Linux-UNIX: Firewall parameters

These parameters affect the behavior of the S-TAP with respect to the firewall.

These parameters are stored in the [TAP] section of the S-TAP properties file.

Each parameter is listed with its GUI name, its GIM parameter, its guard_tap.ini parameter, its default value, and a description.

Firewall installed
  GIM: STAP_FIREWALL_INSTALLED
  guard_tap.ini: firewall_installed
  Default value: 0
  Description: Enables the firewall feature. Valid values:
    • 0: Disabled.
    • 1: Enabled.
  Note: firewall_installed and qrw_installed cannot be enabled at the same time. If qrw_installed is set to 1, then firewall_installed is disabled.

Firewall timeout
  GIM: STAP_FIREWALL_TIMEOUT
  guard_tap.ini: firewall_timeout
  Default value: 2
  Description: Time to wait for a verdict from the Guardium® system. If the firewall times out, the value of the firewall_fail_close parameter determines whether the connection is blocked or allowed.
  Valid values: -1 to -999, 1 to 10. Negative values are milliseconds and positive values are seconds. For example, -50 is 50 milliseconds, while 3 is 3 seconds.

Firewall fail close
  GIM: STAP_FIREWALL_FAIL_CLOSE
  guard_tap.ini: firewall_fail_close
  Default value: 0
  Description: The action taken when the policy rules cannot set a verdict, for example when the firewall timeout expires. Valid values:
    • 0: The connection goes through.
    • 1: The connection is blocked.

Firewall default state
  GIM: STAP_FIREWALL_DEFAULT_STATE
  guard_tap.ini: firewall_default_state
  Default value: 0
  Description: Sets the firewall activation trigger. Must be 0 if qrw_default_state is 1 or 2. Valid values:
    • 0: The firewall is activated per session when triggered by a rule in the installed policy.
    • 1: All traffic is watched for firewall policy violations.
    • 2: All traffic is watched for firewall policy violations for the initial priority_count packets (a guard_tap.ini parameter). S-TAP watches the initial part of every new session to your database. This is useful when you have session-based policies, firewall rules based on the user, or rules based on other information that is passed early in the session. It limits the performance impact of the firewall: instead of watching every bit of the session (as with firewall_default_state=1) and waiting for an UNWATCH verdict, S-TAP simply unwatches automatically if no WATCH or DROP verdict is sent.

  To reduce the possibility that short sessions evade firewall and redaction rules when either firewall_default_state or qrw_default_state is set to 2, create a session-level policy. S-TAP then watches all priority packets and sends them to the collector, which reduces the chance that a session avoids firewall or redaction rules.

Firewall force watch
  GIM: STAP_FIREWALL_FORCE_WATCH
  guard_tap.ini: firewall_force_watch
  Default value: NULL
  Description: When firewall_default_state=0 (off), firewall_force_watch specifies the network/mask of the IPs you want the firewall to watch, overriding the default (off).
  Valid value: comma-separated list of IP/mask values.

Firewall force unwatch
  GIM: STAP_FIREWALL_FORCE_UNWATCH
  guard_tap.ini: firewall_force_unwatch
  Default value: NULL
  Description: When firewall_default_state=1 (on), firewall_force_unwatch specifies the network/mask of the IPs you want the firewall to ignore, overriding the default (on).
  Valid value: comma-separated list of IP/mask values.
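The constraints above (value ranges, the firewall_installed/qrw_installed exclusion, the firewall_default_state/qrw_default_state rule, timeout units, and the IP/mask lists) are easy to get wrong by hand before an S-TAP restart. The following script is an added example, not IBM's or the S-TAP's own code: it parses the [TAP] section of a guard_tap.ini, reports violations of the rules in this table, converts firewall_timeout to milliseconds, and answers whether a given client IP is watched at session start under firewall_force_watch/firewall_force_unwatch. The sample ini text is constructed and contains two deliberate misconfigurations; the function names are this example's own. For firewall_default_state=2 the function reports the initial packets as watched and does not apply the force lists, since the table only ties those lists to states 0 and 1.

```python
"""Check S-TAP firewall parameters in a guard_tap.ini [TAP] section.

Added example (not IBM code). Encodes the rules from the parameter table:
value ranges, mutual exclusions between firewall and query-rewrite (qrw)
settings, timeout units, and IP/mask list syntax.
"""
import configparser
import ipaddress

# Constructed sample with two deliberate problems: firewall and qrw are both
# enabled, and firewall_default_state is not 0 while qrw_default_state is 1.
SAMPLE_INI = """
[TAP]
firewall_installed=1
firewall_timeout=-50
firewall_fail_close=1
firewall_default_state=2
firewall_force_watch=10.1.2.0/255.255.255.0,192.168.5.10/32
firewall_force_unwatch=
qrw_installed=1
qrw_default_state=1
"""


def load_tap_section(text):
    """Return the [TAP] section as a plain dict (keys are lower-cased)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["TAP"])


def timeout_ms(value):
    """Convert firewall_timeout to milliseconds.
    Negative values (-1..-999) are milliseconds; positive values (1..10) are seconds."""
    v = int(value)
    if -999 <= v <= -1:
        return -v
    if 1 <= v <= 10:
        return v * 1000
    raise ValueError(f"firewall_timeout {v} is outside -1..-999 and 1..10")


def parse_ip_list(value):
    """Parse a comma-separated IP/mask list into ip_network objects; NULL or empty -> []."""
    if not value or value.strip().upper() == "NULL":
        return []
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]


def check_firewall_params(tap):
    """Return a list of problem strings for a [TAP] mapping; an empty list means OK."""
    problems = []
    fw_installed = tap.get("firewall_installed", "0")
    if fw_installed not in ("0", "1"):
        problems.append(f"firewall_installed must be 0 or 1, got {fw_installed}")
    if fw_installed == "1" and tap.get("qrw_installed", "0") == "1":
        problems.append("firewall_installed and qrw_installed cannot both be 1")
    try:
        timeout_ms(tap.get("firewall_timeout", "2"))
    except ValueError as err:
        problems.append(str(err))
    if tap.get("firewall_fail_close", "0") not in ("0", "1"):
        problems.append("firewall_fail_close must be 0 or 1")
    state = tap.get("firewall_default_state", "0")
    if state not in ("0", "1", "2"):
        problems.append(f"firewall_default_state must be 0, 1 or 2, got {state}")
    elif state != "0" and tap.get("qrw_default_state", "0") in ("1", "2"):
        problems.append("firewall_default_state must be 0 when qrw_default_state is 1 or 2")
    for key in ("firewall_force_watch", "firewall_force_unwatch"):
        try:
            parse_ip_list(tap.get(key, ""))
        except ValueError as err:
            problems.append(f"{key}: {err}")
    return problems


def is_watched(client_ip, tap):
    """Is a client IP watched at session start, given the default state and overrides?
    State 0: only IPs in firewall_force_watch. State 1: all except firewall_force_unwatch.
    State 2: initial packets of every session are watched (force lists not applied here)."""
    ip = ipaddress.ip_address(client_ip)
    state = tap.get("firewall_default_state", "0")
    if state == "0":
        return any(ip in net for net in parse_ip_list(tap.get("firewall_force_watch", "")))
    if state == "1":
        return not any(ip in net for net in parse_ip_list(tap.get("firewall_force_unwatch", "")))
    return True


if __name__ == "__main__":
    section = load_tap_section(SAMPLE_INI)
    for problem in check_firewall_params(section) or ["no problems found"]:
        print(problem)
    print("timeout:", timeout_ms(section["firewall_timeout"]), "ms")
```

Run it against a real guard_tap.ini by reading the file into load_tap_section instead of SAMPLE_INI; the checks are deliberately conservative and only flag what the table states, so a clean report is a necessary but not sufficient sign that the policy itself is correct.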