The query rewrite parameters affect the behavior of the S-TAP with respect to discovery.
GIM | guard_tap.ini | Default Value | Description |
STAP_QRW_INSTALLED | qrw_installed | 0 | Enable or disable the query rewrite feature. When set to 0, all other parameters in this group are ignored. Valid values:
Note: firewall_installed and qrw_installed cannot be enabled at the same time. If qrw_installed is set to 1, then firewall_installed is disabled. |
STAP_QRW_DEFAULT_STATE | qrw_default_state | 0 | Sets the query rewrite activation trigger. Must be 0 if firewall_default_state=1 or 2. Valid values:
- 0: QRW is activated per session when triggered by a rule in the installed policy.
- 1: Watch all packets. QRW is activated for every session regardless of the installed policy. S-TAP watches all priority packets and sends them to the collector, which reduces the chance that a session avoids firewall or redaction rules.
- 2: Priority packets are watched by default. If an event is not triggered by the priority packets, query rewrite stops watching after the priority packets until the policy is triggered. To reduce the possibility that short sessions evade firewall and redaction rules, when either qrw_default_state or firewall_default_state is set to 2, create a session-level policy (SLP). Firewall/QRW is initially activated for a limited number of the first packets (priority packets) of each session. If not triggered by a rule of the installed SLP, Firewall/QRW is automatically deactivated.
  When set to 2, the QRW operation can be modified by the following commands:
  - Watch - S-TAP changes the state from 2 to 1 so that the connection is permanently subject to firewall or query rewrite operations.
  - Drop - Terminate the connection immediately.
  - Watch & Drop - Terminate the connection immediately.
  - Unwatch - S-TAP changes the state from 2 to 0 so the connection is no longer subject to firewall or query rewrite operations. |
STAP_QRW_FORCE_WATCH | qrw_force_watch | NULL | Comma-separated list of client IP/MASKs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) to watch automatically. Valid when qrw_installed is 1, and qrw_default_state is 0. Cannot be configured to the same IP range as firewall_force_unwatch. |
STAP_QRW_FORCE_UNWATCH | qrw_force_unwatch | NULL | Comma-separated list of client IP/MASKs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) to exclude from watching. Valid when qrw_installed is 1, and qrw_default_state is 1. Cannot be configured to the same IP range as firewall_force_unwatch. |
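
A pre-deployment check of the constraints in the table above, as an added example (not IBM code or tooling). It assumes a guard_tap.ini that Python's configparser can read, dotted IPv4 IP/MASK entries as in the page's example, and that an identical IP/MASK entry counts as "the same IP range"; `check_qrw`, `parse_ip_masks` and the sample text are constructed for illustration.

```python
import configparser
import ipaddress

def parse_ip_masks(value):
    """Parse 'IP/MASK,IP/MASK' (dotted IPv4, as in the page's example) into a set."""
    if value.strip().upper() in ("", "NULL"):
        return set()
    pairs = set()
    for item in value.split(","):
        ip, sep, mask = item.strip().partition("/")
        if not sep:
            raise ValueError(f"entry {item.strip()!r} has no /MASK part")
        pairs.add((ipaddress.IPv4Address(ip), ipaddress.IPv4Address(mask)))
    return pairs

def check_qrw(ini_text):
    """Return findings for the query rewrite rules stated in the table above."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    # Flatten every section so the check does not depend on where the keys live.
    cfg = {k: v.strip() for s in cp.sections() for k, v in cp[s].items()}
    if cfg.get("qrw_installed", "0") != "1":
        return []  # qrw_installed=0: the other parameters in the group are ignored
    findings = []
    state = cfg.get("qrw_default_state", "0")
    if cfg.get("firewall_installed", "0") == "1":
        findings.append("qrw_installed and firewall_installed are both 1")
    if state not in ("0", "1", "2"):
        findings.append(f"qrw_default_state={state} is not 0, 1 or 2")
    if cfg.get("firewall_default_state", "0") in ("1", "2") and state != "0":
        findings.append("qrw_default_state must be 0 (firewall_default_state is 1 or 2)")
    lists = {}
    for key in ("qrw_force_watch", "qrw_force_unwatch", "firewall_force_unwatch"):
        try:
            lists[key] = parse_ip_masks(cfg.get(key, "NULL"))
        except ValueError as exc:  # IPv4Address errors are ValueError subclasses
            findings.append(f"{key}: {exc}")
            lists[key] = set()
    # Each list is valid in exactly one qrw_default_state: 0 for watch, 1 for unwatch.
    for key, needed in (("qrw_force_watch", "0"), ("qrw_force_unwatch", "1")):
        if lists[key] and state != needed:
            findings.append(f"{key} set but qrw_default_state is {state}, not {needed}")
        if lists[key] & lists["firewall_force_unwatch"]:
            findings.append(f"{key} shares an IP/MASK with firewall_force_unwatch")
    return findings

# Constructed sample, not a real configuration: three rules are violated.
SAMPLE = ("[TAP]\nqrw_installed=1\nfirewall_installed=1\nqrw_default_state=2\n"
          "qrw_force_watch=1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2\n"
          "firewall_force_unwatch=2.2.2.2/2.2.2.2\n")
```

Calling `check_qrw(SAMPLE)` returns one finding per violated rule; an empty list means the checked rules hold.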