Firewall parameters

These parameters affect the behavior of the S-TAP with respect to the firewall.

These parameters are stored in the [TAP] section of the S-TAP properties file.

Attention: These are advanced parameters and should be modified only by IBM Technical Support.
Attention: If a parameter is available through both the GIM and the command line interface (CLI), then the GIM parameter, including any defaults, always overwrites any value that is available from WINSTAP_CMD_LINE.
Each parameter is listed with its GIM name, its guard_tap.ini name, its default value, a description, and the S-TAP protocol versions in which it applies.

GIM: WINSTAP_FIREWALL_INSTALLED
guard_tap.ini: FIREWALL_INSTALLED
Default value: 0
Protocol version: 7 and 8
Description: Enables the firewall feature. Valid values:
  • 0: Disabled.
  • 1: Enabled.
Note: FIREWALL_INSTALLED and QUERY_REWRITE_INSTALLED cannot be enabled at the same time. If QUERY_REWRITE_INSTALLED is set to 1, then FIREWALL_INSTALLED is disabled.

GIM: WINSTAP_FIREWALL_TIMEOUT
guard_tap.ini: FIREWALL_TIMEOUT
Default value: 2
Protocol version: 7 and 8
Description: Time, in seconds, to wait for a verdict from the Guardium® system. If the firewall times out, the value of the parameter firewall_fail_close determines whether the connection is blocked or allowed.
Valid values: 0-10.

GIM: WINSTAP_FAIL_CLOSE
guard_tap.ini: FIREWALL_FAIL_CLOSE
Default value: 0
Protocol version: 7 and 8
Description: The action taken when the policy rules cannot deliver a verdict, for example when the timeout expires. Valid values:
  • 0: The connection is allowed through.
  • 1: The connection is blocked.

GIM: WINSTAP_DEFAULT_STATE
guard_tap.ini: FIREWALL_DEFAULT_STATE
Default value: 0
Protocol version: 7 and 8
Description: Valid values:
  • 0: The firewall is activated per session, when triggered by a rule in the installed policy.
  • 1: All traffic is watched for firewall policy violations.
  • 2: All traffic is watched for firewall policy violations for the initial priority_count packets of each session (priority_count is a guard_tap.ini parameter). S-TAP watches the initial part of every new session to your database. This is useful when you have session-based policies, firewall rules based on the user, or rules based on other information that is passed early in the session, and it limits the performance impact of the firewall: instead of watching every packet of the session (as with value 1) and waiting for an UNWATCH verdict, S-TAP unwatches the session automatically if no WATCH or DROP verdict is sent.

GIM: WINSTAP_FORCE_WATCH
guard_tap.ini: FIREWALL_FORCE_WATCH
Default value: NULL
Protocol version: 7 and 8
Description: When firewall_default_state=0 (off), firewall_force_watch specifies the networks (IP/mask) that you want the firewall to watch, overriding the default (off).
Valid value: comma-separated list of IP/mask values.

GIM: WINSTAP_FORCE_UNWATCH
guard_tap.ini: FIREWALL_FORCE_UNWATCH
Default value: NULL
Protocol version: 7 and 8
Description: When firewall_default_state=1 (on), firewall_force_unwatch specifies the networks (IP/mask) that you want the firewall to ignore, overriding the default (on).
Valid value: comma-separated list of IP/mask values.
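The constraints above (the FIREWALL_INSTALLED / QUERY_REWRITE_INSTALLED conflict, the 0-10 timeout range, the fail-open meaning of FIREWALL_FAIL_CLOSE=0, and the fact that FORCE_WATCH only applies with default state 0 and FORCE_UNWATCH only with default state 1) are easy to get wrong when editing guard_tap.ini by hand. The following added example, which is not IBM code and not part of this page, is a small lint script that reads a [TAP] section and reports every documented rule it violates. It assumes the section is plain key=value text that Python's configparser can read; the sample and hardened configurations are constructed for illustration, and the function names are the example's own.

```python
"""Lint the firewall settings of an S-TAP guard_tap.ini [TAP] section.

Added example (not IBM code). It checks only the rules documented on
this page; the file format is assumed to be configparser-compatible.
"""
import configparser
import ipaddress

# Constructed sample: a fail-open configuration with several documented mistakes.
SAMPLE_INI = """\
[TAP]
FIREWALL_INSTALLED=1
QUERY_REWRITE_INSTALLED=1
FIREWALL_TIMEOUT=15
FIREWALL_FAIL_CLOSE=0
FIREWALL_DEFAULT_STATE=1
FIREWALL_FORCE_WATCH=10.0.0.0/8
FIREWALL_FORCE_UNWATCH=192.168.1.0/24, 10.1.2.3/32
"""

# Constructed hardened counterpart: fail-closed, in-range timeout, session-start watching.
HARDENED_INI = """\
[TAP]
FIREWALL_INSTALLED=1
QUERY_REWRITE_INSTALLED=0
FIREWALL_TIMEOUT=2
FIREWALL_FAIL_CLOSE=1
FIREWALL_DEFAULT_STATE=2
FIREWALL_FORCE_WATCH=NULL
FIREWALL_FORCE_UNWATCH=NULL
"""


def parse_tap_section(text):
    """Return the [TAP] section as a dict keyed by upper-case parameter name."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep keys exactly as written in the file
    cp.read_string(text)
    return {key.upper(): value.strip() for key, value in cp["TAP"].items()}


def parse_networks(value):
    """Parse the comma-separated IP/mask list used by FORCE_WATCH/FORCE_UNWATCH."""
    if value in ("", "NULL"):
        return []
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",")]


def lint_firewall(tap):
    """Return a list of findings (empty means the documented rules all hold)."""
    findings = []

    def as_int(key, default):
        raw = tap.get(key, default)
        try:
            return int(raw)
        except ValueError:
            findings.append(f"{key}: not an integer ({raw!r})")
            return None

    installed = as_int("FIREWALL_INSTALLED", "0")
    query_rewrite = as_int("QUERY_REWRITE_INSTALLED", "0")
    if installed == 1 and query_rewrite == 1:
        findings.append("FIREWALL_INSTALLED and QUERY_REWRITE_INSTALLED are both 1; "
                        "query rewrite wins and the firewall is disabled")

    timeout = as_int("FIREWALL_TIMEOUT", "2")
    if timeout is not None and not 0 <= timeout <= 10:
        findings.append(f"FIREWALL_TIMEOUT={timeout} is outside the valid range 0-10")

    # Default is 0: a timed-out verdict lets the connection through (fail-open).
    if as_int("FIREWALL_FAIL_CLOSE", "0") == 0:
        findings.append("FIREWALL_FAIL_CLOSE=0: connections are allowed when no verdict "
                        "arrives within FIREWALL_TIMEOUT (fail-open)")

    state = as_int("FIREWALL_DEFAULT_STATE", "0")
    if state is not None and state not in (0, 1, 2):
        findings.append(f"FIREWALL_DEFAULT_STATE={state} is not one of 0, 1, 2")

    # FORCE_WATCH overrides default state 0; FORCE_UNWATCH overrides default state 1.
    for key, required_state in (("FIREWALL_FORCE_WATCH", 0),
                                ("FIREWALL_FORCE_UNWATCH", 1)):
        value = tap.get(key, "NULL")
        try:
            networks = parse_networks(value)
        except ValueError as exc:
            findings.append(f"{key}: invalid IP/mask entry ({exc})")
            continue
        if networks and state != required_state:
            findings.append(f"{key} is set but only applies when "
                            f"FIREWALL_DEFAULT_STATE={required_state} (current: {state})")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_INI), ("hardened", HARDENED_INI)):
        print(f"== {label} ==")
        for finding in lint_firewall(parse_tap_section(text)) or ["no findings"]:
            print(" -", finding)
```

Running the script lists four findings for the sample configuration and none for the hardened one. The fail-open finding is reported even though 0 is the documented default, because a defender reviewing the file usually wants to decide that trade-off explicitly rather than inherit it.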