Linux-Unix: Firewall parameters

These parameters affect the behavior of the S-TAP with respect to the firewall.

These parameters are stored in the [TAP] section of the S-TAP properties file.

CAUTION:
These are advanced parameters and are usually modified by IBM Technical Support only.
Each parameter is listed by its GIM name, followed by its guard_tap.ini name, its default value, and a description.

STAP_FIREWALL_INSTALLED
  guard_tap.ini: firewall_installed
  Default value: 0
  Description: Firewall feature enabled. Valid values:
    • 0: no
    • 1: yes

STAP_FIREWALL_TIMEOUT
  guard_tap.ini: firewall_timeout
  Default value: 2
  Description: Time, in seconds, to wait for a verdict from the Guardium system. If the firewall times out, the firewall_fail_close value determines whether the connection is blocked or allowed. The value can be any integer.

STAP_FIREWALL_FAIL_CLOSE
  guard_tap.ini: firewall_fail_close
  Default value: 0
  Description: The action taken when the verdict cannot be set by the policy rules, for example when firewall_timeout expires. Valid values:
    • 0: the connection goes through
    • 1: the connection is blocked

STAP_FIREWALL_DEFAULT_STATE
  guard_tap.ini: firewall_default_state
  Default value: 0
  Description: Valid values:
    • 0: The firewall is activated per session when triggered by a rule in the installed policy. This option should only be used when absolutely necessary.
    • 1: All traffic is watched for firewall policy violations.
    • 2: All traffic is watched for firewall policy violations for the initial priority_count packets. S-TAP watches the initial part of every new session to your database. This is useful when you have session-based policies, firewall rules based on the user, or rules based on other information that is passed early in the session, and it limits the impact of the firewall on performance. Instead of watching every bit of the session (firewall_default_state=1) and waiting for an UNWATCH verdict, S-TAP simply unwatches automatically if no WATCH or DROP verdict is sent.
  Restart the S-TAP after changing this parameter.

STAP_FIREWALL_FORCE_WATCH
  guard_tap.ini: firewall_force_watch
  Default value: NULL
  Description: When firewall_default_state=0 (off), firewall_force_watch specifies the network/mask of the IPs you want the firewall to watch, overriding the default (off).
  Valid value: comma-separated list of IP/mask values.

STAP_FIREWALL_FORCE_UNWATCH
  guard_tap.ini: firewall_force_unwatch
  Default value: NULL
  Description: When firewall_default_state=1 (on), firewall_force_unwatch specifies the network/mask of the IPs you want the firewall to ignore, overriding the default (on).
  Valid value: comma-separated list of IP/mask values.
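The following script is an added example, not part of the IBM documentation or the S-TAP product: it reads the firewall parameters from the [TAP] section of a guard_tap.ini-style file and summarises what they mean at run time (fail-open versus fail-close on timeout, which default state is in force, and which force_watch or force_unwatch ranges actually apply). The sample [TAP] fragment is constructed for the example; it assumes the section uses plain key=value lines and that an absent or empty key stands for the NULL default in the table above.

```python
import configparser
import ipaddress
from typing import Any, Dict, List

# Constructed [TAP] fragment for this example (not IBM's shipped guard_tap.ini).
# Assumes plain key=value lines; an absent or empty key means the table default.
SAMPLE_INI = """\
[TAP]
firewall_installed=1
firewall_timeout=2
firewall_fail_close=0
firewall_default_state=0
firewall_force_watch=10.20.0.0/255.255.0.0, 192.168.5.0/24
firewall_force_unwatch=
"""

# Default values as listed in the parameter table; NULL is modelled as "".
DEFAULTS = {
    "firewall_installed": "0",
    "firewall_timeout": "2",
    "firewall_fail_close": "0",
    "firewall_default_state": "0",
    "firewall_force_watch": "",
    "firewall_force_unwatch": "",
}

STATE_TEXT = {
    "0": "per session, activated only when a policy rule triggers it",
    "1": "all traffic watched",
    "2": "all traffic watched for the initial priority_count packets only",
}


def parse_tap_section(text: str) -> Dict[str, str]:
    """Return the firewall_* keys of the [TAP] section, filling in table defaults."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    if not cp.has_section("TAP"):
        raise ValueError("properties file has no [TAP] section")
    params = dict(DEFAULTS)
    for key, value in cp.items("TAP"):
        if key in params:
            params[key] = (value or "").strip()
    return params


def parse_network_list(value: str, findings: List[str], field: str) -> list:
    """Parse a comma-separated IP/mask list; malformed entries become findings."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            findings.append(f"{field}: '{item}' is not a valid IP/mask")
    return nets


def firewall_posture(params: Dict[str, str]) -> Dict[str, Any]:
    """Summarise the run-time effect of the [TAP] firewall settings."""
    findings: List[str] = []
    installed = params["firewall_installed"] == "1"
    if not installed:
        findings.append("firewall_installed=0: the firewall feature is disabled")

    try:
        timeout = int(params["firewall_timeout"])
    except ValueError:
        timeout = None
        findings.append(f"firewall_timeout='{params['firewall_timeout']}' is not an integer")

    # What happens to a session when no verdict arrives (e.g. firewall_timeout expires).
    verdict_on_timeout = "block" if params["firewall_fail_close"] == "1" else "allow"
    if installed and verdict_on_timeout == "allow":
        findings.append("firewall_fail_close=0: a session is allowed through if the verdict times out")

    state = params["firewall_default_state"]
    if state not in STATE_TEXT:
        findings.append(f"firewall_default_state='{state}' is not one of 0, 1, 2")

    # force_watch applies only when the default is off (0); force_unwatch only when on (1).
    watched = parse_network_list(params["firewall_force_watch"], findings, "firewall_force_watch")
    ignored = parse_network_list(params["firewall_force_unwatch"], findings, "firewall_force_unwatch")
    if watched and state != "0":
        findings.append("firewall_force_watch is set but only applies when firewall_default_state=0")
        watched = []
    if ignored and state != "1":
        findings.append("firewall_force_unwatch is set but only applies when firewall_default_state=1")
        ignored = []

    return {
        "installed": installed,
        "timeout_seconds": timeout,
        "verdict_on_timeout": verdict_on_timeout,
        "default_state": STATE_TEXT.get(state, "unknown"),
        "watched_networks": watched,
        "ignored_networks": ignored,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in firewall_posture(parse_tap_section(SAMPLE_INI)).items():
        print(f"{key}: {value}")
```

Run it against a copy of the host's guard_tap.ini to see whether the instance fails open or closed on a verdict timeout and which address ranges the force lists actually affect; a force list that is set but ignored because of the current firewall_default_state is reported as a finding rather than silently dropped.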