IBM Support

Guardium S-TAP Verification with Network Address Translation (NAT)

Question & Answer


Question

NAT is used between the network locations where my S-TAP and Collector are installed. What is the expected behavior of Guardium S-TAP Verification in this case?

Cause

S-TAP Verification (both advanced and standard) checks the client and server IP of the connection from collector to database. If the IP addresses are different from the perspective of the collector and the database server, for example if NAT is used, the verification process will not work as expected.

The verification process is looking for traffic from IP1 to IP2, but the S-TAP is reporting traffic from IP3 to IP4 due to NAT.

Answer

If NAT is used between network locations of the collector and S-TAP, S-TAP verification will fail, even if the S-TAP is in fact collecting traffic. Run diagnostics will show '0 failed checks'.

As of Guardium v10.1.2 and v9.5 this is the expected behavior. S-TAP verification is not supported in NAT environment.

Check in reports to verify if these S-TAPs are collecting data. For example - How can I check if the correct data is being logged on my Guardium appliance?

[{"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Guardium Appliances","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"10.0;10.0.1;10.1;10.1.2;9.0;9.1;9.5","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018

UID

swg22000145

Page Feedback