Known limitations
The following known limitations apply to session-level policies and advanced session-level policies.
- Session-level policies apply on new database sessions opened after installing the session-level policy. When updating or removing session-level policies, existing sessions continue using the original policies until the sessions have finished their work.
- In some protocols, for example Microsoft SQL Server, SERVICE_NAME does not exist and SERVER_TYPE is used as a placeholder. In this case, avoid using SERVICE_NAME and use DB_TYPE instead.
- For local connections, the Microsoft SQL Server username can initially be set to the OS user and replaced later in the session. Consider this when creating session-level policy rules that match on the username.
- NET_PROTOCOL can change during a session and is not recommended as a rule condition.
- In rare cases, session information is only obtained by correlation in the logger (for example, Oracle Kerberos authentication). Session parameters that are correlated in the logger should not be used as session-level policy rule conditions.
- Wildcards are allowed in session-level rule criteria, tuples, search parameters (except MATCH_PATTERN), and groups (or LIKE groups when using advanced session-level policies).
- IP address network masks are not applied to IP address groups. Apply the mask to IP address group members before creating the group, and add them to the group in subnet form. If CLIENT_NET_MASK, SERVER_NET_MASK, or SENDER_NET_MASK is used when CLIENT_IP, SERVER_IP, or SENDER_IP contains a group, add the related subnet members directly to the group. Consider using CIDR notation in groups when it is needed.
- If session-level policies are reinstalled, sessions are validated against the new policy rules.
- Regular expressions use Perl syntax. The maximum size of a regular expression is 255 symbols. Note that Guardium checks regular expression syntax but not semantics. The regular expression language has advanced features and is recommended only for experienced users; poorly written regular expressions can lead to serious degradation of performance and available resources.
- Only one tuple is allowed per rule, although a policy can contain multiple tuples across its rules.
- For advanced session-level policies only:
  - The size specified in the header of any group (including groups of tuples) must match the number of group member values specified in the body of the group. For example, if a group header declares six tuples but the body lists seven, the seventh tuple is disregarded.
  - Imported session rules only work with actions supported by advanced session-level policies.
  - Advanced session-level policies cannot be created with empty groups: at least one group member must be specified.
  - Importing session rules imports all currently installed session-level policies and rules at once. If you need rules from a single policy, install only that policy before importing so that the import contains only that policy's rules.
  - The ANALYZED_CLIENT_IP criterion is derived from correlating encrypted and unencrypted sessions. This criterion is not always available.
  - Rules that use the CONFIGURE action can use the following criteria: CLIENT IP ADDRESS, CLIENT_NET_MASK, SERVER_IP_ADDRESS, SERVER_NET_MASK, SERVER_PORT, SENDER_IP, SENDER_NET_MASK, DB_TYPE, SESSION START TIME RANGE, NET_PROTOCOL, SESSION (options: LOCAL, TAP_ENCRYPTED, ALL_ENCRYPTED).
- For performance reasons, use fewer than 500 session-level rules across all installed policies.
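Several of the limitations above (masks not applied to IP groups, group header size matching the body, no empty groups, the 255-symbol regular expression limit, and the 500-rule budget) can be caught before a policy is imported. The following pre-flight checker is an added example and is not Guardium's own code or policy format: it assumes, for illustration only, that a group is represented as a plain dict with a declared `size` header and a `members` list, and it uses Python's `re` module as an approximation of Perl regex syntax.

```python
"""Pre-flight checks for session-level policy groups and rule regexes.

Added example, not Guardium code. The group structure below (dict with
'name', 'size', 'members') is an assumption made for illustration; the real
import format is different.
"""
import ipaddress
import re

MAX_REGEX_LEN = 255          # limit stated in the documentation
MAX_SESSION_RULES = 500      # recommended ceiling across all installed policies


def to_subnet(ip: str, mask: str) -> str:
    """Fold an IP/mask pair into CIDR form so it can be added to a group
    directly, because masks are not applied to group members at match time."""
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


def normalize_ip_group(group: dict) -> dict:
    """Return a copy of an IP group whose members are all CIDR strings.
    Members may be 'a.b.c.d', 'a.b.c.d/nn', or an ('a.b.c.d', 'mask') tuple."""
    members = []
    for m in group["members"]:
        if isinstance(m, tuple):
            members.append(to_subnet(*m))
        else:
            members.append(str(ipaddress.ip_network(m, strict=False)))
    return {"name": group["name"], "size": group["size"], "members": members}


def check_group_size(group: dict) -> list:
    """Report empty groups and header/body mismatches. Members beyond the
    declared size are disregarded on import, so flag them instead of losing them."""
    declared, actual = group["size"], len(group["members"])
    problems = []
    if actual == 0:
        problems.append(f"{group['name']}: empty group is not allowed")
    if declared != actual:
        problems.append(f"{group['name']}: header declares {declared} members, body has {actual}")
    return problems


def check_regex(pattern: str) -> list:
    """Length and coarse syntax check for a rule regex. Python's re is used as a
    stand-in for Perl syntax (assumption); semantics are not checked, as in Guardium."""
    problems = []
    if len(pattern) > MAX_REGEX_LEN:
        problems.append(f"regex exceeds {MAX_REGEX_LEN} symbols ({len(pattern)})")
    try:
        re.compile(pattern)
    except re.error as exc:
        problems.append(f"regex syntax error: {exc}")
    return problems


def check_rule_budget(rules_per_policy: dict) -> list:
    """Warn when the total number of session-level rules across installed
    policies reaches the recommended limit."""
    total = sum(rules_per_policy.values())
    if total >= MAX_SESSION_RULES:
        return [f"{total} session rules installed; keep fewer than {MAX_SESSION_RULES}"]
    return []


if __name__ == "__main__":
    # Constructed sample input: one IP group with a mask pair and a mismatched header.
    sample = {"name": "app_servers", "size": 3,
              "members": [("192.168.5.77", "255.255.255.0"), "10.0.0.0/8"]}
    print(normalize_ip_group(sample))
    print(check_group_size(sample))
    print(check_regex("^SELECT\\s+\\*\\s+FROM\\s+payroll"))
    print(check_rule_budget({"policy_a": 300, "policy_b": 250}))
```

Run the checks over every group and regex in a policy before importing it; a non-empty list from any check means the import would silently drop members or the regex would be rejected.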