Firewall tab

From the Firewall tab, you can configure the Guardium® firewall for an External S-TAP®. Using the Guardium firewall can slow performance and might cause other issues. Guardium suggests that you use the firewall feature only when necessary.

The Firewall tab parameters are based on the Linux-UNIX firewall parameters for S-TAPs. For more information, see Linux-UNIX: Firewall parameters. For more information about Guardium policies and the firewall, see Blocking rule actions.
Table 1. Firewall tab

Firewall installed
  Default: 0
  Meaning: Enables or disables the firewall feature. Valid values:
    • 0: Disables the firewall.
    • 1: Enables the firewall.

Firewall timeout
  Default: 10 (seconds)
  Meaning: Time, in seconds, to wait for a verdict from the Guardium system. If the firewall times out, the Firewall fail close value determines whether to block or allow the connection. The value can be any integer.

Firewall default state
  Default: 0
  Meaning: Sets the default state for the firewall. Valid values:
    • 0: The firewall is activated per session when triggered by a rule in the installed policy.
    • 1: Watch all traffic for firewall policy violations.
    • 2: Watch all traffic for firewall policy violations for the initial priority_count packets. The External S-TAP watches the initial part of every new session to your database. Setting the default state to 2 is useful when you have session-based policies, firewall rules based on the user, or other information that is passed early in the session. It limits the impact of the firewall on performance: instead of watching every bit of the session (Firewall default state=1) and waiting for an UNWATCH verdict, the External S-TAP unwatches automatically if no WATCH or DROP verdict is sent.

Firewall fail close
  Default: 0 (not selected)
  Meaning: The action to take when the verdict cannot be set by the policy rules, for example, if Firewall timeout expires.
    • If the check box is selected, the connection is blocked.
    • If not selected, the connection goes through.

Firewall force watch
  Default: (empty)
  Meaning: A comma-separated list of IP/mask values. If Firewall default state is set to 0 (off), Firewall force watch specifies the network addresses or masks of the IP addresses that you want the firewall to watch, overriding the default.

Firewall force unwatch
  Default: (empty)
  Meaning: A comma-separated list of IP/mask values. If Firewall default state is set to 1 (on), Firewall force unwatch specifies the network addresses or masks of the IP addresses that you want the firewall to ignore, overriding the default.
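The parameters above interact: the default state decides whether a new session starts out watched, the force watch/unwatch lists override that decision per client address, and the timeout plus fail close decide what happens when no verdict arrives. The following Python model, added here as an illustration and not Guardium's own code, walks through those interactions so the failure modes (a collector that never answers, a state-2 session that receives no WATCH or DROP) are explicit. The parameter names mirror the Firewall tab labels and the verdict names WATCH, UNWATCH and DROP come from the page text; the function names, the FirewallConfig class, the BLOCK/ALLOW result strings and the sample addresses are constructed for this example.

```python
"""Illustrative model of the External S-TAP firewall settings described on this page.

Added example, not Guardium's implementation. The field names follow the Firewall tab
labels; everything else (function names, result strings, sample data) is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class FirewallConfig:
    """One row per Firewall tab parameter, with the page's defaults."""
    firewall_installed: int = 0          # 0 = disabled, 1 = enabled
    firewall_timeout: int = 10           # seconds to wait for a verdict
    firewall_default_state: int = 0      # 0, 1 or 2 as described in Table 1
    firewall_fail_close: bool = False    # check box: True = block on no verdict
    firewall_force_watch: str = ""       # comma-separated IP/mask list
    firewall_force_unwatch: str = ""     # comma-separated IP/mask list


def parse_ip_masks(value: str) -> List:
    """Parse a comma-separated IP/mask list. Accepts CIDR ('10.0.0.0/8'),
    dotted netmask ('10.0.0.0/255.0.0.0') and bare hosts ('192.168.1.5')."""
    return [ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]


def _matches(client_ip: str, networks: List) -> bool:
    addr = ip_address(client_ip)
    return any(addr in net for net in networks)


def initially_watched(cfg: FirewallConfig, client_ip: str) -> bool:
    """Does a new session from client_ip start under firewall inspection?"""
    if not cfg.firewall_installed:
        return False                      # feature off: nothing is watched
    state = cfg.firewall_default_state
    if state == 0:
        # Off by default; Firewall force watch overrides for listed addresses.
        return _matches(client_ip, parse_ip_masks(cfg.firewall_force_watch))
    if state == 1:
        # On by default; Firewall force unwatch overrides for listed addresses.
        return not _matches(client_ip, parse_ip_masks(cfg.firewall_force_unwatch))
    if state == 2:
        # Initial priority_count packets of every session are watched. The page does
        # not say whether force unwatch applies here, so this model does not apply it.
        return True
    raise ValueError(f"unsupported Firewall default state: {state}")


def state_after_initial_window(cfg: FirewallConfig, verdict: Optional[str]) -> str:
    """Session state once the initial packets have been inspected.
    verdict is 'WATCH', 'UNWATCH', 'DROP' or None when the collector sent nothing."""
    if verdict == "UNWATCH":
        return "UNWATCHED"
    if verdict in ("WATCH", "DROP"):
        return "WATCHED"
    # No verdict: state 2 unwatches automatically, state 1 keeps waiting.
    return "UNWATCHED" if cfg.firewall_default_state == 2 else "WATCHED"


def resolve_verdict(cfg: FirewallConfig, verdict: Optional[str], elapsed_seconds: int) -> str:
    """Translate the collector's answer (or its absence) into BLOCK or ALLOW."""
    if verdict is None or elapsed_seconds > cfg.firewall_timeout:
        # Firewall timeout expired: Firewall fail close decides the outcome.
        return "BLOCK" if cfg.firewall_fail_close else "ALLOW"
    if verdict == "DROP":
        return "BLOCK"
    return "ALLOW"                        # WATCH keeps inspecting; UNWATCH releases


if __name__ == "__main__":
    # Constructed sample: firewall on, off by default, watching one subnet only.
    cfg = FirewallConfig(firewall_installed=1, firewall_default_state=0,
                         firewall_force_watch="10.0.0.0/8, 192.168.1.5")
    for ip in ("10.20.30.40", "192.168.1.5", "172.16.0.9"):
        print(ip, "watched" if initially_watched(cfg, ip) else "not watched")
    print("no verdict after 12s:", resolve_verdict(cfg, None, 12))
    cfg.firewall_fail_close = True
    print("no verdict, fail close:", resolve_verdict(cfg, None, 12))
```

The model makes one point visible that the table states only indirectly: with Firewall fail close left unselected, a collector that stops answering degrades to allow-all, so the default favours availability over enforcement; selecting fail close turns the same outage into blocked connections.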