Linux-UNIX: Query rewrite parameters

The query rewrite (QRW) parameters control whether and when the S-TAP applies query rewrite to database sessions. Each entry below gives the parameter's GIM name, its guard_tap.ini name, its default value, and a description.

GIM parameter: STAP_QRW_INSTALLED
guard_tap.ini parameter: qrw_installed
Default value: 0
Description: Enables or disables the query rewrite feature. When set to 0, all other parameters in this group are ignored. Valid values:
  • 0: Disabled
  • 1: Enabled
Note: firewall_installed and qrw_installed cannot be enabled at the same time. If qrw_installed is set to 1, then firewall_installed is disabled.

GIM parameter: STAP_QRW_DEFAULT_STATE
guard_tap.ini parameter: qrw_default_state
Default value: 0
Description: Sets the trigger that activates query rewrite for a session. Must be 0 if firewall_default_state is 1 or 2. Valid values:
  • 0: QRW is activated per session only when a rule in the installed policy triggers it.
  • 1: Watch all packets. QRW is activated for every session regardless of the installed policy. S-TAP watches all packets and sends them to the collector, which reduces the chance that a session evades firewall or redaction rules.
  • 2: Priority packets are watched by default. Firewall/QRW is initially activated for a limited number of the first packets (priority packets) of each session. If those packets do not trigger a rule in the installed session-level policy (SLP), Firewall/QRW is automatically deactivated for that session and stops watching until a policy rule triggers it. Because a short session can end before a rule fires, create a session-level policy whenever qrw_default_state or firewall_default_state is set to 2; otherwise such sessions can evade firewall and redaction rules.
    When set to 2, the QRW state of a connection can be changed by the following policy actions:
    • Watch: S-TAP changes the state from 2 to 1, so the connection is permanently subject to firewall or query rewrite operations.
    • Drop: Terminate the connection immediately.
    • Watch & Drop: Terminate the connection immediately.
    • Unwatch: S-TAP changes the state from 2 to 0, so the connection is no longer subject to firewall or query rewrite operations.

GIM parameter: STAP_QRW_FORCE_WATCH
guard_tap.ini parameter: qrw_force_watch
Default value: NULL
Description: Comma-separated list of client IP/MASK pairs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) whose sessions are watched automatically. Valid only when qrw_installed is 1 and qrw_default_state is 0. Cannot be configured to the same IP range as qrw_force_unwatch.

GIM parameter: STAP_QRW_FORCE_UNWATCH
guard_tap.ini parameter: qrw_force_unwatch
Default value: NULL
Description: Comma-separated list of client IP/MASK pairs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) whose sessions are excluded from watching. Valid only when qrw_installed is 1 and qrw_default_state is 1. Cannot be configured to the same IP range as qrw_force_watch.
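The constraints above (qrw_installed and firewall_installed are mutually exclusive, qrw_default_state must be 0 when firewall_default_state is 1 or 2, each force list is only valid in one default state, and the two force lists must not cover the same addresses) are easy to violate by hand-editing guard_tap.ini. The following Python script is an added example, not IBM's code and not part of this page: it reads a guard_tap.ini fragment and reports every setting that the descriptions above say is invalid or ignored. The two sample configurations are constructed for illustration. The parameter names are the ones on this page; the flat key=value layout of guard_tap.ini, treating NULL or an empty value as "unset", and the overlap rule for IP/MASK pairs (two entries share an address when the bits covered by both masks agree) are assumptions of the example.

```python
import ipaddress

# Added example (not IBM's code): a linter for the query rewrite (QRW)
# settings in guard_tap.ini, using only the rules listed on this page.
# Assumption: guard_tap.ini is a flat key=value file with a [TAP] header,
# and NULL or an empty value means "not set".

# Constructed sample: violates four of the page's rules.
BAD_CONFIG = """\
[TAP]
# constructed example, not a real installation
firewall_installed=1
firewall_default_state=1
qrw_installed=1
qrw_default_state=1
qrw_force_watch=10.0.0.0/255.255.0.0
qrw_force_unwatch=10.0.5.0/255.255.255.0
"""

# Constructed sample: consistent QRW configuration.
GOOD_CONFIG = """\
[TAP]
firewall_installed=0
firewall_default_state=0
qrw_installed=1
qrw_default_state=0
qrw_force_watch=10.0.0.0/255.255.0.0,192.168.1.20/255.255.255.255
qrw_force_unwatch=NULL
"""


def parse_guard_tap(text):
    """Return {key: value} from key=value lines; section headers, blank
    lines and comment lines are skipped and keys are lower-cased."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip().lower()] = value.strip()
    return params


def parse_ip_mask_list(value):
    """Parse the comma-separated IP/MASK list used by qrw_force_watch and
    qrw_force_unwatch (e.g. 10.0.0.0/255.255.0.0) into (ip, mask) int pairs."""
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item or item == "NULL":
            continue
        ip_s, sep, mask_s = item.partition("/")
        if not sep:
            raise ValueError(f"{item!r} is missing its /MASK")
        entries.append((int(ipaddress.IPv4Address(ip_s)),
                        int(ipaddress.IPv4Address(mask_s))))
    return entries


def ranges_overlap(a, b):
    """Two IP/MASK entries share at least one address iff the bits covered
    by both masks agree; this also holds for non-contiguous masks."""
    (ip1, m1), (ip2, m2) = a, b
    return (ip1 ^ ip2) & m1 & m2 == 0


def fmt(entry):
    return f"{ipaddress.IPv4Address(entry[0])}/{ipaddress.IPv4Address(entry[1])}"


def check_qrw(params):
    """Return a list of findings; empty when the QRW settings are consistent."""
    def num(key):
        try:
            return int(params.get(key, "0") or "0")
        except ValueError:
            return -1  # non-numeric value fails the range check below

    findings = []
    qrw_on, fw_on = num("qrw_installed"), num("firewall_installed")
    qrw_state, fw_state = num("qrw_default_state"), num("firewall_default_state")
    watch = params.get("qrw_force_watch", "NULL") or "NULL"
    unwatch = params.get("qrw_force_unwatch", "NULL") or "NULL"

    if qrw_on not in (0, 1):
        findings.append("qrw_installed must be 0 or 1")
    if qrw_state not in (0, 1, 2):
        findings.append("qrw_default_state must be 0, 1 or 2")
    if qrw_on == 1 and fw_on == 1:
        findings.append("qrw_installed=1 disables firewall_installed; they cannot both be enabled")
    if qrw_state != 0 and fw_state in (1, 2):
        findings.append("qrw_default_state must be 0 when firewall_default_state is 1 or 2")
    if qrw_on == 0 and (qrw_state != 0 or watch != "NULL" or unwatch != "NULL"):
        findings.append("qrw_installed=0: the other qrw_* parameters are ignored")
    if watch != "NULL" and not (qrw_on == 1 and qrw_state == 0):
        findings.append("qrw_force_watch is only valid with qrw_installed=1 and qrw_default_state=0")
    if unwatch != "NULL" and not (qrw_on == 1 and qrw_state == 1):
        findings.append("qrw_force_unwatch is only valid with qrw_installed=1 and qrw_default_state=1")
    try:
        watched, unwatched = parse_ip_mask_list(watch), parse_ip_mask_list(unwatch)
    except ValueError as exc:
        findings.append(f"malformed IP/MASK list: {exc}")
        return findings
    for a in watched:
        for b in unwatched:
            if ranges_overlap(a, b):
                findings.append(f"qrw_force_watch and qrw_force_unwatch overlap: {fmt(a)} vs {fmt(b)}")
    return findings


if __name__ == "__main__":
    for name, text in (("BAD_CONFIG", BAD_CONFIG), ("GOOD_CONFIG", GOOD_CONFIG)):
        print(name, check_qrw(parse_guard_tap(text)) or ["OK"])
```

Run it against a copy of your own guard_tap.ini by replacing the sample text with the file contents; the overlap check is the one most worth keeping, because a client range that appears in both force lists gives no hint in the file itself about which list wins.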