FortiDB
FortiDB protects against threats, delivering dynamic protection with database activity monitoring and automated alerts.
rmetzger
Staff
Article Id 198000
Description

1

General

Where can I get the instructions for configuring Oracle audit options?

Documentation is available from the Documentation/Help button at the top bar of the product.

2

General

Does FortiDB VA collect any customer information and store it anywhere in any form from Oracle, Sybase, MSSQL or DB2 UDB?

No, FortiDB VA does not collect any customer information or store it anywhere in any form. It collects assessment results only.

3

General

How does OS-File Agent work on the target database machine?

The agent for Oracle audit is used only for the OS-File audit option and not for the DB audit option. If audit_trail is set to DB in an Oracle database, FortiDB connects to the target database and runs its queries against the audit table. If audit_trail is set to OS, the FortiDB agent is required on the Oracle target database machine. All relevant information in the OS audit file generated by Oracle is sent to the FortiDB server by the agent and is then saved in the FortiDB internal repository. Please ensure that the user who starts the agent has permission to access the operating system audit files, and set up the OS-File agent provided for UNIX platforms. Please refer to the Administration Guide for details.

4

General

What are the possible reasons for a user not being able to connect to a target database?

If a user cannot connect to a target database, the user needs to:
1. Check whether the target database is behind a firewall.
2. Check whether the target database is up and running.
3. Check whether the target database user id and password are correct.
4. Check whether the target database port number is correct.

5

General

Is data encrypted or compressed when it is stored?

No, it is not. When the data is moved from a target database to the FortiDB server, it is stored (inserted) directly in the internal repository and is not stored in any files, so encryption or compression of the data is not necessary.

6

General

What are the minimum requirements for a user password in FortiDB?

A password must be at least 8 characters long and should contain a number and a special character. It must not contain the user name or the user name reversed. It also should not contain any white space. Please refer to the Administration Guide for details.
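As an added illustration (not FortiDB's own validation code), the following Python function checks a candidate password against the rules listed above and reports every rule it breaks. The special-character set is assumed to be ASCII punctuation and the user-name match is assumed to be case-insensitive, since the FAQ does not state either.

```python
import string
from typing import List

MIN_LENGTH = 8
# Assumption: the FAQ does not list the accepted special characters, so ASCII punctuation is used here.
SPECIAL_CHARS = set(string.punctuation)


def password_violations(password: str, username: str) -> List[str]:
    """Return the FAQ password rules that `password` breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    if any(c.isspace() for c in password):
        problems.append("contains whitespace")
    # Assumption: the user-name checks are case-insensitive.
    lowered = password.lower()
    user = username.lower()
    if user and user in lowered:
        problems.append("contains the user name")
    if user and user[::-1] in lowered:
        problems.append("contains the user name reversed")
    return problems


def is_acceptable(password: str, username: str) -> bool:
    """True when the password breaks none of the rules."""
    return not password_violations(password, username)


if __name__ == "__main__":
    # Constructed sample passwords for the (constructed) user name "alice".
    for candidate in ["Tr0ub4dor!x", "alice123", "#ecila9Q", "ab 1"]:
        print(repr(candidate), password_violations(candidate, "alice") or "OK")
```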

7

General

Why do I see the error message "Open database has reached the limit"?

If you are using a trial license, it means that you have reached the number of database connections allowed for target databases. By default, it is limited to three. Please contact your Accounts Manager for more details.

8

General

Why didn’t I get alerts from the UBM Session policy for Suspicious Login Time for DB2 UDB?

Take the following sample steps to get alerts from the UBM Session policy for Suspicious Login Time.

1. Make a connection to a DB2 database.
2. Open the connection using UBM.
3. Make a Session Policy named user1 with a Rule Setting time of 2 AM to 5 AM. If user1 then tries to connect to the SAMPLE database outside 2 AM to 5 AM, the user should get an alert.
4. Now connect to the SAMPLE database as user1 at any time outside 2 AM to 5 AM. You will get an alert as shown below:

Violated Rule: Suspicious Login Time
Timestamp: 2007-11-02 13:38:18.116
Database User Name: USER1
OS User Name: DB2INST2
Location: LOCALHOST
Client Application : DB2BP
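As an added example that is not part of the original article or the FortiDB product, this Python code models the session policy above and renders a violation in the same alert layout. The allowed window is treated as start-inclusive and end-exclusive, DB2 user names are compared case-insensitively, and, going beyond the FAQ's 2 AM to 5 AM case, a window that wraps past midnight is handled as well; all three are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional


@dataclass(frozen=True)
class SessionPolicy:
    """A UBM-style session policy: logins by db_user are expected only inside [start, end)."""
    name: str
    db_user: str
    start: time
    end: time

    def allows(self, when: datetime) -> bool:
        t = when.time()
        if self.start <= self.end:                 # same-day window, e.g. 02:00 to 05:00 as in the FAQ
            return self.start <= t < self.end
        return t >= self.start or t < self.end     # window wrapping past midnight, e.g. 22:00 to 05:00


@dataclass(frozen=True)
class LoginEvent:
    """One login observed on the target database (constructed sample data below)."""
    timestamp: datetime
    db_user: str
    os_user: str
    location: str
    application: str


def format_alert(event: LoginEvent) -> str:
    """Render the alert in the layout shown in the FAQ (millisecond timestamp, one field per line)."""
    stamp = event.timestamp.strftime("%Y-%m-%d %H:%M:%S.") + f"{event.timestamp.microsecond // 1000:03d}"
    return "\n".join([
        "Violated Rule: Suspicious Login Time",
        f"Timestamp: {stamp}",
        f"Database User Name: {event.db_user.upper()}",
        f"OS User Name: {event.os_user.upper()}",
        f"Location: {event.location.upper()}",
        f"Client Application : {event.application.upper()}",
    ])


def evaluate_login(policy: SessionPolicy, event: LoginEvent) -> Optional[str]:
    """Return the alert text if the login violates the policy, or None if it is allowed or not covered."""
    if event.db_user.upper() != policy.db_user.upper():   # assumption: DB2 reports user names in upper case
        return None
    if policy.allows(event.timestamp):
        return None
    return format_alert(event)


def alerts_for(policies: List[SessionPolicy], events: List[LoginEvent]) -> List[str]:
    """Evaluate every login against every policy and collect the resulting alerts."""
    alerts = []
    for event in events:
        for policy in policies:
            alert = evaluate_login(policy, event)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample: the policy from the FAQ plus four logins.
USER1_POLICY = SessionPolicy("user1", "user1", time(2, 0), time(5, 0))
SAMPLE_LOGINS = [
    LoginEvent(datetime(2007, 11, 2, 13, 38, 18, 116000), "user1", "db2inst2", "localhost", "db2bp"),  # 13:38: violation
    LoginEvent(datetime(2007, 11, 2, 3, 15, 0), "user1", "db2inst2", "localhost", "db2bp"),            # 03:15: allowed
    LoginEvent(datetime(2007, 11, 2, 2, 0, 0), "user1", "db2inst2", "localhost", "db2bp"),             # 02:00 sharp: allowed
    LoginEvent(datetime(2007, 11, 2, 13, 40, 0), "user2", "db2inst2", "localhost", "db2bp"),           # other user: not covered
]

if __name__ == "__main__":
    for alert in alerts_for([USER1_POLICY], SAMPLE_LOGINS):
        print(alert, end="\n\n")
```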

9

General

Is there any way to improve the performance of auditing using UBM?

Performance depends on parameter settings and on the applications running on the target database. It also depends on the audit_trail setting: if audit_trail is set to DB, performance is degraded compared to audit_trail set to OS. We also recommend auditing only the important tables rather than all tables.

10

General

I can’t connect to the target database. What should I do?

Please try to connect to the target database using IP address instead of a host name. You may need to have a static IP address for the machine.

11

General

For audit mode monitoring of DB2 UDB, do I need to set up the DB2 agent? How do I set up the DB2 agent?

Yes, for audit mode monitoring you need to set up the DB2 agent.
Please follow the instructions in the “Monitoring DB2 UDB” chapter of the Administration Guide.

12

General

Does FortiDB support ALTER TABLESPACE monitoring in Metadata Monitor?

FortiDB does not support the ALTER DATABASE or ALTER TABLESPACE commands in Metadata Monitor. Please read the Metadata Monitor Users Guide for more details.

13

General

Can I scan OS level files and folder with FortiDB VA?

Generally the VA module scans relational databases only, but VA also has Operating System level policies, which scan folders and files. The OS level policies are supported only when the target database is Oracle 8i/9i/10g on Solaris. For more details, please read the OSVA policies section in the Administration Guide.

14

General

What permissions should a user have for scanning a Sybase server?

You should grant the following permissions to the Sybase user for scanning a Sybase target server:

SELECT on:
- SYS.COLUMNS
- SYS.OBJECTS
- SYS.PROTECTS
- SYS.USERS

15

General

Can I monitor MS SQL Server at Server Level or Database Level?

Yes, FortiDB DAM monitors users at Server Level or Database Level, depending on how you create the connection. If the connection is Server Level, it monitors user behavior for all databases in that MS SQL Server. If you create the connection at Database Level, user behavior is monitored only for that database, and no alerts are generated if the user performs actions (inserts, updates, deletes) on other databases in the same SQL Server.

16

General

Can I generate VA reports for only "Informational" rules?

Yes, you can generate a report only for "Informational" rules. You can do so by making the rest of the rules inactive and keeping only the "Informational" rules active. The report generated after the scan will then contain only "Informational" data.

17

General

Can I test Password Strength/Password Length/Complexity/Expiration using FortiDB?

Yes, FortiDB has a Penetration Test for testing passwords. Penetration Test (Pen Test) provides the ability to run an aggressive password attack on selected databases to determine whether user passwords are easy to detect and thus allow access into your database.
Please note that Penetration Test may be an invasive procedure. It has the ability to lock out users for failed logins. So you will need to allow your database to accept multiple password attempts before using this feature, and not let any other users access the database during its use.

18

General

Does FortiDB support Informix as a target database for VA or DAM?

No, FortiDB does not support Informix as a target database. It supports Oracle, Sybase, DB2, MS SQL and MySQL for VA, and Oracle, Sybase, DB2 and MS SQL for DAM.

19

General

If the connection between FortiDB DAM and the Oracle target DB with audit is disconnected somehow, then is there a way to retrieve the data on the target DB after reconnecting to FortiDB? How can we retrieve them?

Once the connection is resumed, IPLocks/FortiDB MA checks the data and then retrieves all the data from the Oracle Audit logs. So you don’t need to do anything for this.

20

General

Where can I find the platforms that FortiDB supports? What about the target database matrix?

Please refer to the Release Notes for FortiDB to find the latest platforms supported and Target Database matrix.

21

General

Why can't I connect to Oracle RAC (Real Application Clusters) database?

FortiDB does support Oracle RAC (Real Application Clusters). You need to use the instance name from the tnsnames.ora file instead of the Service name in place of the Oracle SID/Database name. This is a feature planned for FortiDB software version 5.0.x.


22

General

Does FortiDB support named instance of MS SQL server? Why do I get an error message when I try to connect to MS SQL Server named instance?

Yes, we support connections to SQL 2000 or SQL 2005 named instances from FortiDB 3.0. It doesn't matter whether the instance is the default one or not. Our application does not care whether it is a named instance of a SQL Server and will connect to it if the IP address/hostname, port number, database name, user id and password are correct.
Since the port number configured for SQL Server is generally different for each named instance, please check the port number carefully; it may not be the default (1433) for the instance you are trying to connect to, and that may be the reason why the connection fails.

23

IPLocks 6.x

Is upgrade of IPLocks5.x or IPLocks 6.0.01 to IPLocks6.2 with Oracle repository supported?

Even though there is no clear upgrade path from IPLocks5.x or IPLocks6.0.01 to IPLocks6.2.00, we are confident that it can be arranged through our professional service. Please contact your Account Manager for further details.

24

IPLocks 6.x

Is there any default timing for scheduled assessments of VA?

Yes, the default value for VA schedules settings is 720 hours which is 30 days interval and is set at the module level. To check this, please go to VA -> Set defaults -> Module Schedule Settings -> hours.

25

IPLocks 6.x

Does IPLocks6.2 support Oracle 9.2.08 and 10gR2 on either Solaris 9 or 10 as the platform for IPlocks server?

Yes, IPLocks6.2 is certified on Solaris 9 and 10.

26

IPLocks 6.x

Can I restore the alerts which IPLocks 6.0.02 archived in IPLocks6.2?

Yes, alerts archived in IPLocks6.0.02 can be restored in IPLocks6.2.

27

IPLocks 6.x

Which file contains information about the IPLocks6.2 internal repository configuration?

In IPLocks6.2, the install.properties file in the \IplocksApp\conf directory contains internal repository configuration.

28

IPLocks 6.x

When I try to install IPLocks6.2, I get an error message, "The Windows Installer Service could not be accessed". What is the problem?

This error is not caused by IPLocks installation. This is a known issue published by Microsoft. Please refer to http://support.microsoft.com/kb/315353

29

IPLocks 6.x

Isn’t IPLocks6.2 VA software vulnerable to the Apache Tomcat JK Connector?

Since we do not use Apache Tomcat JK connector, IPLocks6.2 is not vulnerable to the JK Connector.

30

IPLocks 6.x

What is the best way to schedule VA assessments?

For scheduling VA assessments, you can use database-level scheduling for each database. The database-level scheduling can be done by VA module -> Set Defaults -> Database schedule settings and then adding your own schedule.

31

IPLocks 6.x

What if my dssConfig.properties file gets corrupted? Can I recreate it?

Yes, you can recreate the dssConfig.properties file. Please take the following steps:
1. Stop IPLocks using stop-iplocks in $IPLOCKS_HOME/bin.
2. Ensure that the install.properties file is not corrupted.
3. Delete or rename your dssConfig.properties file in the $IPLOCKS_HOME/conf directory.
4. cd to $IPLOCKS_HOME/bin and run ./RegenEnv; this will generate a new dssConfig.properties file.
5. Start IPLocks using start-iplocks in $IPLOCKS_HOME/bin.

32

IPLocks 6.x

If IPLocks Administrator forgets the password, is there any way to recover or reset the admin password ?

Yes, it can be reset by running the SQL statement if the internal repository is Oracle. It will reset the password back to the default. Please contact technical support for more details.

33

IPLocks 6.x

What is the purpose of Data Retrieval Method (Audit/No Audit) and Trace File folder?

Data Retrieval Method is how data is retrieved by IPLocks from target databases. In the MM/PM modules, both the Audit and No Audit options are used, while in UBM only the Audit option is used for SQL Server. With the Audit option, the trace file is used to collect data from target databases; by default SQL Server saves its default trace event data to the LOG folder of the SQL Server installation, but in IPLocks the Trace File folder defaults to C:\. With the No Audit option, only a snapshot of the target database is taken, and that is used for diagnosing auditing security information.

34

IPLocks 6.x

Why can’t I load IPLocks6.2 policies properly from newer XML files?

The IPLocks Administrator needs to follow the steps below (after the installation of the product):
1. Install IPLocks6.2
2. Delete the default policies from the IPLocks repository
3. Upload the policies from a new XML file
4. Start creating DB connections for different DB types
5. Scan the database using the new policies

35

IPLocks 6.x

Can I customize IPLocks6.2 screen in order to show Double Byte Characters such as Chinese and Japanese?

IPLocks6.2 works on platforms that use double-byte character codes, so it should work without any problems on an operating system that supports double-byte characters. However, the IPLocks6.2 GUI only appears in English.

36

IPLocks 6.x

How can I download the IPLocks/FortiDB free trial version?

You can download the free trial version from our website:

http://www.fortinet.com/products/fortidb/software.html

37

IPLocks 6.x

What are the default ports in IPLocks6.2 for connecting to the IPLocks application?

For a non-secure connection using http, the default port is 9100.
For a secure connection using https, the default port is 8433.
For shutting down IPLocks6.2, the default port is 8005.
All these ports are configurable at the time of IPLocks6.2 installation.

38

IPLocks 6.x

Can I use the latest available Policies from the quarterly up2date for IPLocks6.2 or other IPLocks6.x versions? While updating IPLocks policies, do I need to update the IPLocks product/binaries?

Yes, you can use the same policies and there are no restrictions.
You don’t need to update any binaries. Just upload the new policies/rules using the XML files.

39

IPLocks 6.x

Why am I not getting emails from the iplocks SMTP server for reports or alerts from the IPLocks application?

For emails, you need to setup your own SMTP server. The mail server name given in IPLocks application is just an example and is not to be used for getting emails from IPLocks application. Please set up your SMTP server to get emails for alerts or reports generated by IPLocks application.

40

IPLocks 6.x

How can I delete the predefined rules when internal repository is PostgreSQL?

Take the following steps and commands to delete old rules when the internal repository is PostgreSQL in IPLocks 6.2.

1. Delete the old policies from the IPLocks6.2 installation as described below.
2. Upload the new policies from the XML files (this assumes you know how to upload policies/rules using XML files).
3. Make a connection to the target database.
4. Scan the target database.

To delete the old policies/rules, open a command window and connect to the internal repository with psql:
cd $IPLOCKS_HOME\pgsql\bin
C:\IPLocks62\pgsql\bin>psql -p 6432 iplocksdb -U iplocks

where 6432 is the default port number,
iplocksdb is the IPLocks internal repository name, and
the -U value (iplocks) is the internal repository admin name.
All of these values are the defaults if you installed IPLocks6.2 using the default installation.

First check how many predefined rules exist for each database type:

iplocksdb=# SELECT COUNT(*) FROM PREDEFINEDRULES WHERE DBSERVERTYPE='db2';
iplocksdb=# SELECT COUNT(*) FROM PREDEFINEDRULES WHERE DBSERVERTYPE='ora';
iplocksdb=# SELECT COUNT(*) FROM PREDEFINEDRULES WHERE DBSERVERTYPE='msql';
iplocksdb=# SELECT COUNT(*) FROM PREDEFINEDRULES WHERE DBSERVERTYPE='sybase';

To delete these policies or rules, run the following statements:
DELETE FROM PREDEFINEDRULES WHERE DBSERVERTYPE='db2';
DELETE FROM PREDEFINEDRULES WHERE DBSERVERTYPE='ora';
DELETE FROM PREDEFINEDRULES WHERE DBSERVERTYPE='msql';
DELETE FROM PREDEFINEDRULES WHERE DBSERVERTYPE='sybase';

41

IPLocks 6.x

What are the minimum privileges to be granted to a user to run a VA Scan for DB2?

The minimum privileges that need to be granted to a user for a VA Scan are described below.

CREATE TABLE
SELECT on the following SYSTEM tables:
SYSCOLAUTH
SYSDBAUTH
SYSINDEXAUTH
SYSPLANAUTH
SYSSCHEMAAUTH
SYSTABAUTH
SYSTBSPACEAUTH

You can grant these privileges to a user named USER1 of target Database SAMPLE as per below:
CONNECT TO SAMPLE;
GRANT CREATETAB ON DATABASE TO USER USER1;
GRANT SELECT ON TABLE SYSIBM.SYSCOLAUTH TO USER USER1;
GRANT SELECT ON TABLE SYSIBM.SYSDBAUTH TO USER USER1;
GRANT SELECT ON TABLE SYSIBM.SYSINDEXAUTH TO USER USER1;
GRANT SELECT ON TABLE SYSIBM.SYSPLANAUTH TO USER USER1;
GRANT SELECT ON TABLE SYSIBM.SYSSCHEMAAUTH TO USER USER1;
GRANT SELECT ON TABLE SYSIBM.SYSTABAUTH TO USER USER1;
GRANT SELECT ON TABLE SYSIBM.SYSTBSPACEAUTH TO USER USER1;
CONNECT RESET;

42

IPLocks 6.x

How do I configure email receivers for groups in VA?

The better way of associating email groups with a database or database group is to use the Report Manager module. To do this, go to Alert Report Manager -> New reports, then give the Report Name (as per your choice), give the values for Status, Severity, Module, Database(s), Policy, Guarded Item and Alarm Generated Time, and click on Save. You can select multiple values for these settings using Shift and a mouse click.
After you save the New Report settings, go to Current Reports and associate the email groups by clicking on Email Receiver.

43

IPLocks 6.x

How can I disable the JP locale?

Take the following steps to disable the JP locale:
1. Start -> All Programs -> IPLocks-6.2 -> IPLocks Tomcat Configuration
2. Select the "Java" tab and add the following strings to "Java Options":
-Duser.language=en
-Duser.country=US

3. Change the language of the OS.

44

IPLocks 6.x

How do I connect to Oracle 10g target database?

To manually enter database-connection information, the steps are:
1. Select Database -> New from the menu.
2. Fill in at least the required information, marked with an asterisk (*), namely:
- Database Connection Name (any name that you care to call it)
- Database Server Name or IP address followed, if applicable, by a colon (:) and the port number (e.g., 192.168.2.63:1521)
- Database Name (the name of the database as of its creation time); this can be found by running echo $ORACLE_SID on the target database machine
- Database Server Type (Oracle, SQL Server, etc.)
- Username (the name the user will use in order to connect to the database); you can use system for Oracle
- Password (the password the user will use in order to connect to the database)
It might also be useful to fill in the other, non-required fields.

45

IPLocks 6.x

Why are my results of scanning databases with IPLocks 6.2 different from IPLocks 6.0?

If you did not clean up the old rules from the internal repository before loading a new XML file, there will be inconsistencies in the results between IPLocks6.0.01 and IPLocks6.2. You need to clean up the old rules from the internal repository for both IPLocks versions using the following commands:
select count(*) from IPLOCKS.PREDEFINEDRULES where DBSERVERTYPE='sybase';
delete from IPLOCKS.PREDEFINEDRULES where DBSERVERTYPE='sybase';

Try uploading the XML file again, and if there is a version error, delete the entry from PDRLOG using:
delete from IPLOCKS.PDRLOG where version='3';

46

IPLocks 6.x

Why is Archive/Restore so slow? Do I need some more indexes?

If you create indexes on IPLocks tables in IPLocks internal repository, you can improve the performance.

CREATE INDEX CVARUN_RUNTIME ON CVARUN (RUNTIME);
CREATE INDEX CVARUNDETAIL_RUNID ON CVARUNDETAIL (RUNID);
CREATE INDEX ALARMS_ALARMTIME ON ALARMS (ALARMTIME);

47

IPLocks 6.x

How do I change dssConfig.properties?

For Standalone, the IPLocks dssConfig.properties file is located under $IPLOCKS_HOME/config.

From IPLocks6.2 onwards, parameters that have default values are not shown in dssConfig.properties.
You can add parameters to the dssConfig.properties file and then restart IPLocks.
For Appliance, please see the “Properties List” chapter of the Administration Guide.

48

IPLocks 6.x

Why don’t I see the OS level Policies checkbox?

IPLocks6.2 supports OS Level policies only when the target database is Oracle on Solaris. Updating a license key doesn’t affect visibility of the OS Level Policies checkbox.

49

IPLocks 6.x

I can’t connect to an MS SQL target database when I am using a Named Instance. What should I do?

Please check the port number before making a connection. The named instance in MS SQL Server does not have any effect on the connection. Mostly the port number is different than the default in case of Named Instance.

50

IPLocks 6.x

Adobe Reader could not open the report.

JasperReports cannot handle the logo names which have a space in it. Remove the space and it should work fine.

51

IPLocks 6.x

If ntp (network time protocol) failed and the time is out of sync, do I need to restart IPLocks?

Yes, you need to stop and restart IPLocks application.

52

IPLocks 6.x

What should I do if I do not want to grant create table privilege to a user?

You can revoke the 'create table privilege' from the user after connection has been opened (open and Run button).
Once the connection is running, the user doesn’t need to have 'create table privilege' anymore.

53

IPLocks 6.x

What should I do if my target databases are behind a firewall?

You need to open the port numbers in the firewall for IPLocks to scan the target databases correctly. The default port numbers for target databases are:

Oracle 1521
SQL Server 1433
DB2 50000
Sybase 5000

IPLocks uses a JDBC connection and behaves like any other database client, so there is no IPLocks-specific requirement. However, please check the recommendations given by firewall vendors.
Another way is to move the IPLocks server behind the same firewall as the target databases.

54

IPLocks 6.x

How do I avoid the default email server error message in the iplocks.log or catalina.out file?

The reasons why IPLocks generates this error message in the iplocks.log or catalina.out file are:
1. You have set up a default email receiver in the email settings with a wrong or invalid SMTP Host IP.
2. You have checked the check box for Default Receiver(s).
You can solve this problem by deleting the default email receivers or by setting up the SMTP Host, so that you can receive the email alerts.

55

IPLocks 6.x

Where can I find IPLocks Administration Guide and other Documentation?

If you want the Administration Guide or Users Guide, log in to the application as a user and click on the Documentation link at the top right. You will see the documentation in HTML and PDF formats.

56

IPLocks 6.x

Is there a way to auto enable UDR?

There is no parameter in dssConfig.properties for automatically enabling UDR. The user has to manually stop and start the connection for monitoring to start again.
However, there is the parameter dss.isrecovery in dssConfig.properties. This enables automatic recovery for non-UDR to take place if the IPLocks server is shut down. If this parameter is set to true and the IPLocks server goes down, all databases that were open will be restored to their prior state when the server is restarted.

57

IPLocks 6.x

How do I view and store VA Reports in html format for IPLocks instead of sending them as email?

There are two ways to view and store VA Reports:
1. Set up a custom report using the Alarm Report Manager and save the report to any folder on your hard drive in Tab Delimited or Comma Delimited format. This is done using File Format and Save to a File. These formats can be viewed in Excel. Using this method, you don’t need to have any user accounts set up for the IPLocks application.

2. The second way is to set up the Alarm Report Manager and check the checkbox for the Description field in the Report Format, then export the summary report to PDF, Excel, Tab Delimited or Comma Delimited format and save it to a folder on your hard drive. Exporting the summary report to HTML format is not supported. Using this method, you also don’t need to have any user accounts set up.

58

IPLocks 6.x

I forgot the IPLocks admin password, and my internal repository is PostgreSQL. How can I reset the admin password?

IPLocks admin password needs to be reset. Please contact IPLocks Support for steps to reset IPLocks admin password.

59

IPLocks 6.x

Is there any difference, if I am connecting to a named instance on a MSSQL server? Does Auto Discovery work for named instances?

The process for connecting to a named instance is similar to that for the default instance. Generally the port number for a named instance is different from the default port number of 1433, so correct the port number, which is probably what is causing the problem. On SQL 2000, you can find the port number with the following steps:

1. Go to SQL Server Enterprise Manager -> Tools -> SQL Server Configuration Properties
2. Click on the General tab -> Network configuration -> TCP/IP -> Properties; you can see the port number there.
Auto Discovery may not work for named instances, as it searches only the default port numbers.

60

IPLocks 6.2

Does IPLocks support Oracle Advanced Security Options Configuration?

As of today, IPLocks6.2 does not support Oracle Advanced Security configuration. Please contact your Account Manager if you need any more information about this feature.

61

IPLocks 6.x

Where can I get the version and update-time information for an XML update?

The easiest way of tracking PDR update is from PDRLOG table of the internal repository.

62

IPLocks 6.x

How do I install a new license key which I have received from IPLocks?

You will need to replace your existing license.properties file in the <IPLocks_Home>\conf directory with the license file you have received from IPLocks and restart the IPLocks server. To restart IPLocks, go to <IPLocks_Home>\bin and stop and start IPLocks using the stop-iplocks and start-iplocks commands from the command line.

63

IPLocks 6.x

Is there a way to store multiple versions of the policies for a single database?

You cannot store multiple versions of the policy for a single database. However, you can make two connections to the same database with different database connection names. In one connection you can enable the policies for DBAs and disable the policies that are not required for DBAs, and in the second connection you can enable the policies for Auditors and disable the policies that are not needed for Auditors.

64

IPLocks 6.x

Can I upload multiple database connections from text or excel file?

Yes, you can use the upload utility with a text file to upload all the database connections.
The format of each line in the text file should be:

Connection_name!hostname_or_IPAddress:port_no!database_name_or_SID!database_type!userid!password

For example, for Oracle it should look like:
Oracle_test!192.168.x.xxx:1521!ora92T!ora!system!password

The database type code for the different databases should be:
Oracle = ora
DB2 V8 = db28
Sybase = sybase
MSSQL = msql
Note: If you want to keep any field empty, use the separators !! for that field.

65

IPLocks 6.x

How can I view my old VA Scan reports?

Previous VA Scan Reports can be viewed by clicking on Report Manager -> VA Trend Report, then selecting the Database type and then the Database Name. At the bottom of the page you can see the reports identified by the timestamp of the scan time. You can export these reports to PDF, Excel, Tab Delimited, Comma Delimited or Printable version.

66

IPLocks 6.x

Does IPLocks support Oracle RAC and do I need to VA Scan on all nodes?

Yes, IPLocks supports Oracle RAC (Real Application Cluster). You need to scan the main node and not all nodes.

67

IPLocks 6.x

Can I do IPLocks scan using Windows authentication?

Yes, you can use Windows Authentication for VA Scanning instead of SQL Authentication. You need to use this format on Create New Database Connection:
Username : DOMAIN\accountName

68

IPLocks 6.x

Does IPLocks 6.2 support databases running on zLinux as Target database?

IPLocks6.2 does not support databases running on zLinux as target databases. It is not on our roadmap right now and will be considered in the future.

69

IPLocks 6.x

Can I upload MS SQL Server Level Connection using a text file?

Yes, you can upload a Server Level connection for MSSQL or Sybase from a text file.

The format for a Server Level connection should be:
dbalias!serverip:portNo!!dbtype!username!Password!!!!!!!!!!!!!!!!!!!!!!!!!!Y

Please note that the third field (dbname) must be empty and the 32nd field must be Y for a Server Level connection.
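As an added example (not the IPLocks upload utility itself), the following Python validator checks bulk-connection lines in the format described in questions 64 and 69 before they are uploaded: it rejects malformed entries, recognises the server-level form (empty third field, Y in field 32) and never echoes the password field. The fallback to the database type's default listener port when the port is omitted is an assumption.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Type codes (question 64) and default listener ports (question 53) as given in the FAQ.
DB_TYPES = {"ora": "Oracle", "db28": "DB2 V8", "sybase": "Sybase", "msql": "MSSQL"}
DEFAULT_PORTS = {"ora": 1521, "msql": 1433, "db28": 50000, "sybase": 5000}
SERVER_LEVEL_TYPES = {"msql", "sybase"}   # question 69: server-level upload is for MSSQL or Sybase
SERVER_LEVEL_FIELD = 32                    # 1-based field that must be 'Y' for a server-level entry


@dataclass
class ConnectionEntry:
    line_no: int
    name: str
    host: str
    port: int
    database: str          # empty for a server-level connection
    db_type: str
    user: str
    server_level: bool
    password_set: bool     # the password itself is deliberately not kept

    def describe(self) -> str:
        """Human-readable summary that never includes the password."""
        scope = "server-level" if self.server_level else f"database {self.database!r}"
        return f"{self.name}: {DB_TYPES[self.db_type]} at {self.host}:{self.port} ({scope}) as {self.user}"


def parse_connection_line(line: str, line_no: int = 1) -> ConnectionEntry:
    """Parse one '!'-separated upload line; raise ValueError with the reason if it is malformed."""
    fields = line.rstrip("\r\n").split("!")
    if len(fields) < 6:
        raise ValueError(f"line {line_no}: expected at least 6 '!'-separated fields, found {len(fields)}")
    name, endpoint, database, db_type, user, password = (f.strip() for f in fields[:6])
    if not name:
        raise ValueError(f"line {line_no}: connection name is empty")
    if db_type not in DB_TYPES:
        raise ValueError(f"line {line_no}: unknown database type code {db_type!r}; expected one of {sorted(DB_TYPES)}")
    host, _, port_text = endpoint.partition(":")
    if not host:
        raise ValueError(f"line {line_no}: host name or IP address is empty")
    if port_text:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"line {line_no}: invalid port {port_text!r}")
        port = int(port_text)
    else:
        port = DEFAULT_PORTS[db_type]   # assumption: fall back to the type's default listener port
    if not user:
        raise ValueError(f"line {line_no}: user id is empty")
    # Question 69: a server-level entry has an empty 3rd field and 'Y' in the 32nd.
    server_flag = len(fields) >= SERVER_LEVEL_FIELD and fields[SERVER_LEVEL_FIELD - 1].strip().upper() == "Y"
    if server_flag:
        if database:
            raise ValueError(f"line {line_no}: a server-level entry must leave the database field empty")
        if db_type not in SERVER_LEVEL_TYPES:
            raise ValueError(f"line {line_no}: server-level connections are only for MSSQL or Sybase, not {DB_TYPES[db_type]}")
    elif not database:
        raise ValueError(f"line {line_no}: database name or SID is empty (set field 32 to 'Y' for a server-level entry)")
    return ConnectionEntry(line_no, name, host, port, database, db_type, user, server_flag, bool(password))


def check_upload_file(text: str) -> Tuple[List[ConnectionEntry], List[str]]:
    """Parse every non-blank line; return the accepted entries and the error messages for rejected lines."""
    entries, errors = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            entries.append(parse_connection_line(line, n))
        except ValueError as exc:
            errors.append(str(exc))
    return entries, errors


# Constructed sample upload file: two valid lines and two malformed ones.
SAMPLE_UPLOAD = "\n".join([
    "Oracle_test!192.168.0.10:1521!ora92T!ora!system!s3cret",                                 # database-level Oracle
    "!".join(["mssql_srv", "192.168.0.20:1533", "", "msql", "ipl_scan", "p@ss"] + [""] * 25 + ["Y"]),  # server-level MSSQL
    "bad_line!192.168.0.30!!ora!scott!tiger",                                                  # database-level but no SID
    "db2_test!db2host!SAMPLE!db2!user1!pw",                                                    # unknown type code
])

if __name__ == "__main__":
    ok, bad = check_upload_file(SAMPLE_UPLOAD)
    for entry in ok:
        print("OK   ", entry.describe())
    for message in bad:
        print("ERROR", message)
```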

70

IPLocks 6.x

Do I need to grant CONNECT, IMPLICIT_SCHEMA and USE OF TABLESPACE USERSPACE1 privileges to a user to do a VA Scan against a DB2 target database?

By default, the CONNECT privilege is available to PUBLIC. So unless CONNECT, IMPLICIT_SCHEMA and USE OF TABLESPACE USERSPACE1 have been revoked from PUBLIC, the user needs only the following privileges to VA Scan a target database:

- CREATE TABLE
- SELECT on the following SYSIBM tables:
  - SYSCOLAUTH
  - SYSDBAUTH
  - SYSINDEXAUTH
  - SYSPLANAUTH
  - SYSSCHEMAAUTH
  - SYSTABAUTH
  - SYSTBSPACEAUTH

71

IPLocks 6.x

Can I scan DB2 databases if I am using customized special builds from IBM?

As of now, IPLocks does not support customized special builds from IBM for VA Scan. IPLocks only supports builds released by IBM on their website as GA or FixPak builds.

72

IPLocks 6.x

Why is IPLocks starting very slow?

The problem might be due to a large number of open connections. Please try to close all open connections before stopping IPLocks. For closing/opening the connections quickly, you may use CLI.

73

IPLocks 6.x

Is it possible to install two instances of IPLocks 6.2 on the same machine?

Technically, you can install two instances of IPLocks6.2 on the same machine without any issues. However, you need to consider the following issues while installing IPLocks6.2:

1. The installation directories for both instances should be different.
2. Userid used for installing both instances should be different.
3. Schemas used for internal repository for both instances should be different.
4. Use different Port Numbers for tomcatHttpPort, tomcatHttpsPort and tomcatShutdownPort for both instances.
The default values for these ports are:

tomcatHttpPort=9100
tomcatHttpsPort=8433
tomcatShutdownPort=8005
If you need to apply IPLocks6.2 patches in the future, it should be applied on each instance separately.

74

IPLocks 6.x

I cannot make a connection from IPLocks when the target database is Sybase on HP-UX. What should I do?

When Sybase 12.5.4 ASE server is installed on HP-UX, Roman 8 encoding is installed by default. This is the reason why IPLocks is not able to connect to Sybase databases on HP-UX. Please contact Fortinet support for Hotfix to solve this problem.

75

IPLocks 6.x

Why does my DB2 V7 connection hang?

Here are the steps to connect to DB2 V7 as a target database:

1. Stop IPLocks using stop-iplocks.bat from $IPLOCKS\bin.
2. Rename $IPLOCKS_HOME\tomcat\webapps\iplocks\WEB-INF\lib\db2java-8.1.jar to db2java-8.1.jar.bak.
3. Copy db2java.zip from sqllib\java of the target DB2 v7 database to $IPLOCKS_HOME\tomcat\webapps\iplocks\WEB-INF\lib and rename it to db2java-8.1.jar.
4. On the target DB2 v7 database machine, log in as the instance owner and start the JDBC applet server (japplet) with the following command:
db2jstrt 6789
5. Start the IPLocks application using start-iplocks.bat from $IPLOCKS\bin.
6. On the IPLocks connection page, use 6789 as the port number.
For example, Database Server Name/IP (with port)* will be 192.168.9.100:6789
The rest of the steps are the same as for a DB2 V8 target database connection.
For each target database on DB2 v7, you need to repeat steps 1 to 6 above.

76

IPLocks 6.x

Can I scan database across the firewall?

Yes, you can scan databases across a firewall. You need to open a port in the firewall for IPLocks to access your SQL Server. Your network admin should be able to help in this issue.

77

IPLocks 6.x

Can I archive data to SAN (Storage Area Network) instead of $IPLOCKS_HOME folder?

By default, archiving saves the archived data in $IPLOCKS_HOME\archive. You can ftp this data to the SAN (prefer sftp or scp where available, since the archive contains audit data) and delete it from $IPLOCKS_HOME\archive. To restore, transfer it back into $IPLOCKS_HOME\archive. You may delete the data in the archive folder, but keep the archive folder itself under $IPLOCKS_HOME.
Archived alerts are removed from the internal repository and are no longer visible in the IPLocks GUI.

78

IPLocks 6.x

Do I need a new license if I change the internal repository from PostGreSQL to Oracle?

A license key does not depend on the type of internal repository; it depends on the MAC address of the machine. The same key can be reused if only the internal repository changes.

79

IPLocks 6.x

Does IPLocks 6.2 have an SDK?

IPLocks 6.2 does not have an SDK. It does have a CLI for automating various functions of the MM, PM and VA modules; see the CLI User Guide in the IPLocks 6.2 documentation.

80

IPLocks 6.x

Can I do IPLocks6.2 silent install on Windows?

To install IPLocks 6.2 in silent installer mode, take the following steps:
1. Satisfy all prerequisites in the Installation Checklist.
2. Execute the installer file with this syntax:
<installer_file> -f <settings_file>
where settings_file contains your installation-property values.
Note: A silent installation has completed when $IPLOCKS_HOME/IPLocks-<product name>_InstallLog.log is created; for example, the presence of IPLocks-6.2_InstallLog.log indicates that the installation of IPLocks 6.2 has finished. Whether it succeeded is shown by the Summary section of this file: if there are no errors in that section, the installation was successful.

For more information about the silent install and a sample settings_file, follow the steps in the IPLocks 6.2 Installation Guide.

81

IPLocks 6.x

Do I need administrative privileges to install and launch the application on Windows?

Yes, IPLocks 6.2 requires administrative privileges to install and launch the application and to start or stop its services.

82

IPLocks6.2

Where can I find IPLocks6.2 documentation?

The Installation Guide and Release Notes can be downloaded from the ftp site (blinder.iplocks.com, the same site from which you downloaded the IPLocks 6.2 GA build).
Other documentation in PDF and HTML formats is part of the installation. Once you install IPLocks 6.2 and log in as admin or as a user, you will see an icon named Documentation near the top of the IPLocks page.

The following documents are available after IPLocks 6.2 installation:
Administration Guide [PDF] [HTML]
CLI User Guide [PDF] [HTML]
Content Monitor User Guide [PDF] [HTML]
Metadata Monitor User Guide [PDF] [HTML]
Privilege Monitor User Guide [PDF] [HTML]
Transaction Monitor/Audit User Guide [PDF] [HTML]
User Behavior Monitor User Guide [PDF] [HTML]
Utilities User Guide [PDF] [HTML]
Vulnerability Assessment User Guide [PDF] [HTML]

83

IPLocks 6.x

Is there a way to reduce or decrease the number of violations so that we don't run into the overflow problem in UBM?

The parameter dss.sqlstatement.level in the dssConfig.properties file controls filtering. It determines which statements are kept (not filtered out) for the subsequent check of whether they correspond to a SQL statement related to an IPLocks UBM policy:
A level of '0' means that all statements are kept and none are filtered out;
A level of '1' or '2' means that only IPLocks-related SQL statements for enabled policies that do not duplicate other records from the same session for enabled policies are kept;
A level of '3' means that only IPLocks-related SQL statements for enabled policies are kept;
A level of '4' means that only IPLocks-related SQL statements for enabled and disabled policies are kept.

84

IPLocks6.2

Why am I getting the error "Unique constraint (IPLOCKS.DATABASES_CONST1) violated" after upgrading to IPLocks 6.2?

The error means that the DATABASESSEQ sequence, which generates new DBID values, has fallen behind the DBIDs already present in the upgraded repository, so the next value it returns is an id that already exists. Here are the steps to fix it:
1. Check the current sequence number in the internal repository:
SQL> select * from user_sequences where SEQUENCE_NAME in ('DATABASESSEQ');
SEQUENCE_NAME MIN_VALUE MAX_VALUE INCREMENT_BY C O CACHE_SIZE LAST_NUMBER
------------------------------ ---------- ---------- ------------ - - ---------- -----------
DATABASESSEQ 1 1.0000E+27 1 N N 20 140

2. Check the max dbid value in the internal repository:
SQL> select dbid, aliasname from databases_backup order by dbid;
DBID ALIASNAME
---------- --------------------------------------------------
110 ora10g
121 ora10g-2
132 ora920-win
143 win1020

3. Suppose the max dbid is 143 (already past the sequence's LAST_NUMBER of 140). With the IPLocks server stopped, execute the following before you try to create a new connection; the start value is the max dbid plus 1:

SQL> drop sequence DATABASESSEQ;
SQL> create sequence DATABASESSEQ start with 144;
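The same repair as an added example (not from the original article), computing the start value from the tables instead of typing it by hand so that a larger DBID elsewhere is not missed. It assumes the IPLOCKS schema holds a live DATABASES table alongside DATABASES_BACKUP (only the backup copy appears above), that DATABASESSEQ is owned by the IPLOCKS user, and that you run it in SQL*Plus as that user with the IPLocks server stopped.

```sql
-- Added example, not from the original article. Run as the IPLOCKS schema
-- owner in SQL*Plus with IPLocks stopped so nothing calls the sequence
-- while it is recreated. Assumes tables DATABASES and DATABASES_BACKUP.
SET SERVEROUTPUT ON

DECLARE
  v_max_dbid  NUMBER;
  v_last_num  NUMBER;
  v_start     NUMBER;
BEGIN
  -- Highest DBID in use across the live table and the upgrade backup copy.
  SELECT GREATEST(NVL((SELECT MAX(dbid) FROM databases), 0),
                  NVL((SELECT MAX(dbid) FROM databases_backup), 0))
    INTO v_max_dbid
    FROM dual;

  -- Where the sequence stands. LAST_NUMBER is the top of the cached range,
  -- so it can be ahead of the value NEXTVAL would actually return; it is
  -- reported for information only and the sequence is always rebuilt.
  BEGIN
    SELECT last_number INTO v_last_num
      FROM user_sequences
     WHERE sequence_name = 'DATABASESSEQ';
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      v_last_num := NULL;           -- sequence missing: just create it
  END;
  DBMS_OUTPUT.PUT_LINE('MAX(DBID) = ' || v_max_dbid ||
                       ', DATABASESSEQ.LAST_NUMBER = ' || NVL(TO_CHAR(v_last_num), 'none'));

  -- Rebuild starting one past the highest DBID. Dropping a sequence also
  -- drops grants on it, which is why this runs as the schema owner.
  v_start := v_max_dbid + 1;
  IF v_last_num IS NOT NULL THEN
    EXECUTE IMMEDIATE 'DROP SEQUENCE databasesseq';
  END IF;
  EXECUTE IMMEDIATE 'CREATE SEQUENCE databasesseq START WITH ' || v_start ||
                    ' INCREMENT BY 1 NOCYCLE';
  DBMS_OUTPUT.PUT_LINE('DATABASESSEQ recreated; next DBID will be ' || v_start);
END;
/

-- Verify without consuming a value: NEXT_DBID must be greater than MAX_DBID.
SELECT s.last_number AS next_dbid,
       (SELECT MAX(dbid) FROM databases) AS max_dbid
  FROM user_sequences s
 WHERE s.sequence_name = 'DATABASESSEQ';
```

The check on the cached range matters because a freshly restarted instance can have discarded up to CACHE_SIZE (20) values; comparing LAST_NUMBER to MAX(DBID) alone can therefore look safe when it is not, so the block rebuilds unconditionally.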

85

IPLocks6.2

How can I schedule a VA scan and generate reports using IPLocks6.2?

Both scheduling a VA scan and generating VA reports can be done with the CLI in IPLocks 6.2; it covers these requirements.

86

IPLocks6.2

How do I set up the DB2 agent on a target machine?

For the setup of the agent for DB2 audit-based retrieval on V8, refer to the Administration Guide; the general steps are summarized here.
Note: The audit-based-retrieval agent for MM and PM should be run by the DB2 instance owner so that it has access to the proper files. The DB2 instance account (say db2inst1) normally has a sqllib directory under its home directory. Set up its environment by executing one of the following, noting the '.' at the beginning of each:
. /home/db2inst1/sqllib/db2profile
or:
. ~/sqllib/db2profile
To activate the agent, perform these general steps:
1. Copy the agent files from the IPLocks machine to the target-database machine.
 A. Go to the db2v8 directory on the IPLocks machine:
$IPLOCKS_HOME/util/db2v8
 B. Create a directory on the target-database machine for the agent files.
 C. Copy these files into the newly created directory on the target-database machine:
a. For Windows-based targets, copy:
db2audit.bat
serverConfigDB28.properties
db2audit.jar
README.txt
b. For UNIX-based targets, copy:
db2audit.sh
serverConfigDB28.properties
db2audit.jar
README.txt
i). Make sure you have execute permission on the db2audit.jar file. If not, change the permissions as follows:
chmod 755 db2audit.jar
ii). The DB2 audit agent must be executed by the DB2 instance user, and that user (e.g., db2inst1) needs access to the DB2 security directory. The commands for that are:
chmod -R 755 /opt/IBM/db2/V8.1/security
chown -R db2inst1:db2grp1 /opt/IBM/db2/V8.1/security
where db2inst1 belongs to the primary group db2grp1. Changing the ownership of files you do not own requires root, so run these as root rather than as db2inst1. They also relax the permissions on DB2's own security directory, so apply them to the minimum path your DB2 administrator agrees to.
iii). The DB2 instance user must have write access to the security folder (by default /opt/IBM/db2/V8.1/security).
Note: On AIX, the security folder is found under /usr/opt/db2_08_01.
2. (Optionally) change any agent parameters from their default values, if necessary, in the serverConfigDB28.properties file.
The agent listens on port 51236 by default. To change it, add the following parameter to dssConfig.properties in $IPLOCKS_HOME/conf:
dss.db28auditPort=newPortNumber
The db2extractdirhelp parameter helps alleviate I/O contention and disk-space problems. The default is /tmp; choose another disk location if you encounter an excessively large db2audit.out file.
3. Start the agent.
In the directory you created on the target machine, execute for UNIX-based targets:
./db2audit.sh
or, as an Administrator-level user, for Windows-based targets, run:
db2audit.bat
4. Establish your database connection using the agent parameters.

87

IPLocks 6.x

How can I display "Reason for update" in the Summary report and export it to PDF or Excel format?

The "Reason for update" text box cannot be shown in the PDF or Excel file. At present you need to customize the report with JasperReports to include it.

88

Standalone

How can I optimize IPLocks/FortiDB performance by setting Oracle as internal repository?

You can optimize performance by tuning Oracle parameters; the right values depend on the individual machine and hardware. To handle a large volume of SQL statements or audit data, the repository database must be tuned: a default installation will not cope with the data load and the matching of SQL statements against policies. Set the following parameters as high as the memory available on the system allows:

Db_cache_size=500M
Log_buffer=1M
Pga_aggregate_target=300M
Shared_pool_size=200M
Cursor_sharing=similar
hash_join_enabled=true
BlockSize (more than 16K is recommended)
<Example>
Processes = 600
shared_pool_size = 150994944
db_block_size = 8192
db_cache_size = 520093696
db_file_multiblock_read_count= 16
hash_join_enabled = TRUE
pga_aggregate_target = 512165824
cursor_sharing = similar

Two caveats on this list: DB_BLOCK_SIZE is fixed when the database is created (the example above keeps the 8K default), so choose the block size before creating the repository. HASH_JOIN_ENABLED is obsolete from Oracle 10g onward and CURSOR_SHARING=SIMILAR is deprecated from 11g, so on a newer repository release omit the former and use EXACT or FORCE for the latter.

For Oracle tuning with large-scale processing, you can also:
- Increase the size/number of undo segments (rollback segments)
- Increase the size of the online redo log files
- Distribute disk I/O across devices
- Use locally managed tablespaces
- Use automatic segment space management (SEGMENT SPACE MANAGEMENT AUTO) or increase FREELISTS

89

Standalone

The audit logs of my target databases are encrypted for internal security. If the target database connection is authenticated, can IPLocks/FortiDB still scan the databases?

No. The IPLocks/FortiDB agent cannot read encrypted data. If the OS audit trail files are encrypted when audit_trail is set to OS, IPLocks/FortiDB cannot read them, regardless of whether the connecting user is properly authenticated.

90

Standalone

How can I restore an IPLocks/FortiDB Instance in case of hardware failure?

In case of hardware failure, take the following steps to rebuild the IPLocks/FortiDB server:

1. Install IPLocks/FortiDB.
2. Connect to your Oracle repository.
3. Restore the previous backup.
4. Request a new license key file if you are installing IPLocks/FortiDB on a different machine (the key is tied to the MAC address).
5. IPLocks/FortiDB uses the key files (.keyfile, .keystore) in the conf directory to encrypt the passwords of target database connections. These files are generated during installation. If you have these two files backed up, replace the newly generated ones with the old ones. Otherwise, you will need to edit each target database connection in the newly installed IPLocks, re-entering its password, so that it is encrypted with the new key files. Because these two files decrypt every stored target-database password, back them up and protect them with the same care as the repository backup itself.
6. Restart the IPLocks/FortiDB server.

91

Standalone

Why can’t I sometimes delete database connections when my internal repository is Oracle and when I have very large number of database connections?

If deleting database connections fails or is very slow because of the large number of connections, create the following indexes (as the IPLOCKS user, or as a DBA using the schema prefix shown):

CREATE INDEX IPLOCKS.CB_CVARUNDETAIL
  ON IPLOCKS.CVARUNDETAIL (RUNID, CLASSIFICATIONID, ALARMID, GUARDID, SEVERITYID)
  STORAGE (BUFFER_POOL KEEP) COMPUTE STATISTICS TABLESPACE IPLOCKS;

CREATE INDEX IPLOCKS.CB_CVARUN
  ON IPLOCKS.CVARUN (DBID, RUNID)
  STORAGE (BUFFER_POOL KEEP) COMPUTE STATISTICS TABLESPACE IPLOCKS;

Note that BUFFER_POOL KEEP only takes effect if the repository instance has a KEEP pool configured (DB_KEEP_CACHE_SIZE); otherwise the indexes simply use the default buffer pool, which is still sufficient for this purpose.

92

Standalone

Does IPLocks/FortiDB support Windows Server 2003 with SP2?

Yes, IPLocks/FortiDB supports Windows Server 2003 with SP2.

93

Standalone

What should I do if my IPLocks/FortiDB application is running out of Java Heap Memory?

Check the physical memory size and the Oracle SGA size, then raise the Java heap limits in the JVM options IPLocks is started with. If the server has 4 GB of memory free, you can specify:
-Xmx4096m
-XX:MaxNewSize=4096M
-XX:NewSize=512M

A heap of this size requires a 64-bit JVM; a 32-bit JVM cannot address a 4 GB heap. Note also that the young generation cannot occupy the entire heap, so the JVM clamps a MaxNewSize equal to -Xmx below it; keeping MaxNewSize to a fraction of -Xmx avoids relying on that adjustment.

If you don't know the appropriate values, look at the memory information on the IPLocks server and tune accordingly, taking into account:
1. The Oracle SGA size (memory already committed to the repository if it runs on the same host)
2. Physical memory and free space as reported by the top command

94

Standalone

Why can’t I start IPLocks after changing IPLocks password in internal repository?

If you have changed the IPLocks user's password in the Oracle repository, put the new password in clear text in the install.properties file in place of the encrypted value, for example:

dbPassword=4831a9ee63c11e65820db564242bf682

Remove the encrypted password and enter the new one, then:
- Ensure that install.properties is not corrupted (keep a copy of install.properties for safety and future use), and restrict its file permissions to the IPLocks service account, since it now holds the repository password in clear text.
- Delete or rename the dssConfig.properties file in the $IPLOCKS_HOME/conf directory.
- cd to $IPLOCKS_HOME/bin and run ./RegenEnv; this generates a new dssConfig.properties file.
- Start IPLocks with $IPLOCKS_HOME/bin/start-iplocks.

95

Standalone

Can I change the starting number of the Alert ID from 101 to some other number?

The IPLocks admin cannot change the starting Alert ID from the GUI or from the setup/configuration files. It can be changed by altering the sequence start number in the internal repository, but since this has not been tested, it is not recommended.

96

Standalone

Can I display more than 100 alerts in UBM?

UBM stores all violations but displays only the first 100. The parameter dss.ubm.maxaccessviolations in the dssConfig.properties file controls this: it sets the maximum number of access violations displayed in a single alert, and its default is 100.

You can also delete any alerts that have been resolved. A permanent copy exists in the IPLocks application system, so you can always retrieve old alerts using the Report Generator even after deleting them from the screen.
You can use the Audit Log Navigation screen of UBM to generate reports. It lets you search audit data by various criteria, generate reports and gather statistical information about the audit data.

97

Standalone

How can I change the port number https and http port for IPLocks v7/FortiDB 3.x  application?

The default HTTP port for the IPLocks/FortiDB application is 9100 and the default HTTPS port is 8433.
The URL for a secure connection is https://localhost:8433/iplocks.

To change the port numbers after installation, do the following:
1. Go to $IPLOCKS_HOME/conf.
2. Change the port numbers in the install.properties file. For example, change from:
tomcatHttpPort=9100
tomcatHttpsPort:8433
to:
tomcatHttpPort=80
tomcatHttpsPort:443
Ports 80 and 443 are just examples; use ports that are free on your machine. On UNIX, binding to a port below 1024 requires root privileges (or an equivalent capability), so choosing a low port also changes how the IPLocks service must be started.
3. Stop and restart IPLocks/FortiDB from $IPLOCKS_HOME/bin:
Stop-<application name>
Start-<application name>

98

Standalone

Does FortiDB 4.x support LDAP or Active Directory authentication?

Yes, FortiDB 4.x supports LDAP authentication, including LDAP against Active Directory.

99

Standalone

Why can't I install FortiDB 4.x with PostgreSQL as the internal database?

Unlike IPLocks 6.2, PostgreSQL is not bundled with the IPLocks v7/FortiDB 3.x installer; you have to install PostgreSQL 8.3 separately. If you want to use IPLocks v7/FortiDB 3.x for demo purposes only, Apache Derby, an embedded Java database, is shipped with IPLocks v7/FortiDB 3.x; choose the Derby option for the internal database instead of PostgreSQL.

100

Standalone

How can I find the version number and the timestamp when PDR XML file was uploaded?

Query the pdrlog table in the internal repository; it records the XML file name, version number and the time it was uploaded:

select * from pdrlog;

101

VA

When a user cannot see descriptions for VA policies in VA reports or error messages, what could be the possible reason?

If you don't see a description, or you see the error message "The result set for this policy could not be displayed, due to the inability to retrieve the required object information", one possible reason is a space problem on the target database machine; increasing the available space may address the issue. Another possible reason is insufficient privileges for the user scanning the database; grant the privileges listed in the Administration Guide.

102

VA

How can I find how much storage space is used by VA reports in an internal server?

You can run the following SQL query to find the storage space used by VA reports. Run it before and after a scan and subtract the two values to get the space used by that scan. If the internal repository is Oracle, run it as the SYSTEM user (or any user who can read DBA_SEGMENTS):
select sum(BYTES) /1024/1024 as "BYTES(MB)" from dba_segments where OWNER = 'IPLOCKS';
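As an added example (not from the original article), the same DBA_SEGMENTS measurement broken down by object, plus a before/after snapshot that isolates the growth from one scan. It assumes SYSTEM access on an Oracle repository; the snapshot table VA_SPACE_SNAP is a name chosen for this example, not an IPLocks object.

```sql
-- Added example, not from the original article. Run as SYSTEM (or any user
-- that can read DBA_SEGMENTS) on the Oracle internal repository.
-- VA_SPACE_SNAP is a table name chosen here, not an IPLocks object.

-- Which IPLOCKS objects hold the space, largest first. DBA_SEGMENTS reports
-- allocated extents, not live rows, so a scan whose rows fit into free space
-- inside already-allocated extents shows no growth at all.
SELECT segment_name, segment_type,
       ROUND(SUM(bytes) / 1024 / 1024, 2) AS mb
  FROM dba_segments
 WHERE owner = 'IPLOCKS'
 GROUP BY segment_name, segment_type
 ORDER BY mb DESC;

-- Snapshot the schema total before the scan.
CREATE TABLE va_space_snap (taken_at TIMESTAMP, total_bytes NUMBER);

INSERT INTO va_space_snap
SELECT SYSTIMESTAMP, SUM(bytes) FROM dba_segments WHERE owner = 'IPLOCKS';
COMMIT;

-- ... run the VA scan from IPLocks, then take the second snapshot:
INSERT INTO va_space_snap
SELECT SYSTIMESTAMP, SUM(bytes) FROM dba_segments WHERE owner = 'IPLOCKS';
COMMIT;

-- Growth between consecutive snapshots; the latest row's DELTA_MB is the
-- space that scan used. Further scans just append more rows.
SELECT taken_at,
       ROUND(total_bytes / 1024 / 1024, 2) AS total_mb,
       ROUND((total_bytes - LAG(total_bytes) OVER (ORDER BY taken_at))
             / 1024 / 1024, 2) AS delta_mb
  FROM va_space_snap
 ORDER BY taken_at;
```

Keeping the snapshot table outside the IPLOCKS schema (it is created in SYSTEM's schema here) avoids counting the measurement itself in the total.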

103

VA

Where can I view the historical reports for VA scan?

You can see the historical reports from the VA Trend Report. Go to the bottom of the page; all historical reports are listed there, sorted by timestamp.

Submitted by: goliver on 4/29/13 6:54 PM
Based on Mantis Doc 99047