Blocking rule actions
This section describes S-TAP Terminate and S-GATE rule actions.
The S-TAP Terminate action terminates a database connection (a session) and prevents additional requests on that session. This action is available in the S-TAP regardless of whether S-GATE is used. S-GATE adds two per-session modes and three rule actions that control when requests are held for a verdict:
- Attached (S-GATE is "on"): S-TAP is in firewalling mode for that session, and it holds the database requests and waits for a verdict on each request before releasing its responses. Latency is expected in this mode, but it ensures that rogue requests are blocked.
- Detached (S-GATE is "off"): S-TAP is in normal monitoring mode for that session, and it passes requests to the database server without any delay. Latency is not expected in this mode.
- S-GATE Attach: sets S-GATE mode to "Attached" for a specific session. Intended for use when a criterion is met that warrants closely watching, and if needed blocking, the traffic on that session.
- S-GATE Detach: sets S-GATE mode to "Detached" for a specific session. S-GATE Detach is intended for use on sessions that are considered safe or sessions that cannot tolerate any latency.
- S-GATE Terminate: applies only when the session is attached. It drops the reply to the firewalled request and, on some databases, terminates the session, so the S-GATE TERMINATE policy rule action ends a previously watched session. On a detached session it has no effect, because no request is being held.
- S-TAP Terminate and S-GATE Terminate do not work on a client IP group whose members contain wildcard characters; they work only with single IP addresses. To cover multiple clients, list the individual IP addresses in a group rather than using wildcards. Customers can create groups of trusted or untrusted users and clients to express their business needs in policies.
- S-GATE with A-TAP has limitations on older Linux kernels. For S-TAP V10.1.2 and later, S-GATE is supported on all platforms except Linux with A-TAP on kernels earlier than 2.6.36.
- For MySQL databases, the default command-line connection is `mysql -u <user> -p<pass> <dbname>` (the password is attached to `-p` with no space). In this mode the MySQL client first maps all objects and fields in the database to support tab-key auto-completion. A terminate rule on any object or field involved in this mapping terminates the session immediately, during login, before the user's first query. To avoid this, connect with the `-A` flag, which disables auto-completion so the login sequence does not trigger the terminate rule. Alternatively, fine-tune the rule so that it does not terminate on any access to these objects or fields, and instead define a narrower criterion that the login sequence does not trigger.
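The following is an added example, not Guardium's own code: a small Python model of the session semantics described in this section (the Attached and Detached modes, S-GATE Attach and Detach, S-GATE Terminate versus S-TAP Terminate, the wildcard client-IP limitation, and the MySQL auto-rehash login problem). The rule and session structures, the request tuples, the IP addresses and the approximated auto-rehash login sequence are all constructed here for illustration; the real evaluation happens in the Guardium policy engine, and this model applies every matching rule in order (an assumption, since real policies have per-rule continuation settings).

```python
"""Added example (not Guardium code): model of S-GATE/S-TAP blocking semantics."""
from dataclasses import dataclass, field
import fnmatch

ATTACH = "S-GATE ATTACH"
DETACH = "S-GATE DETACH"
SGATE_TERMINATE = "S-GATE TERMINATE"
STAP_TERMINATE = "S-TAP TERMINATE"
TERMINATE_ACTIONS = {SGATE_TERMINATE, STAP_TERMINATE}


@dataclass
class Rule:
    name: str
    action: str
    client_ip: object = None  # None = no IP criterion; str = one IP or wildcard; tuple = group
    verb: str = "*"           # SQL verb pattern, e.g. "SELECT", "DELETE"
    obj: str = "*"            # object/field pattern, e.g. "payroll*"

    def client_ok(self, ip):
        if self.client_ip is None:
            return True
        if isinstance(self.client_ip, tuple):      # explicit group: exact members only
            return ip in self.client_ip
        return fnmatch.fnmatchcase(ip, self.client_ip)

    def matches(self, ip, verb, obj):
        return (self.client_ok(ip) and fnmatch.fnmatchcase(verb, self.verb)
                and fnmatch.fnmatchcase(obj, self.obj))


@dataclass
class Session:
    client_ip: str
    attached: bool = False    # Detached (S-GATE "off") until an Attach rule fires
    terminated: bool = False
    log: list = field(default_factory=list)


def evaluate(rules, session, verb, obj):
    """Run one request through the policy and return its verdict."""
    if session.terminated:
        session.log.append((verb, obj, "REFUSED"))  # no more requests on a terminated session
        return "REFUSED"
    verdict = "HELD" if session.attached else "PASSED"  # attached: held until a verdict
    for rule in rules:
        if not rule.matches(session.client_ip, verb, obj):
            continue
        if (rule.action in TERMINATE_ACTIONS and isinstance(rule.client_ip, str)
                and any(c in rule.client_ip for c in "*?")):
            # documented limitation: Terminate needs a single IP or a group, not a wildcard
            session.log.append((verb, obj, "IGNORED:" + rule.name))
            continue
        if rule.action == ATTACH:
            session.attached = True
        elif rule.action == DETACH:
            session.attached = False
        elif rule.action == STAP_TERMINATE:       # works whether or not S-GATE is attached
            session.terminated = True
            verdict = "TERMINATED"
            break
        elif rule.action == SGATE_TERMINATE and session.attached:
            session.terminated = True             # reply dropped; detached sessions unaffected
            verdict = "DROPPED"
            break
    if verdict == "HELD":
        verdict = "RELEASED"
    session.log.append((verb, obj, verdict))
    return verdict


def run(rules, client_ip, requests):
    s = Session(client_ip)
    return [evaluate(rules, s, v, o) for v, o in requests]


def sgate_demo():
    """Attach on first touch of payroll, then drop a DELETE: group IPs vs a wildcard IP."""
    reqs = [("SELECT", "orders"), ("SELECT", "payroll.salary"),
            ("DELETE", "payroll.salary"), ("SELECT", "orders")]
    group = [Rule("watch payroll", ATTACH, obj="payroll*"),
             Rule("drop deletes", SGATE_TERMINATE, client_ip=("203.0.113.7", "203.0.113.8"), verb="DELETE")]
    wild = [Rule("watch payroll", ATTACH, obj="payroll*"),
            Rule("drop deletes", SGATE_TERMINATE, client_ip="203.0.113.*", verb="DELETE")]
    return run(group, "203.0.113.7", reqs), run(wild, "203.0.113.7", reqs)


def detached_demo():
    """S-GATE Terminate is a no-op on a detached session; S-TAP Terminate still kills it."""
    reqs = [("DELETE", "payroll.salary")]
    return (run([Rule("drop", SGATE_TERMINATE, verb="DELETE")], "198.51.100.5", reqs),
            run([Rule("kill", STAP_TERMINATE, verb="DELETE")], "198.51.100.5", reqs))


def mysql_login(auto_rehash, user_queries):
    # Constructed approximation of a mysql client connect: with auto-rehash on it
    # enumerates tables and columns before the user's first query (assumption).
    seq = [("CONNECT", "hr")]
    if auto_rehash:
        seq += [("SHOW", "hr.tables"), ("SHOW", "payroll.salary"), ("SHOW", "orders.total")]
    return seq + user_queries


def mysql_demo():
    """Broad rule kills the login itself; -A or a narrower (SELECT-only) rule does not."""
    broad = [Rule("no payroll access", STAP_TERMINATE, obj="payroll*")]
    narrow = [Rule("no payroll reads", STAP_TERMINATE, verb="SELECT", obj="payroll*")]
    user = [("SELECT", "orders.total"), ("SELECT", "payroll.salary")]
    return {"broad+rehash": run(broad, "198.51.100.5", mysql_login(True, user)),
            "broad+-A": run(broad, "198.51.100.5", mysql_login(False, user)),
            "narrow+rehash": run(narrow, "198.51.100.5", mysql_login(True, user))}
```

In `sgate_demo` the group-based rule drops the DELETE and refuses everything after it, while the wildcard version is silently ignored and the DELETE is released, which is exactly the failure mode the wildcard caveat warns about. In `mysql_demo` the broad rule terminates the session on the client's own metadata queries during login; connecting with `-A` (no rehash queries) or narrowing the rule to the SELECT verb lets the login complete and still terminates the rogue read of `payroll.salary`.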