure count
SNMPv2-SMI::enterprises.12356.104.0.129 | Minor failure count
SNMPv2-SMI::enterprises.12356.104.0.130 | Caution failure count
SNMPv2-SMI::enterprises.12356.104.0.131 | Informational count

An example of a trap for a target-database-level SNMP notification (one varbind per line):

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (3) 0:00:00.03
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.12356.104.0.6
SNMPv2-SMI::enterprises.12356.104.0.105 = STRING: "Tue Dec 04 17:38:15 PST 2007"
SNMPv2-SMI::enterprises.12356.104.0.107 = STRING: "Test Target"
SNMPv2-SMI::enterprises.12356.104.0.123 = STRING: "Test Assessment"
SNMPv2-SMI::enterprises.12356.104.0.124 = STRING: "jdoe.fdb.com"
SNMPv2-SMI::enterprises.12356.104.0.125 = STRING: "158"
SNMPv2-SMI::enterprises.12356.104.0.126 = STRING: "36"
SNMPv2-SMI::enterprises.12356.104.0.127 = STRING: "10"
SNMPv2-SMI::enterprises.12356.104.0.128 = STRING: "0"
SNMPv2-SMI::enterprises.12356.104.0.129 = STRING: "2"
SNMPv2-SMI::enterprises.12356.104.0.130 = STRING: "4"
SNMPv2-SMI::enterprises.12356.104.0.131 = STRING: "20"

See also

• Adding or modifying assessments
• Notification OIDs for Rule-Level Assessments

Notification OIDs for Rule-Level Assessments

FortiDB uses the following object identifiers (OIDs) for rule-level assessment notifications:

OID | Meaning
SNMPv2-SMI::enterprises.12356 | Fortinet enterprise ID
SNMPv2-SMI::enterprises.12356.104 | FortiDB product ID
SNMPv2-SMI::enterprises.12356.104.0.6 | VA Alert Trap/Notification
SNMPv2-SMI::enterprises.12356.104.0.8 | VA Target Level Alert Trap/Notification
SNMPv2-SMI::enterprises.12356.104.0.102 | Severity
SNMPv2-SMI::enterprises.12356.104.0.103 | Policy Name
SNMPv2-SMI::enterprises.12356.104.0.105 | Assessment Time
SNMPv2-SMI::enterprises.12356.104.0.106 | Application name@server name
SNMPv2-SMI::enterprises.12356.104.0.107 | Target Name
SNMPv2-SMI::enterprises.12356.104.0.123 | Assessment Name
SNMPv2-SMI::enterprises.12356.104.0.124 | FortiDB host name
SNMPv2-SMI::enterprises.12356.104.0.125 | Policy count
SNMPv2-SMI::enterprises.12356.104.0.126 | Total Failed Count
SNMPv2-SMI::enterprises.12356.104.0.127 | Critical failure count
SNMPv2-SMI::enterprises.12356.104.0.128 | Major failure count
SNMPv2-SMI::enterprises.12356.104.0.129 | Minor failure count
SNMPv2-SMI::enterprises.12356.104.0.130 | Caution failure count
SNMPv2-SMI::enterprises.12356.104.0.131 | Informational count
SNMPv2-SMI::enterprises.12356.104.0.132 | Policy ID

An example of formatted traps for a rule-level SNMP notification. The first trap carries the target-level summary:

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (73) 0:00:00.73
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.12356.104.0.8
SNMPv2-SMI::enterprises.12356.104.0.123 = STRING: "Test Assessment"
SNMPv2-SMI::enterprises.12356.104.0.107 = STRING: "Test Target"
SNMPv2-SMI::enterprises.12356.104.0.124 = STRING: "jdoe.fdb.com"
SNMPv2-SMI::enterprises.12356.104.0.105 = STRING: "Thu Dec 06 16:26:26 PST 2007"
SNMPv2-SMI::enterprises.12356.104.0.125 = STRING: "158"
SNMPv2-SMI::enterprises.12356.104.0.126 = STRING: "36"
SNMPv2-SMI::enterprises.12356.104.0.127 = STRING: "10"
SNMPv2-SMI::enterprises.12356.104.0.128 = STRING: "0"
SNMPv2-SMI::enterprises.12356.104.0.129 = STRING: "2"
SNMPv2-SMI::enterprises.12356.104.0.130 = STRING: "4"
SNMPv2-SMI::enterprises.12356.104.0.131 = STRING: "20"

An example of the trap with the rule information:

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (84) 0:00:00.84
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.12356.104.0.6
SNMPv2-SMI::enterprises.12356.104.0.132 = STRING: "6501"
SNMPv2-SMI::enterprises.12356.104.0.102 = STRING: "MINOR"
SNMPv2-SMI::enterprises.12356.104.0.103 = STRING: "DVA ORCL 01.01 Lock and Expire Unused Default Accounts"
SNMPv2-SMI::enterprises.12356.104.0.106 = STRING: "[email protected]"
SNMPv2-SMI::enterprises.12356.104.0.107 = STRING: "Test Target"
SNMPv2-SMI::enterprises.12356.104.0.123 = STRING: "Test Assessment"
SNMPv2-SMI::enterprises.12356.104.0.105 = STRING: "Thu Dec 06 16:26:26 PST 2007"
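A trap receiver needs to turn the varbinds above back into named fields before it can route or suppress them. The following added example (not FortiDB code) does that for text in the snmptrapd format shown on this page, using the OID-to-meaning tables above, and then correlates the target-level summary trap with the per-rule traps that share its assessment, target and time. The two sample traps are the rule-level examples from this page, with the line-wrapped policy name re-joined and the application@server value, which the page does not preserve, replaced by a constructed one. The paging threshold is this example's choice.

```python
"""Added example (not FortiDB code): parse FortiDB VA trap varbinds as printed
by snmptrapd into named fields, and correlate the per-target summary trap
with the per-rule traps that follow it.

OID meanings come from the FortiDB OID tables; sample traps are the page's
rule-level examples (application@server value constructed).
"""
import re

FORTIDB = "SNMPv2-SMI::enterprises.12356.104"

TRAP_NAMES = {"0.6": "va_alert", "0.8": "va_target_level_alert"}
VARBIND_NAMES = {
    "0.102": "severity", "0.103": "policy_name", "0.105": "assessment_time",
    "0.106": "application_at_server", "0.107": "target_name",
    "0.123": "assessment_name", "0.124": "fortidb_host", "0.125": "policy_count",
    "0.126": "total_failed", "0.127": "critical_failed", "0.128": "major_failed",
    "0.129": "minor_failed", "0.130": "caution_failed", "0.131": "informational",
    "0.132": "policy_id",
}
# FortiDB sends counts and the policy ID as STRING varbinds; convert to int.
COUNT_FIELDS = {"policy_count", "total_failed", "critical_failed", "major_failed",
                "minor_failed", "caution_failed", "informational", "policy_id"}

# One varbind is NAME = TYPE: VALUE; VALUE is a quoted string or runs up to the
# next varbind name. re.S lets a quoted string span a wrapped line.
_MIB = r"(?:SNMPv2-SMI|SNMPv2-MIB|DISMAN-EVENT-MIB)::"
_VARBIND = re.compile(
    r"(?P<name>" + _MIB + r"[\w.]+)\s*=\s*(?P<type>\w+):\s*"
    r'(?P<value>"(?:[^"\\]|\\.)*"|.*?)'
    r"(?=\s+" + _MIB + r"|\s*\Z)",
    re.S,
)


def parse_trap(text: str) -> dict:
    """Map one trap's varbinds to the field names from the OID tables."""
    trap = {"trap": "unknown", "trap_oid": None, "varbinds": {}, "unknown": {}, "other": {}}
    for m in _VARBIND.finditer(text):
        name, value = m.group("name"), m.group("value")
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        if name == "SNMPv2-MIB::snmpTrapOID.0":
            trap["trap_oid"] = value
            suffix = value[len(FORTIDB) + 1:] if value.startswith(FORTIDB + ".") else value
            trap["trap"] = TRAP_NAMES.get(suffix, "unknown")
        elif name.startswith(FORTIDB + "."):
            field = VARBIND_NAMES.get(name[len(FORTIDB) + 1:])
            if field is None or (field in COUNT_FIELDS and not value.isdigit()):
                trap["unknown"][name] = value     # keep unexpected input visible
            elif field in COUNT_FIELDS:
                trap["varbinds"][field] = int(value)
            else:
                trap["varbinds"][field] = value
        else:
            trap["other"][name] = value           # e.g. sysUpTimeInstance
    return trap


def correlate(trap_texts: list) -> dict:
    """Group traps by (assessment, target, time): one summary plus its rule traps."""
    groups: dict = {}
    for text in trap_texts:
        parsed = parse_trap(text)
        vb = parsed["varbinds"]
        key = (vb.get("assessment_name"), vb.get("target_name"), vb.get("assessment_time"))
        group = groups.setdefault(key, {"summary": None, "rules": []})
        if parsed["trap"] == "va_target_level_alert":
            group["summary"] = vb
        else:
            group["rules"].append(vb)
    return groups


def needs_page(summary: dict, min_critical: int = 1) -> bool:
    """Escalation rule (assumption): page on any critical failure in the summary."""
    return summary.get("critical_failed", 0) >= min_critical


# Samples: the page's rule-level summary trap (0.8) and one rule trap (0.6).
SUMMARY_TRAP = """DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (73) 0:00:00.73
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.12356.104.0.8
SNMPv2-SMI::enterprises.12356.104.0.123 = STRING: "Test Assessment"
SNMPv2-SMI::enterprises.12356.104.0.107 = STRING: "Test Target"
SNMPv2-SMI::enterprises.12356.104.0.124 = STRING: "jdoe.fdb.com"
SNMPv2-SMI::enterprises.12356.104.0.105 = STRING: "Thu Dec 06 16:26:26 PST 2007"
SNMPv2-SMI::enterprises.12356.104.0.125 = STRING: "158"
SNMPv2-SMI::enterprises.12356.104.0.126 = STRING: "36"
SNMPv2-SMI::enterprises.12356.104.0.127 = STRING: "10"
SNMPv2-SMI::enterprises.12356.104.0.128 = STRING: "0"
SNMPv2-SMI::enterprises.12356.104.0.129 = STRING: "2"
SNMPv2-SMI::enterprises.12356.104.0.130 = STRING: "4"
SNMPv2-SMI::enterprises.12356.104.0.131 = STRING: "20"
"""
RULE_TRAP = """DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (84) 0:00:00.84
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.12356.104.0.6
SNMPv2-SMI::enterprises.12356.104.0.132 = STRING: "6501"
SNMPv2-SMI::enterprises.12356.104.0.102 = STRING: "MINOR"
SNMPv2-SMI::enterprises.12356.104.0.103 = STRING: "DVA ORCL 01.01 Lock and Expire Unused Default Accounts"
SNMPv2-SMI::enterprises.12356.104.0.106 = STRING: "ORCL@db01.example"
SNMPv2-SMI::enterprises.12356.104.0.107 = STRING: "Test Target"
SNMPv2-SMI::enterprises.12356.104.0.123 = STRING: "Test Assessment"
SNMPv2-SMI::enterprises.12356.104.0.105 = STRING: "Thu Dec 06 16:26:26 PST 2007"
"""

if __name__ == "__main__":
    for key, group in correlate([SUMMARY_TRAP, RULE_TRAP]).items():
        print(key, "page" if needs_page(group["summary"]) else "log", group["rules"])
```

Two points matter operationally. The counts arrive as STRING, so the parser only converts values that are all digits and parks anything else under "unknown" rather than guessing. And if the traps travel over SNMPv1 or v2c they carry no authentication, so restrict which source addresses the receiver accepts and treat every field, policy_name included, as untrusted text before it reaches a ticketing system or a shell.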

See also

• Notification OIDs for target-level assessments

Selecting the type of report an assessment generates

FortiDB allows you to select which reports your assessment generates. For example, it can generate a summary report, a detailed report, or both.

1. Go to Vulnerability Assessment > Assessments.

2. Click the name of an assessment.

3. Click the Reports tab.

4. Specify which reports you want for your assessment.
   a. Select one or more reports from the Available Reports list on the left and add them to the Selected Reports list box by clicking the right-arrow button. (To remove a report from the Selected Reports list, click the left-arrow button.)
      To view a report description, select the report in the Selected Reports list box; the description appears in the Report Description box on the right.
   b. Select the Enable Report check box.

5. In the Report formats field group, enable one or more of the following check boxes:
   • PDF (.pdf) (the default)
   • Excel (.xls)
   • Comma Delimited (.csv)
   • Tab Delimited (.txt)

6. Click Save.

See also

• Adding or modifying assessments

Reviewing, deleting, and aborting assessment results

The Results tab of the Assessment page allows you to view the status and other information about completed and incomplete assessments, view assessment results, and to abort assessments.

When you click a Start Time value in the top table, the target name and other information is displayed in the bottom table (under Results for each target).

When you click a Target value in the bottom table, detailed results for the target are displayed.


Column name | Description
Status | The current status of the assessment
DB Type | The type of your target database
Failed (Cri,Maj,Min,Cau) | The number of failed policies by severity, where Cri is Critical, Maj is Major, Min is Minor and Cau is Cautionary
Passed | The number of passed policies
Informational | The number of Informational policies
Errors | The number of policies for which errors were returned
Total | The total number of policies incorporated by the assessment

The Status column can display the following values, each shown with its own icon: Running, Idle, Queued, Completed, Error, Aborted.

To delete an assessment, select one or more items in the top table, and then click Delete.

To abort an assessment

Do one of the following:

• To abort an entire assessment, check the row of interest in the top table and then, below the top table, click Abort.
• To abort the assessment of a particular target database within an assessment, click a Start Time value in the top table, select a row in the bottom table, and then, below the bottom table, click Abort.

See also

• Adding or modifying assessments
• View VA global summary information

View VA global summary information

Click Vulnerability Assessment > Assessment Summary to view the summary information for all target databases.

The summary information includes statistics of assessments and vulnerabilities found by assessment.

If you assess the same target more than once, this global summary covers only the most recent assessment of that target.

The Vulnerability Assessment Global Summary page also displays statistics for checks that failed during the assessment, broken down by severity, classification, and database type.

See also

- Reviewing, deleting, and aborting assessment results
- Assessment history

Assessment history

The Assessment History page displays the assessments that have run and the scheduled reports that have been saved to disk.

Assessments History tab

This tab lists all assessments that have run.

Click the Target link to view the Detailed Report for an assessment.

To delete assessment records, select them and then click Delete.

Scheduled Reports tab

When you enable the option "Save Scheduled Assessment Report to Disk File" on the Assessment > Report tab, the selected report files are saved to disk after the scheduled assessment runs.

Go to the Scheduled Reports tab to download or delete report files.

Import or export assessment history

You can export or import the result of an assessment as an XML file.


To export assessment results to an XML file

1. On the Assessments History page, specify a date range.

Assessments that ran within this range are exported, from 0:00 on the first date up to 0:00 on the second date (results from the second date itself are not included).

2. Optionally, for Prefix, specify a prefix for the XML file name.

3. Click Export, and then save the downloaded XML file.

To import assessment results from an XML file

1. On the Assessments History page, click Import.

The Import assessments history page is displayed.

2. Click Choose File to select an XML file.

3. Click Import.

4. Click the Back button to return to the Assessments History page.

If you import an XML file from another FortiDB, it might contain information about that system's own target databases, which are not managed by your current FortiDB. FortiDB imports these target databases as imported shadow targets, which it uses for assessment reporting. However, it does not add them to the target list and cannot manage them.

See also

- Reviewing, deleting, and aborting assessment results
- View VA global summary information

Viewing and exporting a privilege summary

To view the privilege summary, log in to FortiDB with an administrator account that has the Operations Manager or Report Manager role.

A privilege summary shows who has access to what in your target databases. As such, it can:

- Help you establish a baseline for your security system
- Show you if any users have more privileges than they need in order to do their jobs
- Show you if any roles (or, for DB2, groups) include more privileges than necessary
- Provide a common place to review privilege assignments for all FortiDB-supported target DB types
- Eliminate the need to execute the SQL statements to get privilege-assignment information

1. Click Vulnerability Assessment > Privilege Summary.

2. For Target Group, select the target group that contains the target database for which you want to see a privilege summary.

3. For Target, select the target database for which you want to see a privilege summary.


You can access Microsoft SQL Server and Sybase targets individually via database-level connections or, as a group, via server-level connections.

4. For Database Name, select the name of the database for which you want to see a privilege summary.

5. Select the Users tab in order to see a list of users, or the Roles tab in order to see a list of roles, for the specified database.

Notes:

- Because MySQL does not support roles or groups of privileges, no Roles tab is displayed for MySQL target databases.
- In MySQL, a user is identified by a combination of a user name and host name, such as 'root@localhost' or '[email protected]'. Therefore, two users with the same name but at different hosts can have different privileges.

a. After you have selected a user or role, you can use the Privilege Type or Classification dropdown lists to filter the displayed information.

The privilege information that is subsequently available depends on:

- The FortiDB user having already been given access to certain target-database system tables, catalogs, and/or views. (See the Target Privilege Matrix for a list of the appropriate tables.)
- The particular combination of Privilege Type and Classification choices you make. (For more information on these choices, see DB-Type Distinctions on page 191.)

b. Optionally, you can export most of the displayed privilege summary information in one of the following file formats:

- PDF (portrait, the default, or landscape orientation)
- Tab-delimited text (.txt)
- Comma-separated values (.csv)

See also

- DB-Type Distinctions
- Privileges for VA assessments, privilege summaries, and penetration tests

DB-Type Distinctions

The privilege summary information varies slightly by the type of the target database.

General differences

There are differences by RDBMS type:

- The Users tab is used for all RDBMS types.
- The Roles tab is used for all RDBMS types except MySQL, which does not support roles. For DB2 target databases, Roles means Groups.


Filtering differences

After selecting a specific user name on the Users tab, or a specific role on the Roles tab, you can filter the displayed privilege information.

For Oracle, DB2, Microsoft SQL Server, and Sybase, the Privilege Type dropdown offers these choices:

- Direct, which refers to privileges that have been assigned directly (that is, not via roles) to the selected user name
- Indirect, which refers to privileges that have been assigned via roles to the selected user name

MySQL applies the Direct type only.

For Oracle, the Classification dropdown offers these choices:

- Object Privileges, which refers to privileges that pertain to a specific schema or object
- System Privileges, which refers to privileges that do not pertain to a specific schema or object
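The Direct/Indirect and System/Object breakdown above is what the privilege summary spares you from querying by hand. As an added example (not FortiDB's own query), the following Oracle statement reproduces that breakdown from the data dictionary for one account; it assumes an account that can read the DBA_* views, and the grantee name APP_USER is a constructed placeholder.

```sql
-- Added example, not FortiDB's code: one account's privileges classified the
-- way the privilege summary does it (Privilege Type x Classification).
-- Requires SELECT access on DBA_ROLE_PRIVS, DBA_SYS_PRIVS and DBA_TAB_PRIVS.
-- APP_USER is a constructed placeholder; replace it with the account to review.
WITH user_roles AS (
    -- Every role reachable from the user, following roles granted to roles,
    -- so that nested role grants also count as Indirect privileges.
    SELECT DISTINCT granted_role AS role_name
      FROM dba_role_privs
     START WITH grantee = 'APP_USER'
   CONNECT BY NOCYCLE PRIOR granted_role = grantee
)
-- Direct system privileges: granted to the user itself, no schema or object
SELECT 'Direct'                       AS privilege_type,
       'System Privileges'            AS classification,
       privilege,
       CAST(NULL AS VARCHAR2(128))    AS owner,
       CAST(NULL AS VARCHAR2(128))    AS object_name,
       grantee                        AS granted_to
  FROM dba_sys_privs
 WHERE grantee = 'APP_USER'
UNION ALL
-- Direct object privileges: granted to the user on a specific object
SELECT 'Direct', 'Object Privileges', privilege, owner, table_name, grantee
  FROM dba_tab_privs
 WHERE grantee = 'APP_USER'
UNION ALL
-- Indirect system privileges: held by one of the user's roles
-- (granted_to shows which role carries the privilege)
SELECT 'Indirect', 'System Privileges', s.privilege,
       CAST(NULL AS VARCHAR2(128)), CAST(NULL AS VARCHAR2(128)), s.grantee
  FROM dba_sys_privs s
  JOIN user_roles r ON r.role_name = s.grantee
UNION ALL
-- Indirect object privileges: held by one of the user's roles
SELECT 'Indirect', 'Object Privileges', t.privilege, t.owner, t.table_name, t.grantee
  FROM dba_tab_privs t
  JOIN user_roles r ON r.role_name = t.grantee
 ORDER BY privilege_type, classification, owner, object_name, privilege;
```

Comparing the Indirect rows against what the account's job actually requires is the "more privileges than needed" check the privilege summary is meant to support; a role that carries a powerful system privilege shows up here under granted_to even when the user was never granted it directly.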

For DB2, the Classification dropdown offers these choices:

- Column Auth, which refers to privilege information on certain columns
- DB Auth, which refers to privilege information on certain databases
- Index Auth, which refers to privilege information on certain indexes
- Package Auth, which refers to privilege information on certain packages
- Schema Auth, which refers to privilege information on certain schemas
- Table Auth, which refers to privilege information on certain tables
- Tablespace Auth, which refers to privilege information on certain tablespaces

For MySQL, the Classification dropdown offers these choices:

- Column Level, which refers to privilege information on certain columns. Granting/revoking the grant option applies to all privileges within the same table only.
- Schema Level, which refers to privilege information on certain databases. Granting/revoking the grant option applies to all privileges.
- Table Level, which refers to privilege information on certain tables. Granting/revoking the grant option applies to all privileges within the same table only.
- User Level, which refers to privilege information applied to all databases on the database server. Granting/revoking the grant option applies to all privileges.
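As an added example (not FortiDB's own code), the following MySQL statements show why the Users tab keys on user name plus host, and where each of the four Classification levels above is stored: the same user name is created at two hosts, given privileges at different levels, and then read back from the grant tables. The account names, the sales schema and the password are constructed placeholders.

```sql
-- Added example, not FortiDB's code. Two accounts share the user name 'app'
-- but differ by host, so MySQL treats them as unrelated identities.
-- All names and the password are constructed placeholders.
CREATE DATABASE IF NOT EXISTS sales;
CREATE TABLE IF NOT EXISTS sales.orders (
    id     INT PRIMARY KEY,
    status VARCHAR(16),
    amount DECIMAL(10,2)
);
CREATE USER 'app'@'localhost' IDENTIFIED BY 'placeholder-password';
CREATE USER 'app'@'10.0.0.%'  IDENTIFIED BY 'placeholder-password';

-- Schema Level grant: lands in mysql.db for 'app'@'localhost' only
GRANT SELECT ON sales.* TO 'app'@'localhost';
-- Table Level grant: lands in mysql.tables_priv for 'app'@'10.0.0.%' only
GRANT SELECT, INSERT ON sales.orders TO 'app'@'10.0.0.%';
-- Column Level grant: lands in mysql.columns_priv for 'app'@'10.0.0.%' only
GRANT UPDATE (status) ON sales.orders TO 'app'@'10.0.0.%';

-- User Level: global privileges, one row per (User, Host) pair.
-- Both accounts appear here with no global privileges.
SELECT User, Host, Select_priv, Insert_priv, Update_priv, Grant_priv
  FROM mysql.user
 WHERE User = 'app';

-- Schema Level: only the localhost account has a row
SELECT User, Host, Db, Select_priv, Insert_priv, Update_priv, Grant_priv
  FROM mysql.db
 WHERE User = 'app';

-- Table Level: Table_priv is a SET listing the table privileges;
-- Column_priv summarises which column-level privilege types exist
SELECT User, Host, Db, Table_name, Table_priv, Column_priv
  FROM mysql.tables_priv
 WHERE User = 'app';

-- Column Level: one row per column that carries its own privileges
SELECT User, Host, Db, Table_name, Column_name, Column_priv
  FROM mysql.columns_priv
 WHERE User = 'app';

-- The same picture as the server reports it, per identity
SHOW GRANTS FOR 'app'@'localhost';
SHOW GRANTS FOR 'app'@'10.0.0.%';
```

Reviewing only 'app'@'localhost' would miss the INSERT and UPDATE rights held by 'app'@'10.0.0.%', which is why a MySQL privilege review has to enumerate every (User, Host) pair rather than distinct user names.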

Column and column value differences

The column names and values used by the privilege summary vary by the DB type of your target database. For more information, see the documentation provided by your database vendor for system tables, views, and/or catalogs.

See also

- Viewing and exporting a privilege summary


Sensitive data discovery

The FortiDB sensitive data discovery feature searches a target database for sensitive information located in tables and columns. It works with Oracle and Microsoft SQL Server target databases only.

Before you configure and run a sensitive data discovery scan, complete the following configurations:

- A FortiDB connection to the target database. See Adding (or modifying) a target connection on page 107.
- One or more data discovery policies. See Data discovery policies and policy groups on page 141.

Manage sensitive data discovery

Go to Vulnerability Assessment > Sensitive Data Discovery to manage data discovery.

On the list page:

- Status: indicates whether a discovery is running (active) or not (inactive).
- Data Discovery Policy Group: the policy groups assigned to this discovery.
- Last Discovery: the time of the last discovery and the result found; click it to view the detailed report.

Click a Target Name in the list to add or modify a data discovery:

- Target tab: select the database metadata to use as the discovery object(s).
- Policy Group tab: select the discovery policy group to assign to this discovery.
- Result tab: after a discovery has run, check this tab for a result summary.

Click Save to save the discovery definition.

Running sensitive data discovery

On the discovery add/modify page, click Save & Start Scan to save and start the discovery.

On the discovery list page, select one or more discoveries using the check boxes, and then click Start Scan to start them or Stop Scan to stop them.

Viewing sensitive data discovery reports

There are two pre-defined data discovery reports: detailed and summary.

To view a detailed report, do one of the following:

- On the discovery list page, click the link in the Last Discovery column.
- Go to Report > Pre-Defined VA Reports, click Sensitive Data Discovery Detailed Report, and then select a target and discovery time.

For a summary report, go to Report > Pre-Defined VA Reports, click Sensitive Data Discovery Summary Report, and then select a target and discovery time.

See also

- Data discovery policies and policy groups
- Viewing VA and sensitive data discovery event logs


Viewing VA and sensitive data discovery event logs

The Assessment Log page lists the event logs that vulnerability assessments and sensitive data discovery scans generate. To view the log, click Vulnerability Assessment > Local Assessment Log.

The assessment log information includes Date, Module (VA or SDD), Assessment, Target, Severity, Action, and Result or Description.

You can use the Assessment Logs page for the following tasks:

- Display logs filtered by module (VA or SDD) that you select from the Module dropdown list.
- Display logs filtered by Assessment name (VA only) that you select from the Assessment dropdown list.
- Display logs filtered by Target that you select from the Target dropdown list.
- Display logs filtered by Severity that you select from the Severity dropdown list.
- Display logs filtered by Action that you select from the Action dropdown list.
- Display logs filtered by the date range you select in the From and To fields.
- Display Date, Policy name, Target, Type, Severity, and description for each error.
- Export the log view you selected by clicking Export.
- Delete all logs by clicking Delete All.
- Configure History Prune: specify the number of days after which log entries are deleted. The default is 30 days.

See also

- Adding or modifying assessments
- Sensitive data discovery


Database activity monitoring (DAM)

Database activity monitoring (DAM) centralizes monitoring and auditing. DAM also displays alerts and allows you to generate reports. Alert filtering criteria range from general classifications, such as target or database type, to detailed classifications, such as severity and rule violation. Your filter settings can create a new alert group or modify the pre-defined alert groups. Alert groups can be exported to files in various formats such as .pdf, .xls, .csv, and .txt.

See also

- Managing target monitoring
- Configuring target database monitoring
- Viewing alerts
- Viewing audit records (activity auditing results)
- Activity profiling
- SOX audit

Managing target monitoring

The Monitoring Management page provides centralized management for monitoring target databases. You can view monitoring status, policies you configured, and start and stop monitoring. You can also associate policy groups with target databases and view generated alerts.


Monitoring Management page columns

Status: An icon indicates one of the following:

- The target has not been initialized for monitoring. Go to the monitoring configuration page to set up monitoring.
- The target is not monitored.
- Monitoring is starting.
- Monitoring is stopping.
- The target is being monitored, but some of the policies could not be applied.
- Monitoring is active.
- Monitoring is not running; an attempt to start the monitor failed.
- FortiDB has disconnected from the target. The target database may be unavailable, or it may be disconnected from the FortiDB agent (if an agent is used as the collection method).

Name: Target name. Click it to configure monitoring.

DB Host Name/IP: Database host name or IP address of your target database computer.

DB Type: Database type of your target: ORACLE, MSSQL, DB2, SYBASE, or MYSQL.

Collection Method: Collection method used for monitoring.

Alert Policy Groups: The group or groups of alert policies that specify the database activities that generate security alerts.

Action: Icons to configure monitoring (the same as clicking Name), to show the Alerts of this target, and to show the Local Monitoring Logs of this target.

Monitoring Management page buttons and fields

View dropdown: Filters the display of the target list.

Start Monitoring: Starts monitoring for the target database. You must select the target first.

Stop Monitoring: Stops monitoring. You must select the target first.

Restart: Stops and then starts monitoring.

See also

- Configuring target database monitoring

Target monitoring configuration tabs and options

The monitoring configuration for a target database is displayed when you click the target's name on the Monitoring Management page.

Monitoring configuration page tabs and options

General: Settings of the audit configuration for each target database. You can start and stop monitoring and auditing on this page. It also shows the monitoring and auditing status. See Configuring target database monitoring on page 198.

Alert Policies: Shows the available alert policies with information such as policy type, status, name, and severity. You can create Data policies from this page, and enable or disable policies for the target. See Adding alert and audit policies to monitoring on page 205.

Alert Policy Groups: Associates alert policy groups with your target database. See Adding policy groups to target monitoring on page 206.

Audit Policies: Shows the available audit policies with their information. You can create Data policies, or enable or disable policies, from this page. See Adding alert and audit policies to monitoring on page 205. Note: This tab is only available for the collection method "TCP/IP Sniffer" for Oracle, Microsoft SQL Server, Sybase and DB2.

Audit Policy Groups: Associates audit policy groups with your target database. See Adding policy groups to target monitoring on page 206. Note: This tab is only available for the collection method "TCP/IP Sniffer" for Oracle, Microsoft SQL Server, Sybase and DB2.

Query Schedule: Specifies a schedule for any database query policies, which are alert policies that query the target database with SQL and save the result as an alert. See Configuring a database query policy on page 164.

Alert Notification: Configures alert notification for monitoring. See Sending alert notifications on page 207.

Real Time Blocking: Enables or disables real-time blocking for monitoring configurations that use the TCP/IP sniffer, and configures blocking settings. See Blocking invalid access while monitoring on page 209.

Audit Management: For Oracle, this tab shows the issued audit command and all audit commands for each object. For Microsoft SQL Server, it shows the audited events and audit filters used by FortiDB. This tab is not applicable for Sybase. See Displaying the history of issued audit commands on page 212. Note: This tab is only available for the following collection methods:

- Oracle: "DB, EXTENDED" or "XML File Agent"
- Microsoft SQL Server: "SQL Trace"
- DB2: "DB2 Agent"

White List: On the White List tab, you can configure data policies that are automatically excluded from the Alert Policy settings for Oracle or Microsoft SQL Server. See Excluding policies from the Alert Policy settings (whitelist) on page 210. Note: This tab is only available for the collection method "DB, EXTENDED" for Oracle and "SQL Trace" for Microsoft SQL Server. After monitoring starts, FortiDB does not generate alerts for SQL actions that match the white list settings, so only actions that are known to be secure should match them.

See also

- Configuring target database monitoring

Configuring target database monitoring

The General tab shows audit configuration information and monitoring status for each target database.

The Audit Configuration settings specify how FortiDB collects audit information. The settings that are displayed depend on the database type and collection method. For more information, see the topic for the appropriate database type:

- Configuring monitoring using the TCP/IP sniffer (all database types) on page 199
- Configuring Microsoft SQL Server monitoring on page 201
- Configuring DB2 monitoring on page 202
- Configuring Sybase monitoring on page 202
- Configuring MySQL monitoring on page 203
- Configuring Oracle monitoring on page 204

The Test button is available for some collection methods. Click it to verify the connection.

Click the Save button to save your Audit Configuration settings.

The Monitoring settings allow you to start or stop monitoring.

Monitoring settings and messages

Start Monitoring/Stop Monitoring: Click to start or stop monitoring.

Start monitoring when FortiDB starts: Specifies whether FortiDB starts monitoring the current target automatically when it starts.

Monitoring Status: Displays one of the following monitoring status values:

- Running
- Need Restart: a monitoring restart is required to apply a policy change
- Idle
- Terminating
- Terminated
- INIT (Initializing)

Status Message: Displays information related to the monitoring or auditing status.

See also

- Target monitoring configuration tabs and options

Configuring monitoring using the TCP/IP sniffer (all database types)

FortiDB can monitor database activity using its TCP/IP sniffer.

The activity auditing and profiling features require the TCP/IP sniffer.

1. To configure a target to support database activity monitoring, on the General tab for the target, for DB Activity Monitoring, select Allow.

For more information on target configuration, see Adding (or modifying) a target connection on page 107.

2. Go to DB Activity Monitoring > Monitoring Management, and then click the name of the target.

3. On the General tab, complete the following settings:


Collection Method: Select TCP/IP Sniffer.

Version: Select the version of the target database. FortiDB supports the following versions:

- Oracle: 9i, 10g, 11g, 12c
- Microsoft SQL Server: 2000, 2005, 2008, 2008_R2, 2012, 2014
- DB2: UDB 9.1, 9.5, 9.7
- Sybase: ASE 12.5, 15.0, 15.5, 15.7
- PostgreSQL: 8.x

SSL Certificate Private Key: For Microsoft SQL Server databases only. If SSL encryption is enabled, select the SSL Certificate Private Key file and enter the Key Password (if you have it) that FortiDB uses. The SSL certificate for SSL encryption is configured on the server side.

SSL Certificate Private Key (P12): For Oracle databases only. If SSL encryption is enabled and certificate information is stored in PKCS #12 format, select the certificate file and enter the Key Password. The SSL certificate for SSL encryption is configured on the server side. For more information, see Monitoring encrypted Oracle traffic on page 83.

SSL Certificate Private Key (SSO): For Oracle databases only. If SSL encryption is enabled, select the X.509 format certificate file and enter the Key Password. For more information, see Monitoring encrypted Oracle traffic on page 83.

Sniffer on Port: Specify the FortiDB port that is connected to the switch's SPAN port.

Enable Activity Auditing: Select to enable activity auditing.

Log All: Select to audit all activity. Otherwise, FortiDB audits only the activity captured by the policies specified on the Audit Policies tab.

Enable Activity Profiling: Select to enable activity profiling.

4. If you did not select Log All, to specify the activity that is audited, do one of the following:

- On the Audit Policies tab, create a list of one or more policies to use.
- On the Audit Policy Groups tab, select one or more policy groups to use.

For information on adding audit policies and audit policy groups to the configuration, see Adding alert and audit policies to monitoring on page 205.

By default, no audit policies or policy groups are specified.

5. On the General tab, under Monitoring, click Start Monitoring.

For more information about monitoring, see Monitoring settings and messages on page 199.

See also

- Target monitoring configuration tabs and options
- Network requirements for monitoring using the TCP/IP sniffer

Configuring Microsoft SQL Server monitoring

FortiDB uses either SQL Trace or the TCP/IP sniffer to collect audit information from Microsoft SQL Server databases.

The TCP/IP sniffer is provided by the appliance version of FortiDB only. For detailed configuration instructions, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 199.

To configure auditing for a Microsoft SQL Server database using SQL Trace

To change the collection method or polling frequency for monitoring, first stop monitoring. You cannot change these settings while FortiDB is monitoring the target database.

1. Ensure the required database pre-configuration is complete. See Microsoft SQL Server target database pre-configuration on page 94.

2. Verify that the SQL Server has an audit trace folder (for example, C:\SQLTrace).

Ensure that you enter the full path to the folder.

3. In the navigation menu, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that connects to the database you want to monitor.

4. On the General tab, complete the following settings:

Collection Method: Select SQL Trace. To change the collection method from one option to the other, first stop monitoring, change the collection method, and then restart monitoring.

Trace Folder: Specify the folder where your server writes the trace information. Ensure that you enter the full path.

Polling Frequency (ms): Enter the polling frequency for audit collection, in seconds. To change the polling frequency later, stop monitoring, change the value, and then restart monitoring.

5. Click Test to confirm the connection with the method you selected.


6. On the General tab, under Monitoring, click Start Monitoring.

For more information about monitoring, see Monitoring settings and messages on page 199.

See also

- Target monitoring configuration tabs and options
- Microsoft SQL Server target database pre-configuration

Configuring DB2 monitoring

FortiDB uses either a DB2 agent or the TCP/IP sniffer to collect audit information from DB2 databases.

The TCP/IP sniffer is provided by the appliance version of FortiDB only. For detailed configuration instructions, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 199.

To configure auditing for a DB2 database using the DB2 agent

To change the collection method, first stop monitoring. You cannot change this setting while FortiDB is monitoring the target database.

1. Ensure the required database pre-configuration is complete. See DB2 target database pre-configuration on page 91.

2. In the navigation menu, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that connects to the database you want to monitor.

3. On the General tab, for Collection Method, select DB2 Agent.

4. Click Test to confirm the connection with the method you selected.

5. On the General tab, under Monitoring, click Start Monitoring.

For more information about monitoring options, see Monitoring settings and messages on page 199.

See also

- Target monitoring configuration tabs and options
- DB2 target database pre-configuration

Configuring Sybase monitoring

FortiDB uses either the Sybase audit system (Sybase Monitoring and Diagnostic (MDA) tables) or the TCP/IP sniffer to collect audit information from Sybase databases.

The TCP/IP sniffer is provided by the appliance version of FortiDB only. For detailed configuration instructions, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 199.


To configure auditing for a Sybase database using Monitoring and Diagnostic (MDA) tables

To change the collection method or polling frequency for monitoring, first stop monitoring. You cannot change these settings while FortiDB is monitoring the target database.

1. Ensure the required database pre-configuration is complete, which includes:

- Creating the sybsecurity database
- Installing installsecurity
- Configuring the MDA (Monitoring and Data Access) tables

See Sybase target database pre-configuration on page 86.

2. In the navigation menu, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that connects to the database you want to monitor.

3. On the General tab, complete the following settings:

Collection Method: Select MDA. To change the collection method, first stop monitoring, change the collection method, and then restart monitoring.

Polling Frequency (ms): Enter the polling frequency for audit collection, in seconds. To change the polling frequency later, stop monitoring, change the value, and then restart monitoring.

4. Click Test to confirm the connection with the method you selected.

5. Under Monitoring, click Start Monitoring.

For information about the Monitoring options, see Monitoring settings and messages on page 199.

See also

- Target monitoring configuration tabs and options
- Sybase target database pre-configuration

Configuring MySQL monitoring

FortiDB uses the MySQL general log to collect audit information from MySQL databases.

To configure auditing for a MySQL database

To change the polling frequency for monitoring, first stop monitoring. You cannot change this setting while FortiDB is monitoring the target database.

1. Ensure the required database pre-configuration is complete. See MySQL target database pre-configuration on page 84.


2. In the navigation menu, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that connects to the database you want to monitor.

3. On the General tab, complete the following settings:

Collection Method: Select General Log. To change the collection method, first stop monitoring, change the collection method, and then restart monitoring.

Polling Frequency (ms): Enter the polling frequency for audit collection, in seconds. To change the polling frequency later, stop monitoring, change the value, and then restart monitoring.

4. Click Test to confirm the connection with the method you selected.

5. Under Monitoring, click Start Monitoring.

For more information about monitoring, see Monitoring settings and messages on page 199.

See also

- Target monitoring configuration tabs and options
- MySQL target database pre-configuration

Configuring Oracle monitoring

FortiDB can use several methods to collect audit information from Oracle databases.

The TCP/IP sniffer method is provided by the appliance version of FortiDB only. For detailed configuration instructions, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 199.

To configure auditing for an Oracle database

To change the collection method or polling frequency for monitoring, first stop monitoring. You cannot change these settings while FortiDB is monitoring the target database.

1. Ensure the required database pre-configuration is complete. See Oracle target database pre-configuration on page 80.

2. In the navigation menu, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that connects to the database you want to monitor.

3. Obtain the value of your database’s audit_trail parameter.

4. On the General tab, for Collection Method, select one of the following options:


Oracle audit_trail parameter value, collection method, and whether an agent is required:

- audit_trail = db, extended: Collection method DB, EXTENDED. Agent required: No.

- audit_trail = db: Collection method DB, EXTENDED. Agent required: No. For Oracle 9i only. Monitoring Oracle 9i databases has the following limitations:
  - Table and table column policy: cannot retrieve the SQL statement text
  - Table, user, and session policy: no effect with the Suspicious Location rule
  - Session policy: no effect with the Extremely Long Session rule and the High Read Ratio rule

- audit_trail = xml, extended: Collection method XML File Agent. Agent required: Yes. FortiDB's XML file agent provides high performance for auditing Oracle target databases. To use the XML file agent option, run the FortiDB XML file agent on your target database. For more information, see Oracle XML file agent installation and configuration (UNIX, Windows, AIX) on page 82.

5. If you selected DB, EXTENDED, for Polling Frequency(secs), enter the polling frequency for audit collection, in seconds.

6. Click Test to confirm the connection with the method you selected.

7. Under Monitoring, click Start Monitoring.

For more information about monitoring, see Monitoring settings and messages on page 199.

See also
• Target monitoring configuration tabs and options
• Oracle target database pre-configuration

Adding alert and audit policies to monitoring

The Alert Policies and Audit Policies tabs on the monitoring configuration page allow you to configure data policies. FortiDB can add these policies to a new policy group automatically and associate the group with the current target.

Audit policies are available only for target monitoring configurations that use the TCP/IP Sniffer collection method.

The list of policies on the tab allows you to manage the policies that FortiDB uses to monitor the target:


• To enable or disable policies, select one or more items in the list (or the checkbox in the column header to select all items), and then click Enable or Disable.
• To delete user-defined policies, select the appropriate item, and then click Delete.
• To create a data policy, in the Data Policies list, select a policy type, and then click Add. For examples of creating data policies, see the database activity monitoring tutorials in FortiDB tutorials on page 19.
• To edit a policy name, click its name.
• Click the Restart button to restart monitoring after a policy change.

For detailed information on these policies, see Database Activity Monitoring (DAM) policies on page 144.

See also
• Target monitoring configuration tabs and options
• Oracle target database pre-configuration

Adding policy groups to target monitoring

When you configure monitoring for a target database, FortiDB automatically adds the data, metadata, and privilege alert policy groups to the configuration. However, it does not automatically associate PCI, SOX, and HIPAA alert policy groups.

FortiDB does not automatically associate any audit policies or audit policy groups with the target monitoring configuration. To allow FortiDB to perform policy-based activity auditing, you either select Log All on the configuration’s General tab or use the Audit Policies or Audit Policy Groups tabs to select policies.

Alternatively, instead of adding a policy group to a single target, you can add groups to multiple targets. For information, see Adding policy groups to target database monitoring on page 180.

To add a policy group to target database monitoring

1. Verify that you have a target connection that allows monitoring.

2. Go to DB Activity Monitoring > Monitoring Management.

3. Click the target name. The Target Monitor:<target name> page is displayed.

4. Select the Alert Policy Groups or Audit Policy Groups tab.

5. Select the policy groups you want to associate to the target from the Available Policy Groups box.

6. Click the right arrow to move the selection to the Selected Policy Groups box.

When you select a group, its policies are displayed in the Selected Policy Group contents box.

7. Select Save.

See also
• Alert and audit policy groups


Sending alert notifications

Use the Alert Notification tab to configure FortiDB to send a notification when it receives a monitoring alert. It can send alerts via email, SNMP, and other methods.

You can also generate notifications as reports, which allows you to specify what alert information to include and schedule a time for FortiDB to generate and send the report. For more information, see Reports on page 233.

To access the Alert Notification tab, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that you want to configure.

To send notifications via email

1. Go to Administration > Global Configuration > Notification, and then ensure that the host name and port of an email server are specified. For more information, see Notification properties on page 72.

2. Go to Administration > Administrators, and then ensure that an email address is specified for the administrators that you want to send email notifications to. For more information on configuring administrators, see Administrators on page 60.

3. Click DB Activity Monitoring > Monitoring Management, and then click the name of the target to configure.

4. On the Alert Notification tab, select Enable Email.

5. In the Available Receivers list, select an item, and then click >> (right arrows) to add it to the Selected Receivers list.

6. Click Save.

To send notifications via SNMP

1. Go to Administration > Global Configuration > Notification, and then ensure that the SNMP receiver host and port are specified. For more information, see Notification properties on page 72.

2. Click DB Activity Monitoring > Monitoring Management, and then click the name of the target that you want to configure.

3. On the Alert Notification tab, select Enable SNMP Trap.

4. Click Save.

To send notifications to a Syslog server

1. Go to Administration > Global Configuration > Notification, and then ensure that the Syslog receiver host and port are specified. For more information, see Notification properties on page 72.

2. Click DB Activity Monitoring > Monitoring Management, and then click the name of the target that you want to configure.


3. On the Alert Notification tab, select Enable Syslog.

4. Click Save.

To send notifications to an ArcSight Syslog server

For FortiDB event to ArcSight data field mapping information, see FortiDB event to ArcSight data field mapping on page 208.

1. Go to Administration > Global Configuration > Notification, and then ensure that the ArcSight Syslog receiver host and port are specified. For more information, see Notification properties on page 72.

2. Click DB Activity Monitoring > Monitoring Management, and then click the name of the target that you want to configure.

3. On the Alert Notification tab, select Enable ArcSight Syslog.

4. Click Save.

See also
• FortiDB event to ArcSight data field mapping

FortiDB event to ArcSight data field mapping

The following table displays the corresponding ArcSight remote logging format field for each FortiDB event:

FortiDB event -> ArcSight Event Data Field
Hostname -> dhost
Source Hostname -> shost
Alert Timestamp -> rt
FortiDB Hostname -> dvchost
Severity -> cat
Action -> act
Return Code -> cn1
Display ID -> externalId
DB Type -> cs1
System User -> suser
DB User -> duser
Login Name -> cs3
DB Object -> fname
Description -> cs4
Target Database Name -> cs5
Policy Name -> cs6
Source Application -> requestClientApplication
SQL Statement -> msg

See also
• Sending alert notifications
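The mapping above is the part of a CEF (ArcSight Common Event Format) message that a SIEM parser has to get right. The following is an added example, not FortiDB's own code and not the exact line FortiDB emits: it renders a constructed FortiDB alert into a CEF line using the handbook's event-to-key table, and parses it back. The header values (vendor, product, version, signature id, CEF severity) and the sample alert are assumptions. The point worth seeing is the escaping: the SQL Statement (msg) contains "=" and the Policy Name contains "|", both of which break a naive split-on-delimiter parser.

```python
"""Render a FortiDB alert as an ArcSight CEF line and parse it back.

Added example, not FortiDB's own code. The event-to-key mapping is the one
in the handbook table; the CEF header values (vendor, product, version,
signature id, severity) and the sample alert are constructed for
illustration and are not what FortiDB itself emits.
"""

# Handbook mapping: FortiDB event -> ArcSight CEF extension key.
FORTIDB_TO_CEF = {
    "Hostname": "dhost",
    "Source Hostname": "shost",
    "Alert Timestamp": "rt",
    "FortiDB Hostname": "dvchost",
    "Severity": "cat",
    "Action": "act",
    "Return Code": "cn1",
    "Display ID": "externalId",
    "DB Type": "cs1",
    "System User": "suser",
    "DB User": "duser",
    "Login Name": "cs3",
    "DB Object": "fname",
    "Description": "cs4",
    "Target Database Name": "cs5",
    "Policy Name": "cs6",
    "Source Application": "requestClientApplication",
    "SQL Statement": "msg",
}
CEF_TO_FORTIDB = {v: k for k, v in FORTIDB_TO_CEF.items()}


def escape_header(value):
    """CEF header fields: escape backslash and the pipe separator."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """CEF extension values: escape backslash, '=' and line breaks."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(alert, vendor="Fortinet", product="FortiDB", version="5.1.11",
           signature_id="dam-alert", cef_severity=5):
    """Build 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|ext'.

    alert is a dict keyed by the FortiDB event names from the handbook table;
    unknown keys are skipped. Header defaults are assumptions of this example.
    """
    name = alert.get("Policy Name", "FortiDB alert")
    header = "|".join(escape_header(x) for x in
                      (vendor, product, version, signature_id, name, cef_severity))
    ext = " ".join(f"{FORTIDB_TO_CEF[k]}={escape_extension(v)}"
                   for k, v in alert.items() if k in FORTIDB_TO_CEF)
    return f"CEF:0|{header}|{ext}"


def extension_part(line):
    """Return the text after the 7th unescaped '|' (escaped pipes are skipped)."""
    pipes, i = 0, 0
    while i < len(line):
        if line[i] == "\\":
            i += 2
            continue
        if line[i] == "|":
            pipes += 1
            if pipes == 7:
                return line[i + 1:]
        i += 1
    raise ValueError("not a CEF:0 line with 7 header separators")


def parse_cef(line):
    """Parse a CEF line back into a dict keyed by FortiDB event names.

    Values may contain spaces, so a key is recognised only as the run of
    non-space characters immediately before an unescaped '='.
    """
    ext = extension_part(line)
    result, key, value, word, i = {}, None, [], [], 0
    unescape = {"n": "\n", "r": "\r"}
    while i < len(ext):
        ch = ext[i]
        if ch == "\\" and i + 1 < len(ext):      # escaped char: never a delimiter
            word.append(unescape.get(ext[i + 1], ext[i + 1]))
            i += 2
            continue
        if ch == "=":                            # current word is the next key
            if key is not None:
                result[key] = "".join(value)[:-1]  # drop the separating space
            key, word, value = "".join(word), [], []
        elif ch == " ":
            value.extend(word)
            value.append(" ")
            word = []
        else:
            word.append(ch)
        i += 1
    if key is not None:
        value.extend(word)
        result[key] = "".join(value)
    return {CEF_TO_FORTIDB.get(k, k): v for k, v in result.items()}


# Constructed sample alert (not real monitoring data).
SAMPLE_ALERT = {
    "Hostname": "dbhost01",
    "Source Hostname": "app-srv-7",
    "Alert Timestamp": "Mar 17 2017 10:15:00",
    "Severity": "Critical",
    "Action": "UPDATE",
    "Return Code": 0,
    "DB User": "SCOTT",
    "Policy Name": "Tables|Columns",
    "SQL Statement": "UPDATE hr.salary SET amount=amount*2 WHERE id=7",
}

if __name__ == "__main__":
    line = to_cef(SAMPLE_ALERT)
    print(line)
    print(parse_cef(line))
```

When validating a real ArcSight Syslog feed, compare the keys the receiver extracts against this table rather than against field positions: rt, cn1 and the cs1 to cs6 custom strings carry no meaning on their own, so a mapping error (for example cs5 and cs6 swapped) silently puts the policy name into the target database column.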

Blocking invalid access while monitoring

Because the real-time blocking feature uses the TCP/IP Sniffer, the Real Time Blocking tab is only available when Collection Method is TCP/IP Sniffer.

You can configure FortiDB to use a TCP/IP Reset (RST) mechanism to prevent invalid access to the server by database clients. FortiDB allows you to select which alert policies FortiDB uses to validate the connection data.

Whenever it blocks access, FortiDB generates a critical security alert.

Because real-time blocking interrupts the TCP connection, it can destabilize your database client application or application server. Ensure that you understand this feature and its implications before you enable it.

You can configure FortiDB to block a client for a specified period of time after it violates access policies. During this period, instead of scanning the connection for policy violations, which uses system resources, FortiDB automatically resets connections from the client. After the blocking period expires, FortiDB resumes the scanning process. Specifying a blocking period can improve performance if FortiDB is under attack by malicious clients.

The default blocking period is 5 minutes.

To enable real-time blocking

1. Go to DB Activity Monitoring > Monitoring Management, and then click the name of the target.

2. If FortiDB is currently monitoring the target, click Stop Monitoring.

3. On the Real Time Blocking tab, select Enable Real Time Blocking.

4. To configure FortiDB to continue to deny access to clients that it blocks for a specified period of time, select Block Client for [x] minutes, and then enter a value in minutes.


The default value is 5 minutes.

5. For TCP RST Blocking Port, select the network port FortiDB uses to send the TCP RST packet to the client's connection.

Ensure that FortiDB can reach the connection between the database client and server through the port you specify. If the client is behind a firewall or router with NAT, the TCP reset appears to the client to have been sent by the firewall or router.

6. To assign alert policies for real-time blocking, select one or more policies from the Available Policies list, and then click >> (right arrows) to move them to the Selected Policies list.

The items in the Available Policies list are from the groups selected on the Alert Policy Groups tab.

To remove items, select them and then click << (left arrows).

7. Click Save.

8. On the General tab, to re-start monitoring with the real-time blocking feature, click Start Monitoring.

See also
• Database Activity Monitoring (DAM) policies

Excluding policies from the Alert Policy settings (whitelist)

Use the White List tab to specify Oracle or Microsoft SQL Server database activities that do not generate alerts.

The White List tab is available only when the collection method is DB, EXTENDED (for Oracle databases) or SQL Trace (for Microsoft SQL Server databases). Because FortiDB does not generate alerts for SQL actions that match the whitelist criteria, ensure that the SQL actions in the whitelist are known, secure actions.

To enable the whitelist

1. Go to DB Activity Monitoring > Monitoring Management and click the name of the target to configure.

2. On the White List tab, select Enable White List.

3. Use the following settings to specify the whitelist criteria:

Object Settings
Excludes from alerts any successful access to the specified objects. Select one of the following selection methods:
• Manually Select Object
• Browse Object by Target (default)
Use the following options to specify one or more objects:
1. Select an item from the Target list.
2. Select an item from the Schema list.
3. In the Tables list, select one or more items and then click > (right arrow) to move your selections to the Selected Objects list.
To remove objects, select them in the Selected Objects list and then click < (left arrow).

Login Name Settings
Excludes from alerts any successful access to the specified object by the specified login names. To specify one or more login names:
1. Select one or more login names from the login names list.
2. Click the right arrow to move the selections to the Selected login names list.
Note: To remove login names from the Selected login names list, select them and click the left arrow.

DB User Settings
Excludes from alerts any successful access to the selected object by certain database users. You can specify one or more database users as follows:
1. Select one or more database users from the login names list.
2. Click the right arrow to move the selections to the Selected database users list.
Note: To remove database users from the Selected database users list, select them and click the left arrow.

OS User Settings
Excludes from alerts any successful access to the selected object by certain OS users. You can specify one or more OS user names by typing the specific name or using a regular expression.
1. Enter one OS user in the text box.
2. Click the right arrow to move the selection to the Selected users list.
Note: To remove OS users from the Selected users list, select them and click the left arrow.

Source Location Settings
Excludes from alerts any successful access to the selected object from certain locations. You can specify one or more locations by typing the specific location or using a regular expression.
1. Enter one hostname or IP address in the text box.
2. Click the right arrow to move the selection to the Selected source locations list.
Note: To remove locations from the Selected source locations list, select them and click the left arrow.

Application Settings
Excludes from alerts any successful access to the selected object by certain client applications. You can specify one or more client applications by typing the specific client application or using a regular expression.
1. Enter one application name or client ID in the text box.
2. Click the right arrow to move the selection to the Selected applications list.
Note: To remove applications from the Selected applications list, select them and click the left arrow.

See also
• Database Activity Monitoring (DAM) policies
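The whitelist settings above suppress alerts for successful access that matches every configured dimension, and the handbook's caveat is that whatever matches is never seen again. The following is an added example, not FortiDB's own code, showing how such an evaluator behaves and why the regular expressions in the OS user, source location and application settings should be anchored: an unanchored subnet pattern would also cover lookalike addresses. The event field names, the success test (return code 0) and the use of full-string regex matching are assumptions of this example; the handbook does not document FortiDB's regex semantics.

```python
"""Whitelist (alert suppression) evaluator for successful database access.

Added example, not FortiDB's own code. It mirrors the whitelist settings
the handbook lists (object, login name, DB user, OS user, source location,
client application) with literal values or regular expressions. The event
field names, the success test (return code 0) and anchored full-string
regex matching are assumptions of this example.
"""
import re

# Whitelist dimensions; "object" is the required one, the rest are optional.
DIMENSIONS = ("object", "login_name", "db_user", "os_user",
              "source_location", "application")


def matches_entry(value, allowed):
    """True if value equals a literal entry or fully matches a regex entry.

    Entries are ("literal", text) or ("regex", pattern). re.fullmatch anchors
    the pattern at both ends, so "10\\.0\\.1\\.\\d{1,3}" does not cover 110.0.1.42.
    """
    for kind, pattern in allowed:
        if kind == "literal" and value == pattern:
            return True
        if kind == "regex" and re.fullmatch(pattern, value):
            return True
    return False


def is_whitelisted(event, whitelist):
    """Return True if the event is a *successful* access covered by an entry.

    An entry is a dict mapping dimension names to lists of allowed values;
    a dimension missing from the entry matches anything. Failed accesses are
    never whitelisted, following the handbook's "successful access" wording.
    """
    if event.get("return_code", 0) != 0:
        return False
    for entry in whitelist:
        if all(matches_entry(event.get(dim, ""), entry[dim])
               for dim in DIMENSIONS if dim in entry):
            return True
    return False


def alerts_after_whitelist(events, whitelist):
    """Drop whitelisted events; whatever remains would still raise an alert."""
    return [e for e in events if not is_whitelisted(e, whitelist)]


# Constructed whitelist: the batch service account may touch HR.PAYROLL from
# the 10.0.1.0/24 batch subnet, using the payroll loader application only.
WHITELIST = [{
    "object": [("literal", "HR.PAYROLL")],
    "db_user": [("literal", "BATCH_SVC")],
    "source_location": [("regex", r"10\.0\.1\.\d{1,3}")],
    "application": [("regex", r"payroll_loader(\.exe)?")],
}]

# Constructed sample events (not real audit data).
EVENTS = [
    {"id": 1, "object": "HR.PAYROLL", "db_user": "BATCH_SVC",
     "source_location": "10.0.1.42", "application": "payroll_loader",
     "return_code": 0},                       # known batch job: whitelisted
    {"id": 2, "object": "HR.PAYROLL", "db_user": "BATCH_SVC",
     "source_location": "110.0.1.42", "application": "payroll_loader",
     "return_code": 0},                       # lookalike address: still alerts
    {"id": 3, "object": "HR.PAYROLL", "db_user": "BATCH_SVC",
     "source_location": "10.0.1.42", "application": "sqlplus",
     "return_code": 0},                       # interactive tool: still alerts
    {"id": 4, "object": "HR.PAYROLL", "db_user": "BATCH_SVC",
     "source_location": "10.0.1.42", "application": "payroll_loader",
     "return_code": 1017},                    # failed access: never whitelisted
]


def remaining_alert_ids(events=EVENTS, whitelist=WHITELIST):
    """IDs of the sample events that the whitelist does not suppress."""
    return [e["id"] for e in alerts_after_whitelist(events, whitelist)]


if __name__ == "__main__":
    print("events still alerting:", remaining_alert_ids())
```

Event 2 is the case the handbook's caveat is about: the same service account and application, but from an address that merely contains the expected prefix. With an anchored pattern it still alerts; with re.search or an unanchored pattern it would be silently suppressed.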

Displaying the history of issued audit commands

The Target’s Audit Management tab displays the history of issued audit commands. Each type of target database has a different style of audit management.


The Target’s Audit Management tab is not available for Sybase or MySQL databases. For the remaining database types, it is available only when Collection Method is one of the following values:
• DB, EXTENDED or XML File Agent (for Oracle)
• SQL Trace (for Microsoft SQL Server)
• DB2 Agent (for DB2)

See also
• Oracle audit management
• Microsoft SQL Server audit management
• DB2 audit management

Oracle audit management

The Target’s Audit Management page for Oracle target databases displays the history of issued audit commands.

Statement options

The Statement options section displays:
• Database User
• Audit Option
• Success
• Failure

Object options

The Object options section displays all the audit commands, including success or failure, for each object with:
• Object owner
• Object name
• Object type
• Access or Session on SELECT/INSERT/UPDATE/DELETE/EXECUTE/ALTER

To update the list, click the Refresh button.

Clearing audit settings

FortiDB modifies the Oracle auditing system to monitor the policies that you define. These audit settings determine what is audited and how fast the SYS.AUD$ table fills. Under normal operating conditions, FortiDB removes its settings when monitoring is stopped.

However, the SYS.AUD$ table can sometimes become cluttered with other people's settings that were not properly removed. To correct this, use FortiDB's clear audit settings feature to remove all audit settings.

If FortiDB is the only client of the audit system, you can use this feature to clear all audit settings. If other people need the audit settings, do not clear them. To clear audit settings, you must stop monitoring.

After clearing the settings, the audit statement and audit options tables are empty. If you then start FortiDB monitoring, you see only the FortiDB audit settings that are necessary for the enabled policies.


Audit management

When using the audit-based collection methods for Oracle, you may want to clear the audit settings from previous operations if FortiDB is used as the exclusive auditing mechanism for that target database. Also, for the DB,EXTENDED collection method, you may want to delete all previous log entries in the Oracle target database.

You can do both in the Audit Settings Management section of the Audit Management tab. These options are selected by default, so be sure to deselect these options if FortiDB is not the only service that is using Oracle's auditing mechanism.

For the DB,EXTENDED collection mechanism, the audit log table may periodically grow larger than the file system's capacity for that table. To periodically delete audit log entries, go to the Scheduled Maintenance section.

Warning: Using FortiDB to manage the contents of the SYS.AUD$ table should comply with your organization's best practices.

Microsoft SQL Server audit management

The Target’s Audit Management page for Microsoft SQL Server target databases displays a list of SQL Server events and filters used by FortiDB to audit.

If you select Monitoring or Auditing from the Trace Type drop-down list and then click Refresh, FortiDB displays the general information.

Audited events

The Microsoft SQL Server Audited Events section displays a list of SQL Server events used by FortiDB for auditing purposes with the following information:
• Column
• Event

Audited filters

The Microsoft SQL Server Audited Filters section displays a list of Microsoft SQL Server filters used by FortiDB for auditing purposes with the following information:
• Column
• Comparison Operator
• Logical Operator
• Value

To update the list, click Refresh.

DB2 audit management

The Target’s Audit Management page for DB2 target databases displays the history of audit commands issued by the database.

DB2 audit settings with syscat.auditpolicies

The DB2 Audit Settings section displays the contents of the DB2 syscat.auditpolicies view with the following information:
• Policy Name
• Policy ID
• Create Time
• Alter Time
• Audit Status
• Context Status
• Validate Status
• Checking Status
• SecMaint Status
• ObjMaint Status
• SysAdmin Status
• Execute Status
• Execute with Data
• Error Type

DB2 audit settings with syscat.audituse

The DB2 Audit Settings section also displays the contents of the DB2 syscat.audituse view with the following information:
• Policy Name
• Policy ID
• Schema
• Object Name
• Object Type
• Sub Object Type

To update the list, click the Refresh button.

Viewing alerts

The Security Alerts page displays a list of all alerts generated from all databases and their details. You can filter the list using a pre-defined alert group, an alert group that you defined, or by date.

You can also export the alert list in several different formats.

Security Alerts page columns

ID: FortiDB assigns alert identifiers sequentially.

Type: An icon indicates which type of policy generated the alert:
• table policy
• table and column policy
• session policy
• user policy
• database query policy
• privilege policy
• metadata policy

Status: An icon indicates one of the following alert statuses:
• Unacknowledged
• Acknowledged
• Error Corrected
• Alert has an annotation created by a FortiDB administrator
You can change the alert status from the Alert Summary page. For information on changing the status value, see Changing the status of and annotating alerts on page 217.

Severity: Severity of the policy that generated the alert: Informational, Cautionary, Minor, Major, or Critical.

Received Time: The date and time when FortiDB received the alert.

Target: Name of the target database.

Source Location: Hostname of the source client.

Policy Violation & Action: The name of the policy that generated the alert and the action that violated the rule.

Security Alerts page filtering options

View: Filters alerts by alert group, pre-defined or user-defined. Select a group from the View drop-down list.

Search: Click Search / New Group to define search criteria, or click Edit to modify the search criteria of a user-defined group. When you finish configuring the search criteria, click Search to search the alerts. You can also click Save Group to save the search criteria as an alert group. For more information on groups, see Alert group on page 220. For information on search criteria configuration, see Filtering and searching alerts on page 218.

Date Range and Entry Limit: Filters alerts by the specified date range. Enter a number for Limit To, and then click Refresh to refresh the alerts.

Click an alert to view its details below the list. For more information, see Alert details on page 218.

See also
• Changing the status of and annotating alerts
• Exporting the alert list as a report
• Filtering and searching alerts
• Alert details
• Alert group

Changing the status of and annotating alerts

Select one or more alerts with the check boxes, and then click one of the three Status icon buttons to change the status to Unacknowledged, Acknowledged, or Error Corrected.

Select one or more alerts with the check boxes, and then click the Annotate icon button to add or edit the alert's annotation. Click Save to save the annotation.

See also
• Viewing alerts

Exporting the alert list as a report

The alert list displayed on this page can be exported as a report in several different formats:
• PDF (.pdf)
• Excel (.xls)
• Tab (.txt)
• CSV (.csv)

To export alerts, select the file format from the Export as drop-down list, and then click Export.


To generate an alert report with more detailed information, use the predefined or user-defined DAM alert report feature. For details, see Reports.

See also
• Viewing alerts

Filtering and searching alerts

For alert searches or alert group filter settings, you filter alerts by column conditions by defining filtering criteria with one or more data filtering entries.

Exclude option

Select the Exclude following filters option if you want the opposite set of alerts (those that do not match the criteria).

Configure criteria row

One filtering criteria entry is defined per row. Select the Operator ("And" or "Or"; not available for the first row), the Column, and the comparison Operator from the drop-down lists, and then enter a Value or select one from the list of available values.

Multiple criteria rows

Add or remove filtering criteria rows with the + (plus) and - (minus) buttons.

If there are multiple filtering entries combined with both "And" and "Or" operations, use the brackets "(" and ")" to set the operation priority.

Filter sample for the group "Table change by non-system user":

Action Equals Delete, Insert, Truncate, Update
and ( DB User Not Equal SYSTEM
or Login Name Not Equal SYSTEM )

See also
• Viewing alerts

Alert details

The Alert Details section shows the following information about an alert:

ID: Alert ID. This number is set sequentially.

Timestamp: The date and time when the alert was received by FortiDB.

Target Name: Target database name.

Policy Name: Name of the policy that generated the alert. For example, Tables, Column Privileges, tablePolicy1, etc.

Action: Action that was taken and caused the alert.

Rule Violations: Alert rules that generated the alert. For example, Suspicious location, Suspicious Login Name, etc.

Severity: Short name of the severity level to which the policy is configured:
• INF - Information
• CAU - Cautionary
• MAJ - Major
• MIN - Minor
• CRI - Critical

OS User or Auth Id: OS user (for Oracle, Microsoft SQL Server) or Auth Id (for DB2) that accessed the target database.

DB User: DB user who took the action.

Login Name: Login name that logged into the target database.

Object: Object that was accessed and caused the alert.

SQL Statement: SQL statements that were executed and caused the alert.

Return Code: Return code from the target database.

Source Location: Hostname of the source location that originated the action.

Application: Source application that originated the action and caused the alert.

Annotation: Annotation text added by an administrator for this alert.

For Sybase target databases, the OS User field shows as "not available". For Microsoft SQL Server, the OS User is available only when you use Windows authentication.

For Sybase and Microsoft SQL Server, the Object field may not be available for Privilege Policies: Roles and System Privileges.

See also
• Viewing alerts


Alert group

The Alerts Group page allows you to organize the security alerts that FortiDB’s monitoring activity generates.

You use the alert groups to filter the list of alerts displayed on the Security Alerts page and to filter the information in a DAM report.

Add, edit, or delete an alert group

Use the Alerts Group page to perform the following tasks:
• To create a new group, click Add.
• To modify group settings, click the name of the group or the Edit icon in the Action column.
• To delete a group, select the check box for one or more user-defined audit groups, and then click Delete.

Alternatively, you can create a new group when you search the list of alerts on the Security Alert page. (See Filtering and searching alerts on page 218.)

Pre-defined alert groups

FortiDB provides pre-defined alert groups that you can use to add and modify filtering criteria.

Major and Critical Alerts: Alerts that have major and critical severities.

Metadata Changes: Alerts generated by triggering metadata policies.

Privilege Changes: Alerts generated by triggering privilege policies.

Security Violations: Alerts that are triggered by security violations.

Table changes: Alerts that are triggered by inserts, updates, or deletes on tables.

Unacknowledged Alerts: Alerts that have a status of 'Unacknowledged'.

Data filter for an alert group

The Filters tab allows you to define data filtering criteria for the group when you add or edit a group.

You can define one or more data filtering entries that specify the criteria to match. When an alert matches the specified criteria, it is included in the group.

Exclude following filters: Select to select alerts that do not match the criteria.

Operator: And and Or are not available for the first row.

Column: Specify a column.

Operator: Specify a comparison operator.

Value: Enter a value or select one from the list of available values.

- (minus) and + (plus): Click to add or remove rows that define criteria.

If there are multiple filtering entries combined with both "And" and "Or" operations, use the brackets "(" and ")" to set the operation priority.

For example, to create a filter for the group "Table change by non-system user", use the following settings:

Row | Operator | Column        | Operator  | Value
1   |          | Action Type   | Equals    | Delete, Insert, Truncate, Update
2   | and      | Database User | Not Equal | SYSTEM
3   | and      | Login Name    | Not Equal | SYSTEM

To create a filter for a group that selects alerts generated when a specific user (scott) creates a table:

Row | Operator | Column        | Operator | Value
1   |          | Policy Type   | Equals   | Metadata Policies
2   | and      | Action Type   | Equals   | Create Table
3   | and      | Database User | Equals   | scott

See also
• Viewing alerts
• Filtering report data
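The filter rows described under Filtering and searching alerts and in the Filters tab above are a small boolean expression language: one comparison per row, joined by And/Or, with brackets for priority. The following is an added example, not FortiDB's own code, that evaluates such rows against constructed alerts so the effect of the brackets and of the Exclude option can be checked. The two filter definitions are the handbook's own samples (the bracketed "Table change by non-system user" form and the "scott creates a table" form); the evaluation order (strictly left to right unless rows are bracketed), the Exclude handling and the sample alerts are assumptions of this example.

```python
"""Evaluate FortiDB-style alert filter rows (And/Or with brackets).

Added example, not FortiDB's own code. The row layout (Operator, Column,
Operator, Value, optional brackets) and the two sample filters are taken
from the handbook; the evaluation order (left to right unless brackets
group rows), the Exclude handling and the sample alerts are assumptions.
"""


def compare(actual, cmp, value):
    """Apply one row's comparison; a list Value means 'any of these'."""
    values = value if isinstance(value, list) else [value]
    hit = actual in values
    if cmp == "Equals":
        return hit
    if cmp == "Not Equal":
        return not hit
    raise ValueError(f"unsupported operator: {cmp}")


def row_tokens(rows, alert):
    """Turn the filter rows into [bool, 'and'/'or', '(', bool, ')' ...]."""
    tokens = []
    for i, row in enumerate(rows):
        if i > 0:                       # And/Or is not available on the first row
            tokens.append(row["op"])
        if row.get("open"):
            tokens.append("(")
        tokens.append(compare(alert.get(row["column"], ""), row["cmp"], row["value"]))
        if row.get("close"):
            tokens.append(")")
    return tokens


def _operand(tokens, i):
    if tokens[i] == "(":
        value, i = _expression(tokens, i + 1)
        if i >= len(tokens) or tokens[i] != ")":
            raise ValueError("unbalanced brackets in filter rows")
        return value, i + 1
    return tokens[i], i + 1


def _expression(tokens, i):
    """Left-to-right And/Or chain; brackets are the only grouping."""
    result, i = _operand(tokens, i)
    while i < len(tokens) and tokens[i] in ("and", "or"):
        op = tokens[i]
        rhs, i = _operand(tokens, i + 1)
        result = (result and rhs) if op == "and" else (result or rhs)
    return result, i


def alert_matches(alert, group):
    """True if the alert belongs to the group; Exclude inverts the match."""
    tokens = row_tokens(group["rows"], alert)
    result, i = _expression(tokens, 0)
    if i != len(tokens):
        raise ValueError("unbalanced brackets in filter rows")
    return not result if group.get("exclude") else result


def matching_ids(alerts, group):
    """IDs of the alerts that the group's filter selects."""
    return [a["id"] for a in alerts if alert_matches(a, group)]


# Handbook sample: Action Equals Delete/Insert/Truncate/Update
#   and ( DB User Not Equal SYSTEM or Login Name Not Equal SYSTEM )
TABLE_CHANGE_BY_NON_SYSTEM_USER = {"rows": [
    {"column": "Action Type", "cmp": "Equals",
     "value": ["Delete", "Insert", "Truncate", "Update"]},
    {"op": "and", "open": True, "column": "Database User",
     "cmp": "Not Equal", "value": "SYSTEM"},
    {"op": "or", "column": "Login Name", "cmp": "Not Equal",
     "value": "SYSTEM", "close": True},
]}

# Handbook sample: alerts raised when user scott creates a table.
SCOTT_CREATES_TABLE = {"rows": [
    {"column": "Policy Type", "cmp": "Equals", "value": "Metadata Policies"},
    {"op": "and", "column": "Action Type", "cmp": "Equals", "value": "Create Table"},
    {"op": "and", "column": "Database User", "cmp": "Equals", "value": "scott"},
]}

# Constructed sample alerts (not real monitoring data).
ALERTS = [
    {"id": 1, "Policy Type": "Table Policies", "Action Type": "Update",
     "Database User": "HR_APP", "Login Name": "HR_APP"},
    {"id": 2, "Policy Type": "Table Policies", "Action Type": "Update",
     "Database User": "SYSTEM", "Login Name": "SYSTEM"},
    {"id": 3, "Policy Type": "Table Policies", "Action Type": "Select",
     "Database User": "HR_APP", "Login Name": "HR_APP"},
    {"id": 4, "Policy Type": "Metadata Policies", "Action Type": "Create Table",
     "Database User": "scott", "Login Name": "scott"},
    {"id": 5, "Policy Type": "Table Policies", "Action Type": "Delete",
     "Database User": "SYSTEM", "Login Name": "HR_APP"},
]

if __name__ == "__main__":
    print("table change by non-system user:",
          matching_ids(ALERTS, TABLE_CHANGE_BY_NON_SYSTEM_USER))
    print("scott creates table:", matching_ids(ALERTS, SCOTT_CREATES_TABLE))
```

Alert 5 shows why the brackets matter: its DB user is SYSTEM but its login name is not, so the bracketed "or" keeps it in the group, whereas the unbracketed "and/and" variant in the Filters tab example would drop it. Check a new group against a handful of known alerts in this way before relying on it in a DAM report.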

Alerts summary

The Alerts Summary page summarizes the alert statistics and recent trends.

The DB Activity Monitoring table shows the alerts statistics for today, recent years, and all ("total"). It also displays the number of databases FortiDB is monitoring and the current count of alert groups.

The alert trend charts show how the alert volume changed over time, with trends for the last 7 days, last 30 days, last 90 days, and last 12 months.

See also
• Viewing alerts
• Alerts analysis

Alerts analysis

The Alerts Analysis page allows you to analyze the alerts received within a date range that you specify.

Status: An icon indicates the state of the analysis:
• newly created or edited
• queued to run
• running
• complete

Target: Target to analyze, either a specific target or ALL.

Alert Received From: Start date of alerts.

Alert Received To: End date of alerts.

Analyze Time: Analyze time.

Action: Edit icon button (click to edit the analysis); View icon button (click to view the analysis result).

To analyze results

1. Click Add. To edit an existing analysis, click the analysis name, or click the Edit icon in the Action column.

2. On the analysis add/edit page, enter the name, select the target (All or one specific target), specify the alert received date range, and then click Save. Alerts received on the "Received To" day are included; for example, From "March 1" To "March 31" covers alerts received in March.

3. Mark the check box corresponding to an analysis.

4. Click the Run button.

5. To view the results, either click the View icon button in Action column, or click the time when an analysis finished.


To view the results of an analysis

Do one of the following:
• In the Action column, click the View icon.
• Click an Analyze Time value.

The analysis result page displays the following information:
• Analysis Summary: Target, Alerts date range, and Total alerts count in this range.
• Statistics Chart: Alerts statistics date-series chart.
• More alert statistics by category:
  • By Target (for 'All' target analysis)
  • By Severity
  • By Policy
  • By Action
  • By DB Login
  • By DB User
  • By Client Location (Top 10)
  • By Client Application (Top 10)

See also
• Viewing alerts
• Alerts summary

Viewing audit records (activity auditing results)

The Activity Auditing page displays a list of audit records with their details. The audit records FortiDB generates while it monitors the database are determined by the activity auditing option you specify: Log All, or the policies selected on the Audit Policy Groups tab.

To enable activity auditing, you configure FortiDB to monitor the target database using the TCP/IP sniffer. For more information, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 199.

Audit record list columns

ID: Audit ID. This number is set sequentially.

Type: An icon indicates what generated the audit record:
• the Log All option enabled for target monitoring
• Table Policy
• Table and Column Policy
• Session Policy
• User Policy
• Database Policy
• Privilege Policy
• Metadata Policy

Timestamp: Audit timestamp.

Target: Target database name.

Source Hostname/IP: Hostname and IP address of the source client.

Action: Action of the database activity.

DB User: Database user of the action.

SQL Text: SQL text.

See also
• Filtering and searching the audit record list
• Viewing audit record details

Filtering and searching the audit record list

To filter the audit records by audit group, select an option from the View list. For more information on audit groups, see Audit group on page 225.

To search the audit records, click Search/New Group, specify the search criteria, then click Search. You can save the search criteria as an audit group. For more information on the search and group creation options, see Searching or filtering the target list on page 106.

To edit a saved group, select the group from the View dropdown list, click Edit, modify the search criteria, and then click Save Group.

To display audit records for a specific time range, specify the Received from and To times, enter the Limit to value, and then click Refresh.

See also
- Viewing audit records (activity auditing results)
- Viewing audit record details

Viewing audit record details

Click an audit record to display its details at the bottom of the audit record list.

Field Name | Description
ID | Audit ID. FortiDB sets this number sequentially.
Timestamp | The date and time the activity was audited.
Target/IP | Target database name and database server's IP address.
Target Service Port | Target database server's service port.
Policy Type | Type of audit policy that generated the audit record. Shows "All" if the Log All option is enabled.
Policy Name | Name of the audit policy that generated the audit record. For example, Tables, Column Privileges, tablePolicy1, etc.
Action | Activity action.
Source Hostname/IP | Hostname and IP address of the source client.
Source MAC | MAC address of the source client.
DB User | DB user who performed the action.
SQL Text | SQL statement text of the activity.

See also
- Viewing audit records (activity auditing results)
- Filtering and searching the audit record list

Audit group

The Audit Group page allows you to organize audit records.

You use audit groups to filter the list of audit records displayed on the Activity Auditing page and to filter the information in a DAM report.

Add, edit, or delete an audit group

Use the Audit Group page to perform the following tasks:
- To create a new group, click Add.
- To modify group settings, click the name of the group or the Edit icon in the Action column.
- To delete a group, select the check box of one or more user-defined audit groups, and then click Delete.

Alternatively, you can create a new group when you search the list of audit records on the Activity Auditing page. (See Filtering and searching the audit record list on page 224.)

Pre-defined audit groups

FortiDB has pre-defined audit groups that you can use to add and modify filtering criteria.

Audit group | Description
All | All available policies
All DB2 Policies | All policies that are supported for DB2 databases
All MySQL Policies | All policies that are supported for MySQL databases
All Oracle Policies | All policies that are supported for Oracle databases
All SQL Server Policies | All policies that are supported for Microsoft SQL Server databases
All Sybase Policies | All policies that are supported for Sybase databases
Data Policies | All policies that trigger on table, table-column, user, or session changes to the target database
Metadata Policies | All policies that trigger on metadata changes to the target database
Privilege Policies | All policies that trigger on privilege changes to the target database
SYS Operations | Policies that monitor SYS operations

Data filter for an audit group

Use the Filters tab to define filtering criteria for a group.

For information on the filtering options, see Data filter for an alert group on page 220.

See also
- Viewing audit records (activity auditing results)

Activity profiling

FortiDB’s activity profiling feature generates statistics about database activity by user and table. You can use these statistics as a baseline when you configure policies that identify suspicious access patterns.

Activity profiling requires the appliance version of FortiDB and the TCP/IP sniffer collection method. For information on using the sniffer, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 199.

See also
- Viewing status and summary information for activity profiling
- Viewing and exporting activity profiling results

Viewing status and summary information for activity profiling

The Activity Profiling page displays target profiling status and a summary of profiling results.

Activity Profiling page columns

Column | Description
Status | Icon showing one of three states: the target is not monitored; monitoring and profiling are active; monitoring is active and profiling is not enabled.
Name | Target name. Click to view detailed profiling results.
DB Host Name/IP | Database host name or IP address of the target database computer.
DB Type | The type of database.
Profiling Statistics | Total number of activities since profiling started.
Profiling Start Time | Either the time when FortiDB started monitoring the database or the time when you cleared the existing profiling results.
Action | Click View Profiling Detail to view detailed profiling information for the target. Click Reset Profiling Statistics to clear the existing profiling results for the target; if monitoring with profiling is enabled, FortiDB sets Profiling Start Time to the current time, otherwise it sets Profiling Start Time when monitoring starts.

To display profiling status and summary information for a specific target group, in the View list, select a target group.

See also
- Viewing and exporting activity profiling results

Viewing and exporting activity profiling results

The Target DB Activity Profiling page displays detailed profiling results.

FortiDB organizes profiling results for specific targets by database login and user, source clients, and database table access.

To view statistics for a login or user, in the DB Login/User list, select the appropriate name.

Source clients access list

Source clients access list columns

Column | Description
Source IP | IP address of the database source client
OS Hostname | Hostname of the source client
Source Application | Application name of the source client
OS User | Operating system (OS) user name
Session Count | Database access session count from this source client

Database tables access list

The database tables access list displays all database tables accessed by the selected login or user and information about the related access actions.

The Table Name column displays the name of the database table that the login or user accessed. (For Oracle databases, this can also be the name of a synonym.)

The other columns display the count for each of the following actions:
- Select
- Update
- Insert
- Delete
- Create
- Alter
- Drop
- Trunc
- Grant
- Revoke
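The following Python script is an added example, not FortiDB code, showing what the profiling tally above looks like when you use it the way the handbook suggests: as a baseline for spotting unusual access. It rebuilds the per-login, per-table action counts from a few constructed audit records, then reports any login/table/action combination in a later batch that never appeared while the baseline was being built. The record layout (db_user and sql fields), the keyword-to-action mapping, and the regular expression that picks the table name are assumptions made for this example, not FortiDB internals.

```python
"""Added example, not FortiDB code: rebuild a per-login activity profile from
audit records and flag activity that falls outside the baseline.

Assumptions (not from the FortiDB handbook): records are dicts with 'db_user'
and 'sql' keys, the action is taken from the leading SQL keyword, and the
table is the first identifier after FROM/INTO/UPDATE/TABLE/ON/JOIN.
"""
import re
from collections import defaultdict

# The ten actions counted on the Target DB Activity Profiling page.
PROFILED_ACTIONS = ("Select", "Update", "Insert", "Delete", "Create",
                    "Alter", "Drop", "Trunc", "Grant", "Revoke")

_VERB_TO_ACTION = {
    "SELECT": "Select", "UPDATE": "Update", "INSERT": "Insert",
    "DELETE": "Delete", "CREATE": "Create", "ALTER": "Alter",
    "DROP": "Drop", "TRUNCATE": "Trunc", "GRANT": "Grant", "REVOKE": "Revoke",
}
_TABLE_RE = re.compile(
    r"\b(?:FROM|INTO|UPDATE|TABLE|ON|JOIN)\s+([A-Za-z_][\w.]*)", re.IGNORECASE)


def classify(sql):
    """Return (action, TABLE) for a SQL text, or (None, None) if not profiled."""
    words = sql.strip().split(None, 1)
    action = _VERB_TO_ACTION.get(words[0].upper()) if words else None
    if action is None:
        return None, None
    match = _TABLE_RE.search(sql)
    return action, (match.group(1).upper() if match else None)


def build_profile(records):
    """Tally actions per login and table, as the profiling detail page does."""
    profile = defaultdict(
        lambda: defaultdict(lambda: dict.fromkeys(PROFILED_ACTIONS, 0)))
    for rec in records:
        action, table = classify(rec["sql"])
        if action and table:
            profile[rec["db_user"]][table][action] += 1
    return profile


def find_deviations(baseline, records):
    """Return (login, table, action) triples seen in records but absent from
    baseline, in first-seen order: a login touched a table, or used an action
    on it, that it never used while the baseline was built."""
    deviations = []
    for rec in records:
        action, table = classify(rec["sql"])
        if not (action and table):
            continue
        key = (rec["db_user"], table, action)
        known = baseline.get(rec["db_user"], {}).get(table, {}).get(action, 0)
        if known == 0 and key not in deviations:
            deviations.append(key)
    return deviations


# Constructed sample records for the example (not captured from a real target).
BASELINE_RECORDS = [
    {"db_user": "app_svc", "sql": "SELECT id, balance FROM accounts WHERE id = 42"},
    {"db_user": "app_svc", "sql": "UPDATE accounts SET balance = 10 WHERE id = 42"},
    {"db_user": "app_svc", "sql": "INSERT INTO audit_log (msg) VALUES ('paid')"},
    {"db_user": "report_ro", "sql": "SELECT * FROM accounts"},
    {"db_user": "report_ro", "sql": "SELECT count(*) FROM customers"},
]
NEW_RECORDS = [
    {"db_user": "app_svc", "sql": "SELECT balance FROM accounts WHERE id = 7"},
    {"db_user": "report_ro", "sql": "DELETE FROM accounts WHERE id = 7"},
    {"db_user": "report_ro", "sql": "GRANT SELECT ON customers TO guest"},
    {"db_user": "report_ro", "sql": "SELECT card_number FROM cards"},
]


def demo():
    """Build the baseline from BASELINE_RECORDS and check NEW_RECORDS against it."""
    return find_deviations(build_profile(BASELINE_RECORDS), NEW_RECORDS)


if __name__ == "__main__":
    for login, table, action in demo():
        print(f"deviation: {login} performed {action} on {table}")
```

A read-only reporting login that suddenly deletes rows, grants privileges, or reads a table it never touched before is exactly the kind of pattern the profiling baseline is meant to expose; in FortiDB you would turn such findings into User, Table, or Privilege policies rather than run a script, but the logic is the same.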

Exporting profiling results

For information on generating and exporting an activity profiling report that you can run at a scheduled time and send automatically to recipients by email, see Activity Profiling Reports on page 251.

To export the detailed profiling results as a report

1. For Export as, select one of the following file formats:
   - PDF (.pdf)
   - Excel (.xls)
   - Tab (.txt)
   - CSV (.csv)

2. Click Export.

See also
- Viewing status and summary information for activity profiling

SOX audit

When you use one or more policies from the Sox Policies DAM alert policy group to monitor the target database, FortiDB saves SOX compliance audit logs.

The Sox Audit page displays the compliance audit logs.

To filter the audit logs, in the Target list, select the appropriate target database, enter from and to dates, and then click Refresh.

See also
- PCI, SOX, and HIPAA alert policies
- PCI, SOX, and HIPAA reports

Logs

Local monitoring log

The Local Monitoring Log page lists monitoring event logs.

The log information includes Date, Target, Policy name, Severity, and Description.

In the Local Monitoring Log page, you can:
- Display logs filtered by the severity level that you select from the Severity dropdown list.
- Display logs filtered by the target database that you select from the Target dropdown list.
- Display logs filtered by the date range you select in the From and To fields.
- Export the current list by selecting Export.
- Delete all logs by selecting Delete All.
- Schedule error checks using one of the following options:
  - Run Once: FortiDB checks for errors at the time specified by Starts at.
  - Recurring: FortiDB checks for errors during the interval specified by Starts at and End by.

Local audit trail

The local audit trail feature allows you to capture the following information as audit trail records:
- All administrator activities: add/delete/update administrators, add/delete/update policies or policy groups, add/delete/update targets or target groups, add/delete/run assessments, archive, restore, log on, and system configuration.
- System activities: start and stop.

You can filter the list of audit trail records by date. You can also export the list as a tab-delimited text file, which you can open in spreadsheet applications such as Microsoft Excel.

To display the audit trail, an administrator requires the System Administrator role.

To enable the local audit trail

1. In the navigation menu, go to Administration > Global Configuration.

2. On the User Profile/Security tab, for Enable Local Audit Trail, select true.

3. Click Save.


See also
- Viewing and managing the audit trail records
- Examples of audit trail records

Viewing and managing the audit trail records

To view the local audit trail, in the navigation menu, click Administration > Local audit trail.

Column | Description
Timestamp | The date and time of the action.
Action | The action that occurred.
By | The name of the account that performed the action. For example, the admin account. Note: When FortiDB invokes actions such as a scheduled scan, scheduled archive, start FortiDB, and stop FortiDB, "internal" is displayed in this column.
Location | The location where the action occurred. For example, local, or the remote location where the account logged in, which is displayed as an IP address or host name. Note: When FortiDB invokes actions such as a scheduled scan, scheduled archive, start FortiDB, and stop FortiDB, "internal" is displayed in this column.
Object Name | The object that the action affected.

To filter the list of local audit records by date, either enter start and end dates or click the calendar icon to select dates, and then click Apply.

To sort the list, click a column heading to sort using the values in that column.

Click Delete to delete the audit trail records in the selected date range.

If the Local Audit Trail global setting is enabled and you delete audit trail records, FortiDB generates an audit trail record for the delete action.

Click Export to export the audit trail records in the selected date range as a comma-delimited text file.

See also
- Examples of audit trail records

Examples of audit trail records

Timestamp: 2009-02-26 16:06:47
Action: Update
By: admin
Location: 172.30.63.50
Object Name: VA Policy: DVA IBM DB2 UDB 02.11 Latest Fixpak not installed
---------------
Timestamp: 2009-02-26 15:36:31
Action: Scan
By: jsmith
Location: 172.30.63.40
Object Name: VA Scan: Latest Patch Policies
---------------
Timestamp: 2009-09-09 15:02:25
Action: Add
By: admin
Location: 172.30.63.50
Object Name: DAM Policy Group: tablePolicy1_2 Group
---------------
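Because the audit trail is the only record of who changed FortiDB's own policies, targets, and administrators, it is worth reviewing outside the appliance as well. The script below is an added example, not FortiDB code: it parses records in the layout shown above, then lists sensitive actions (Add, Update, Delete) performed from outside an assumed management network and tallies actions per account. The sample input is the three records from this page plus one constructed Delete record; the management network, the set of sensitive actions, and that fourth record are assumptions made for the example.

```python
"""Added example, not FortiDB code: parse local audit trail records in the
layout shown above and review them for unexpected administrator activity.

Assumptions (not FortiDB settings): the management network that admins are
expected to log in from, the set of actions worth flagging, and the fourth
record below, which is constructed so the review produces a hit.
"""
import ipaddress
from collections import Counter

# The three records from this page, plus one constructed Delete record.
SAMPLE_TRAIL = """\
Timestamp:2009-02-26 16:06:47
Action: Update
By: admin
Location: 172.30.63.50
Object Name: VA Policy: DVA IBM DB2 UDB 02.11 Latest Fixpak not installed
---------------
Timestamp:2009-02-26 15:36:31
Action: Scan
By: jsmith
Location: 172.30.63.40
Object Name: VA Scan: Latest Patch Policies
----------------
Timestamp:2009-09-09 15:02:25
Action: Add
By: admin
Location: 172.30.63.50
Object Name: DAM Policy Group: tablePolicy1_2 Group
--------------
Timestamp:2009-09-10 02:14:08
Action: Delete
By: admin
Location: 10.9.8.7
Object Name: Local Audit Trail
"""

FIELDS = ("Timestamp", "Action", "By", "Location", "Object Name")
ADMIN_NETWORK = ipaddress.ip_network("172.30.63.0/24")   # assumption
SENSITIVE_ACTIONS = {"Add", "Update", "Delete"}          # assumption


def parse_trail(text):
    """Split the dash-separated record blocks into dicts keyed by field name."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"-"}:          # a separator line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep and key in FIELDS:       # 'Object Name: VA Policy: ...' keeps its inner colons
            current[key] = value.strip()
    if current:                          # last record has no trailing separator
        records.append(current)
    return records


def off_network(record):
    """True when Location is an IP address outside ADMIN_NETWORK.
    'internal' (scheduled jobs) and host names are never flagged here."""
    try:
        addr = ipaddress.ip_address(record.get("Location", ""))
    except ValueError:
        return False
    return addr not in ADMIN_NETWORK


def review(records):
    """Return (flagged, per_account): sensitive actions performed from outside
    the admin network, and a count of all actions by account name."""
    flagged = [r for r in records
               if r.get("Action") in SENSITIVE_ACTIONS and off_network(r)]
    per_account = Counter(r.get("By") for r in records)
    return flagged, per_account


if __name__ == "__main__":
    hits, counts = review(parse_trail(SAMPLE_TRAIL))
    for r in hits:
        print(f"{r['Timestamp']} {r['By']}@{r['Location']} {r['Action']}: {r['Object Name']}")
    print(dict(counts))
```

Note that a Delete of audit trail records is itself recorded when the Local Audit Trail setting is enabled, as the text above states, so a review like this one can also confirm that nobody has cleared the trail from an unexpected location.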

See also
- Viewing and managing the audit trail records

Reports

FortiDB can generate various reports, including pre-defined and user-defined vulnerability assessment (VA) reports and database activity monitoring (DAM) reports.

For VA and DAM reports, select an item in the Report menu to manage and generate reports. For other exportable reports, go to the corresponding context page and use the Export function to export the report file.

Reports can be exported as a PDF file. Some reports can also be exported as an Excel, tabbed text, or CSV file.

To generate VA and DAM reports, your administrator account requires the Report Manager role.

Vulnerability assessment (VA) reports

Vulnerability assessment (VA) reports include:
- pre-defined or user-defined assessment reports
- pre-defined VA policy reports
- pre-defined sensitive data discovery reports

You can view and export VA reports manually. Go to a pre-defined or user-defined VA report, select the report to preview its content, then click Export to export the report in PDF or another file format.

You can also generate assessment report files automatically by scheduling FortiDB to generate them.

DAM reports

DAM reports include:
- pre-defined and user-defined security alert reports
- activity audit reports
- PCI, SOX, and HIPAA compliance reports

The information in activity audit reports comes from DAM activity auditing, a feature that requires the appliance version of FortiDB and the TCP/IP Sniffer collection method.

You can configure report criteria such as data filtering, schedule, and notification for security alert reports and activity audit reports. For user-defined reports, you can also customize the display of the data table view and analysis chart view.

FortiDB generates and saves security alert reports and activity audit reports in all file formats, whether you generate them manually or using a schedule.


Report files that FortiDB saves to disk

FortiDB saves generated report files (such as PDF or Excel (.xls)) to disk when:
- FortiDB generates a DAM report (all file types are saved for all DAM reports).
- You enable the Schedule and Save Scheduled Assessment Report to Disk File option for a vulnerability assessment.

To free disk space, delete report files after you download them.

Other reports you can export

You can export PDF report files for:
- Administrators Entitlement Report: Administration > Administrators
- Target Database Report: Target Database Server > Targets
- Database Discovery Report: Target Database Server > Auto Discovery
- VA Privilege Summary Report: Vulnerability Assessment > Privilege Summary
- VA Local Log Report: Vulnerability Assessment > Local Assessment Log
- DAM Security Alerts Summary Report for search result: DB Activity Monitoring > Security Alerts
- Activity Profiling Report: DB Activity Monitoring > Activity Profiling > Profiling Detail
- DAM Local Log Report: DB Activity Monitoring > Local Monitoring Log

See also
- Pre-defined VA reports
- User-defined VA reports
- Pre-defined DAM reports
- User-defined DAM reports
- PCI, SOX, and HIPAA reports
- Activity Profiling Reports

Pre-defined VA reports

Go to Report > Pre-Defined VA Reports to view a list of available reports and select a report template to use to view and export report information.

See also
- Assessment reports
- Policy reports
- Sensitive data discovery reports

Assessment reports

Assessment reports provide the results of target database assessments, including assessment statistics, vulnerability details, and the run result of each policy.

To view and export assessment reports, select the report parameters, including Assessment, run time, and target database. Go to the Preview Report tab to view the report content, and export it as a file in the format you select.

Pre-defined Assessment Reports:
- Global Detailed Report: gives the number and types of passed and failed policies and their details for all targets in the assessment
- Target Detailed Report: gives the number and types of passed and failed policies and their details
- Target Detailed Failed Report: gives the number and types of failed policies and their details
- Target Summary Report: summarizes the number and types of passed and failed policies
- Target Summary Failed Report: summarizes the number and types of failed policies
- Target Score Report: displays the scan results in graphical form
- Target Trend Report: displays the database policy progress over time

Statistics tables

With the exception of the target trend report, all report templates contain the following two statistics tables:
- Severity: Summarizes the number of policies in each state by policy severity
- Classification: Summarizes the number of policies in each state by policy classification

Vulnerabilities

With the exception of the target score and trend reports, all report templates contain summary or detailed vulnerability information, sorted into the following categories:
- Critical Vulnerabilities
- Major Vulnerabilities
- Minor Vulnerabilities
- Cautionary Vulnerabilities
- Informational Vulnerabilities

Score report and trend report

The pre-defined Score Report template provides a way to see vulnerability results in graphical form for all target databases used in an assessment. It also shows results by the RDBMS type of the assessed targets.

The pre-defined Trend Report template provides a way to see assessment results over time to assist your vulnerability planning and remediation efforts.

See also
- Adding or modifying assessments

Policy reports

Policy reports provide information about pre-defined and user-defined VA policies. You can generate reports for all VA policies or filter by database type, classification, severity, or policy type.

FortiDB provides the following two types of policy reports:
- Policy Summary Report: Summarizes the most current vulnerability assessment policies in the system
- Policy Detailed Report: Provides detailed information about the current vulnerability assessment policies in the system

See also
- Vulnerability assessment (VA) policies

Sensitive data discovery reports

Sensitive data discovery reports allow you to view and export the results of sensitive data discovery. Select the target database and discovery time to view and export the discovery report.

FortiDB provides the following two types of sensitive data discovery reports:
- Sensitive Data Discovery Detailed Report: Provides detailed information about the sensitive data discovery.
- Sensitive Data Discovery Summary Report: Provides summary information about the sensitive data discovery.

See also
- Data discovery policies and policy groups
- Sensitive data discovery

User-defined VA reports

You can customize your report template with selected columns and data from the User-Defined VA Reports and User-Defined DAM Reports pages.

The User-Defined VA Reports page lists the reports you created, and allows you to add, modify, and delete reports.

Column or button | Description
Name | User-defined name for the report. Click the name link to modify and export the report.
Description | User-defined description.
Last Modified | Date and time the report was last modified.
Created By | User who created the report.
Add | Adds a report.
Delete | Deletes the reports whose check boxes you selected.

See also
- Managing user-defined reports

Managing user-defined reports

Click the Add button, or click the name of an existing report, to go to the report edit page.

General tab

Name and describe your report.

Columns tab

Specify which columns to include in your report. Select columns from the Available Columns list and add them to the Columns in Report list.

Your report must contain at least one display column.

Grouping tab

Specify grouping criteria:

In the Group Data By dropdown list, select the column name(s) by which you want to group data results.

Optionally, specify a sort order in the Order dropdown (Ascending or Descending), and specify a Day, Week, Month, Quarter, or Year value by which to group date-related report results in the Group date values by dropdown.

For VA reports, you cannot group by Policy Description. You can specify two additional grouping levels, in the same way, by using the and then by and and lastly by dropdown lists.

Filtering tab

Specify filtering criteria:
- Define a column filtering entry in a row by selecting the Column and Operator and entering the Value.
- Add or remove filtering criteria rows by clicking the + (plus) or - (minus) buttons.

To limit the number of rows displayed, select the Enter number radio button and then specify, as your row limit, any positive number less than 1000.

Export options

Export or save the report, or cancel editing.

Export your report in an output format: PDF or tab-delimited text file.

Click the Save button to save the report, or click Cancel to discard your changes.

See also
- Vulnerability assessment (VA) policies

Viewing scheduled VA reports

The Scheduled VA Reports page allows you to manage report files generated by scheduled vulnerability assessments.

The following VA configuration settings generate a scheduled VA report file and save it to disk:
- Enable schedule for the vulnerability assessment
- Enable the report option Save Scheduled Assessment Report to Disk File

For information on configuring assessments, see Adding or modifying assessments on page 181.

The target database name and report filename are listed on the Scheduled VA Reports page.

Click the report filename to download or open the report file.

Select the check box for one or more reports, then click Download to download them as a ZIP archive file, or click Delete to delete the selected report files.

See also
- Running an assessment at a specified date and time

Pre-defined DAM reports

Pre-defined DAM reports display security alert data or activity audit events, which you can filter to exclude records from the report data.

Go to Report > Pre-Defined DAM Reports and select the Security Alert Reports or Activity Audit Reports tab to configure and run reports with a pre-defined template, browse generated report content, and download report files.

Activity Audit Reports are available only on the FortiDB appliance, and only when the target database is monitored with the TCP/IP sniffer collection method. For details, see Viewing audit records (activity auditing results) on page 223.

The following pre-defined report templates are available for pre-defined DAM reports.

Pre-defined Security Alert Reports:
- Security Alert Detailed report: shows the details for all alerts generated within the report filter criteria.
- Security Alert Summary report: summarizes the alerts generated within the report filter criteria.
- Security Alert Statistical report: summarizes statistical information about alerts generated based on rule violations, policies, and severities.

Pre-defined Audit Reports:
- Activity Audit Detailed report: shows the details for all activity audit events generated within the report filter criteria.
- Activity Audit Summary report: summarizes the activity audit events generated within the report filter criteria.

See also
- Report management
- Filtering report data
- Schedule and notification

User-defined DAM reports

The User-Defined DAM Reports page allows you to filter report data, configure scheduling and notification, and customize the report layout.

Go to Report > User-Defined DAM Reports, click the User-Defined Alert Reports or User-Defined Audit Reports tab for your report type, and then define the report.

See also
- Report management
- Filtering report data
- Schedule and notification

Report management

The Pre-Defined DAM Reports, User-Defined DAM Reports, and Activity Profiling Reports pages display a table with the following columns:

Column | Description
[+] [-] | Click to expand or collapse the 10 most recent results for a report. When the item is expanded, you can click the name of a report instance (which contains the time FortiDB generated it) to view the report contents in HTML format, or click one of the file format icons on the right (PDF/TXT/XLS/CSV) to download the report.
Status | Icon indicating whether the report is idle, running, or scheduled to run.
Name | Click to configure the report.
Description | Report description specified in the report configuration.
Last Modified | Date and time when an administrator last modified the report.
Created By | FortiDB administrator who created the report.
Results | The number of times FortiDB has run the report.
Action | Click the edit icon to edit the report configuration, or the view icon to view all instances of FortiDB running this report.

To run a report

Do one of the following:
- On the Pre-Defined DAM Reports page, use the check boxes to select one or more reports to run, and then click Run.
- On the User-Defined DAM Reports page, if the report you want to run is not in the list, click Add and configure the report. Then use the check boxes to select one or more reports to run, and click Run.
- On the Activity Profiling Reports page, click Run. For information on configuring an activity profiling report, see Activity Profiling Reports on page 251.

See also
- Pre-defined DAM reports
- Activity Profiling Reports

Filtering report data

To add or edit the data filter for a DAM report, go to the Data Filter tab.

Data time range

You can choose a dynamic time period or a specific time range for the report's data filtering.

Select the Last Period option for a dynamic time period. Enter the period value and select the period unit: Day, Week, or Month.

The dynamic time range is calculated each time the report runs (manually or on schedule). For example, when you select "last 2 days" as the period, FortiDB filters the alerts (or audit records) received in the 48 hours before the moment the report runs.

To use a specific time range, select the Date Range option and enter the from and to date/time.

Records limit

In Limit to, enter the maximum number of records. This is the maximum number of records displayed in the report data table.

Custom data filters

Custom Data Filters allow you to configure filtering criteria as column conditions.

The filter configuration is the same as configuring filtering criteria for an Alert/Audit Search Group. For details, see Filtering and searching alerts on page 218.

For a DAM Alerts Report, you can select the Alert Group option and choose a group from the dropdown list to use that group's filter settings for the report.

For a DAM Audits Report, you can select the Audit Group option and choose a group from the dropdown list to use that group's filter settings for the report.

Configuring data displays

The Table View tab allows you to configure the data table display, and the Analysis tab allows you to configure analysis charts.

Data table view

To configure which data columns are displayed in the report, select columns from the Available Columns list and add them to the Columns in Report list.

You can also configure data groups in the report's data table (optional).

In the Group Data By dropdown list, select the column name(s) by which you want to group data results.

Optionally, specify a sort order in the Order dropdown (Ascending or Descending), and specify a Day, Week, Month, Quarter, or Year value by which to group date-related report results in the Group date values by dropdown.

Adding analysis charts and statistics tables to reports

You can add multiple analyses, each with a statistics chart and table, to a report. You define each analysis in a row on the Analysis tab. Click + (plus) or - (minus) to add or remove rows.

To configure an analysis:

1. Select the Chart type: Pie or Bar.

2. From the Column type dropdown list, select the data column you want to count for statistics.

3. For a DAM Alert report, you can select Severity or Status as a second Column type for a Bar chart. The enumeration of Severity or Status is listed on the Y-axis of the statistics table.

4. If the data comes from multiple target databases, enable the Group by target check box to generate a separate analysis chart and statistics table for each target.

5. Enter the Max item number for the data column.

6. Enable Count others to add an Others entry as the last column of the analysis chart/table.

Schedule and notification

Both Pre-Defined and User-Defined DAM Reports allow you to configure a schedule and email notification.

FortiDB only sends email notifications for reports that run on a schedule.

Go to the Schedule tab to configure the schedule, and go to the Notification tab to configure email notification.

Scheduling reports

The report scheduler allows you to set when to start report generation, how often to generate reports, and when to stop.

Select the Enable Schedule check box to enable the scheduler.

There are two ways to set up the scheduler:

Schedule Type | Description
Run Once | Report generation occurs once, at the time you set in the Start at field.
When to Run | The date range within which the report runs, as set in the Date Range field.
Recurring | Report generation starts at the time set in the Start at field and continues until the End by time. The Recurrence pattern can be Minutely, Hourly, Daily, Weekly, or Monthly. Enter the value for the recurrence interval.

Email notification for scheduled reports

Email Notification allows FortiDB to send report file(s) via email at the scheduled time.

Select Enable Email to enable email notification.

For email notifications, you must designate one or more email receivers. Select one or more of the entries in the Available Receivers list box and add them to the Selected Receivers list.

You must set the email server and user properties in the Global Configuration for email notification.

Select the Report formats of the report file(s) you want included in the email.

See also

- Notification properties

PCI, SOX, and HIPAA reports

FortiDB provides the following types of compliance reports to help you achieve compliance with both internal and external requirements:

- Sarbanes-Oxley (SOX)
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability & Accountability Act (HIPAA)

Some compliance reports must be generated weekly, monthly, or quarterly.


PCI compliance report templates

PCI - Invalid Operation
  Description: Identifies failed access attempts. This should be reviewed on a periodic basis by IT.
  Required option settings: Object Audit Options

PCI - Privileged User Action
  Description: Tracks all access/changes by the administrative accounts. The administrative accounts need to be specified during the configuration stage. The report should be reviewed and commented on by appropriate management.
  Required option settings: User Audit Options

PCI - System Object Operations
  Description: Tracks all access/changes by the administrative accounts. The administrative accounts need to be specified during the configuration stage. The report should be reviewed and commented on by appropriate management.
  Required option settings: Not required

PCI - Access to Credit Card tables
  Description: Tracks all access/changes by the administrative accounts. The administrative accounts need to be specified during the configuration stage. The report should be reviewed and commented on by appropriate management.
  Required option settings: Object Audit Options

PCI - Successful/Unsuccessful Database Logins
  Description: Tracks all successful and failed logins.
  Required option settings: Not required

SOX compliance report templates

Abnormal or Unauthorized Changes to Data
  Description: This report shows all changes made to data by any account other than the application user account.
  Required option settings: Object Audit Options or User Audit Options

Abnormal Termination of Database Activity
  Description: This report shows failed database processes (i.e. financial transactions or failed login attempts) originating from an application server.
  Required option settings: Object Audit Options or User Audit Options

Abnormal Use of Service Accounts
  Description: This report shows service accounts and the associated or related transaction origins. For example, the use of a service account from an origin other than the application server would be shown.
  Required option settings: Object Audit Options or User Audit Options

End of Period Adjustments
  Description: This report shows changes to the general ledger at month-, quarter-, and year-end.
  Required option settings: Object Audit Options

History of Privilege Changes
  Description: This report shows changes to user access rights that were elevated or lessened in the database over time.
  Required option settings: Not required

Verification of Audit Settings
  Description: This report shows changes to configurable audit parameters.
  Required option settings: Not required

HIPAA compliance report templates

Privilege Changes
  Description: This report shows all user account additions, deletions, and changes.
  Required option settings: Object Audit Options

Logins
  Description: This report shows all successful and failed login attempts.
  Required option settings: Not required

Security Incident Procedures
  Description: This report shows what methods are used to communicate with external systems in case of security incidents.
  Required option settings: Not required

Access to the Assessment Logs
  Description: This report shows all activities related to the assessment logs.
  Required option settings: Not required

Access to EPHI Data
  Description: This report shows all access and changes to the EPHI data made by any account.
  Required option settings: Object Audit Options

User Privileges on EPHI Data
  Description: This report shows all users with access privileges for EPHI data.
  Required option settings: Object Audit Options

Privilege Summary
  Description: This report shows all users with privileges.
  Required option settings: Not required

Audit Controls
  Description: This report shows all audit settings.
  Required option settings: Not required


You cannot use regulatory compliance reports to monitor activity at the column level.


See also

- General steps for generating PCI, SOX, and HIPAA reports
- Report: Abnormal Termination of Database Activity
- Report: Abnormal or Unauthorized Changes to Data
- Report: Abnormal Use of Service Accounts
- Report: End of Period Adjustments
- Report: History of Privilege Changes
- Report: Verification of Audit Settings

General steps for generating PCI, SOX, and HIPAA reports

1. Configure your target databases. See Pre-configuration for monitoring target databases on page 79.

2. Configure the FortiDB connection to your target databases. See Adding (or modifying) a target connection on page 107.

3. Configure FortiDB compliance policies. See Configuring PCI, SOX and HIPAA policies on page 176.

4. Configure and start monitoring for the target database. For details, see Configuring target database monitoring on page 198.

5. Assuming that several violations occurred in your target database, under Reports, go to PCI Reports, Sox Reports, or HIPAA Reports.

6. Select one of the reports and export it:

- In the Export as field, select the format of the report to generate from the dropdown list: PDF, Excel, or CSV.
- (Optional) Enter a W/P reference and/or Customer name in each field.
- Enter the Date Range for data retrieval. The date entered in these fields means 00:00 (midnight) of that day. For example, 9/23/09 means 00:00 AM on 9/23/09.
- Select one or more target databases, or enable the All Targets check box for all databases.
- (Optional) Set filters to display only specific data in the report.
- Click Export to generate and export the report file.

See also

- PCI, SOX, and HIPAA reports
- Report: Abnormal Termination of Database Activity
- Report: Abnormal or Unauthorized Changes to Data
- Report: Abnormal Use of Service Accounts
- Report: End of Period Adjustments
- Report: History of Privilege Changes
- Report: Verification of Audit Settings

Report: Abnormal Termination of Database Activity

This report identifies failed database processes (that is, financial transactions) originating from the application server. This report should be reviewed on a daily basis by IT Management.

COBIT objectives

This report is designed to meet the following COBIT objectives:


Objective Number: DS10.1
Description: Routine transactions and processes between the application and the database are reviewed on a daily basis for successful completion by IT Management.

Setup requirements

Sox Abnormal Termination of Database Activity policy: Object Audit Options and/or User Audit Options

Report columns

The following columns are displayed in the report body.

User ID: The ID of the database user that conducted the flagged activity
Object: The name and owner of the database object that was directly manipulated by the flagged activity
Timestamp: The exact time the flagged activity was conducted
Terminal: The terminal IP address or name
Origin Application: The name, or other identifier, for the originating application, if the activity originated from an external application or from an application server
Action Type: The type of action successfully enacted by the User ID.
Error Code: The proprietary error code generated by the originating application.

See also

- General steps for generating PCI, SOX, and HIPAA reports

Report: Abnormal or Unauthorized Changes to Data

This report tracks all changes made to data by any account other than the application user account. The report should be reviewed and commented on by appropriate management on a quarterly basis.

COBIT objectives

This report is designed to meet the following COBIT objectives:

Objective Number: AI2.3
Description: Unauthorized changes to data by non-application accounts are tracked and reviewed by IT Management on a quarterly basis.

Setup requirements

Sox Abnormal or Unauthorized Changes to Data policy: Object Audit Options

Report columns

The following columns are displayed in the report body:

User ID: The ID of the database user that conducted the flagged activity
Object: The name and owner of the database object that was directly manipulated by the flagged activity
Timestamp: The exact time the flagged activity was conducted
Terminal: The terminal IP address or name
Origin Application: The name, or other identifier, for the originating application, if the activity originated from an external application or from an application server
Action Type: The type of action successfully enacted by the User ID.

By default, all actions are considered unauthorized. If you want, for example, to mark only UPDATEs as unauthorized actions, use the Filters section to filter out the other action types.

See also

- General steps for generating PCI, SOX, and HIPAA reports

Report: Abnormal Use of Service Accounts

This report identifies the use of service accounts and the associated transaction origins. For example: The use of a service account from an origin other than the application server would be identified. The report should be reviewed and commented on by IT Management on a weekly basis.

COBIT objectives

This report is designed to meet the following COBIT objectives:

Objective Number: DS5.3
Description: Database transactions from unauthorized sources are tracked and reviewed by IT Management on a weekly basis.

Setup requirements

Sox Abnormal Use of Service Accounts policy: Object Audit Options and/or User Audit Options


Report columns

The following columns are displayed in the report body.

User ID: The ID of the database user that conducted the flagged activity
Terminal: The terminal IP address or name
Originating Application: The name, or other identifier, for the originating application, if the activity originated from an external application or from an application server
Number of Actions: The number of actions attempted by the account associated with the User ID
Timestamp: The exact time the flagged activity was conducted

See also

- General steps for generating PCI, SOX, and HIPAA reports

Report: End of Period Adjustments

This report tracks changes to the general ledger at month/quarter/year end. The report should be reviewed and commented on by appropriate management on a monthly basis.

COBIT objectives

This report is designed to meet the following COBIT objectives:

Objective Number: AI2.3
Description: End of period adjustments to the general ledger are tracked and reviewed by Business Management on a monthly basis.

Setup requirements

Sox End of Period Adjustments policy: Object Audit Options

Report columns

The following columns are displayed in the report body.

User ID: The ID of the database user that conducted the flagged activity
Object: The name and owner of the database object that was directly manipulated by the flagged activity
Timestamp: The exact time the flagged activity was conducted
Terminal: The terminal IP address or name
Origin Application: The name, or other identifier, for the originating application, if the activity originated from an external application or from an application server
Action: The type of action successfully completed by the User ID.

See also

- General steps for generating PCI, SOX, and HIPAA reports

Report: History of Privilege Changes

This report tracks privileged changes to database user access rights (that is, granting of privileged or escalated access rights). The report identifies the database account that was changed, the type of privilege that was granted, the date of the change, and the account that initiated the change. The report should be reviewed by both IT and Business Management on a quarterly basis.

COBIT objectives

This report is designed to meet the following COBIT objectives:

Objective Number: AI2.4, DS3.5, DS5.3, DS5.4
Description: Changes to escalate database user access privileges are tracked for review on a quarterly basis by the IT manager and the application business manager.

Setup requirements

Sox History of Privilege Changes policy: just enable the policy. No Object Audit Options or User Audit Options settings are required.

Report columns

The following columns are displayed in the report body.

User ID: The ID of the database user that conducted the flagged activity
Grantee: The name of the user for whom privileges were changed
Action: The type of action successfully enacted by a non-application user account. Actions include UPDATE, INSERT, and GRANT
Target: The object on which the privileges were changed
Privilege Details: The type of object privilege granted to, or revoked from, the grantee.
Timestamp: The exact time the flagged activity was conducted.

See also

- General steps for generating PCI, SOX, and HIPAA reports

Report: Verification of Audit Settings

This report identifies any changes that have been made to the audit reporting and tracking capability of the database.

COBIT objectives

This report is designed to meet the following COBIT objectives:

Objective Number: DS3.5, DS5.5, DS13.3
Description: Audit tracking is configured on all financial databases; changes to audit functionality are reviewed by IT Management on a quarterly basis.

Setup requirements

There are two requirements:

1. At least one of the following types of audit policies must be run in order to collect audit data:

- Data Policies
- Privilege Policies: using the audit data retrieval method
- Metadata Policies: using the audit data retrieval method

2. To track audit activity with the Data policies, run the following commands on the target database:

   audit system audit;
   audit audit system;
   audit audit any;

   Then close and reopen your database connection in Data policies.

Report columns

The following columns are displayed in the report body.

User ID: The ID of the database user that conducted the flagged activity
OS User: The OS user that conducted the flagged activity
Object: The name and owner of the database object that was directly manipulated by the flagged activity
Timestamp: The exact time the flagged activity was conducted
Terminal: The terminal IP address or name
Origin Application: The name, or other identifier, for the originating application, if the activity originated from an external application or from an application server
Action: The type of action successfully enacted by the User ID.

See also

- General steps for generating PCI, SOX, and HIPAA reports

Activity Profiling Reports

FortiDB allows you to export activity profiling information in report form. You filter the information that FortiDB includes in the report by target database and, optionally, by database user and table.

For information on managing reports using the Activity Profiling Reports page, see Report management on page 239.

Alternatively, you can export the profiling results displayed on the Target DB Activity Profiling page. You cannot add a schedule or configure notification for this type of report. See Viewing and exporting activity profiling results on page 227.

To configure and run an activity profiling report

1. On the navigation menu, click Report > Activity Profiling Reports.

2. On the Activity Profiling Reports page, under Name, click Activity Profiling Report.

3. On the General tab, for Name, enter a name for the report and an optional description. Alternatively, you can use the default name (Activity Profiling Report). FortiDB adds the date to the name of each report it generates to distinguish it from any other reports with the default name.

4. Click the Data Filter tab.

5. For Target, select the target database whose activity profiling results you want to include in the report.

6. For DB Login/User, select either All Users or a specific user.

7. In the All Table Name list, select an item and click > (right arrow) to add it to the Selected Table Names list.

Repeat this step as required until all the tables to include in the report are in the list.

To select multiple items, click an item and then Shift-click a second item. Both items and any items between them are selected. Press Control-A to select all items.

8. Optionally, use the Schedule and Notification tabs to configure FortiDB to run the report at a scheduled time and send the report to one or more FortiDB administrators using email.

For detailed instructions, see Schedule and notification on page 241.

9. Click Save.

10. Do one of the following:

- If you configured the report to run at a scheduled time, wait for it to run.
- Click Run to run the report immediately.

11. When the Status value shows that the report is no longer running, click [+] (plus sign) to access the instance of the report that you generated.

See also

- Configuring monitoring using the TCP/IP sniffer (all database types)
- Activity profiling


Archiving audit data


DAM activity auditing and compliance audits that run with alert PCI, SOX, and HIPAA policies generate data that is stored in the FortiDB repository. To conserve repository space and improve performance, you can move this data to archive files that you can return to the repository later.

FortiDB allows you to archive and retrieve the following types of data:

- Assessment
- Alert
- Auditing (includes sniffer activity auditing data and SOX audit data generated by alert SOX policies)

Archiving data exports it to an encrypted file. When you retrieve data, FortiDB imports it back into its repository.

Depending on how often you assess or monitor databases and the number and type of policies and target databases involved, the archive files can consume a large amount of space. To make space available on your appliance, you can move the exported files to remote storage and retrieve them later, if necessary. FortiDB requires an FTP server for remote storage. You cannot use another type of server.

To generate reports using archived data, you first retrieve the data.

You cannot retrieve archived data if the target associated with the data is deleted. For example, if you archive assessment data for a target database and then delete the target configuration for that database, you cannot restore the archived assessment data.

The day and time that FortiDB created the archive is displayed in the Timestamp column on Retrieve tab.

You cannot retrieve any data that you have already retrieved. This limitation prevents duplicate records in the FortiDB repository.

Archiving example

In the following illustration, FortiDB archives assessments with a date between January 8, 2008 and January 10, 2008. (Because the archive interval starts at 0:00 a.m. on the start date and ends at 0:00 a.m. on the end date, FortiDB does not archive data for January 11.) The assessments for all other dates remain in the repository.


Archiving strategy

Plan an archiving configuration that is appropriate for your environment. For example, determine how often you archive data based on your volume of data, and when to start archiving based on that frequency.

For example, if you plan to keep up to 4 months' worth of data in your FortiDB repository, wait 4 months after installing FortiDB before archiving for the first time. After 4 months, in the Archive Period field of the Archive tab, select 3 Month(s) and older. This value archives all results except those that FortiDB ran during the previous three months. Schedule the archive to run immediately by specifying the current date and time. After archiving, three months' worth of data remains in your repository.

To maintain this frequency, you can either repeat the process of creating a 3 Month(s) and older archive every month or schedule it to occur automatically at an interval or on a specified day of the week or month.

Archiving data

The manual archiving process allows you to archive all assessment and monitoring data using a start and stop date. The scheduled archiving process allows you to archive data based on the age of the data relative to the date on which FortiDB does the archiving.

To immediately archive data based on its age, use the scheduled archiving process (Enable Auto Archive) and specify the current time and date.

To configure remote archiving

1. On the navigation menu, go to Administration > Archive/Retrieve.

2. On the Remote Archive Configuration tab, enter the IP Address, port, username, password and remote path for remote FTP server.

The remote archiving feature works with an FTP server only.

3. Click the Save button to save the remote server configuration.

To archive data manually

1. If you want to send the archive to a remote server, complete the settings on the Remote Archive Configuration tab. For more information, see To retrieve archived data on page 255.

2. In the navigation menu, go to Administration > Archive/Retrieve.

3. On the Archive tab, specify a start and end date for your archive.

Because the selected dates specify 0:00 a.m. on the start date and 0:00 a.m. of the end date, the archive does not include data generated on the end date.


4. Click Archive Now.

The message “Archiving Completed” is displayed in the Status area in the top-right corner of the page.

5. To send the archive to a remote server, on the Retrieve tab, select the archive you just created, and then click Send to remote server.

To archive data according to a schedule

1. If you want to send the archive to a remote server, complete the settings on the Remote Archive Configuration tab. For more information, see To retrieve archived data on page 255.

2. In the navigation menu, go to Administration > Archive/Retrieve.

3. On the Archive tab, select Enable Auto Archive.

4. Under Archive period, specify the end date for data in the archive by selecting the number of days, weeks, or months prior to the current date.

For example, 3 Month(s) and older creates an archive that contains all results except those that FortiDB ran in the last 3 months.

5. Under Run time, do one of the following:

- Enter a time and date for Start at.
- Under Recurrence pattern, select Hourly, Daily, Weekly, or Monthly:

  Hourly: Specify the hourly interval in the Every __ hours field.
  Daily: Specify the daily interval in the Every __ days field.
  Weekly: Specify the weekly interval in the Every __ week(s) on field, and then specify one or more days of the week on which FortiDB runs the archive.
  Monthly: Specify one or more months to run your archive in, and then do one of the following:
    - Select Day and specify, as a number, the day of the selected months on which FortiDB runs the archive.
    - Select The <ordinal number> <day of week> of every, and then select a day of the week in each selected month to run the archive on (for example, first Monday).

6. To send the archive file to a remote server, select Enable remote archive.

7. To delete the archived file from FortiDB, select Delete archive file after sending to remote server.

8. Click Save Schedule.

To retrieve archived data

1. In the navigation menu, go to Administration > Archive/Retrieve.

2. On the Retrieve tab, do one of the following:

- To retrieve an archive file that is stored on the appliance, in the list of files, select the file you want to retrieve, and then click Retrieve.
- To retrieve an archive file that is stored on the remote server, for Archive file path on remote server, enter the archive file path on the remote server, and then click Get from remote server.


When the retrieval process is complete, the message "Restoring Completed" is displayed in the Status area in the top-right area of the page.
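The archive window and retrieve rules from this chapter, worked through as an added Python model: a manual archive covers 0:00 on the start date up to, but not including, 0:00 on the end date; "N Month(s) and older" keeps the last N months; an archive cannot be retrieved a second time, nor after its target configuration is deleted. This is example code, not FortiDB's implementation; the record type, the Repository class, the target names and the sample assessments are constructed for illustration.

```python
"""FortiDB archive windows and retrieve rules, modelled in Python.
Added example, not Fortinet code: the record type, target names and the
Repository class are constructed to illustrate the rules stated in the text."""
from calendar import monthrange
from dataclasses import dataclass
from datetime import date, datetime, time


@dataclass(frozen=True)
class AssessmentRecord:      # constructed record type
    target: str
    ran_at: datetime


@dataclass
class Archive:               # one archive file; created is the Timestamp column
    created: datetime
    records: tuple
    retrieved: bool = False


def manual_window(start: date, end: date):
    """Manual archive: 0:00 on the start date up to, but not including, 0:00 on the end date."""
    if end <= start:
        raise ValueError("end date must be after start date")
    return datetime.combine(start, time.min), datetime.combine(end, time.min)


def months_before(moment: datetime, months: int) -> datetime:
    """Same wall-clock moment `months` months earlier, day clamped to the month's end."""
    year, month = moment.year, moment.month - months
    while month <= 0:
        month, year = month + 12, year - 1
    return moment.replace(year=year, month=month,
                          day=min(moment.day, monthrange(year, month)[1]))


class Repository:
    """Minimal stand-in for the FortiDB repository and its archive files."""

    def __init__(self, records):
        self.records = list(records)
        self.targets = {r.target for r in self.records}   # configured targets

    def archive_range(self, start: date, end: date, now: datetime) -> Archive:
        """Archive Now with a start and end date; the end date's data stays."""
        lo, hi = manual_window(start, end)
        return self._archive(lambda r: lo <= r.ran_at < hi, now)

    def archive_older_than(self, months: int, now: datetime) -> Archive:
        """'N Month(s) and older': keep only results from the last N months."""
        cutoff = months_before(now, months)
        return self._archive(lambda r: r.ran_at < cutoff, now)

    def _archive(self, selected, now: datetime) -> Archive:
        chosen = tuple(r for r in self.records if selected(r))
        self.records = [r for r in self.records if not selected(r)]
        return Archive(created=now, records=chosen)

    def delete_target(self, name: str) -> None:
        """Delete a target configuration and the data still held for it."""
        self.targets.discard(name)
        self.records = [r for r in self.records if r.target != name]

    def retrieve(self, archive: Archive) -> int:
        """Import an archive back; refuse a second import and orphaned targets."""
        if archive.retrieved:
            raise ValueError("archive already retrieved; import would duplicate records")
        missing = {r.target for r in archive.records} - self.targets
        if missing:
            raise ValueError(f"target configuration deleted: {sorted(missing)}")
        self.records.extend(archive.records)
        archive.retrieved = True
        return len(archive.records)


def sample_records():
    """Constructed sample: one assessment a day per target, 7 to 11 January 2008."""
    return [AssessmentRecord(target, datetime(2008, 1, day, 9, 0))
            for target in ("ora-finance", "mssql-hr") for day in range(7, 12)]


def demo() -> dict:
    """Run the scenarios from the text and return what each one yields."""
    now = datetime(2008, 1, 12, 8, 0)
    repo = Repository(sample_records())
    # Start 8 Jan, end 11 Jan: 8, 9 and 10 January are archived, never the 11th.
    archive = repo.archive_range(date(2008, 1, 8), date(2008, 1, 11), now)
    result = {"archived_days": sorted({r.ran_at.day for r in archive.records}),
              "remaining_days": sorted({r.ran_at.day for r in repo.records}),
              "restored": repo.retrieve(archive)}
    try:
        repo.retrieve(archive)                  # a second retrieve is refused
    except ValueError as err:
        result["second_retrieve"] = str(err)
    # "3 Month(s) and older" evaluated on 31 May 2008 keeps March, April and May.
    result["cutoff"] = months_before(datetime(2008, 5, 31, 9, 0), 3).isoformat()
    # Deleting a target makes the data archived for it unrecoverable.
    orphan = repo.archive_range(date(2008, 1, 7), date(2008, 1, 9), now)
    repo.delete_target("mssql-hr")
    try:
        repo.retrieve(orphan)
    except ValueError as err:
        result["orphan_retrieve"] = str(err)
    return result
```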

See also

- Configuring monitoring using the TCP/IP sniffer (all database types)
- Activity profiling


Using the command line interface (CLI)


You can use CLI commands to view system information and to change system level settings.

See also

- Connecting to the CLI
- Command syntax
- Tips & tricks
- Overview of commands


Connecting to the CLI


1. Log on to the FortiDB appliance as the admin user or as a user with the FortiDB System Administrator role, using one of the following methods:

- A terminal connected to the appliance's console port
- Remote login with SSH or Telnet (as permitted by FortiDB's network interface settings)

2. Enter the CLI command of interest.

For more information on the configuration to use, see Connecting to the web UI and CLI on page 49.

See also

- Command syntax
- Tips & tricks
- Overview of commands


Command syntax


Specifying file names and locations in commands

Use only letters, numbers, hyphens, and underscores in filenames and locations. Do not use spaces or special characters. For example, my_file is an acceptable name; my&file is not.

Entering spaces in command strings

Spaces are not allowed in strings that represent filenames or file locations.

When a string value other than a filename or location contains a space, do one of the following:

- Enclose the string in quotation marks: "Security Administrator", for example.
- Enclose the string in single quotes: 'Security Administrator', for example.
- Precede the space with a backslash (\): Security\ Administrator, for example.

Entering quotation marks in strings

If you want to include a quotation mark, single quote or apostrophe in a string, you must precede the character with a backslash character. To include a backslash, enter two backslashes.

Entering a question mark (?) in a string

If you want to include a question mark (?) in a string, you must precede the question mark with CTRL-V. Entering a question mark without first entering CTRL-V causes the CLI to display possible command completions, terminating the string.

Special characters that are not permitted in commands

The characters <, >, (, ), #, ', and " are not permitted in most FortiDB CLI fields, nor are they permitted in the passwords used to protect configuration-file backups.

Specifying IP address formats in commands

You can enter an IP address and subnet using either dotted decimal or slash-bit format. For example, you can type either: set ip 192.168.1.1 255.255.255.0 or set ip 192.168.1.1/24


The IP address is displayed in the configuration file in dotted decimal format.

Notation

This guide uses the following conventions to describe command syntax:

- Angle brackets < > indicate variables.
  For example: execute restore config <filename_str>
  You enter: execute restore config myfile.bak

- Vertical bar and curly brackets { | } separate alternative, mutually exclusive required keywords.
  For example: set protocol {ftp | sftp}
  You can enter: set protocol ftp or set protocol sftp

- Square brackets [ ] indicate that a keyword or variable is optional.
  For example: show system interface [<name_str>]
  To show the settings for all interfaces, you can enter show system interface. To show the settings for the Port1 interface, you can enter show system interface port1.

- A space separates options that can be entered in any order and in any combination and that must be separated by spaces.
  For example: set allowaccess {https ping ssh}
  You can enter any of the following:
  - set allowaccess ping
  - set allowaccess https ping
  - set allowaccess ssh
  - set allowaccess https ssh
  - set allowaccess https ping ssh
  In most cases, to change a list that contains options separated by spaces, you must retype the whole list, including all the options you want to apply and excluding all the options you want to remove.

- Special characters:
  - The \ is supported to escape spaces or as a line continuation character.
  - The single quotation mark ' and the double quotation mark " are supported, but must be used in pairs.
  - If there are spaces in a string, you must precede the spaces with the \ escape character or put the string in a pair of quotation marks.
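The quoting, escaping, filename and whole-list rules described in this section, encoded as an added Python helper for building and parsing FortiDB CLI lines (useful when a configuration script is generated rather than typed). This is example code, not part of FortiDB or this handbook; the function names, and the use of the three allowaccess options shown above as the complete option set, are assumptions.

```python
"""Helpers that apply the FortiDB CLI string rules from the Command syntax section.
Added example, not Fortinet code; function names are assumptions."""
import re

# Filenames and locations: letters, digits, hyphens and underscores only.
_FILENAME_RE = re.compile(r"[A-Za-z0-9_-]+")
# Characters the page lists as not permitted in most CLI fields and backup passwords.
_FORBIDDEN_FIELD_CHARS = frozenset('<>()#\'"')
# Characters that must be backslash-escaped inside an unquoted string value.
_ESCAPED_UNQUOTED = frozenset('\\"\' ')
# The allowaccess options shown in the notation example (assumed to be the full set).
_ALLOWACCESS_OPTIONS = ("https", "ping", "ssh")


def is_valid_filename(name: str) -> bool:
    """True for names such as my_file; False for my&file or names containing spaces."""
    return bool(_FILENAME_RE.fullmatch(name))


def check_field_value(value: str) -> str:
    """Raise if the value contains a character most CLI fields reject."""
    bad = sorted(_FORBIDDEN_FIELD_CHARS & set(value))
    if bad:
        raise ValueError(f"characters not permitted in CLI fields: {bad}")
    return value


def escape_cli_string(value: str) -> str:
    """Backslash-escape spaces, quotes and backslashes (no surrounding quotes)."""
    return "".join("\\" + ch if ch in _ESCAPED_UNQUOTED else ch for ch in value)


def quote_cli_string(value: str) -> str:
    """Wrap in a pair of double quotes, escaping embedded quotes and backslashes."""
    inner = "".join("\\" + ch if ch in '\\"\'' else ch for ch in value)
    return '"' + inner + '"'


def split_cli_line(line: str) -> list:
    """Split a CLI line into tokens, honouring both quote styles and backslashes."""
    tokens, current, quote, in_token, i = [], [], None, False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped char, also inside quotes
            current.append(line[i + 1])
            in_token = True
            i += 2
            continue
        if quote:
            if ch == quote:
                quote = None
            else:
                current.append(ch)
        elif ch in "\"'":
            quote, in_token = ch, True
        elif ch.isspace():
            if in_token:
                tokens.append("".join(current))
                current, in_token = [], False
        else:
            current.append(ch)
            in_token = True
        i += 1
    if quote:
        raise ValueError("quotation marks must be used in pairs")
    if in_token:
        tokens.append("".join(current))
    return tokens


def allowaccess_command(current, add=(), remove=()) -> str:
    """Build the full set allowaccess line. The CLI replaces the whole list,
    so the desired list is computed first and then emitted in full."""
    wanted = (set(current) | set(add)) - set(remove)
    unknown = wanted - set(_ALLOWACCESS_OPTIONS)
    if unknown:
        raise ValueError(f"unknown allowaccess options: {sorted(unknown)}")
    return "set allowaccess " + " ".join(o for o in _ALLOWACCESS_OPTIONS if o in wanted)
```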


See also

- Tips & tricks
- Overview of commands


Tips & tricks


Help

You can press the question mark (?) key to display command help.

- Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each command.
- Type a command followed by a space and press the question mark (?) key to display a list of the options available for that command and a description of each option.
- Type a command followed by an option and press the question mark (?) key to display a list of additional options available for that command-option combination and a description of each option.

Completing commands automatically

You can use the tab key or the question mark (?) key to complete commands.

- Press Tab at any prompt to scroll through the options available for that prompt.
- You can type the first characters of any command and press Tab or ? (question mark) to complete the command or to scroll through the options that are available at the current cursor position.
- After completing the first word of a command, you can press the space bar and then the Tab key to scroll through the options available at the current cursor position.

Recalling commands

You can recall previously entered commands by using the Up and Down arrow keys to scroll through commands you have entered.

Editing commands

Use the Left and Right arrow keys to move the cursor back and forth in a recalled command. You can also use the Backspace and Delete keys and the control keys listed in the following table to edit the command.

Function                                   Key combination
Beginning of line                          CTRL+A
End of line                                CTRL+E
Back one character                         CTRL+B
Forward one character                      CTRL+F
Delete current character                   CTRL+D
Previous command                           CTRL+P
Next command                               CTRL+N
Abort the command                          CTRL+C
If used at the root prompt, exit the CLI   CTRL+C

Breaking a long command

To break a long command over multiple lines, use a \ at the end of each line.

Abbreviating commands

You can abbreviate commands and command options to the smallest number of non-ambiguous characters. For example, the command get system status can be abbreviated to g sy st.

See also

- Command syntax
- Overview of commands


Overview of commands

Command branch: config

Supported commands:
- system admin setting
- system backup all-settings
- system debug filter
- system dns
- system global
- system interface
- system ntp
- system raid
- system route

Description: Use config to configure objects of FortiDB functionality. Top-level objects are not configurable; they are containers for more specific lower-level objects. For example, the system object contains DNS addresses, interfaces, routes and so on. When these objects are multiple, such as routes, they are organized in the form of a table. You can add, delete or edit the entries in the table. Table entries each consist of keywords that you can set to particular values. Simpler objects, such as system DNS, are a single set of keywords.

Command branch: execute

Supported commands:
- backup all-settings
- backup configurations
- backup fd-tcpdump
- backup-remove fd-archive
- backup-remove fd-report
- backup-remove fd-tcpdump
- date
- format disk
- generate certificate
- ping
- raid rebuild
- reboot
- reset
- restart
- restore all-settings
- restore configurations
- restore fd-archive
- shutdown
- time
- top
- traceroute

Description: Use execute to run static commands, to reset the FortiDB unit to factory defaults, or to back up or restore the FortiDB configuration. The execute commands are available only from the root prompt.


Command branch: show

Supported commands:
- system admin setting
- system backup all-settings
- system dns
- system global
- system interface
- system ntp
- system route

Description: Use show to display the FortiDB unit configuration. Only changes to the default configuration are displayed. You can use show within a config shell to display the configuration of that shell, or you can use show with a full path to display the configuration of the specified shell.


Command branch: diagnose

Supported commands:
- counter memory
- counter misc
- counter packet
- counter parser
- counter session
- debug application control basic
- debug application housekeep basic
- debug application parser basic
- debug application parser packet
- debug application sniffer abnormal
- debug application sniffer basic
- debug application sniffer block-ip
- debug application sniffer blocksession
- debug application sniffer ipreassemble
- debug application sniffer malformed-packet
- debug application sniffer packet
- debug application sniffer tcpreassemble
- log show|tail|remove
- mapping debug
- mapping reset
- mapping status
- network interface list
- network interface detail
- system coredump check
- system coredump export
- system export fd_log
- system raid list
- tcpdump start|stop
- tcpdump status

Description: Use diagnose commands to set debug parameters, view detailed information about Ethernet interfaces, or send diagnostic information to an FTP server.


See also

- get
- set


config

FortiDB provides the following config commands:

- config system admin setting
- config system backup all-setting
- config system debug-filter
- config system dns
- config system global
- config system interface
- config system ntp
- config system raid
- config system route

config system admin setting

The config system admin setting command allows you to configure web administration settings.

Syntax

config system admin setting
  set http_port <integer>
  set https_port <integer>
  set idle_timeout <integer>
end

where:

Variable: http_port
Description: The HTTP port number for web administration.
Default: 80

Variable: https_port
Description: The HTTPS port number for web administration.
Default: 443

Variable: idle_timeout
Description: The idle-timeout value, which ranges from 1 to 480 minutes.
Default: 5

Example

To set an idle-timeout value of 2 minutes and port 444 for HTTPS web administration:

config system admin setting
  set idle_timeout 2
  set https_port 444
end


See also

- show system admin setting

config system backup all-setting

The config system backup all-settings command allows you to set or check the settings for scheduled backups.

Syntax

config system backup all-settings
  set crptpasswd <passwd>
  set directory <dir_name>
  set passwd <pwd>
  set protocol {ftp | sftp}
  set server <string>
  set status {enable | disable}
  set time <hh:mm:ss>
  set user <user_name>
  set week_days {monday tuesday wednesday thursday friday}
end

where:

Keyword: crptpasswd <passwd>
Description: Optional password to protect backup content.
Default: None

Keyword: directory <dir_name>
Description: The directory on the backup server in which to save the backup file.
Default: None

Keyword: passwd <pwd>
Description: The password for the backup server.
Default: None

Keyword: protocol {ftp | sftp}
Description: The backup protocol.
Default: sftp

Keyword: server <string>
Description: The IP address or DNS-resolvable host name for the backup server.
Default: None

Keyword: status {enable | disable}
Description: Enable or disable scheduled backups.
Default: disable

Keyword: time <hh:mm:ss>
Description: The time of day to perform the backup. Time is required in the form <hh:mm:ss>.
Default: None

Keyword: user <user_name>
Description: The user account name for the backup server.
Default: None

Keyword: week_days {monday tuesday wednesday thursday friday}
Description: The day(s) of the week on which to perform backups. You may select multiple days.
Default: None

Example

The backup server is at 172.20.120.11 using the admin account with no password and saving the backup in the /usr/local/backups directory. Backups will be done on Mondays at 1:00pm using ftp.

config system backup all-settings
  set status enable
  set server 172.20.120.11
  set user admin
  set directory /usr/local/backups
  set week_days monday
  set time 13:00:00
  set protocol ftp
end

config system debug-filter

The config system debug-filter command allows you to filter logging of packet and SQL processes.

Enabling debug filters has an impact on system performance.

For information on other debugging commands, see diagnose on page 296.

Syntax

config system debug-filter
  edit <seq_num>
    set dst-ip <dst-ip_ip>
    set dst-port <dst-port_int>
    set ingress-intf {port1 | port2 | port3 | port4 | port5 | port6}
    set protocol {tcp | udp}
    set src-ip <src-ip_ip>
    set src-port <src-port_int>
end

where:

Keyword: <seq_num>
Description: Enter an unused filter number to create a new filter. Enter an existing filter number to edit that filter.
Default: None

Keyword: dst-ip <dst-ip_ip>
Description: Enter the packet destination IP address to match.
Default: None

Keyword: dst-port <dst-port_int>
Description: Enter the packet destination port to match.
Default: None

Keyword: ingress-intf {port1 | port2 | port3 | port4 | port5 | port6}
Description: Specify the interface on which FortiDB receives the traffic to which it applies this filter.
Default: None

Keyword: protocol {tcp | udp}
Description: Specify the packet layer 4 protocol to match.
Default: None

Keyword: src-ip <src-ip_ip>
Description: Enter the packet source IP address to match.
Default: None

Keyword: src-port <src-port_int>
Description: Enter the packet source port to match.
Default: None

config system dns

The config system dns command allows you to set the DNS server addresses.

Syntax

config system dns
  set primary <dns_ip>
  set secondary <dns_ip>
end

where:

Keyword: primary <dns_ip>
Description: Enter the primary DNS server IP address.
Default: 65.39.139.53

Keyword: secondary <dns_ip>
Description: Enter the secondary DNS server IP address.
Default: 65.39.139.63

Example

config system dns
  set primary 65.39.139.53
  set secondary 65.39.139.63
end

See also

- show system dns

config system global

The config system global command allows you to configure global settings that affect miscellaneous FortiDB features.

Syntax

config system global
  set console-output {more | standard}
  set daylightsavetime {enable | disable}
  set hostname <unithostname>
  set ssl-low-encryption {enable | disable}
  set swapmem {enable | disable}
  set timezone <timezone_number>
end

where:

Keyword: console-output {more | standard}
Description: Select how the output is displayed on the console. Select more to pause the output at each full screen until a key is pressed. Select standard for continuous output without pauses.
Default: standard

Keyword: daylightsavetime {enable | disable}
Description: Enable or disable daylight saving time. If you enable daylight saving time, the FortiDB system automatically adjusts the system time when the time zone changes to or from daylight saving time.
Default: enable

Keyword: hostname <unithostname>
Description: Enter a name for this FortiDB system.
Default: FD-XXX. The default hostname varies depending on the appliance.

Keyword: ssl-low-encryption {enable | disable}
Description: Enable or disable low-grade (40-bit) encryption.
Default: disable

Keyword: swapmem {enable | disable}
Description: Enable or disable virtual memory.
Default: enable

Keyword: timezone <timezone_number>
Description: The number corresponding to your time zone. Press ? to list time zones and their numbers. Choose the time zone for the FortiDB system from the list and enter the correct number.
Default: 00

Example

The following command turns on daylight saving time, sets the FortiDB system name to FDB1K, and chooses the Eastern time zone for US & Canada.

config system global
  set daylightsavetime enable
  set hostname FDB1k
  set timezone 12
end

See also

- show system global

config system interface

The config system interface command allows you to edit the configuration of a FortiDB network interface.

Syntax

config system interface
  edit <port>
    set allowaccess {http https ping ssh telnet}
    set ip <ipmask>
    set status {up | down}
end

where:

Variable: <port>
Description: <port> can be one of port1, port2, port3, port4.
Default: No default.

Variable: allowaccess {http https ping ssh telnet}
Description: Enter the types of management access permitted on this interface. Valid types are: http https ping ssh telnet. Separate multiple selected types with spaces. If you want to add or remove an option from the list, retype the list as required.
Default: Varies for each interface.

Variable: ip <ipmask>
Description: Enter the interface IP address and netmask. The IP address cannot be on the same subnet as any other interface.
Default: No default.

Variable: status {up | down}
Description: Start or stop the interface. If the interface is stopped it does not accept or send packets. If you stop a physical interface, VLAN interfaces associated with it also stop.
Default: up

Example

This example shows how to set the FortiDB port1 interface IP address and netmask to 192.168.100.159 255.255.255.0, and the management access to ping, https, and ssh.

config system interface
  edit port1
    set allowaccess ping https ssh
    set ip 192.168.100.159 255.255.255.0
    set status up
end

See also

- show system interface

config system mapping

The config system mapping command allows you to configure FortiDB to collect audit and alert data for FortiMonitor and transmit it via SSH File Transfer Protocol (SFTP).

FortiMonitor integration with FortiDB requires a FortiDB administrator with the name fortisiem. For more information, see FortiMonitor administrator on page 66.

Syntax

config system mapping
  set status {enable | disable}
  set limit-file <limit-file_int>
  set scan-cycle <scan-cycle_int>
  set range-start <date_str>
  set range-end <date_str>
end

where:

Variable: status {enable | disable}
Description: Enable or disable data collection and transmission for FortiDB.
Default: disable

Variable: limit-file <limit-file_int>
Description: Enter the maximum number of SFTP files the feature generates. Generating too many SFTP files can fill the appliance hard disk.
Default: 1000

Variable: scan-cycle <scan-cycle_int>
Description: Enter a value that specifies how long FortiDB pauses between collection cycles for FortiMonitor, in seconds. Adding pauses in data collection allows system resources to be available for target monitoring and other tasks. When you use smaller values, FortiDB collects data more quickly.
Default: 20

Variable: range-start <date_str>
Description: Enter the date and time to start collecting data for FortiMonitor using the format mm/dd/yyyy-hh:mm:ss, where:
- mm is the month. Valid months are 01 to 12.
- dd is the day of the month. Valid days are 01 to 31.
- yyyy is the year. Valid years are 2001 to 2037.
- hh is the hour. Valid hours are 00 to 23.
- mm is the minute. Valid minutes are 0 to 59.
- ss is the second. Valid seconds are 0 to 59.
Default: No default.

Variable: range-end <date_str>
Description: Optionally, enter the date and time to stop collecting data for FortiMonitor. If you do not specify this option, FortiDB collects data continuously after the specified start time.
Default: No default.

Examples

The following example starts data collection for FortiMonitor at a specific date and time with no specified stop time.

config system mapping
  set status enable
  set range-start 6/10/2014-16:26:23
end

The following example specifies data collection for FortiMonitor with both a start and stop time.

config system mapping
  set status enable
  set range-start 6/10/2014-00:00:00
  set range-end 7/10/2014-23:59:59
end

config system ntp

The config system ntp command allows you to configure automatic time setting using a network time protocol (NTP) server.

Syntax

config system ntp
  set server <server_ip>
  set status {enable | disable}
  set sync_interval <minutes>
end

where:

Variable: server <server_ip>
Description: Enter the IP address or fully qualified domain name of the NTP server.
Default: No default.

Variable: status {enable | disable}
Description: Enable or disable NTP time setting.
Default: disable

Variable: sync_interval <minutes>
Description: Enter how often, in minutes, the FortiDB system synchronizes its time with the NTP server.
Default: 60

config system raid

The config system raid command allows you to view or configure the hard disk RAID scheme.

Syntax

config system raid
  set level <raid_level_name>
end

where:

Variable: <raid_level_name>
Description: Specifies the RAID level. Valid values are determined by the FortiDB model and hard disk hardware.
Default: raid1

- Implementing RAID removes all existing data from the hard disks.
- FortiDB 2000B supports raid1 and raid5 only. To determine which RAID scheme your appliance supports, see your hardware specification.
- The appliance requires a minimum of 2 hard disks to implement RAID.
- After you implement RAID, you cannot return the hard disk to its original partitions.
- Use the CLI command get system raid to get the RAID level information.
- Use the CLI command diagnose system raid list to get current RAID status information.
- If the RAID schema is corrupted, use the CLI command execute raid rebuild to rebuild it.

Implementing RAID 5 on FortiDB 2000B

- The RAID 5 array requires at least 3 hard disks. You cannot implement RAID 5 on FortiDB 2000B if fewer than 3 hard disks are available.
- To ensure the hard disks have the same parameters, ensure they all have the same capacity, model, and vendor.

To remove the RAID 5 array

The unset operation removes the RAID 5 array and all data is lost. Perform this operation only if it is necessary.

1. Using the CLI, log in to the FortiDB 2000B as the user admin.

2. To enter RAID configuration, enter config system raid.

3. Enter unset level.

FortiDB prompts you to confirm the action and warns you that all the data on all hard disks will be lost.

4. To continue, enter y.

FortiDB starts the RAID 5 unset operation.

5. To format the hard disk, enter execute format disk.

FortiDB reboots automatically. After the reboot, FortiDB is available on the first hard disk.

Implementing RAID on FortiDB 3000B

FortiDB 3000D has an integrated RAID controller that supports RAID 0, 1, 5, 10, and other standard levels.

However, you cannot use the CLI commands to implement RAID on FortiDB 3000D. Instead, you set the RAID level in BIOS.

To access the FortiDB 3000D BIOS, a keyboard and a display device are required.

To enter the BIOS Configuration Utility, when the BIOS screen is displayed during startup, press CTRL-R.

After you change the RAID level, you must format the hard disk. To obtain the required format image, contact Fortinet Technical Support.


See also

- diagnose system raid list

config system route

The config system route command allows you to view or configure static routing table entries.

Syntax

config system route
  edit <seq_num>
    set device <port>
    set dst <dst_ip_mask>
    set gateway <gw_ip>
end

where:

Variable: <seq_num>
Description: Enter an unused routing sequence number to create a new route. Enter an existing route number to edit that route.
Default: No default.

Variable: device <port>
Description: Enter the port used for this route.
Default: No default.

Variable: dst <dst_ip_mask>
Description: Enter the IP address and mask for the destination network.
Default: 0.0.0.0 0.0.0.0

Variable: gateway <gw_ip>
Description: Enter the default gateway IP address for this network.
Default: 0.0.0.0

See also

- show system route
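As an added example (not FortiDB code and not part of this reference), the following Python checker parses config system snippets in the syntax shown in this chapter and flags the settings the chapter itself describes as weak: cleartext management protocols in allowaccess, ssl-low-encryption enable, scheduled backups over ftp or without a crptpasswd, and NTP left at its disabled default. The parser, the checks and both sample configurations are constructed for illustration.

```python
# Added example, not FortiDB code: a hardening check for "config system ..."
# snippets in the syntax this reference documents. The parser, the checks and
# both sample configurations below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Block:
    path: str                      # e.g. "system interface"
    name: str = ""                 # "edit" entry name; "" for single-object blocks
    settings: Dict[str, List[str]] = field(default_factory=dict)


def parse_config(text: str) -> List[Block]:
    """Parse config <path> / [edit <name>] / set <key> <values...> / end.
    Assumption: a bare "end" also closes an open edit entry, as in this
    reference's examples; a FortiOS-style "next" closes only the entry."""
    blocks: List[Block] = []
    path = ""
    current: Optional[Block] = None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            path = " ".join(args)
            current = Block(path)
        elif kw in ("edit", "next", "end") and current is not None:
            if current.name or current.settings:       # keep only filled entries
                blocks.append(current)
            if kw == "end":
                current = None
            else:
                current = Block(path, " ".join(args) if kw == "edit" else "")
        elif kw == "set" and current is not None and args:
            current.settings[args[0]] = args[1:]
    return blocks


def audit(blocks: List[Block]) -> List[str]:
    """Return findings for settings this reference describes as weak or risky."""
    findings: List[str] = []
    note = findings.append
    ntp_seen = False
    for b in blocks:
        s = b.settings
        if b.path == "system interface" and s.get("status", ["up"]) == ["up"]:
            clear = sorted(set(s.get("allowaccess", [])) & {"http", "telnet"})
            if clear:
                note(f"system interface {b.name}: cleartext management access in allowaccess: {' '.join(clear)}")
        elif b.path == "system global" and s.get("ssl-low-encryption") == ["enable"]:
            note("system global: ssl-low-encryption enable permits 40-bit encryption for web administration")
        elif b.path == "system backup all-settings" and s.get("status") == ["enable"]:
            if s.get("protocol", ["sftp"]) == ["ftp"]:        # documented default: sftp
                note("system backup all-settings: protocol ftp transfers the backup and credentials in cleartext")
            if not s.get("crptpasswd"):
                note("system backup all-settings: no crptpasswd; backup content is not password protected")
        elif b.path == "system ntp":
            ntp_seen = True
            if s.get("status", ["disable"]) != ["enable"]:    # documented default: disable
                note("system ntp: status is not enable; audit timestamps are not synchronized")
    if not ntp_seen:
        note("system ntp: not configured (default status is disable)")
    return findings


# Constructed sample with the weak settings, using values from this chapter's examples.
WEAK_CONFIG = """\
config system interface
  edit port1
    set allowaccess ping https ssh telnet
end
config system global
  set ssl-low-encryption enable
end
config system backup all-settings
  set status enable
  set protocol ftp
end
config system ntp
  set status disable
end
"""

# Constructed sample with the same blocks corrected; audit() returns no findings.
HARDENED_CONFIG = """\
config system interface
  edit port1
    set allowaccess ping https ssh
end
config system global
  set ssl-low-encryption disable
end
config system backup all-settings
  set status enable
  set protocol sftp
  set crptpasswd myCrptpasswd
end
config system ntp
  set status enable
end
"""
```

Run audit(parse_config(text)) over the output of the show commands listed in this chapter to compare an appliance against the two samples.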


execute

FortiDB provides the following execute commands:

- execute backup all-settings
- execute backup configurations
- execute backup fd-tcpdump
- execute backup-remove fd-archive
- execute backup-remove fd-report
- execute backup-remove fd-tcpdump
- execute date
- execute format disk
- execute generate certificate
- execute ping
- execute raid rebuild
- execute reboot
- execute reset
- execute restart
- execute restore all-settings
- execute restore configurations
- execute restore fd-archive
- execute shutdown
- execute time
- execute top
- execute traceroute

execute backup all-settings

The FortiDB CLI allows you to back up your local database to an FTP server.

After the backup is complete and the message “Transfer Finished” is displayed, press <enter> to return to the original prompt.


Syntax

execute backup all-settings <ftp server> <filepath> <username> <password> [crptpasswd]

where:

Variable: <ftp server>
Description: IP address or hostname of the FTP server.

Variable: <filepath>
Description: Location on the FTP server where you want the settings file to be placed. If you do not specify a name, the file name is fdb_allbackup.dat.

Variable: <username>
Description: User name of the account that logs on to the FTP server.

Variable: <password>
Description: Password of the account that logs on to the FTP server.

Variable: [crptpasswd]
Description: Optional password for protecting the settings file on the FTP server.

Example

execute backup all-settings <your_ftp_server> . <your_ftp_username> <your_ftp_password> myCrptpasswd

See also

- config system backup all-setting
- execute restore all-settings
- show system backup all-settings
- execute backup configurations

execute backup configurations

The FortiDB CLI allows you to back up your FortiDB configuration without backing up log data.

After the backup is complete and the message “Transfer Finished” is displayed, press <enter> to return to the original prompt.

Syntax

execute backup configurations <ftp server> <filepath> <username> <password> [crptpasswd]

where:

Variable: <ftp server>
Description: IP address or hostname of the FTP server.

Variable: <filepath>
Description: Location on the FTP server where you want to save the configuration file. If you do not specify a name, the file name is fdbconfigurations.data.

Variable: <username>
Description: User name of the account that logs on to the FTP server.

Variable: <password>
Description: Password of the account that logs on to the FTP server.

Variable: [crptpasswd]
Description: Optional password that protects the configuration file on the FTP server.

Example

This example saves the configuration file to the FTP server at 172.30.144.210 using the default file name and protects it with the password myCrptpasswd.

execute backup configurations 172.30.144.210 . dzhang 123456 myCrptpasswd

See also

- execute restore configurations
- execute backup all-settings

execute backup fd-tcpdump

The execute backup fd-tcpdump command allows you to export log files generated by tcpdump to an FTP site. FortiDB compresses the files before it sends them to the specified FTP site.

For information on generating tcpdump log files, see diagnose tcpdump start|stop on page 306.

Syntax

execute backup fd-tcpdump <ftp server> <username> <password> [directory] [filename]

where:

Variable: <ftp server>
Description: IP address or hostname of the FTP server.

Variable: <username>
Description: Username of the FTP server account.

Variable: <password>
Description: FTP server account password.

Variable: [directory]
Description: Location on the FTP server where you want to save the tcpdump file. If you do not specify a directory, FortiDB uses the default directory.

Variable: [filename]
Description: Name of the tcpdump file on the FTP server. If you do not specify a name, the file name is fdb-tcpdump.tgz.


Example

execute backup fd-tcpdump <your_ftp_server> <your_ftp_username> <your_ftp_password>

See also

- execute backup-remove fd-tcpdump
- diagnose tcpdump start|stop
- diagnose tcpdump status

execute backup-remove fd-archive

Allows you to back up archives to an FTP server and then remove them from the appliance.

After the backup is complete and the message “Transfer Finished” is displayed, press Enter to return to the original prompt.

Syntax

execute backup-remove fd-archive <before-date> <ftp server> <username> <password> [directory] [filename]

where:

Variable: <before-date>
Description: Date of the last archive you want included in your backup. For example, if you specify 2008-12-31, the backup will include archives up to this date. The format is YYYY-MM-DD: YYYY is a 4-digit number representing the year, MM is a 2-digit number from 1 to 12 representing the month, and DD is a 2-digit number from 1 to 31 representing the day of the month.

Variable: <ftp server>
Description: IP address or hostname of the FTP server.

Variable: <username>
Description: User name of the account that logs on to the FTP server.

Variable: <password>
Description: Password of the account that logs on to the FTP server.

Variable: [directory]
Description: Location on the FTP server where you want the tar file to be placed.

Variable: [filename]
Description: Name for the tar file on the FTP server in which the archives are placed. The default file name is FD-ARCHIVE-<before-date>.tar.

Example

execute backup-remove fd-archive 2008-07-30 <your_ftp_server> <your_ftp_username> <your_ftp_password> . myArchives.tar


See also

- execute restore fd-archive

execute backup-remove fd-report

This FortiDB CLI command allows you to back up reports to an FTP server and then remove them from the appliance.

After the backup is complete and the message “Transfer Finished” is displayed, press <enter> to return to the original prompt.

Syntax

execute backup-remove fd-report <before-date> <ftp server> <username> <password> [directory] [filename]

where:

Variable: <before-date>
Description: Date of the last report you want included in your backup. For example, if you specify 2008-12-31, the backup will include reports up to this date. The format is YYYY-MM-DD: YYYY is a 4-digit number representing the year, MM is a 2-digit number from 1 to 12 representing the month, and DD is a 2-digit number from 1 to 31 representing the day of the month.

Variable: <ftp server>
Description: IP address or hostname of the FTP server.

Variable: <username>
Description: User name of the account that logs on to the FTP server.

Variable: <password>
Description: Password of the account that logs on to the FTP server.

Variable: [directory]
Description: Location on the FTP server where you want the tar file to be placed.

Variable: [filename]
Description: Name for the tar file on the FTP server in which the reports are placed. The default file name is FD-REPORT-<before-date>.tar.

Example

execute backup-remove fd-report 2008-07-30 <your_ftp_server> <your_ftp_username> <your_ftp_password> . myReports.tar

See also

- Reports

execute backup-remove fd-tcpdump

The execute backup-remove fd-tcpdump command allows you to export log files generated by tcpdump to an FTP site and then remove the files from the local disk. FortiDB compresses the files before it sends them to the specified FTP site.

For information on generating tcpdump files, see diagnose tcpdump start|stop on page 306.

Syntax

execute backup-remove fd-tcpdump <ftp server> <username> <password> [directory] [filename]

where:

Variable: <ftp server>
Description: IP address or hostname of the FTP server.

Variable: <username>
Description: Username of the FTP server account.

Variable: <password>
Description: FTP server account password.

Variable: [directory]
Description: Location on the FTP server where you want to save the tcpdump file. If you do not specify a directory, FortiDB uses the default directory.

Variable: [filename]
Description: Name of the tcpdump file on the FTP server. If you do not specify a name, the file name is fdb-tcpdump.tgz.

Example

execute backup-remove fd-tcpdump <your_ftp_server> <your_ftp_username> <your_ftp_password>

See also

- execute backup fd-tcpdump
- diagnose tcpdump start|stop
- diagnose tcpdump status

execute date

The execute date command allows you to get or set the system date. If you do not specify a date, the command returns the current system date.

Syntax

execute date [<date_str>]

where:

Variable: <date_str>
Description: This variable has the form mm/dd/yyyy.
- mm is the month and can be 01 to 12
- dd is the day of the month and can be 01 to 31
- yyyy is the year and can be 2001 to 2100
Dates entered will be validated: mm and dd require 2 digits, and yyyy requires 4 digits.

Example

To set the date to 17 September 2013: execute date 09/17/2013

See also

- Setting the system time

execute format disk

The execute format disk command allows you to format the hard disk on the FortiDB system.

Executing this command will erase all device settings/images, VPN & Update Manager databases, and log data on the FortiDB system's hard drive. FortiDB's IP address and routing information are preserved.

Syntax

execute format disk

When you run this command, FortiDB prompts you to confirm the request.

Warning: If you use this command without first running the execute backup all-settings command, you may not be able to view assessments or reports after you archive and restore your data. When you want to archive and format the disk, make sure that you run the config system backup all-settings command before archiving.

execute generate certificate

The execute generate certificate command allows you to regenerate the certificate for FortiDB web administration.

Syntax

execute generate certificate keysize {keysize}

The variable {keysize} is the size of the subject's public key for the certificate. Valid values are 1024 or 2048.

The FortiDB system must be rebooted after generating a new certificate.


execute ping

The execute ping command allows you to send an ICMP echo request (ping) to test the network connection between the FortiDB system and another network device.

Syntax

execute ping {<ip> | <hostname>}

where:

Variable: <ip>
Description: IP address of the network device to contact.

Variable: <hostname>
Description: DNS-resolvable hostname of the network device to contact.

Example

To ping a host with the IP address 192.168.1.23: execute ping 192.168.1.23

execute raid rebuild

The execute raid rebuild command allows you to rebuild the hard disk raid when the raid is corrupted.

Syntax

execute raid rebuild

- Rebuilding the RAID removes all existing data on the second hard disk.
- If you only replace the second disk of an existing RAID, the newly inserted disk synchronizes with the RAID automatically and does not need a rebuild. If the second disk was previously part of another RAID volume, it usually needs to be rebuilt.

execute reboot

The execute reboot command allows you to restart the FortiDB system. It disconnects all sessions on the FortiDB system.

Syntax

execute reboot

execute reset

The execute reset command allows you to reset the FortiDB system to factory defaults. It disconnects all sessions and restarts FortiDB.


Syntax

execute reset {admin-password | all-settings | data}

where:

Variable: admin-password
Description: Reset the admin password to the default password.

Variable: all-settings
Description: Reset all settings.

Variable: data
Description: Reset the database.

Example

execute reset all-settings

execute restart

This FortiDB CLI command allows you to restart the application server under which both FortiDB-VA (Vulnerability Assessment) and FortiDB-DAM (DB Activity Monitoring) are running.

Syntax

execute restart appserver

execute restore all-settings

This FortiDB CLI command allows you to restore your previously backed-up local database, FortiDB system configuration settings, archives, and reports.

Syntax

execute restore all-settings <ftp server> <filepath> <username> <password> [crptpasswd]

where:

Variable: <ftp server>
Description: IP address or hostname of the FTP server.

Variable: <filepath>
Description: Location of, and filename for, the settings file on the FTP server.

Variable: <username>
Description: User name of the account that logs on to the FTP server.

Variable: <password>
Description: Password of the account that logs on to the FTP server.

Variable: [crptpasswd]
Description: Optional password for protecting the settings file on the FTP server.

This operation will replace your current settings and necessitate a reboot.

Example

execute restore all-settings <your_ftp_server> ./fdb_allbackup.dat <your_ftp_username> <your_ftp_password> myCrptpasswd

See also

- config system backup all-setting
- execute backup all-settings
- show system backup all-settings

execute restore configurations

Use this command to restore FortiDB system configuration settings that you backed up to an FTP server.

This command replaces the existing configuration with the restored configuration, deletes all alert and audit data, and restarts FortiDB.

Syntax

execute restore configurations <ftp server> <filepath> <username> <password> [crptpasswd]

where:

Variable: <ftp server>
Description: IP address or hostname of the FTP server.

Variable: <filepath>
Description: Location of, and filename for, the configuration file on the FTP server.

Variable: <username>
Description: User name of the account that logs on to the FTP server.

Variable: <password>
Description: Password of the account that logs on to the FTP server.

Variable: [crptpasswd]
Description: Optional password for protecting the configuration file on the FTP server.

This operation replaces your current configuration and requires you to reboot FortiDB.

Example

execute restore configurations 172.30.144.210 ./fdb-configurations.dat dzhang 123456 myCrptpasswd

See also

- execute backup configurations
- execute restore all-settings

execute restore fd-archive

This FortiDB CLI command allows you to restore your previously backed-up archives.

Syntax

execute restore fd-archive <ftp server> <filepath> <username> <password>

where:

Variable: <ftp server>
Description: IP address or hostname of the FTP server.

Variable: <filepath>
Description: Location of, and filename for, the settings file on the FTP server.

Variable: <username>
Description: User name of the account that logs on to the FTP server.

Variable: <password>
Description: Password of the account that logs on to the FTP server.

This operation will replace your current settings and necessitate a reboot.

Example

execute restore fd-archive <your_ftp_server> ./fdb_allbackup.dat <your_ftp_username> <your_ftp_password>

See also

- execute backup-remove fd-archive

execute shutdown

The execute shutdown command allows you to shut down the FortiDB system. This command will disconnect all sessions.

Syntax

execute shutdown

execute time

The execute time command allows you to get or set the system time.


Syntax

execute time [<time_str>]

where:

Variable | Description
<time_str> | The time, in the form hh:mm:ss, where hh is the hour (00 to 23), mm is the minutes (00 to 59), and ss is the seconds (00 to 59). All parts of the time are required; single digits are allowed for each of hh, mm, and ss.

If you do not specify a time, the command returns the current system time.

Example

To set the system time to 15:31:03: execute time 15:31:03

See also

• execute date
• Setting the system time

execute top

The execute top command allows you to view the processes running on the FortiDB system.

Syntax

execute top

To exit the display, type q. Other interactive commands are available while running top. For help on them, type h.

The execute top command displays output similar to the following:

15:28:03 up 2 days, 0 users, load average: 0.06, 0.04, 0.01
Tasks: 82 total, 2 running, 80 sleeping, 0 stopped, 0 zombie
CPU(s): 0.0% us, 0.0% sy, 0.0% ni, 100.0% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 2069772K total, 485764K used, 1584008K free, 40124K buffers
Swap: 2069764K total, 0K used, 2069764K free, 7275k cached

PID USER PR NI VIRT RES  SHR S %CPU %MEM TIME+   COMMAND
  1 root 18  0 3232 1012 720 S    0  0.0 0:07.12 init
  2 root RT  0    0    0   0 S    0  0.0 0:00.00 migration/0
  3 root 34 19    0    0   0 S    0  0.0 0:00.00 ksoftirqd/0
  4 root RT  0    0    0   0 S    0  0.0 0:00.00 migration/1
  5 root 39 19    0    0   0 S    0  0.0 0:00.00 ksoftirqd/1
  6 root RT  0    0    0   0 S    0  0.0 0:00.00 migration/2
  7 root 33 19    0    0   0 S    0  0.0 0:00.00 ksoftirqd/2
  8 root RT  0    0    0   0 S    0  0.0 0:00.00 migration/3
  9 root 34 19    0    0   0 S    0  0.0 0:00.00 ksoftirqd/3
 10 root 10 -5    0    0   0 S    0  0.0 0:00.00 events/0
 11 root 10 -5    0    0   0 S    0  0.0 0:00.00 events/1
 12 root 10 -5    0    0   0 S    0  0.0 0:00.00 events/2
 13 root 10 -5    0    0   0 S    0  0.0 0:00.00 events/3
 14 root 10 -5    0    0   0 S    0  0.0 0:00.00 khelper
 15 root 10 -5    0    0   0 S    0  0.0 0:00.00 kthread
 21 root 10 -5    0    0   0 S    0  0.0 0:00.00 kblockd/0

execute traceroute

The execute traceroute command allows you to test the connection between the FortiDB system and another network device, and display information about the network hops between the device and the FortiDB system.

Syntax

execute traceroute {<address_ipv4> | <host-name>}

where:

Variable | Description
<address_ipv4> | IP address of the network device.
<host-name> | FQDN hostname of the network device.

Example

execute traceroute <your_IPaddress>

show

This topic contains the information about the show system commands that are available to the FortiDB user.

Only changes to the default configuration are displayed.

You can use the show command within a config shell to display the configuration of that shell, or you can use the show command with a full path to display the configuration of the specified shell. To display the configuration of all config shells, you can use the show command from the root prompt.

FortiDB provides the following show commands:

• show system admin setting
• show system backup all-settings
• show system dns
• show system global
• show system interface
• show system ntp
• show system route

show system admin setting

The show system admin setting command displays the system administration settings that have been changed from their defaults.

Syntax

show system admin setting

See also

• config system admin setting

show system backup all-settings

The show system backup all-settings command displays the system backup settings that have been changed from their defaults.

Syntax

show system backup all-settings

See also

• config system backup all-setting
• execute backup all-settings
• execute restore all-settings

show system dns

The show system dns command displays the DNS server addresses that have been changed from their defaults.

Syntax

show system dns

Example

The following is an example of the result of the show system dns command:

FD-XXX # show system dns
config system dns
    set primary 65.39.139.53
    set secondary 65.39.139.63
end

See also

• config system dns

show system global

The show system global command displays the global settings that have been changed from their defaults.

Syntax

show system global

See also

• config system global

show system interface

The show system interface command displays the FortiDB network interface settings that have been changed from their defaults.

Syntax

show system interface

Example

FD-XXX # show system interface
config system interface
    edit "port1"
        set ip 172.30.62.80 255.255.255.0
        set allowaccess ping https ssh telnet http
end

The allowaccess line lists the management protocols accepted on the interface. In this example it includes telnet and http, which carry administrator credentials in cleartext; on a production appliance, restrict allowaccess to https and ssh (plus ping if you need it) using config system interface.

See also

• config system interface
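The show commands print configuration in the config/edit/set/end layout used in the examples above. The following script, added here as an example and not code from FortiDB or this handbook, parses that layout into a dictionary and flags any interface whose allowaccess list includes telnet or http, which send administrator credentials in cleartext. The sample output it reads is constructed to match the page's examples; it also includes a `next` line between interface entries, which the script tolerates even though the FortiDB example above omits it.

```python
"""Parse FortiDB `show system ...` output and flag cleartext management access.

Added example. Assumes the show output layout seen on this page: a `config <path>`
block, optional `edit "<name>"` entries, `set <key> <values...>` lines, an
optional `next`, and a closing `end`. The CLI prompt line (FD-XXX #) is ignored.
"""
import shlex

# Constructed sample, modelled on the show system interface / dns examples.
SAMPLE_SHOW_OUTPUT = """\
FD-XXX # show system interface
config system interface
    edit "port1"
        set ip 172.30.62.80 255.255.255.0
        set allowaccess ping https ssh telnet http
    next
    edit "port2"
        set ip 10.1.1.80 255.255.255.0
        set allowaccess ping https ssh
end
FD-XXX # show system dns
config system dns
    set primary 65.39.139.53
    set secondary 65.39.139.63
end
"""

# Management protocols that carry credentials in cleartext.
CLEARTEXT_ACCESS = {"telnet", "http"}


def parse_show(text):
    """Parse show output into {config path: {entry or None: {key: [values]}}}.

    `set` lines that sit directly under `config` (no enclosing `edit`) are
    stored under the key None. Unknown lines, such as the prompt, are skipped.
    """
    result = {}
    path = None   # current `config ...` path, e.g. "system interface"
    entry = None  # current `edit "<name>"` entry, or None at config level
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # strips the quotes around edit names
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config" and args:
            path, entry = " ".join(args), None
            result.setdefault(path, {})
        elif path is None:
            continue  # outside any config block (prompt lines, noise)
        elif keyword == "edit" and args:
            entry = args[0]
            result[path].setdefault(entry, {})
        elif keyword == "set" and args:
            result[path].setdefault(entry, {})[args[0]] = args[1:]
        elif keyword == "next":
            entry = None
        elif keyword == "end":
            path, entry = None, None
    return result


def find_cleartext_admin_access(parsed):
    """Return [(interface, [cleartext protocols])] for every interface whose
    allowaccess list enables telnet or http."""
    findings = []
    for name, settings in parsed.get("system interface", {}).items():
        allowed = set(settings.get("allowaccess", []))
        exposed = sorted(allowed & CLEARTEXT_ACCESS)
        if exposed:
            findings.append((name, exposed))
    return findings


if __name__ == "__main__":
    parsed = parse_show(SAMPLE_SHOW_OUTPUT)
    for iface, protos in find_cleartext_admin_access(parsed):
        print(f"{iface}: cleartext management access enabled: {', '.join(protos)}")
```

Because show prints only settings that differ from the defaults, an interface that does not appear in the output has not been changed; confirm its effective allowaccess with get or config system interface before treating silence as safe.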

show system ntp

The show system ntp command displays changes to the automatic time setting that uses a network time protocol (NTP) server.

Syntax

show system ntp

Example

The following is an example result of show system ntp:

FD-XXX # show system ntp
config system ntp
    set server "132.246.168.147"
    set status enable
    set sync_interval 120
end

See also

• config system ntp

show system route

The show system route command displays the static routing table entries that have been changed from their defaults.

Syntax

show system route

Example

The following is an example result of show system route:

FD-XXX # show system route
config system route
    edit 1
        set device "port1"
        set gateway 172.30.62.254
end

See also

• config system route

get

The get commands allow you to retrieve system setting and activity information. They include the following commands:

• get system target-database — Displays information about all monitored database targets and the associated audit policies.
• get system session — Displays all active session information.
• get system block-ip — Displays all blocked IP addresses. When traffic matches these IP addresses, FortiDB generates a TCP reset packet.
• get system block-session — Displays all blocked sessions. If traffic matches the blocked session characteristics, FortiDB generates a TCP reset packet.
• get system counter — Displays current system counter information.
• get system debug-filter <seq_num> — Displays debug-filter settings. <seq_num> is the number of the filter to display. See config system debug-filter on page 270.

Example

To retrieve the current system administration settings:

get system admin setting <Enter>
http_port : 80
https_port : 443
idle_timeout : 2


set

The set command allows you to set specific properties within a settings category.

Example

To change a default value for a property within the system administration settings category, first display the current settings. Because show prints only values that differ from the defaults, the block is empty:

show system admin setting <Enter>
config system admin setting
end

Enter the config shell, set the property, and leave the shell:

config system admin setting <Enter>
(setting)# set idle_timeout 2
(setting)# end

The show command now displays the changed property:

show system admin setting <Enter>
config system admin setting
    set idle_timeout 2
end

diagnose

The diagnose command displays diagnostic information that helps you to troubleshoot problems.

FortiDB provides the following diagnose commands:

• diagnose counter memory
• diagnose counter misc
• diagnose counter packet
• diagnose counter parser
• diagnose counter session
• diagnose debug application control basic
• diagnose debug application housekeep basic
• diagnose debug application parser basic
• diagnose debug application parser packet
• diagnose debug application sniffer abnormal
• diagnose debug application sniffer basic
• diagnose debug application sniffer block-ip
• diagnose debug application sniffer block-session
• diagnose debug application sniffer ip-reassemble
• diagnose debug application sniffer malformed-packet
• diagnose debug application sniffer packet
• diagnose debug application sniffer tcp-reassemble
• diagnose mapping debug
• diagnose mapping reset
• diagnose mapping status
• diagnose log show|tail|remove
• diagnose system coredump check
• diagnose system coredump export
• diagnose system export fd_log
• diagnose system raid list
• diagnose tcpdump start|stop
• diagnose tcpdump status
• diagnose network interface list
• diagnose network interface detail

diagnose counter memory

Allows you to show all memory-related counters.

Syntax

diagnose counter memory all

See also

• diagnose counter misc
• diagnose counter packet
• diagnose counter parser
• diagnose counter session

diagnose counter misc

Allows you to show miscellaneous counters.

Syntax

diagnose counter misc all

See also

• diagnose counter memory
• diagnose counter packet
• diagnose counter parser
• diagnose counter session

diagnose counter packet

Allows you to show all packet-related counters.

Syntax

diagnose counter packet {all | error | ethernet | ip | ip-reassemble | summary | tcp}

where:

Keywords | Description
{all | error | ethernet | ip | ip-reassemble | summary | tcp} | Specifies the type of packet counter to display.

See also

• diagnose counter memory
• diagnose counter misc
• diagnose counter parser
• diagnose counter session

diagnose counter parser

Allows you to show all SQL statement parser counters.

Syntax

diagnose counter parser all

See also

• diagnose counter memory
• diagnose counter misc
• diagnose counter packet
• diagnose counter session

diagnose counter session

Allows you to show session and hash-table-related counters.

Syntax

diagnose counter session {all | error | summary | table-operate | tcp-reassemble}

where:

Keywords | Description
{all | error | summary | table-operate | tcp-reassemble} | Specifies the type of session or hash-table counter to display.

See also

• diagnose counter memory
• diagnose counter misc
• diagnose counter packet
• diagnose counter parser

diagnose debug application control basic

Allows you to enable basic debugging for the control thread.

Syntax

diagnose debug application control basic {enable | disable}

See also

• diagnose debug application housekeep basic
• diagnose debug application parser basic
• diagnose debug application sniffer basic

diagnose debug application housekeep basic

Allows you to enable basic debugging for the housekeep thread.

Syntax

diagnose debug application housekeep basic {enable | disable}

See also

• diagnose debug application control basic
• diagnose debug application parser basic
• diagnose debug application sniffer basic

diagnose debug application parser basic

Allows you to enable basic debugging for the parser thread.

Syntax

diagnose debug application parser basic {enable | disable}

See also

• diagnose debug application control basic
• diagnose debug application housekeep basic
• diagnose debug application parser packet
• diagnose debug application sniffer basic

diagnose debug application parser packet

Allows you to enable packet debugging for the parser thread.

Syntax

diagnose debug application parser packet {enable | disable}

See also

• diagnose debug application parser basic
• diagnose debug application sniffer malformed-packet
• diagnose debug application sniffer packet

diagnose debug application sniffer abnormal

Allows you to enable abnormal debugging for the sniffer thread.

Syntax

diagnose debug application sniffer abnormal {enable | disable}

See also

• diagnose debug application sniffer basic
• diagnose debug application sniffer block-ip
• diagnose debug application sniffer block-session
• diagnose debug application sniffer ip-reassemble
• diagnose debug application sniffer malformed-packet
• diagnose debug application sniffer packet
• diagnose debug application sniffer tcp-reassemble

diagnose debug application sniffer basic

Allows you to enable basic debugging for the sniffer thread.

Syntax

diagnose debug application sniffer basic {enable | disable}

See also

• diagnose debug application sniffer abnormal
• diagnose debug application sniffer block-ip
• diagnose debug application sniffer block-session
• diagnose debug application sniffer ip-reassemble
• diagnose debug application sniffer malformed-packet
• diagnose debug application sniffer packet
• diagnose debug application sniffer tcp-reassemble

diagnose debug application sniffer block-ip

Allows you to enable debugging for IP blocking activity in the sniffer thread.

Syntax

diagnose debug application sniffer block-ip {enable | disable}

See also

• diagnose debug application sniffer abnormal
• diagnose debug application sniffer basic
• diagnose debug application sniffer block-session
• diagnose debug application sniffer ip-reassemble
• diagnose debug application sniffer malformed-packet
• diagnose debug application sniffer packet
• diagnose debug application sniffer tcp-reassemble

diagnose debug application sniffer block-session

Allows you to enable debugging for session blocking activity in the sniffer thread.

Syntax

diagnose debug application sniffer block-session {enable | disable}

See also

• diagnose debug application sniffer abnormal
• diagnose debug application sniffer basic
• diagnose debug application sniffer block-ip
• diagnose debug application sniffer ip-reassemble
• diagnose debug application sniffer malformed-packet
• diagnose debug application sniffer packet
• diagnose debug application sniffer tcp-reassemble

diagnose debug application sniffer ip-reassemble

Allows you to enable debugging for IP reassembling activity in the sniffer thread.

Syntax

diagnose debug application sniffer ip-reassemble {enable | disable}

See also

• diagnose debug application sniffer abnormal
• diagnose debug application sniffer basic
• diagnose debug application sniffer block-ip
• diagnose debug application sniffer block-session
• diagnose debug application sniffer malformed-packet
• diagnose debug application sniffer packet
• diagnose debug application sniffer tcp-reassemble

diagnose debug application sniffer malformed-packet

Allows you to enable debugging for malformed packets in the sniffer thread.

Syntax

diagnose debug application sniffer malformed-packet {enable | disable}

See also

• diagnose debug application sniffer abnormal
• diagnose debug application sniffer basic
• diagnose debug application sniffer block-ip
• diagnose debug application sniffer block-session
• diagnose debug application sniffer ip-reassemble
• diagnose debug application sniffer packet
• diagnose debug application sniffer tcp-reassemble

diagnose debug application sniffer packet

Allows you to enable packet debugging for the sniffer thread.

Syntax

diagnose debug application sniffer packet {enable | disable}

See also

• diagnose debug application sniffer abnormal
• diagnose debug application sniffer basic
• diagnose debug application sniffer block-ip
• diagnose debug application sniffer block-session
• diagnose debug application sniffer ip-reassemble
• diagnose debug application sniffer malformed-packet
• diagnose debug application sniffer tcp-reassemble

diagnose debug application sniffer tcp-reassemble

Allows you to enable debugging for TCP reassembling activity in the sniffer thread.

Syntax

diagnose debug application sniffer tcp-reassemble {enable | disable}

See also

• diagnose debug application sniffer abnormal
• diagnose debug application sniffer basic
• diagnose debug application sniffer block-ip
• diagnose debug application sniffer block-session
• diagnose debug application sniffer ip-reassemble
• diagnose debug application sniffer malformed-packet
• diagnose debug application sniffer packet

diagnose log show|tail|remove

Allows you to show, follow, or remove debug logs.

Syntax

diagnose log show|tail|remove fortidb-log|tomcat-log|localhost-log

where:

Keyword | Description
show | Show the specified log.
tail | Print the tail of the specified log, and continue to output appended data as the file grows.
remove | Remove the specified log.
fortidb-log | Log of the FortiDB application server.
tomcat-log | Initialization log from Tomcat.
localhost-log | Localhost log from Tomcat.

Example

diagnose log tail fortidb-log

See also

• diagnose system export fd_log

diagnose mapping debug

Syntax

diagnose mapping debug {enable | disable}

See also

• diagnose mapping reset
• diagnose mapping status

diagnose mapping reset

Syntax

diagnose mapping reset enable

See also

• diagnose mapping debug
• diagnose mapping status

diagnose mapping status

Syntax

diagnose mapping status {alert | all | audit | control}

See also

• diagnose mapping debug
• diagnose mapping reset

diagnose system coredump check

Use this command to view the results of the coredump task. FortiDB generates coredump files when the system fails.

Syntax

diagnose system coredump check

Example

diagnose system coredump check

This example shows the command output after a system failure; it reports how many coredump files each FortiDB daemon has produced:

Coredump check result:
Flowd happened 4 times!
Monitord happened 0 times!
Cliproxyd happened 0 times!

See also

• diagnose system coredump export

diagnose system coredump export

Use this command to export FortiDB coredump files to a location on an FTP server.

After a system failure, FortiDB generates coredump files that contain the memory of the failed process at the time of the crash. These files are useful for troubleshooting problems with the TCP/IP sniffer.

Because a coredump is a copy of process memory, it can include captured database traffic and other sensitive data. Export it only to an FTP server that you control, and keep in mind that FTP sends both the credentials and the files unencrypted.

Syntax

diagnose system coredump export <ftp server> <username> <password> [filepath]

where:

Variable | Description
<ftp server> | IP address or hostname of the FTP server.
<username> | User name of the account that logs on to the FTP server.
<password> | Password of the account that logs on to the FTP server.
[filepath] | Location on the FTP server that FortiDB exports the coredump files to.

Example

This example exports the coredump files to the FTP server at 172.30.144.210.

diagnose system coredump export 172.30.144.210 dzhang 123456

The command generates output similar to the following:

Packaging the coredump files...
Transferring the files...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  142M    0     0  100  142M      0 11.0M  0:00:12  0:00:12 --:--:-- 11.1M
Succeeded in uploading coredump files!

See also

• diagnose system coredump check

diagnose system export fd_log

Allows you to export debug log files to an FTP server.

Syntax

diagnose system export fd_log <ftp server> <username> <password> [directory] [filename]

where:

Variable | Description
<ftp server> | IP address or hostname of the FTP server.
<username> | User name of the account that logs on to the FTP server.
<password> | Password of the account that logs on to the FTP server.
[directory] | Location on the FTP server where you want the diagnostic file to be placed.
[filename] | Name of the zip file, containing several log files, that is put on the FTP server. If you do not specify a filename, the file is called fortidb.zip.

Example

diagnose system export fd_log <your_ftp_server> <your_ftp_username> <your_ftp_password> . myDiagnose.zip

See also

• diagnose log show|tail|remove

diagnose system raid list

Allows you to check hard disk RAID status.

Syntax

diagnose system raid list

See also

• diagnose log show|tail|remove

diagnose tcpdump start|stop

Allows you to use tcpdump to log packet traffic information for a target database and save it to the local disk.

Like the TCP/IP sniffer, tcpdump requires a connection to a mirror port on the switch that handles TCP/IP traffic for the target database. For more information, see Network requirements for monitoring using the TCP/IP sniffer on page 79.

You can export the tcpdump log files to an FTP server and remove them from the local disk. For more information, see execute backup fd-tcpdump on page 280 and execute backup-remove fd-tcpdump on page 282.

Syntax

diagnose tcpdump start|stop <port> <client IP> <server IP> [minutes]

where:

Variable | Description
start|stop | Specifies whether to start a new tcpdump log file or stop the current capture.
<port> | The FortiDB Ethernet port on which tcpdump intercepts and logs packet traffic. This port is connected to the mirror port on the switch that handles TCP/IP traffic for the database.
<client IP> | The IP address of the database client. Enter * to specify any IP address.
<server IP> | The IP address where the target database is located. Enter * to specify any IP address.
[minutes] | The length of time, in minutes, that tcpdump captures packet traffic between the specified database and client. Maximum value is 720. If you do not specify a duration, tcpdump captures for 60 minutes or until you enter the corresponding diagnose tcpdump stop command.

A capture file contains the raw database traffic, including any query text and result rows that the client protocol does not encrypt; protect it with the same care as the audit data itself, and remove it from the local disk once it has been exported.

Example

To monitor database traffic seen on port2 for 10 minutes:

diagnose tcpdump start port2 <your_client_IPaddress> <your_database_server_IPaddress> 10

See also

• execute backup fd-tcpdump
• execute backup-remove fd-tcpdump
• diagnose tcpdump status

diagnose tcpdump status

Allows you to view the current status of the tcpdump packet analyzer.

Syntax

diagnose tcpdump status

Example

FD-1KC # diagnose tcpdump status

Tcpdump is not running.

See also

• execute backup fd-tcpdump
• execute backup-remove fd-tcpdump
• diagnose tcpdump start|stop

diagnose network interface list

Allows you to view the status of Ethernet interfaces.


Syntax

diagnose network interface list

See also

• config system interface
• show system interface
• diagnose network interface detail

diagnose network interface detail

Allows you to view detailed information about Ethernet interfaces.

Syntax

diagnose network interface detail <port name>

where:

Variable | Description
<port name> | Ethernet interface name (for example, port1).

Example

diagnose network interface detail port1

See also

• config system interface
• show system interface
• diagnose network interface list

Copyright © 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
