Original Message:
Sent: Thu May 25, 2023 03:35 AM
From: sara rashid
Subject: Traffic whitelisting not working
Yes, you will not find it in the rule; we have created a group called ignore group through group builder and added 7 tuple there. Added that ignore group in policy rule to ignore the traffic.
------------------------------
sara rashid
Original Message:
Sent: Thu May 25, 2023 01:49 AM
From: Rizwan Joo
Subject: Traffic whitelisting not working
Hi Sara,
Yesterday I created a session level policy and in the rule criteria I didn't find ClientIP/SrcApp/DBuser/ServerIP/Svcname/OSuser/DBname, although it exists in data level policy only.
Please revisit the policy type.
So you need to create separate rules in session level policy to take care of each of them to ignore logging those sessions.
------------------------------
Regards,
Rizwan Ali
Senior Guardium Consultant
Pakistan
Original Message:
Sent: Wed May 24, 2023 07:34 AM
From: sara rashid
Subject: Traffic whitelisting not working
Hi Rizwan,
Yes, it's a session level policy, and it's the second rule in the policy because the first rule is ignoring traffic from database and the second one is ignore session rule which is whitelisting traffic. So we are creating a group with 7tuple fields and adding that group to ignore session rule and then excluding it from the first rule which ignores specific database traffic.
When you say
I highly recommend to use specific column name and create multiple rules for each entity. Do you mean not use 7tuple, instead use specific columns like dbuser and add it to ignore session rule?
There are limitations in groups with multiple or shared entities. We are creating separate groups for each database traffic but using it in the same rule, do you mean create separate rules for each database?
Thanks
Sara
------------------------------
sara rashid
Original Message:
Sent: Wed May 24, 2023 07:04 AM
From: Rizwan Joo
Subject: Traffic whitelisting not working
Adding more to my last comment,
Have you defined this rule in data level policy or a session level policy?
Guardium by default records session details. If you want to ignore session level details, you need to create a session level policy and create this rule in that policy, and make sure this session level policy is installed at the top in all other policies.
------------------------------
Regards,
Rizwan Ali
Senior Guardium Consultant
Pakistan
Original Message:
Sent: Wed May 24, 2023 06:15 AM
From: sara rashid
Subject: Traffic whitelisting not working
Hi Rizwan,
So I am using 7 tuple group, ClientIP/SrcApp/DBuser/ServerIP/Svcname/OSuser/DBname, and I am whitelisting on basis of DB user and Client IP and ServerIP and trying to make it as restrictive as possible. It's Oracle database. Using it in rule with Ignore STAP action. But I can see from sessions that whitelisting is not working and still getting lots of traffic.
So I created a custom detailed session report with three extra fields: session ignored, ignored since and login successful. Session ignored for same kind of session is No and sometimes I can see Session ignored (Yes STAP). So I am not sure what I am doing wrong.
Any suggestions how to whitelist the traffic? Should I remove the client IPs and use % in all of them?
Thanks
------------------------------
sara rashid
Original Message:
Sent: Wed May 24, 2023 01:43 AM
From: Rizwan Joo
Subject: Traffic whitelisting not working
Hi Sara,
What do you have in group?
Is it IPs, tables, commands?
If tables/objects, which database engine is that? MS SQL Server, Oracle, DB2 or other?
------------------------------
Regards,
Rizwan Ali
Senior Guardium Consultant
Pakistan
Original Message:
Sent: Mon May 22, 2023 06:58 PM
From: sara rashid
Subject: Traffic whitelisting not working
I am whitelisting traffic, and using 7 tuple in a group. But for some reason some traffic is whitelisted and some of it is still getting through the policy rules. What could be the reason?
------------------------------
sara rashid
------------------------------