Blocking rule actions

This section describes S-TAP Terminate and S-GATE rule actions.

S-TAP Terminate

The S-TAP Terminate action terminates a database connection (a session) and prevents additional requests on that session. This action is available in the S-TAP regardless of whether S-GATE is used.

Note: With S-TAP Terminate, the triggering request is not usually blocked but additional requests from that session are blocked. With a high request rate, sometimes more than one request may go through before the session is terminated.


S-GATE provides database protection via the S-TAP for both network and local connections. When S-GATE is available, all database connections (sessions) are evaluated and tagged for monitoring in one of the following S-GATE modes:
  • Attached (S-GATE is "on"): S-TAP is in firewalling mode for that session, and it holds the database requests and waits for a verdict on each request before releasing its responses. Latency is expected in this mode, but it ensures that rogue requests are blocked.
  • Detached (S-GATE is "off"): S-TAP is in normal monitoring mode for that session, and it passes requests to the database server without any delay. Latency is not expected in this mode.
S-GATE configuration in the S-TAP itself defines the default S-GATE mode for all sessions, as well as other defaults related to S-GATE verdicts when the collector is not responding. For more information, see Linux and UNIX systems: S-TAP firewall parameters and Windows: S-TAP firewall parameters.
It is possible to alter the default S-GATE configuration in real time using the following S-GATE policy rule actions:
  • S-GATE Attach: sets S-GATE mode to "Attached" for a specific session. Intended for use when a certain criteria is met that raises the need to closely watch (and if needed block) the traffic on that session.
  • S-GATE Detach: sets S-GATE mode to "Detached" for a specific session. S-GATE Detach is intended for use on sessions that are considered safe or sessions that cannot tolerate any latency.
  • S-GATE Terminate: applies only when the session is attached, S-GATE Terminate drops the reply of the firewalled request and terminates the session on some databases. The S-GATE TERMINATE policy rule action causes a previously watched session to terminate.
  • S-TAP and S-GATE Terminate actions do not work on a client IP group whose members have wild-card characters. S-TAP and S-GATE Terminate only work with a single IP address. Wildcards should be handled by groups if the customer wants to use multiple IP entries. Customer can create groups of trusted or untrusted users/clients to handle their business needs in the policies.
  • There are limitations for using S-GATE with A-TAP with older Linux kernels. For S-TAP V10.1.2 and higher, S-GATE is supported everywhere except Linux with A-TAP using kernels earlier than 2.6.36.
  • For MySQL databases, the default command line connection is mysql -u <user> -p <pass> <dbname>. In this mode, MySQL first maps all the objects and fields in the database to support tab-key auto-completion. A terminate rule on any object or field involved in this mapping immediately disables the connection session. To avoid this, connect to MySQL with the -A flag, which disables the auto-complete feature and will not trigger the terminate rule. Another option is to fine-tune the rule and not terminate on any access to these objects or fields, instead defining a narrower criteria that does not trigger the rule on the login sequence.